This module on digital forensics will familiarize you with forensics terminology and approaches, along with hands-on experience with a variety of forensic tools used by investigators to conduct incident response, find evidence of criminal behavior, and examine the effects of malware infection. The module will focus on Windows forensics and will use a Linux-based forensic workstation for hands-on analysis. Tools for conducting forensic examinations using a Windows system will also be introduced.
This is the first module in the Cyber-Physical Industry course; however, it can be taught as a standalone module. The purpose of this module is to introduce students to concepts associated with system assets and system operations in industrial control systems.
This exercise provides hands-on experience applying concepts learned during Lesson 2: Windows Filesystem and Browser Forensics in the Digital Forensics Module. Students will use tools on the SANS SIFT Workstation Linux distribution to examine partial Windows file system images and find browser and recycle bin artifacts.
This intermediate-level, real-world lab exercise has students log into a worm-infected CentOS Linux server (ssh terminal only) and follow prescribed steps to secure, clean up, and lock down the infected server. Students will use utilities such as chkconfig, service, ps, and kill to examine running services and shut down potentially malicious ones; netstat and nmap to identify rogue network services; iptables to properly configure the firewall; and package management software such as rpm and yum to verify and repair system packages.
This introductory lab has students scanning a small network subnet using nmap to identify live hosts and open ports. Targets include three virtual machines: a web server, a vulnerable Samba server, and an FTP server, as well as other open network ports. It teaches Linux utilities for reconnaissance and scanning such as whois, ifconfig, and nmap with various command-line switches.
This introductory lab has students learn how to use both symmetric and asymmetric encryption at the Linux command line. The exercise includes an encryption primer and an introduction to symmetric encryption using the Linux utility ccrypt. It also has students use the Linux gpg utility to create a public/private key pair and to encrypt and decrypt a file using public-key cryptography.
This introductory lab has students conducting a password audit using John the Ripper, a free open source password cracking software tool, on a Linux computer.
This introductory lab has students using simple command injection to attempt to gain unauthorized access to data on an intentionally vulnerable web server. The lab document includes a brief primer on command injection and an introduction to DVWA and its command injection tab so students can use command injection to answer a series of lab questions.
This introductory lab has students using simple SQL injection to attempt to gain unauthorized access to data on an intentionally vulnerable web server. The lab document includes a brief SQL primer so that students understand enough to exploit simple SQL injection attacks, followed by an introduction to DVWA and its SQL Injection page for testing injection techniques.
Students will use various block cipher modes of encryption to encrypt files and then compare and contrast based on the degree of data hiding achieved and the impact of bit errors on the encrypted document when it is decrypted.