Combined Draft October 2007 version 4 STATE COUNCIL OF HIGHER EDUCATION FOR VIRGINIA PROGRAM PROPOSAL COVER SHEET 1. Institution 2. Program action (Check one): Spin-off proposal New program proposal George Mason University 3. Title of proposed program Computer Forensics 5. 4. CIP code Degree designation M.S. 6. Term and year of initiation Fall 2008 7a. For a proposed spin-off, title and degree designation of existing degree program 7b. CIP code (existing program) 8. Term and year of first graduates May 2010 9. Date approved by Board of Visitors (TBD) 10. For community colleges: date approved by local board date approved by State Board for Community Colleges 11. If collaborative or joint program, identify collaborating institution(s) and attach letter(s) of intent/support from corresponding chief academic officers(s) 12. Location of program within institution (complete for every level, as appropriate). School(s) or college(s) of Division(s) of Information Technology and Engineering Electrical and Computer Engineering Campus (or off-campus site) Fairfax, VA Distance Delivery (web-based, satellite, etc.) Not Applicable 13. Name, title, telephone number, and e-mail address of person(s) other than the institution’s chief academic officer who may be contacted by or may be expected to contact Council staff regarding this program proposal. Andrzej (Andre) Manitius, Professor and Chair, Electrical & Computer Engineering 703-993-1594, amanitiu@gmu.edu 1 Combined Draft October 2007 version 4 TABLE OF CONTENTS PROPOSAL FOR A MASTER’S DEGREE IN COMPUTER FORENSICS DESCRIPTION OF THE PROPOSED PROGRAM ...............................................................................................2 OVERVIEW ................................................................................................................................................................ 2 DESCRIPTION OF THE CURRICULUM……………………………………………………………………………….. 3 ADMISSION CRITERIA ............................................................................................................................................... 6 ADVANCEMENT TO CANDIDACY ...………………………………………………………………………………….7 FACULTY ................................................................................................................................................................... 7 PROGRAM SIZE AND VIABILITY …………………………………………………………………………………… 10 PROGRAM ADMINISTRATION ……………………………………………………………………………………... 10 LEARNING OUTCOMES AND ASSESSMENT………………………………………………………………………... 11 BENCHMARKS OF SUCCESS...................................................................................................................................... 11 EXPANSION OF AN EXISTING PROGRAM?................................................................................................................. 12 JUSTIFICATION FOR THE PROPOSED PROGRAM ....................................................................................... 13 RESPONSE TO CURRENT NEEDS ............................................................................................................................... 13 What is Computer Forensics ……………………………………………………………………………….13 Who Utilizes Computer Forensics …………………………………………………………………………13 Why Computer Forensics? …………………………………………………………………………………14 Impact of the Proposed Masters in Computer Forensics program on the Commonwealth of Virginia ..…..14 Evidence for the Need for Computer Forensics experts …………………………………………………...15 Historical Aspects of the proposed Masters in Computer Forensics program …………………………….15 ANTICIPATED STUDENT DEMAND ……………………………………………………………………………….. 16 ANTICIPATED EMPLOYMENT DEMAND …………………….…….………………………………………………..17 Sample Position advertisements …………………………………………………………………………...17 POSSIBLE DUPLICATION OF OTHER PROGRAMS ...................................................................................................... 263 LETTERS OF SUPPORT ………………………………………………………………………………………...24 PROJECTED RESOURCE NEEDS ........................................................................................................................ 26 APPENDIX A Course Descriptions ...................................................................................................................... A-1 APPENDIX B Sample Schedule for M.S. in Computer Forensics Completion ................................................. B-1 APPENDIX C Sample “Mini CV’s” for Faculty ................................................................................................. C-1 APPENDIX D Sample Job Announcement with URL and Date ........................................................................ D-1 APPENDIX E Sample Survey Instrument (and some results) ............................................................................ E-1 APPENDIX F Assumptions Used in Developing Resource Projections .............................................................. E-1 i Proposal for the M.S. in Computer Forensics Presented by the Department of Electrical and Computer Engineering George Mason University Description of the Proposed Program Overview The Department of Electrical and Computer Engineering as part of George Mason University’s Volgenau School of Information Technology and Engineering (ITE) is proposing a Master’s of Science in Computer Forensics (CFRS). Computer forensics is the collection (seizure), processing, and analysis of digital information such that this information (evidence) can be successfully admitted into a court of law. It is interdisciplinary in its nature with emphasis on computer science, network engineering, telecommunications, law, and ethics. Although related to information security, computer forensics is a discipline unto itself. In the last 20 years, computer forensics has evolved into its own industry. Once primarily focused on supporting criminal prosecutions, computer forensics now also supports civil prosecutions and the enforcement of the Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745). The proposed M.S. in Computer Forensics will prepare students for careers in industry, government, and academia by combining academic education with real world practical techniques. Emphasis is placed in the program on training students to use and apply computer forensics methods and knowledge in a variety of real life scenarios. Computer forensic examiners (CFE) work in both the public and private sectors, and the Washington D. C. area is home to a large work force of CFEs. These CFEs work for the FBI, DEA, USSS, as well as with the vast majority of Inspectors General and local police departments. Practically all of the major accounting and consulting firms employ computer forensic examiners on staff, and there is a growing cadre of independent consultants that work in this field. The American Society of Crime Lab Directors (ASCLAD), the governing association in the field forensics sciences, requires that all computer forensic examiners possess a bachelors degree with significant course work in math and science. The proposed M.S. in Computer Forensics will provide students with the necessary skills and knowledge to perform in a variety of computer forensic roles, including forensics examiner, and the ability to earn an advanced degree. The distinctiveness of the George Mason’s Master’s program in Computer Forensics lies in the curriculum, which has been tailored to strengthen the employment opportunities of students in non-academic jobs, as well as prepare students who may wish to pursue a doctorate. The proposed program will incorporate faculty research and teaching interests on a range of contemporary topical issues. It will also provide students with advanced training in computer and network digital evidence, intrusion forensics, and legal and ethical issues. The distinguished Computer Forensics program faculty cover a broad range of areas including many aspects of information technology, telecommunications, engineering, and computer science. Their specializations include information security, intrusion detection, network forensics, digital media forensics, operating systems theory, software and hardware theory, cryptography, cyber crime, digital evidence, and law and ethics. Many faculty members have hands-on experience in industry and government settings. 2 The Department of Electrical and Computer Engineering currently offers an advanced certificate in Telecommunications, Forensics, and Security (TFAS) as a concentration within the M.S. in Telecommunications (TCOM) program. The success of the TFAS certificate demonstrates a clear demand for a reputable Computer Forensics program at the Master’s level, offered by a Commonwealth of Virginia university. The M.S. in Computer Forensics will contribute to George Mason University needs and goals by serving a larger graduate student population in key areas and offering advanced elective courses in areas of interest to students pursuing advanced degrees in other George Mason programs, such as Information Security Assurance, Electrical Engineering, Computer Engineering, and Computer Science. George Mason University’s location in Northern Virginia; the teaching capabilities and capacity within the Volgenau School of Information Technology and Engineering (VSITE), the ECE department, and the university as a whole; and the status as a program within the Commonwealth of Virginia’s university system provides a unique advantage in offering students an excellent and affordable program that will prepare them to effectively use computer forensics skills and knowledge in their careers. Description of the Curriculum The field of forensics science as applied to digital telecommunications and storage has evolved over a range of disciplines in the last two decades. The initial concentration of effort was in protecting the communications links and storage devices from intrusion, theft, and sabotage. George Mason University’s School of IT&E developed, within the former Information Systems Department, a broad range of courses and research concentrations that focused on protecting telecommunications links and storage facilities. Other Departments and Schools within George Mason University used their range of faculty talents to address issues such as ethics and fraud within the framework of communications, accounting, and law. The Department of Electrical and Computer Engineering, within the School of IT&E, both through its master’s in Computer Engineering program and its Master’s in Telecommunications program, explored topics related to cryptography, network engineering, and advanced network security. The stage was therefore set to draw upon this existing, wide-ranging interdisciplinary pool of talent when cyber crime started to become a major issue. With the apparently increasing vulnerability of digital information, whether in transit or stored, the likely corruption or theft of digital data was such as to require a new capability: computer forensics. Clearly, the basis for the development of this new capability was in the field of computer engineering: a range of digital techniques needs to be mastered by any student seeking to be a practitioner in this field. However, the ability to trace the theft or corruption of digital information is not sufficient. The search results must be able to withstand the scrutiny of a court of law. The engineering knowledge of computer forensics has therefore to be balanced by a strong understanding of both ethical and legal issues to ensure that the evidence will hold up. The proposed masters in Computer Forensics program seeks to blend an exacting engineering, ethics, and legal issues plan of study to ensure that the graduates are thoroughly grounded in the skills necessary to work in both commercial and law enforcement areas, and are equipped to enter into an academic research path or a professional career. 3 The proposed M.S. in Computer Forensics (CFRS) requires the completion of a minimum of 30 hours of graduate course work with a GPA of 3.000, or higher. The CFRS program is split into two elements: a Core component of 18 credit hours (15 credit hours plus a mandatory, 3-credit, capstone course that is taken towards the end of the degree) and an Elective component of 12 credit hours Core Component: The Core component consists of three elements, with each individual course being 3 credit hours: - A mandatory introductory course (CFRS 500) that is to be taken as the first course, or one of the first courses, in the first semester of the student’s MS in Computer Forensics degree program (3 credits) - Three Forensics courses (CFRS 660, 661, and 663) that may be taken in any order, but which should be completed within the first 18 credit hours of the student’s degree program (total of 9 credits) - One Ethics course that may be selected from a pair of Ethics courses (CFRS 760 and 770), and which may be taken at any point in the program; and - A Capstone Project Course (CFRS 790) that may not be taken until at least 18 credit hours have been earned within the CFRS degree program (3 credits). Elective (Specialty) Component: The Elective component consists of a number of specialty topic courses, again each of 3 credit hours, and students are required to select 4 of these courses. Table 1 includes a detailed plan of the curriculum. Please refer to Appendix A for detailed course descriptions. Coursework will progress from core courses to more advanced specialty courses, culminating in a capstone project course. Both 600 and 700-level core courses are designed to establish a solid foundation for subsequent work beyond the master’s level. The basic core course CFRS 500 will be offered every semester, while the other core courses will be offered each year, probably in alternate semesters, until the CFRS student body builds up to warrant those courses being given in every semester. The Specialty courses are designed to provide students with advanced, more specialized, graduate level studies and, depending on their level, may be offered less frequently. Students may also be permitted to take a limited number of comparable specialty courses outside of the program. A number of these specialty courses exist in currently ongoing programs in the CS department on Information Systems Assurance (ISA) and information Systems (INFS). Two examples of such courses already offered within the school of IT&E are ISA 774 Intrusion detection and INFS 785 Data Mining for Homeland Security. 4 Table 1: M.S. in Computer Forensics Curriculum Mandatory Core Component (18 credits from 21 credits) Course Title CFRS 500* Intro to Technologies of Value to Forensics Network Forensics 3 Digital Media Forensics 3 Operations of Intrusion Detection for Forensics Legal and Ethics in IT Fraud and Forensics in Accounting Advanced Computer Forensics (CFRS Degree Capstone Course) 3 CFRS 660 (Currently TCOM 660) CFRS 661 (Currently TCOM 661) CFRS 663 (Currently TCOM 663) Either CFRS 760 * ++ Or CFRS 770 * ++ CFRS 790 * +++ Credits 3 3 3 3 Specialty Courses (12 credits from 21 credits) Course Title Credits CFRS 662 (Currently TCOM 662) ECE 646 Advanced Secure Networking 3 3 LAW 181 Cryptography and Computer-Network Security Communications Law SOCI 607 Criminology 3 CFRS 760 * ++ Legal and Ethics in IT 3 CFRS 770 * ++ Fraud and Forensics in Accounting 3 CFRS 780 * Special Topics Course 3 3 (*) Represents proposed new courses (++) Both of these courses may be taken but only one may be used in the core component (+++) CFRS 790 is the Capstone CFRS Course and may only be taken after a total of 18 credit hours has been completed in the CFRS program, which shall consist of CFRS 500; at least two courses drawn from TCOM 660, 661, and 663; and at least one course from CFRS 760 and 770. 5 The strong networking element of the CFRS program requires students to have detailed TCP/IP and Internet Routing knowledge before entering the main CFRS program. If students lack this background, they should take TCOM 509/529 (IP/Advanced IP) and TCOM 515 (Internet Routing Lab), or equivalents, prior to CFRS 500. TCOM 509/529 and 515 are existing courses offered every fall, spring, and summer as part of the MS in Telecommunications degree program. It is worth noting that seven (7) courses within the proposed MS in Computer Forensics program are existing courses that are taught in companion programs. Three (3) of these courses are in the core component and four (4) are in the elective component of the proposed MS in Computer Forensics program. Only five (5) brand new courses need to be developed, and their detailed content, together with all of the other courses to be taught in the Ms in Computer Forensics program, are given in Appendix A to this proposal. The requisite faculty are already available to teach all of these courses and so no additional funds are requested for new faculty positions for the proposed program. Appendix B provides sample schedules for the CFRS degree completion for both full-time and part-time students. Time to degree completion may involve more or less time depending on student work load and courses chosen. It is anticipated that full-time students will graduate in two years or less, while part-time students will take between two-and-a-half and four years. These program durations match those of all 30 credit hour masters programs currently offered by George Mason University. The same maximum permitted duration (6 years) that currently holds for existing 30 credit hour masters programs at George Mason University will be applied to the proposed Masters in Computer Forensics program, unless special conditions apply to a particular student’s case. Under no circumstances will a program be permitted to extend beyond 10 years. Admission Criteria Students who hold a B.S. or B.A. degree from an accredited college or university in engineering, math, science, computer science, business (with a quantitative background), economics, or other analytical disciplines, or students who have equivalent work experience indicating analytical aptitude, may apply to the M.S in Computer Forensics. Depending on their background, some applicants may be required to complete 3 to 6 credits of preliminary course work before they are allowed to enroll in any of the core courses or specialty courses in the program. The anticipated courses some students will be required to take as a condition for admittance to the MS in Computer Forensics program are TCOM 509 (Internet Protocols; 1.5 credits), TCOM 529 (Advanced Internet Protocols; 1.5 credits), TCOM 515 (Internet Routing lecture and lab; 3 credits), and TCOM 575 (Quantitative Fundamentals; 3 credits). TCOM 509, 529, 515, and 575 may not be taken for credit in the proposed MS in Computer Forensics program. A minimum undergraduate GPA of 3.00 is required for acceptance. Students may be admitted to the M.S. program, or they may be admitted for non-degree study within the program, which allows them to take individual courses. Students in the non-degree 6 program have the option of transferring into the regular program, provided their GPA within the M.S. in Computer Forensics program is 3.00 or above. Up to 12 credits earned in non-degree study may be transferred into the regular program, provided each of the courses to be transferred in was passed with a grade of B, or above. These conditions are the same as those currently applied to most graduate degrees at George Mason University Advancement to Candidacy There is no dissertation or thesis requirement for this program and so all candidates admitted under regular master’s status to the proposed MS in Computer Forensics program are candidates for the degree. They graduate under the normal conditions that apply to master’s candidates: completion of the required core courses; completion of the elective element of the program; total of at least 30 credit hours with a minimum GPA of 3.000, no more than 6 credit hours worth of C grades. Faculty The M.S. in Computer Forensics will utilize the large and diverse capabilities of the faculty of the Volgenau School of Information Technology and Engineering (IT&E) where many courses are currently taught in a variety of master’s level programs with a security or forensics emphasis. The CS department houses the strong Information Security assurance (ISA) program, in addition to a broad Information Systems (INFS) program that forms a strong element of the Ph.D. in Information Technology available within the Volgenau School of Information Technology and Engineering (VSITE). A number of interdisciplinary programs exist within VSITE that call on faculty from other schools within George Mason University to teach within VSITE programs. Examples are the School of Public Policy and the Law School that offer courses within VSITE programs. In addition to regular faculty, the Volgenau School of IT&E is fortunate to have a large pool of experienced adjunct faculty with professional forensics experience in industry, government, or similar organizational entities, who can be called on to teach within the MS in Computer Forensics program. Some of these adjunct faculty have earned their master’s and doctoral degrees within VSITE and they bring both a strong loyalty to George Mason University and an extraordinarily strong and varied wealth of experience that will ensure a commitment to excellence in the proposed MS in Computer Forensics program. The use of current working forensics professionals and in-house research will ensure that the course content remains relevant and the instruction is at the level that both the students and the organizations to be served by this program demand. The proposed M.S. in Computer Forensics will be composed of faculty members with the following collective credentials: information security, intrusion detection, network forensics, digital media forensics, operating systems theory, software and hardware theory, cryptography, cyber crime, digital evidence, telecommunications law, and ethics. 7 Table 2. BSIT Enrollments by Concentration 2005 and 2006 2005 FT Freshmen Other Freshmen Sophomores Juniors Seniors TOTAL ISN 4 10 47 106 210 377 CGW 0 2 7 25 62 96 DBMP 0 0 1 1 2 Undeclared 42 40 94 46 309 87 TOTAL 2006 784 FT Freshmen Other Freshmen Sophomores Juniors Seniors TOTAL ISN 20 9 57 113 220 419 CGW 11 7 19 22 48 107 DBMP 6 5 4 10 5 30 Undeclared 11 22 69 22 43 167 TOTAL 723 __________________________________________________________ Table source: http://irr.gmu.edu/off%5Fenrl%5Fconc/ th Data extracted and prepared by Anne Marchant September 28 , 2007 Key ISN = Information Security and Networking CGW = Computer Graphics and Web DBMP = Database Management and Programming A key element in the proposed MS in Computer Forensics program is that it will not be starting from scratch: the majority of the components necessary for the success of the program already exist. At the undergraduate level, the thriving Bachelors of Science in Information Technology (BSIT) program already has a very well populated concentration. The number of students in the BSIT program in 2005 and 2006 academic years who have elected to concentrate on Information Security and Networking (ISN) is shown in Table 2 above. As can be seen, in 2005 almost half 8 of the students (377 of 784) elected ISN as their major and the number was even larger in 2006 (419 of 723). At the graduate level, there is an advanced certificate in Telecommunications Forensics and Security (TFAS) that is currently offered within the existing MS in Telecommunications (TCOM) program. The TFAS certificate has attracted a significant group of students who have entered the MS in Telecommunications program, with about 10% of the TCOM students electing to take the TFAS certificate. There are currently about 220 TCOM students and about 8 of the 80 TCOM students who graduated in each of the last two years (2005/6 and 2006/7) earned TFAS certificates. Details of the courses and structure of the TFAS certificate are in given in Table 3 below. Table 3. Telecommunications, Forensics, and Security (TFAS) Certificate Program Mandatory Core Courses (9 credits from 18 credits) TCOM 548/556 Security Issues in Telecom/Cryptography and Network Security (1.5 credits each; total of 3 credits) or TCOM 515 TCOM 562 (+) Internet Protocol Routing (3 credits) Network Security Fundamentals (3 credits) or ISA 562 (+) Information Systems Security (formerly INFS 762) (3 credits) And either TCOM 660 (*) Or TCOM 661 (*) Network Forensics (3 credits) Digital Media Forensics (3 credits) Specialty Courses (6 credits from 12 credits) TCOM 660 (*) Network Forensics (3 credits) TCOM 661 (*) Digital Media Forensics (3 credits) TCOM 662 Advanced Secure Networking (3 credits) TCOM 663 Operations of Intrusion Detection for Forensics (3 credits) (*) TCOM 660 and TCOM 661 cannot be taken twice for credit. If either course is taken in the core element, it cannot be taken again in the specialty element. (+) ISA 562 cannot be taken for credit if TCOM 562 is taken for credit, and vice versa. 9 Program Size and Viability There are around 400 BSIT students graduating each year with an Information Security and Networking (ISN) concentration from George Mason University. If 20% of this graduating pool were to go on to graduate school the next year (a conservative estimate) and 20% of these were attracted into the proposed MS in Computer Forensics program (again, a conservative estimate), there would be 16 prospective incoming students a year, just from the BIS program at George Mason University. More likely the number would be 3 or 4 times larger, giving an intake pool of more than 50 applicants to draw from. It is also anticipated that the proposed MS in Computer Forensics will attract those students within the MS in Telecommunications program who elected to take the TFAS certificate within their TCOM program. Based on the strong demand for well qualified applicants in the area of computer forensics in the local, and nationwide, job market, it is confidently expected that the proposed program will attract at least 100 viable applicants a year by the end of the second year of the program. Program Administration The proposed MS in Computer Forensics will be offered within the Electrical and Computer Engineering (ECE) department of the Volgenau School of Information Technology and Engineering (VSITE). The MS in Telecommunications (TCOM) is one of the master’s degrees offered within the ECE department, and the TFAS certificate is one of two advanced certificates offered within the TCOM program. The following faculty members have been teaching courses in the TFAS certificate within the TCOM program over the past several years: Special Agent Robert Osgood (FBI) – Digital media forensics, network forensics, digital evidence, cyber crime Ms. Angela Orebaugh – Information security, intrusion detection, network forensics Dr. Aleksandar Lazarevich – Information security, digital evidence, computer and network forensics, advanced network security, basic switching lab Dr. Thomas Shackelford - Network engineering, Computer Security, Data Mining, Text Categorization, Insider Threat Detection, and Data Forensics In addition to faculty currently active in teaching within the TFAS certificate, the M.S. in Computer Forensics will operate under an Advisory Committee composed of the following members: 10 Dr. Andrzej Z. Manitius – Chair of the Electrical and Computer Engineering department Mathematics, Digital Signal Processing, Engineering Dr. Jeremy Allnutt – Professor in ECE and director of the TCOM program Telecommunications, Satellite Communications, Digital Communications Dr. Anne Marchant – Associate professor in CS Computer Crime, Forensics, Auditing, Ethics David D. Hwang – Assistant professor in ECE Cryptographic hardware, Embedded Security The advisory committee provides direction and management of the M.S. in Computer Forensics program and curriculum. Learning Outcomes and Assessment Graduates from the M.S. in Computer Forensics will demonstrate superior academic skills in computer forensics methods and practice. Students will have an understanding of the laws associated with computer forensics and be able to present digital evidence in a court of law. They will also be able to successfully seize, image, deconstruct, and analyze digital media, analyze logs, decipher network traffic, and report this information in a suitable format. They will be able to implement an intrusion detection system, construct signatures, and apply intrusion detection in the forensics area. Students will be able to apply their classroom learning in a variety of computer forensics positions in industry, government, and academia. They will also demonstrate a foundation for advanced research in the computer forensics field. As with all academic programs in George Mason University, assessment of student learning in the proposed M.S. in Computer Forensics will take place at the levels of the student, the course, and the program. Students will be assessed in a number of ways throughout the program. Scholarly ability will be evaluated through course grading in seminar-style classes. Oral, written, and analytical skills will be considered in course grading. The capstone class, CFRS 790, will assess the students overall learning with a project that consolidates the various courses in the curriculum. Course evaluations are conducted in every course in every term, providing the student’s perspective on course effectiveness. Overall, the program will be reviewed on the 6-year cycle typical of programs within the Volgenau school of Information Technology and Engineering. Program review takes place under the guidance of the Office of institutional Assessment and requires three semesters to complete. The outcomes of the process are a series of deliverables – a self-assessment report and academic plan written by program faculty and a report by a review team external to the program – and changes made to enhance the program. The Department of Electrical and computer Engineering is scheduled for review of its programs in 2008-09. 11 Benchmarks of Success The program’s goal is to train students to use their computer forensics knowledge and methods effectively in industry, government, or academic positions. Specific benchmarks for success will be based upon the program’s ability to attract high-quality applicants, the timely graduation of qualified students, and job market placement. Given the success of the TFAS certificate in the M.S. in Telecommunications program, which has been in place for a little over two years, it is anticipated that the Master’s Program in Computer Forensics will receive academically well-qualified applications for admission. The quality of applicants will be measured against comparable Master’s programs in Computer Forensics. Success must also be measured by the ways in which the program affects career trajectories and job mobility once a student has completed the program. The projected length of the program for a full-time student is two to three years. For part-time students, it is difficult to estimate completion time, but it is approximately three to five years, depending on the number of classes in which part-time students enroll each semester. Appendix B provides sample schedules for degree completion for both full and part time students. Follow-up surveys will evaluate the success of graduated students in the job market. It is expected that for individuals who enter the program from a career position, they will most likely derive the benefit of promotion upon completion of the Master’s. For students who desire to enter academia, relevant faculty will assist graduates with obtaining entrance into a doctoral program at an appropriate institution of higher learning. If program benchmarks are not achieved, the program faculty will examine its marketing and recruiting practices, admissions requirements, curriculum, instructional methods, advising practices, and course evaluations to determine necessary program modifications. It is anticipated that as the program continues, higher benchmarks in the areas of admission requirements and job placement will be developed and applied. Expansion of an Existing Program? The success of the Telecommunications Forensics and security (TFAS) certificate within the MS in Telecommunications program was the main stimulus for the development of a stand-alone MS in Computer Forensics degree program. The MS in Computer Forensics degree program is designed to both supersede, and enhance, the present course offerings in Forensics and Security within the MS in Telecommunications program. The modifications are designed to enhance the rigor of the forensics certificate. The MS in Computer Forensics is not offered in collaboration with external academic institutions. However, the School of IT&E proposes to collaborate with other programs at George Mason University, notably Sociology, Law, Computer Science, and Information Systems. As a result of approval of the proposed MS in Computer Forensics program, we will cease to offer the TFAS certificate. (Students currently registered for the TFAS certificate at the time of approval of the MS in Computer Forensics will be offered the opportunity of transferring to the MS in Computer Forensics, subject to a review of their individual progress to date, or to continue within the TFAS certificate program until they 12 graduate.) The Ms in Computer Forensics will therefore not entail the requirement for additional resources, but will constitute a reallocation of existing resources, within George Mason University. The Telecommunications Forensics and Security (TFAS) certificate is a 15-credit program designed to provide students with an in-depth understanding of forensics and security as they apply both to networks and digital storage media. The TFAS certificate was developed to provide a specific concentration area within the MS in telecommunications degree program. The TFAS certificate is the foundation of the proposed Master’s degree in Computer Forensics, with three TCOM courses within the TFAS degree specifically adapted for the proposed MS in Computer Forensics program. Details of the TFAS certificate can be found earlier in Table 3. Justification for the Proposed Program Response to Current Needs This section provides background information on the proposed program, a description of what is occurring in the field that warrants the proposed Masters in Computer Forensics program, and evidence that the Commonwealth of Virginia needs this program to address emerging current demands. It is anticipated that these needs will only expand in the future, leading to growth in the proposed program. What is Computer Forensics? Computer forensics is the collection (seizure), processing, and analysis of information that has either been transmitted or stored in digital form in such a way that this information (evidence) can be successfully admitted into a court of law. Computer forensics is interdisciplinary in nature with an emphasis on computer science, network engineering, telecommunications, law, and ethics. There are two main subsets to the field of computer forensics: (a) Digital media acquisition and analysis; and (b) Network traffic collection, reconstitution, and analysis. Although related to information security, computer forensics is a discipline unto itself. Who Utilizes Computer Forensics? Law enforcement utilizes computer forensics extensively in the investigation of all types of crimes that involve the sending or storing of digital information. Computer forensics has been successfully applied in so-called white collar crime that involves, amongst other things, computer intrusion, identity theft, and child pornography matters. It has also been used extensively in the investigation and prosecution of homicides, sexual exploitation, illegal drug distribution, and just about every other crime that you can think of. The search and seizure of 13 evidence almost always involves the investigation of digital storage media or digital network access either as the primary or secondary means for the commission of the suspected crime. The digital information can range from the SIM cards of cell phones to complex network instructions. Computer forensics is not for law enforcement alone. The private sector utilizes computer forensics extensively. In fact, computer forensics is an integral part of civil cases. Organizations also use computer forensics internally for quality control and investigative matters. With the advent of the Sarbanes-Oxley Act of 2002 making corporate executives personally responsible for the financial statements of the company, computer forensics is playing a crucial role in the identification and presentation of key information that executives need to effectively run and report operations.1 Why Computer Forensics? The design and development of digital media or digital networks requires a certain skill set that is taught in a number of programs, one of which is the current Masters in Telecommunications at George Mason University. However, when a security breach has occurred in the storage or transport of digital information, or has been suspected to have occurred, the examination of the digital media or digital networks for evidence of wrongdoing cannot be undertaken in a haphazard manner. For the information uncovered in the examination of digital media or digital networks to be admissible in a court of law, there are rigorous standards set, which must be followed exactly. The Masters in Computer Forensics program will offer to all those who take the program the policies, procedures, and techniques that can be applied across a myriad of situations. Whether it is the seizure of digital media in support of a criminal prosecution, civil dispute, or internal corporate matter, the tools and techniques that computer forensics offer are invaluable. These will be taught in the proposed Masters in Computer Forensics. Impact of the proposed Masters in Computer Forensics on the Commonwealth of Virginia? The Commonwealth of Virginia with its propinquity to the federal government, is the home of computer forensic programs of many federal agencies that include: the Federal Bureau of Investigation (FBI), Internal Revenue Service (IRS), United States State Department (USSD), United States Postal Service (USPS), Drug Enforcement Administration (DEA), and Defense Criminal Investigative Service (DCIS), just to name a few. Across the river in Washington D.C. you will find the computer forensic programs of the Department of Homeland Defense (DHS) and the United States Secret Service (USSS). On the state/local horizon, The Virginia State Police (VSP), the Fairfax County Police (FCP), Arlington County Police (ACP), Prince William County Police (PWCP), and other departments too numerous to mention have active computer forensics requirements that necessitate both internal and external programs of instructions for those employed by those agencies or forces. It is worth noting here that the Regional Computer Forensics Group holds its annual meeting at George Mason University every summer. Please 1 www.ijde.org, Patzakis, John, New Accounting Reform Laws Push For Technology-Based Document Retention Practices, International Journal of Digital Evidence, Spring 2003, Volume 2, Issue 1 14 visit http://rcfg.org for additional information. The most recent meeting was held from the 6th to the 10th of August, 2007. Corporate computer forensic presence in the Commonwealth include: Kroll Inc., MANDIANT, Deloitte Touch, BearingPoint, Northrop Grumman, and Booz Allen Hamilton, again just to name few. All of these organizations have both an internal instructional program and a requirement for more formal external instruction. The availability of a high quality Masters in Computer Forensics program at George Mason University will enable local branches of federal agencies, as well as the various departments and police forces in the State of Virginia, to send their officers and personnel for training in the formal requirements of digital media and network forensics procedures. The impact on the State of Virginia is expected to be very positive, both in the development of a cadre of forensics experts who can assist in crime prevention and prosecution, and in the overall reputation of the state for fostering such a program. Evidence for the need for Computer Forensics experts The Computer Security Institute, with the participation of the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad, produces an annual report on computer crime and information security titled: ―Computer Crime and Security Survey.‖ In this survey published each year for the last 11 years, the rising tide of virus attacks, unauthorized access, and theft of proprietary information (i.e., intellectual property) account for 74% of financial loss. In the most recently published (2006) survey, 313 respondents identified over $52 million in losses due to cyber crime. 50 percent of the survey respondents agreed with the statement ―compliance with the Sarbanes–Oxley Act has raised my organization’s level of interest in information security. 2 There is clearly a current demand for experts in Computer Forensics, both in the commercial and government (civilian and military) areas, and it is unlikely that this demand will decrease. If anything, it will grow rapidly over the foreseeable future, as evidenced by the effects of the Sarbanes–Oxley law. Computer forensics is a strong growth area. Historical aspects of the proposed Masters in Computer Forensics program The masters in computer Forensics program is not a spin-off degree program from another masters program. However, the proposal for the Masters in Computer Forensics program had its derivation in a concentration that is currently available in the Masters in Telecommunications program. This concentration is the Telecommunications Forensics and Security (TFAS) certificate that is a concentration requiring 15 credit hours to be taken within the 30-credit MS in Telecommunications program. The proposed MS in Computer Forensics program will expand upon the TFAS certificate, but it will not require the allocation of new resources to George Mason University. Details of the existing certificate program (TFAS) have been given earlier. 2 www.gocsi.com. 15 Table 3 showed the courses in the TFAS certificate and, by reference to Table 1, the ratio of new courses to be developed to existing can be seen to be less than 50%. Anticipated Student Demand` The first group of students who undertook the Telecommunications Forensics and security (TFAS) certificate within their MS in Telecommunications degree graduated in May 2006 with the second group following in May 2007. There were 9 students with TFAS certificates in both of these graduating classes of about 90 students. The current enrollments in the TFAS certificate are running at a little above this level (10%), and so it is anticipated that about a dozen students would graduate each year with their TFAS certificate within their MS in Telecommunications degree. All of the students who graduated were part-time students employed in the Northern Virginia region, almost all taking 6 credit hours each semester. They average time to graduation is therefore 30 months for the degree, giving a cadre of about 30 students who are engaged in elements of the TFAS certificate at any one time. It is anticipated that the emergence of the masters in computer forensics degree program will attract more students to the discipline, perhaps 40 to 50 students, with about double this number applying each year for entry. The majority of the current undergraduate students within the BSIT program at George Mason University have chosen to take the Information Security and Networking (ISN) concentration. If historical trends continue, in addition to those who have currently declared ISN as their major, more than half of the undeclared students will also elect the ISN concentration, yielding around 500 graduates a year in this concentration. The Survey Instrument given in Appendix E (pages E-1 and E-2) was posted on the web on Friday, October 5th, 2007. Within four days, about 150 responses had been logged into the web site (surveymonkey.com). The survey responses are shown on pages E-4 to E-9 in Appendix E. The responses were overwhelmingly positive, with about 90% of those responding showing a strong interest in such a program. If just 20% of those who responded positively were to sign up, there would be 30 students registering for the program. The vast majority of those who responded were: undergraduates who are currently in the BSIT program; currently living in Virginia; preferred to come to the Fairfax campus for the forensics program; and felt it would enhance their careers. It is anticipated that the demand for the TFAS certificate within the TCOM program will drop markedly when the proposed MS in Computer Forensics is offered, and an assessment will be carried out about two years after the MS in Computer Forensics has been running to see whether it is necessary to continue the TFAS certificate. When offered, classroom registration for GMU’s three computer forensic courses: TCOM 660 (Network Forensics), TCOM 661 (Digital Media Forensics), and TCOM 663 (Intrusion Detection and Forensics), averages 20 students per class per semester, indicating that the demand for these courses is higher than those who are just focusing on the TFAS certificate. It is very likely that students not in the proposed masters in computer forensics program, but who are pursuing a different master’s degree in VSITE, will take one or two courses in the computer forensics program as part of their master’s program. Most master’s level programs in the VSITE permit students to take up to 6 credit hours outside 16 of their stated master’s degree to gain additional insights into other career options. These 6 credit hours are usually referred to as ―out of area‖ courses. Anticipated Employment Demand As can be seen in the information provided in preceding sections and in Appendix D, there is expected to be a strong, and increasing, demand for graduates of the MS in Computer Forensics program by the large number of federal, state, and local government agencies situated in Virginia directly involved in the field of computer forensics, as well as private sector representation. The field of computer forensics is a thriving activity in commercial business affairs, Virginia State agencies and forces, and federal agencies and forces. As reported by about.com, a simple search on the text string (key phrase) computer forensics at Dice, a popular technical job bank, returned 145 jobs and consulting gigs. Monster.com, a popular job bank that lists jobs of many types, returned 199.3 NOTE: Employment advertisements must reflect information obtained within six months of submitting the proposal to SCHEV. SCHEV expects a PDF file of downloaded job announcements that show the URL and date. Job announcements must show that a degree (at the appropriate level) is required or preferred. See Appendix B for example. Print announcements from the Web; do not incorporate them in your document. The Office of the Provost will create the PDF. Below are examples of positions in the field of computer forensics4: Example #1 Company: Title: Date: Location: Position ID: Dice ID: DTI Global Director of Computer Forensics 7-20-2007 Washington, DC M-143 10121136 Job description: Document Technologies (DTI) is America's fastest growing document outsourcing company. We believe that we have achieved this success by providing our customers the highest level of quality and service. This reputation for quality and performance rests 100% on the efforts of our employees. 3 4 http://jobsearchtech.about.com/od/computerjob13/a/comp_forensics.htm All examples from www.dice.com 17 In order to continue our growth and success, we must constantly look to add high-caliber individuals to our team. If you have a "can do" attitude, together with a "client first" set of priorities, we guarantee that we have an opportunity for you. Please visit our website at www.dtiglobal.com for more information and other great job opportunities. We encourage diverse candidates to apply. Document Technologies Inc. is an equal opportunity/AA employer. DTI is seeking a candidate for the position of Director of Computer Forensics. The ideal candidate will possess a bachelor’s degree and have a minimum of five years of experience in the forensic sciences and a minimum of three years supervisory experience. Candidate must have effective organizational and communication skills. Customer Service experience in a businessto-business sales environment or print industry experience is a plus. Up to 40% travel required. Summary of responsibilities Develop, maintain, implement and manage the regional strategic goals and departmental standards. Implement high level and ground level management of all regional projects. This includes sales strategy, and project management. Provide testing and validation of all hardware and software. Lead licensing initiatives to legalize the department’s software licensing requirements. Lead and assist with the creation, maintenance and implementation of the department’s documentation store and master library. Serve as regional lead on all forensic projects and functionally participate in project meetings. Develop procurement and funding sources to initiate new technology and maintain good vendor relations. Implement global training for all internal employees. As well as lead an initiative to provide profession forensic training to colleagues and peers. Incumbent is responsible for creating and maintaining a collaborative work environment with the other regional directors and VP of Technology. The idea candidate must be willing to accept 30-40% travel. Requirements and preferred skills: 18 Bachelors Degree in Computer Science or related area of study. Experience with networking environments including Novell and Microsoft Windows NT. Professional training of computer investigation techniques, application, and legal aspects is highly desired. Ability to independently conduct comprehensive analysis in all types of forensic microcomputer and computer media searches and examinations. Knowledge of computer science and laws related to computer evidence recovery as well as procedures for the collection, preservation and presentation of computer evidence. Skilled in the application of computer science to recover data which has been deleted/erased, fragmented, hidden, or encrypted from data storage devices. Demonstrated ability to evaluate and maintain hardware and software necessary for the performance of computer related investigations. Ongoing knowledge of state-of-the-art computer hardware and software technology which impact computer related investigations. Ability to communicate effectively, orally and in writing. Flexibility to accommodate 24/7 availability to respond to crime scenes to assist in identifying, securing, documenting, and seizing high technology evidence. Membership in a least one Professional Computer Forensic group. Experience speaking at forensic conferences preferred Private Investigators license preferred Expert witness certification in either Federal or State court MCSE, CCNA, CCE, or similar certification Law Enforcement, FBI or Military forensic experience Must be willing to complete background check including; criminal, driving, credit history, as well as drug test before hire. Example #2 Company: 19 Neohapsis Title: Date: Location: Position ID: Dice ID: Senior Security Consultant- Digital Forensics 7-26-2007 Chicago, IL Forensics RTL403829 Job description: Basic Function: Perform computer forensics services for clients Responsibilities: -Support sales personnel in communicating with clients to determine engagement scope -Preserve, capture, and perform thorough forensic examinations on digital evidence while following proper evidence custody and control procedures; document processes and results in a manner suitable for admissibility as evidence -Evaluate litigation discovery demands and other experts** reports and assist clients in drafting discovery demands and responses -Participate in and manage teams providing on-call and on-site incident response services -Evaluate and develop clients** incident response programs, policies, and procedures; provide first responder and incident response training -Prepare clear, comprehensive, and timely written reports and affidavits -Maintain frequent communication with clients to provide work-in-progress updates -Testify as expert witness Other -Maintain proficiency in the current forensic industry standards and methodologies and technology frameworks; provide SME briefings to sales and consulting personnel -Perform rigorous, documented testing of third-party forensic tools to assess accuracy of results -Contribute to continuous enhancement of Neohapsis consulting methodologies -Draft articles and participate as speaker in conferences Required Qualifications 20 Technical -Knowledge of computer forensics software, hardware, and methodologies, including use of tools such as FTK, EnCase and Paraben -Extensive hands-on experience with various electronic storage devices -Understanding of network architectures and e-mail systems Professional -Understanding of principles of forensic integrity in information acquisition, analysis, and reporting -Ability to adhere to requirements for maintaining client confidentiality, attorney-client privilege, and work-product privilege -Excellent oral and written communication skills; ability to explain highly technical concepts in concise, lay terms -Strong analytical and organizational skills -Self-starter with ability to work independently or in teams -Sound judgment and ability to handle conflict and ethical issues professionally and proactively and escalate appropriately -Ability to work flexible and extended hours -Suitable background history Certifications (preferred, but may be obtained post-employment) -EnCase(r) Certified Examiner (EnCE*) -AccessData Certified Examiner (ACE) -Certified Computer Examiner (CCE*) Other Qualifications (preferred) -Previous qualification as expert witness or other testimonial experience -Civil or criminal investigations, corporate internal investigations, or litigation-related experience -CSIRT experience 21 -Understanding of intrusion detection systems (IDS) -Experience in identifying full magnetic stripe data, PIN blocks, and CW2 -Experience in developing code or scripts for analyzing large volumes of forensic data Education Requirements -B.A./B.S. or a technical school certificate in science-related areas or 5+ years relevant experience Example #3 Company: Title: Date: Location: Position ID: Dice ID: ONSITE3 Senior Forensics Analyst 7-29-2007 Los Angeles, CA 0011004DIC 1012303 Job description: Join our dynamic company, a lead provider of litigation services in the United States and abroad. Servicing over 1500 clients and corporations, including a majority of the AmLaw 200 index of top law firms in the U.S. we provide digital imaging, electronic data discovery, computer forensics, coding, litigation copying, digital and offset printing services. Why ONSITE3? ONSITE3 is an exciting and growing company that thrives on the latest and greatest in an everchanging world of technology and can offer you a rewarding career. Electronic Evidence Labs a Division of ONSITE3 is looking for a Computer Forensic Analyst to work in our lab in Los Angeles, CA. The Computer Forensics Analyst should have solid experience in conducting computer forensic analysis and will be gaining experience in certain aspects of computer forensics such as affidavit and report writing, working with customers, project managers and other personnel. This position is geared toward gaining experience in all facets of computer forensics work. Responsibilities will include: Becoming knowledgeable and proficient at onsite data captures, data recovery, 22 forensic analysis, documentation, report writing, technical support, affidavits, depositions and court testimony, as needed. Providing effective Computer Forensic solutions following accepted protocols, processes, and Chain of Custody. Conducting effective Computer Forensic work using established tools and techniques or by researching and becoming proficient in the use of new techniques. Providing effective professional communication with customers through all forms of communication. Providing a high level of customer service and technical support as needed. Learning the proper methods and techniques used for conducting forensic investigations. Business travel required at times to conduct onsite data collections, depositions, testimony preparation, and appearances in court. Hands-on experience EnCase, FTK, Paraben and other 3rd party software Understanding of Network Architectures Good Report/Affidavit drafting skills Excellent communication and organizational skills Bachelor's degree (B.A. / B.S.) from a four-year college or university, or a technical school certificate in science related areas, or 5+ year's relevant experience, or equivalent combination of education and experience. Our company offers competitive salary, excellent benefits and unlimited potential for growth in a high-speed work environment. Onsite is committed to providing a safe and healthy work environment therefore enforces a drug free workplace policy. Duplication of the Proposed MS in Computer Forensics at other Virginia State Universities There are currently no Commonwealth universities that offer a Master of Science in Computer Forensics. George Washington University currently offers a Master of Forensic Sciences with a Concentration in High Technology Crime Investigation with approximately 80 students enrolled. As a result of the lack of computer forensics programs in the Commonwealth of Virginia, GMU’s program in not duplicative. 23 Letters of Support for the Proposed MS in Computer Forensics Letters of support were received from the following individuals. Their letters have been copied and place as attachments to this Proposal. NOTE: Letters must be signed and on letterhead. 1. Individual 1 Mr. Lam D. Nguyen Director, Boston computer forensics lab Stroz Friedberg, LLC 160 federal street, Suite 901 Boston, MA 02110 2. Individual 2 Ms. Sandra E. Ring Pikewerks Corporation 105 A Church Street, Madison, AL 35758 3. 4. Individual 3 5. Individual 4 6. Individual 5 [JEA has contact Jim Burrell to see if he has come contacts who would be willing to support the CpFRS program: Bob and Angela will also come up with some names for me to contact (or for them to contact, whichever is the best approach. I also asked Tom Shackelford to find someone to help in this] 24 What is the estimated headcount and FTE (full-time equivalent) students, including sources for the projection? With the assistance of the institution’s planning or Institutional Research office, complete and attach the “Summary of Projected Enrollments in Proposed Program.” Based on current enrollment in computer forensic courses as well as students obtaining the certificates in Telecommunications Forensics and Security (TFAS), it is estimated that initial enrollment in the program is 20 students FTE. (See section V for summary of projected enrollments in proposed program.) 25 The estimated headcount and FTE (full-time equivalent) students, including sources for the projection. With the assistance of the institution’s planning or Institutional Research office, complete the Summary of Projected Enrollments in Proposed Program.‖ Contact Renate Guilford (rguilfor@gmu.edu) for helping in completing the table below. ______________________________________________________________________________ STATE COUNCIL OF HIGHER EDUCATION FOR VIRGINIA SUMMARY OF PROJECTED ENROLLMENTS IN PROPOSED PROGRAM Projected enrollment: Year 1 Year 2 Year 3 Year 4 Target Year 20__ - 20__ 20__- 20__ 20__- 20__ 20__- 20__ 20__- 20__ HDCT FTES HDCT FTES HDCT FTES HDCT FTES HDCT FTES GRAD Duplication Include evidence that the proposed program is not unnecessarily duplicative of programs at other institutions in Virginia. Describe how the proposed program is similar to and different from other programs in this discipline in the region or state. Discuss the number of such programs in the state, the average number of students enrolled (headcount), and the average number of graduates over the past five years. Go to http://research.schev.edu/enrollment/programmaticenrollment.asp for headcounts and numbers of graduates in comparable programs. Projected Resource Needs In a narrative, describe the available and additional program resources anticipated in the following categories, explaining the need to operate the program: As you describe resources, you should also indicate their source. For example, ―The dean of the college has committed to providing the program with one new tenure-track faculty line for 2008-09,‖ or ―The provost provides each new Ph.D. program with a three-year Presidential Scholar’s Award.‖ Full-time Faculty You’ve described in a previous section the faculty who will be assigned to the program. This is where you indicate the FTE of full-time faculty necessary for teaching, advising, and directing 26 the program. See Appendix D for assumptions about resources, including teaching load per student FTE. Part-time Faculty from Other Academic Units This is a SCHEV-created category intended to quantify the effort from full-time faculty from outside the unit. Adjunct Faculty Graduate Assistants Classified Positions Targeted Financial Aid Equipment Library Telecommunications SCHEV wants to know about requirements for new telephone service for faculty, staff, and students. Space Other Resources 27 Once you describe the resources you’ll need, see Wendy for assistance in developing the charts for Parts Band C below. Appendix D provides the assumptions used for completing the charts. ______________________________________________________________________________ PROJECTED RESOURCE NEEDS FOR PROPOSED PROGRAM Part A: Answer the following questions about general budget information. Has or will the institution submit an addendum budget request to cover one-time costs? Has or will the institution submit an addendum budget request to cover operating costs? Will there be any operating budget requests for this program that would exceed normal operating budget guidelines (for example, unusual faculty mix, faculty salaries, or resources)? Will each type of space for the proposed program be within projected guidelines? Will a capital outlay request in support of this program be forthcoming? Yes No x Yes No x Yes No x Yes x Yes No Part B: Fill in the number of FTE positions needed for the program. Program initiation year 20__ - 20__ Ongoing and reallocated Added (new) Total expected by target enrollment year 20__ - 20__ Added* Total FTE positions Full-time faculty 0.00 0.00 0.00 0.00 Part-time faculty [faculty FTE split with other unit(s)] 0.00 0.00 0.00 0.00 Adjunct faculty 0.00 0.00 0.00 0.00 Graduate assistants 0.00 0.00 0.00 0.00 Classified positions 0.00 0.00 0.00 0.00 TOTAL 0.00 0.00 0.00 0.00 *Added after the program initiation year 28 No x Part C: Estimated $$ resources to initiate and operate the program. Total expected by target enrollment year 20__ - 20__ Program initiation year 20__ - 20__ Ongoing and reallocated Added (new) Full-time faculty salaries $ fringe benefits $ Part-time faculty [faculty FTE split with other unit(s)] salaries $ fringe benefits $ Adjunct faculty salaries $ fringe benefits $ Graduate assistants salaries $ fringe benefits $ Classified positions salaries $ fringe benefits $ Total personnel costs salaries $ fringe benefits $ TOTAL personnel costs $ Equipment $ Library $ Telecommunication costs $ Other costs (specify) $ TOTAL $ Total resources Added* $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ *Added after program initiation year Part D: Certification Statement(s) The institution will require additional state funding to initiate and sustain this program. Yes Signature of Chief Academic Officer x No Signature of Chief Academic Officer If “no,” please complete Items 1, 2, and 3 below. 29 1. Estimated $$ and funding source to initiate and operate the program. Funding Source Reallocation within the department or school (Note below Program initiation year 20__- 20__ Target enrollment year 20__ - 20__ the impact this will have within the school or department.) Reallocation within the institution (Note below the impact this will have within the school or department.) Other funding sources (Please specify and note if these are currently available or anticipated.) 2. Statement of Impact/Other Funding Sources. 3. Secondary Certification. If resources are reallocated from another unit to support this proposal, the institution will not subsequently request additional state funding to restore those resources for their original purpose. x Agree Signature of Chief Academic Officer Disagree Signature of Chief Academic Officer 30 APPENDIX A Course Descriptions (a) Basic Catalog descriptions CFRS 500* Intro to Technologies of Forensics Value This course will present an overview of technologies of interest to forensics examiners. It will provide an introduction to operating systems, software, and hardware. ISA 562 Information Security Theory and Practice This course is a broad introduction to the theory and practice of information security. It serves as the first security course for the MS-ISA degree and is required as a prerequisite for all subsequent ISA courses (at the 600 and 700 levels). It also serves as an entry-level course available to non-ISA students, including MS-CS, MS-ISE, and MS-SWE students. CFRS 660 (Currently TCOM 660) Network Forensics This course deals with the collection, preservation, and analysis of network generated digital evidence such that this evidence can be successfully presented in a court of law (both civil and criminal). The relevant federal laws will be examined as well as private sector applications. The capture/intercept of digital evidence, the analysis of audit trails, the recordation of running processes, and the reporting of such information will be examined. CFRS 661 (Currently TCOM 661) Digital Media Forensics This course deals with the collection, preservation, and analysis of digital media such that this evidence can be successfully presented in a court of law (both civil and criminal). The relevant federal laws will be examined as well as private sector applications. The seizure, preservation, and analysis of digital media will be examined in this course. CFRS 663 (Currently TCOM 663) Operations of Intrusion Detection for Forensics Introduces students to network and computer intrusion detection and its relation to forensics. It addresses intrusion detection architecture, system types, packet analysis, and products. It also presents advanced intrusion detection topics such as intrusion prevention and active response, decoy systems, alert correlation, data mining, and proactive forensics. CFRS 760* Legal and Ethics in IT This course will present legal and ethics topics in a forensics context. It will include cyber legal principles and types of crimes, witness testimony, and forensics report writing. A-1 CFRS 770* Fraud and Forensics in Accounting This course will present an overview of fraud discovered in digital accounting systems and the forensics of such systems. CFRS 780* Advanced Topics Course Advanced topics from recent developments and applications in various areas of computer forensics are covered in this course. The advanced topics are chosen in such a way that they do not duplicate existing CFRS courses. Active participation of the students is encouraged in the form of writing and presenting papers in various research areas of the advanced topic. The course is designed to enhance the professional engineering community’s understanding of breakthrough developments in specific areas of computer forensics. Examples of topics are enterprise hardware systems and RAID, steganography, and cell phone and personal digital assistant (PDA) forensics. CFRS 790* Advanced Computer Forensics This course will be a capstone course that consolidates training before graduation and results in the completion of a major applied project. Some class time used for discussion of projects, either to monitor progress or explore alternative approaches. Readings, class-time discussion of current trends, difficulties, and new opportunities for industry most relevant to module. Concludes with presentations of projects. TCOM 662 Advanced Secure Networking This course deals with the advanced technologies in network security that can be applied to enhance enterprise and ISP’s network security. It covers the network perimeter defense concept and the various components for a complete layered defense system. It examines each component and its technologies, including TCP/IP protocol vulnerabilities, router access control list (ACL), dynamic ACL, firewall, network address translation (NAT), virtual private network (VPN), IPSec tunnels, intrusion detection system (IDS), routing protocol security, denial-of-service (DOS) attack, DOS detection and mitigation techniques. ECE 646 Cryptography and Computer-Network Security Topics include need for security services in computer networks, basic concepts of cryptology, historical ciphers, modern symmetric ciphers, public key cryptography (RSA, elliptic curve cryptosystems), efficient hardware and software implementations of cryptographic primitives, requirements for implementation of cryptographic modules, data integrity and authentication, digital signature schemes, key exchange and key management, standard protocols for secure mail, www and electronic payments, security aspects of mobile communications, key escrow schemes, zero-knowledge identification schemes, Smart cards, quantum cryptography, and quantum computing. A-2 LAW 181 Communications Law A treatment of basic telecommunications law, policy, and regulation. SOCI 607 Criminology Crime and crime causation. Topics include social basis of law, administration of justice, and control and prevention of crime. (b) Detailed Course Descriptions ISA 562 A-3 Information Security Theory and Practice SCHOOL PROPOSAL TO THE GRADUATE COUNCIL BY SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING 1. CATALOG DESCRIPTION a) CFRS 500 Intro to Technologies of Forensics Value (3:3:0) b) Prerequisites: Graduate standing c) Catalog Description: Presents an overview of technologies of interest to forensics examiners. It will provide an introduction to operating systems, software, and hardware. 2. JUSTIFICATION (a) Course Objectives: At the conclusion of this course, the student will have a foundation in the technical concepts underlying the computer forensics field. Students will understand information storage, the internals of several major operating systems and their associated file systems, different types of software of forensic value, and will be introduced to forensics tools and concepts. (b) Course Necessity: This course will ensure that students have a sufficient technical foundation to take more technical courses in the program (CFRS 660, CFRS 661). (c) Relationship to Existing Courses: This is a new course in the CFRS MS program. It will be a required, first course in the program. 3. APPROVAL HISTORY ECE Department Date: IT&E Graduate Committee Date: IT&E Dean Date: 4. SCHEDULING Every semester, starting fall 2009. Proposed Instructors: Dr. Anne Marchant, Dr. Jeremy Allnutt, Mr. Robert Osgood, and other suitably qualified faculty. 5. COURSE OUTLINE (a) Syllabus Week 1 Course overview: Introduction to the course. Overview of computer hardware and different types of systems. A-4 Week 2 Information Storage and Media. Number systems and representation of information. Hashes. Magnetic and optical media, flash drives, RAID arrays. Week 3 Operating Systems. Overview of basic principles with an emphasis on file handling, memory management, security, and distributed systems. Week 4 Windows Operating System internals. Registry, ports and services, Recycle Bin, System Restore. Week 5 Windows File Systems and permissions. Week 6 Posix based Operating Systems. Week 7 Posix based File Systems and permissions. Week 8 Course review; Mid-term exam Week 9 Imaging and Analysis tools. FTK, Encase, dd, Knoppix, Win Hex Week 10 Internet history, Registry Analysis, Exif Data. Week 11 Applications of Encryption Technology. Password cracking, BitLocker Week 12 Email and Packet sniffing Week 13 Logging and Scripting Week 14 Specialized Operating Systems (handhelds, phones, and other devices). Week 15 Final exam A-5 (b) Required Reading and Reference Material D. Farmer, W. Venema, Forensic Discovery, Addison Wesley, 2005. B. Carrier, File System Forensic Analysis, Addison Wesley, 2005. S. Anson, S. Bunting, Windows Network Forensics and Investigations, Sybex, 2007. (c) Student Evaluation Criteria Mid-term: 25% Hands-on assignments: 25% Jump kit: 20% Final: 30% Hands-on assignments with freeware tools will allow students to experiment with disk images, hashes, registry examination, password cracking, packet sniffing, and some simple scripting. Students will design their own ―jump kit‖ of computer forensics tools as a class project. A-6 CFRS 660 will be submitted for approval as a cross-listed course with TCOM 660. There will be no change to the syllabus from that in TCOM 660. SCHOOL PROPOSAL TO THE GRADUATE COUNCIL BY SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING 1. CATALOG DESCRIPTION (a) CFRS 660 Network Forensics (3:3:0) (b) Prerequisites: TCOM 509 and TCOM 529 and a working knowledge of computer programming (a) Catalog Description: Deals with the collection, preservation, and analysis of network generated digital evidence such that this evidence can be successfully presented in a court of law (both civil and criminal). The relevant federal laws will be examined as well as private sector applications. The capture/intercept of digital evidence, the analysis of audit trails, the recordation of running processes, and the reporting of such information will be examined. 2. JUSTIFICATION (d) Course Objectives: At the conclusion of this course, the student will have learned the laws, concepts, tools, and methodologies necessary to collect, preserve, analyze, and present network digital evidence in a court of law. The student will be able to successfully analyze logs, decipher network traffic, and report this information in a suitable format. (e) Course Necessity: Since the explosion of the Internet with the World Wide Web, our increasingly internetwork-dependent society has been under attack by those who would subvert the Internet for political, economic, and/or personal gain. The field of network forensics represents how intercepted digital evidence is used to document, identify, and successfully prosecute those who would exploit computer networks. Viruses, trojans, worms, root kits, buffer overflows, and other malicious code permeate society, and network forensics provides the tools and techniques to determine and document what happened. (f) Relationship to Existing Courses: This is a new course in the TCOM program that has been designed to provide a body of knowledge that is directly applicable to the needs of the telecommunications industry. It builds on other courses within the program (TCOM 501/502, TCOM 509, TCOM 548/556, and TCOM 562) with the goal of applying network-engineering skills to the field of network forensics. This course will work hand in hand with the new course TCOM 661 Digital Media Forensics that will be offered in alternating semesters. It will also be a complementary course to another new course, TCOM 662 Network Security Issues, and related courses in INFS. A-7 3. APPROVAL HISTORY ECE Department Date: (TCOM 660 October 18th, 2004) IT&E Graduate Committee Date: (TCOM 660 October 21st, 2004) IT&E Dean Date: (TCOM 660 November 2004) 4. SCHEDULING Every fall and spring semester, starting fall 2009. Proposed Instructors: Angela Orebaugh, Aleks Lazarevich, Tom Shackelford, Robert Osgood, Jeremy Allnutt, and other suitably qualified faculty. 6. COURSE OUTLINE (a) Syllabus Week 1 Course overview: Introduction to the course and review of TCP/IP and Ethernet and aspects required for network forensic analysis Week 2 Presentation of Federal Laws: Federal laws pertaining to the interception of digital evidence will be presented as they pertain to network forensics Week 3 Intrusion methodologies: network vulnerabilities and likely attack points will be presented Week 4 Network data collection devices. The role routers, firewalls, intrusion detection systems, together with access control systems will be presented. Week 5 Log collection and analysis WINTEL: Week 6 Log collection and analysis WINTEL (contd.): Week 7 Course review; Mid-term exam Week 8 Log collection and analysis Unix/Linux Week 9 Log collection and analysis Unix/Linux (contd.) A-8 Week 10 Using PERL to analyze log information Week 11 Collection of online processes WINTEL Week 12 Collection of online processes UNIX/LINUX Week 13 Interception of digital evidence: Techniques for the interception of digital evidence (Ethereal, Snoop, Etherpeek) Week 14 Writing computer forensics reports Week 15 Final exam (b) Required Reading and Reference Material ‖Incident response & computer forensics‖, second edition, Kevin Mandia, Chris Prosise, and Matt Pepe, McGraw Hill, ISBN# 0-07-222696-X Reading assignments from the Web include the following sites: www.house.gov www.cert.org www.cisco.com www.ethereal.com www.perl.org www.foundstone.com Suggested supplementary material includes: ―PERL by Example‖, Ellie Quigley, Prentice Hall PTR, ISBN 0-13-655689-2 (c) Student Evaluation Criteria A-9 Mid-term: 35% Project: 30% Final: 35% CFRS 661 will be submitted for approval as a cross-listed course with TCOM 661. There will be no change to the syllabus from that in TCOM 661. SCHOOL PROPOSAL TO THE GRADUATE COUNCIL BY SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING 1. CATALOG DESCRIPTION (a) CFRS 661 Digital Media Forensics (3:3:0) (b) Prerequisites: TCOM 548 & TCOM 556 or TCOM 562; a working knowledge of computer operating systems (e.g. CS 471 or equivalent), or permission from instructor (c) Catalog Description: Deals with the collection, preservation, and analysis of digital media such that this evidence can be successfully presented in a court of law (both civil and criminal). The relevant federal laws will be examined as well as private sector applications. The seizure, preservation, and analysis of digital media will be examined in this course. 2. JUSTIFICATION (d) Course Objectives: At the conclusion of this course, the student will have learned the laws, concepts, tools, and methodologies necessary to seize, preserve, analyze, and present digital media evidence in a court of law. The student will have an understanding of: the processes required for conducting digital media analysis; federal laws governing the seizure of digital evidence, software and hardware, file system structures, and steganography (digital watermarking). (e) Course Necessity: Computers permeate our lives and our lives are recorded on computers, however, most computer storage media are volatile and, as such, they can be changed and altered intentionally as well as unintentionally. Digital media forensics is a discipline whose goal is to preserve information (evidence) on digital media in such a way that this evidence can be successfully admitted into a court of law. In both the public and private sectors, digital media forensics is being applied to a broad range of issues to include: due diligence, intellectual property rights issues, and high technology as well as more mundane criminal matters. (f) Relationship to Existing Courses: This is a new course in the TCOM program that has been designed to provide a body of knowledge that is directly applicable to forensic activities in the telecommunications industry. It builds on other courses within the TCOM program (TCOM 548/556, and TCOM 562) with the goal of applying engineering skills to the field of computer forensics. This course will work hand in hand with two proposed new courses, TCOM 661, Network Forensics (that will be offered in alternating semesters) and TCOM 662, Network Security Issues, plus related course in INFS. A-10 3. APPROVAL HISTORY ECE Department Date: (TCOM 661 October 18th, 2004) IT&E Graduate Committee Date: (TCOM 661 October 21st, 2004) IT&E Dean Date: (TCOM 661 November 2004) 4. SCHEDULING Every fall and spring semester, starting fall 2009. Proposed Instructors: Angela Orebaugh, Aleks Lazarevich, Tom Shackelford, Robert Osgood, Jeremy Allnutt, and other suitably qualified faculty 5. COURSE OUTLINE (a) Syllabus Week 1 Course overview: Introduction to the course and the concept of seizure and preservation of stored data Week 2 Presentation of Federal Laws: Federal laws pertaining to the seizure of digital evidence, particularly in stored media Week 3 Documentation requirements: Procedures for ensuring accurate documentation of the storage medium under investigation Week 4 Operating System environments: WINTEL file system structures Week 5 Operating System environments: UNIX/LINUX file system structure Week 6 Storage media structure analysis (fixed) Week 7 Storage media structure analysis (removable devices) Week 8 Course review; Mid-term exam Week 9 Write protection A-11 Week 10 Imaging WINTEL Week 11 Imaging UNIX/LINUX/Solaris Week 12 Detailed storage investigations: Logical files, deleted files, slack space, free space, and unallocated space Week 13 RAID devices Week 14 Quality control: Steganography; Commercial tools used in digital media forensics Week 15 Final exam (b) Required Reading and Reference Material: Guide to Computer Forensics and Investigations; Bill Nelson, Amelia Phillips, Frank Enfinger, Chris Steuart; Thomson Course Technology; ISBN: 0-61913120-9 Reading assignments from the Web include the following sites: www.house.gov www.microsoft.com www.sun.com www.foundstone.com (c) Student Evaluation Criteria . A-12 Mid-term: 35% Project: 30% Final: 35% CFRS 662 will be submitted for approval as a cross-listed course with TCOM 662. There will be no change to the syllabus from that in TCOM 662. SCHOOL PROPOSAL TO THE GRADUATE COUNCIL BY SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING 1. CATALOG DESCRIPTION (a) TCOM 662 Advanced Secure Networking (3:3:0) (b) Prerequisites: TCOM 509 (TCP/IP) and TCOM562 (network Security Fundamental) and a working knowledge of network routing protocols (c) Catalog Description: This course deals with the advanced technologies in network security that can be applied to enhance enterprise and ISP’s network security. It covers the network perimeter defense concept and the various components for a complete layered defense system. It examines each component and its technologies, including TCP/IP protocol vulnerabilities, router access control list (ACL), dynamic ACL, firewall, network address translation (NAT), virtual private network (VPN), IPSec tunnels, intrusion detection system (IDS), routing protocol security, denial-ofservice (DOS) attack, DOS detection and mitigation techniques. 2. JUSTIFICATION (d) Course Objectives: At the conclusion of this course, the student will have learned the concept of perimeter security, the components of a layer defense system, and the skills to apply these techniques to design and to implement real-world network security. It provides students with the opportunity to understand all potential network vulnerabilities, the ability to examine and compare technologies that enhance the network defense, and to evaluate evolving new standards and procedures. (e) Course Necessity: Since the explosion of the Internet with the World Wide Web, our increasingly internetwork-dependent society has been under attack by those who would subvert the Internet for political, economic, and/or personal gain. The field of network security represents the defense components to prevent, detect, analyze, and mitigate these attacks. New technologies emerge and new standards are being proposed to defend against these constantly changing attack procedures. This course will provide students with an understanding of the current state-of-art in network security as well as the ability to examine and study emerging defense procedures and new standards. (f) Relationship to Existing Courses: This is a new course in the TCOM program that has been designed to provide a body of knowledge that is directly applicable to the needs of the telecommunications industry. It builds on other courses within the program (TCOM 501/502, TCOM 509/519, TCOM 548/556, and TCOM 562) with the goal of applying network-engineering skills to the field of network security and attack forensics. This course will work on the base of TCOM 562 and work hand in hand with proposed new forensics courses TCOM 660 and TCOM 661 as part A-13 of core courses within a network forensics and security certificate. Since it mostly deals with network devices, routing protocols security and the routing techniques instead of applications and servers, it will not significantly overlap, but be complementary to, courses currently offered in Information Systems in the security assurance area. 3. APPROVAL HISTORY ECE Department Date: (TCOM 662 October 18th, 2004) IT&E Graduate Committee Date: (TCOM 662 October 21st, 2004) IT&E Dean Date: (TCOM November 2004) 4. SCHEDULING Every spring semester, starting spring 2005 and every spring thereafter. Proposed Instructors: Dr. Jeremy Allnutt, Dr. Yunqing Wu, Dr. Aleks Lazarevich, Mr. Scott Robohn and other suitably qualified faculty. 7. COURSE OUTLINE (a) Syllabus Week 1 Course overview: Introduction to the course and review of TCP/IP; TCP/IP protocol vulnerabilities, review of general attack, defense techniques and recent trends. Project discussion Week 2 Perimeter security and layered defense model, router ACL: perimeter security model, each components of layered defense system, first layer of defense: perimeter router, router access control list (ACL), Cisco router ACL configurations and router ACL defense case study Week 3 Advanced filtering and deep packet scan: communication states, stateful filtering, dynamic ACL, reflexive ACL, content-based ACL, deep packet scan Week 4 Firewall and NAT/PAT: The role of firewall, different type of firewalls, network address translation (NAT), port address translation (PAT), firewall case study, PIX firewall and enterprise network security case study Course project initiated Week 5 VPN and IPSec tunnels: VPN concept, different types of VPN, remote access VPN, GRE tunnels, MPLS layer 2 and Layer 4 VPN, review of public vs. private key encryption techniques, IPSec VPN A-14 Week 6 IPSec VPN and enterprise network security case study: continued IPSec VPN discussion, Cisco configuration, enterprise network layered defense case study Week 7 Intrusion detection system (IDS) and mid-term review: IDS introduction, IDS types: host-based IDS and network-based IDS, IDS architecture, IDS roles, mid-term examination review Week 8 Mid-term examination and project progress discussion Week 9 IDS continued: Snort system: Snort architecture, preprocessors, Snort rule set, snort deployment, example rules, Snort enhancement and other post Snort projects Week 10 Router security and routing protocol security: role of router, router hardening, routing protocol security: EIGRP, OSPF, BGP, BGP with MD5 and other BGP security proposals (sBGP, soBGP, TTL hack etc) Week 11 Router security continued and ISP packet filtering: protecting routing engine: Cisco rACL and Juniper firewall rules, BGP TTL hack, dynamic ACL filtering and routmap, anti-spoofing ACL, RPF (Reverse path forwarding) and uRPF (unicast reverse path forwarding) Week 12 ISP network security and DOS attack: DOS attack, different types of DOS attack, DDOS (Distributed Denial-of-services), ISP security response procedure, typical ISP attack identification and classification techniques, classification ACL, blackhole filtering Student projects due Week 13 DOS attack detection and mitigation: remotely triggered blackhole filtering, sink hole network, backscatter traceback techniques, netflow traceback, BGP policy accounting traceback, DOS mitigation: ACL, uRPF, CAR (committed access rate) and blackhole filtering Week 14 Special topics in network security, project discussion, and final exam review: homenetwork security, wireless network security, VoIP security, email anti-spamming, selected project discussion, and final review A-15 Week 15 Final exam (b) Required Reading and Reference Material Mandatory textbook: o Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPN's), Routers, and Intrusion Detection Systems, Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Kent Frederick, et al., New Riders Publishing, Paperback, Published June 2002, 678 pages, ISBN 0735712328 Reference books: o Hacker's Challenge 2: Test Your Network Security & Forensic Skills, McGrawHill Osborne Media; 2nd edition (December 18, 2002), ISBN: 0072226307 o Hacking Exposed: Network Security Secrets & Solutions, 4th Ed, Stuart McClure, Joel Scambray, McGraw Hill, Paperback, 4th edition, Published February 2003, 768 pages, ISBN 0072227427 o Secrets and Lies: Digital Security in a Networked World, Bruce Schneier Wiley, Hardcover, Published August 2000, 412 pages, ISBN 0471253111 o CCIE Professional Development: Network Security Principles and Practices, Saadat Malik, Cisco Press, Hardcover, Published November 2002, 774 pages, ISBN 1587050250 Online Resources: o http://cert.org o http://www.sans.org o http://www.insecure.org o http://www.snort.org o http://www.ietf.org (c) Student Evaluation Criteria Mid-term: Project: Final: A-16 35% 30% 35% CFRS 663 will be submitted for approval as a cross-listed course with TCOM 663. There will be no change to the syllabus from that in TCOM 663. SCHOOL PROPOSAL TO THE GRADUATE COUNCIL BY SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING 1. CATALOG DESCRIPTION (a) TCOM 663 Operations of Intrusion Detection for Forensics (3:3:0) (b) Prerequisites: TCOM 509 and TCOM 529 and a working knowledge of computer programming (c) Catalog Description: Introduces students to network and computer intrusion detection and its relation to forensics. It addresses intrusion detection architecture, system types, packet analysis, and products. It also presents advanced intrusion detection topics such as intrusion prevention and active response, decoy systems, alert correlation, data mining, and proactive forensics. 2. JUSTIFICATION (d) Course Objective: At the conclusion of this course the student will have learned why and how intrusion detection systems are used and how they are applied in the forensics area. The student will also know how to implement an intrusion detection system, analyze packets, and construct signatures. The student will also have advanced knowledge of prevention and response technologies and other leading areas of research in intrusion detection and forensics. (e) Course Necessity: The field of intrusion detection has seen a lot of changes over the last few years. Symantec's March 2005 bi-annual report stated that security incidents per day have risen from 10.6 in early 2004 to 13.6 in 2005. The increase in the volume and sophistication of attacks, increases in network bandwidth, and the migration from network-based to application-based attacks has created numerous opportunities for advancement of intrusion detection systems. This has created a demand for intrusion detection to provide forensics information and analysis for the purpose of tracking, monitoring, identifying, and prosecuting attackers. (f) Relationship to Existing Courses: This is a new course in the TCOM program that has been designed to provide a body of knowledge that is directly applicable to the needs of the telecommunications industry. It builds on other courses within the program (TCOM 501/502, TCOM 509, TCOM 548/556, and TCOM 562) with the goal of applying engineering skills to the field of intrusion detection and forensics. This course will work hand in hand with the TCOM 660 Network Forensics course that will be offered in alternating semesters. It will be a complementary course to the new course, TCOM 662 Advanced Secure Networking, and related courses in CS. A-17 3. APPROVAL HISTORY ECE Department Date: (TCOM 663 October 20th, 2006) IT&E Graduate Committee Date: (TCOM 663 November 2006) IT&E Dean Date: (TCOM 663 November 2006) 4. SCHEDULING Every fall semester, starting fall 2007 and every fall thereafter. Proposed Instructors: Angela Orebaugh, Aleks Lazarevich, Tom Shackelford, Robert Osgood, Jeremy Allnutt, and other suitably qualified faculty 1. COURSE OUTLINE (a) Syllabus Week 1 Course overview: Introduction to the course, review of TCP/IP, historic intrusion detection systems, and other aspects required for intrusion detection and forensic analysis. Week 2 Packet Analysis Part 1: Introduction to network analysis tools such as tcpdump and Ethereal and examination of real world intrusions. Week 3 Packet Analysis Part 2: Continuation of network analysis and examination of real world intrusions. Week 4 Fundamentals of IDS: Presentation of IDS architecture, misuse/anomaly/behavior systems, host-based systems, network-based systems, IDS features, IDS products, IDS testing. Week 5 Introduction to Snort: Introduction to the open source Snort intrusion detection system and usage. Week 6 Snort Signatures and Analysis: Advanced Snort topics including signature creation. Week 7 Vulnerability analysis for Intrusion Detection and Forensics: Address the need for vulnerability analysis in conjunction with intrusion detection. Cover open source products for vulnerability analysis. A-18 Week 8 Mid-term exam Week 9 Intrusion Prevention and Active Response: Present various prevention and response techniques and open source products to implement the technologies. Week 10 Decoy Systems for Detection and Forensics: Address honeypots/honeynets and other techniques for collecting information for forensics and for performing intrusion detection. Week 11 Alert Correlation for Incident and Forensic Analysis: Present leading edge research for intrusion detection and alert correlation including the TIAA toolkit. Week 12 Advanced IDS Methods for Behavior Analysis: Present leading edge research for intrusion detection and forensics by examining behavior in areas such as E-mail and instant messaging. Week 13 Data Mining/Proactive Forensics: Present data mining techniques for intrusion detection, incident response, and forensics. Also present advanced techniques for proactive forensics. Week 14 Writing final reports Week 15 Final exam (b) Required Reading and Reference Material No required reading material. Reading will be assigned from various Internet sites and published research papers. The course will be delivered in a computer lab to enhance the interactive component within the class. Reading assignments from the Web include the following sites: www.ethereal.com www.snort.com ACM and IEEE database Optional supplementary material includes: A-19 ―Nessus, Snort, & Ethereal Power Tools : Customizing Open Source Security Applications‖ by Brian Caswell, Gilbert Ramirez, Jay Beale, Noam Rathaus. Syngress Publishing, ISBN# 1597490202. ―Investigative Data Mining for Security and Criminal Detection‖ by Jesus Mena. Butterworth-Heinemann, ISBN# 0750676132. (c) Student Evaluation Criteria A-20 Mid-term: 30% Homework: 15% Final Paper: 25% Final Exam: 30% SCHOOL PROPOSAL TO THE GRADUATE COUNCIL BY SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING 1. CATALOG DESCRIPTION (a) CFRS 760 Legal and Ethical Issues in IT (3:3:0) (b) Prerequisites: Graduate Standing (c) Catalog Description: Presents legal and ethics topics in the context of computer forensics. It will include legal principles, types of crimes, witness testimony, and forensics report writing. 2. JUSTIFICATION (d) Course Objectives: At the conclusion of this course, the student will have learned and reflected upon the legal principles and ethical standards underpinning the field of computer forensics. The student will understand such concepts as: probable cause, the ―silver platter doctrine,‖ chain of custody, scienter, and Locard’s exchange principle. Students will have examined the relationship of computer to other disciplines. The student will also appreciate the role of professional organizations, certifications and codes of ethics as they apply to professional practice. (e) Course Necessity: As with any program in the fields of IT security or justice, a course in law and ethics is necessary to ensure professional standards of conduct. The integration of witness testimony and report writing will give students context in which to apply legal principles and ethics. (f) Relationship to Existing Courses: This is a new course in the CFRS MS program. While it may be taken at any point in the program to allow scheduling flexibility, students will be advised to take it during their first year. While report writing is also covered in TCOM 660, note that reporting practices differ in different types of investigations and that additional practice writing reports will be beneficial. 3. APPROVAL HISTORY ECE Department Date: IT&E Graduate Committee Date: IT&E Dean Date: 4. SCHEDULING Proposed Instructors: Angela Orebaugh, Aleks Lazarevich, Tom Shackelford, Robert Osgood, Jeremy Allnutt, and other suitably qualified faculty A-21 5. COURSE OUTLINE (a) Syllabus Week 1 Course overview: Introduction to the course. Overview of types of legal systems. Review of federal and state laws as they relate to computer crime (CFAA, ECPA, USAPA, NET Act, DMCA, FISA, The Omnibus Crime and Control Act of 1968, etc.), search and seizure, trap and trace, intellectual property, and computer forensics. Week 2 Types of crimes and criminals. The rise of international crime and the role of grid computing. Week 3 Overview of local, state, federal, and international law enforcement agencies and court systems. Student seminar presentations. Week 4 Jurisdiction and evidence. Determination of jurisdiction, types of evidence, rules of evidence, chain of custody, evidence integrity. Student seminar presentations. Week 5 Formal discussion of ethics I. Ethical standards, codes of ethics, ethical decision making. Student seminar presentations. Week 6 Formal examinations of landmark cases. Student seminar presentations. Week 7 Course review; Mid-term exam Week 8 Formal discussion of ethics II: Ethics training, whistle blowing, balancing privacy and the needs of law enforcement in a free society, cultural and ethical considerations in the context of international investigations. Student seminar presentations. Week 9 Guest speaker (lawyer, prosecutor, or law enforcement). Student seminar presentations. Week 10 Report writing. Establishing facts, style and use of language. Verification and use of accredited tools. Student seminar presentations. A-22 Week 11 Legal instruments and courtroom procedures. Subpoenas, warrants, and affidavits. Discovery, presentation of evidence, cross examination. Student seminar presentations. Week 12 Expert witness testimony. Student seminar presentations. Week 13 Mock courtroom trial. Student seminar presentations. Week 14 The computer forensics professional. Professional organizations, certifications and computer Forensics as it relates to other disciplines. Professional preparation and lifelong learning. Review and Synthesis. Week 15 Final exam (b) Required Reading and Reference Material Orin S. Kerr (2006). Kerr's Computer Crime Law: (American Casebook Series) (American Casebook Series). West Group. Philip J. Candilis, Robert Weinstock, Richard Martinez, Andrew Szanton (Editor). (2007) Forensic Ethics and the Expert Witness. Springer. Suggested supplementary material includes: Codes of ethics: IACIS.com ISFCE Cybersecurity Institute (c) Student Evaluation Criteria A-23 Mid-term: 25% Presentations: 20% Mock forensic report: 20% Final: 35% Examples of Seminar Presentation Topics: FRED (Federal Rules of Evidence) Kyollo v. US Katz v. US California v. Greenwood Attend and report on a current trial Pretexting USAPA (Patriot Act) Hewlett-Packard employee surveillance case DOJ HTIU (High Tech Investigative Crime Unit) DOJ CCIP (Computer Crime and Intellectual Property) FBI RCFLs (Regional Computer Forensics Laboratory) IC3 (Internet Crime Complaint Center) Interpol and Europol Counter forensics: U.S. v. Robert Johnson, 2005, State of Missouri v. Zacheriah Tripp, Kucala Enterprises v Auto Wax Co Vigilantism: Titan Rain case Data profiling and ―anonymizer‖ investigative tools (Jeffrey Jonas) Panopticon and expectations of privacy in a free society Hacker culture, networks, publications, and DEFCON Online child exploitation (child pornography, stalking) Internet Fraud, botnets and spam NIST standards A-24 SCHOOL PROPOSAL TO THE GRADUATE COUNCIL BY SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING 1. CATALOG DESCRIPTION (a) CFRS 770 Fraud and Forensics in Accounting (3:3:0) (b) Prerequisites: Graduate standing (c) Catalog Description: Describes engagements that result from actual or anticipated disputes or litigation in Forensic Accounting, which is a specialty practice area of accounting. "Forensic" means "suitable for use in a court of law", and it is to that standard and potential outcome that Forensic Accountants generally have to work. Forensic Accountants often have to give expert evidence at the eventual trial. 2. JUSTIFICATION (d) Course Objectives: At the conclusion of this course, the student will have learned the laws, concepts, tools, and methodologies necessary to collect, preserve, analyze, and present financial evidence in a court of law. The student will be able to successfully perform vertical analysis, horizontal analysis, ratio analysis, data-mining analysis, and reasonableness testing. The student will develop an understanding of the elements required in order to conduct a forensic examination. (e) Course Necessity: Fraud is a multi-billion dollar business. It is transnational and affects everyone. The demise of MCI, Enron, and Arthur Andersen are examples of the breath and scope of fraud. The goal of Forensic Accounting, which is different than that of a financial audit, is to detect, quantify, and report fraud. (f) Relationship to Existing Courses: This is a new course in the Computer Forensics program that has been designed to provide a body of knowledge that is an adjunct to the discipline of computer forensics. This course is designed as an elective for students who wish additional exposure to the forensic process. 3. APPROVAL HISTORY ECE Department A-25 Date: IT&E Graduate Committee Date: IT&E Dean Date: 4. SCHEDULING Every spring semester, starting spring 2010 and every spring thereafter. Proposed Instructors: Angela Orebaugh, Aleks Lazarevich, Tom Shackelford, Robert Osgood, Jeremy Allnutt, and other suitably qualified faculty 5. COURSE OUTLINE (a) Syllabus Week 1 Introduction, project requirements, introduction to fraud Week 2 Money laundering Week 3 Financial reporting fraud Week 4 Potential red flags and fraud detection techniques Week 5 Financial statement fraud: revenue and receivables Week 6 Financial statement fraud: other schemes and misappropriations Week 7 Investigative techniques Week 8 Background investigations Week 9 Interviewing Week 10 Analyzing financial statements Week 11 Data mining in forensic accounting Week 12 When and why to call in forensic investigators Week 13 Project presentations A-26 Week 14 Project presentations Week 15 Final exam (b) Required Reading and Reference Material A Guide to Forensic Accounting Investigation Golden, Skalak, and Clayton Wiley Publishing ISBN: 0-471-46907-6 Enron: The Rise and Fall Lauren Fox Wiley Publishing ISBN:0-471-47888-1 Stolen Without A Gun: Confessions from inside history's biggest accounting fraud - the collapse of MCI Worldcom Walter Pavlo Jr. and Neil Weinberg Etika Books ISBN 0979755808 (c) Student Evaluation Criteria Project: 40% Presentation 10% Final: 50% Project: A detailed analysis, from a forensic accounting perspective, of some illegal activity. This illegal activity can be from a major publicized fraud, or it can be one that is lesser known. The deliverable will be a detailed report covering the elements of the fraud supported by forensic accounting work performed by the student. Each student will be required to formally present their findings in class. A-27 SCHOOL PROPOSAL TO THE GRADUATE COUNCIL BY SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING 1. CATALOG DESCRIPTION (a) CFRS 780 Advanced Topics in Computer Forensics (3:3:0) (b) Prerequisites: permission of instructor (c) Catalog Description: Covers advanced topics from recent developments and applications in various areas of computer forensics are covered in this course. The advanced topics are chosen in such a way that they do not duplicate existing CFRS courses. Active participation of the students is encouraged in the form of writing and presenting papers in various research areas of the advanced topic. The course is designed to enhance the professional engineering community’s understanding of breakthrough developments in specific areas of computer forensics. 2. JUSTIFICATION (d) Course Objectives This course is intended to provide students with the opportunity to learn about advanced developments and applications in computer forensics that generally do not fall into a specific existing course within the program. (e) Course Necessity The field of computer forensics is a dynamic area that deals with an ever-growing field of specialized topics, and it is anticipated that within a few years of the initiation of the MS in Computer Forensics program, there will be a demand to cover some of these emerging topics. As with special topics courses and advanced topics courses that have been offered in other disciplines, should a particular advanced topic course in the CFRS program become a regular topic, then it will be developed as a regular CFRS course and submitted for approval as a regular CFRS course in the normal way. (f) Relationship to Existing Courses The course, and course content, do not have a specific relationship to any other course, but the concept of CFRS 780 is similar to Advanced Topics courses offered in many other programs, for example ECE 699 Advanced Topics in Electrical and Computer Engineering and OR 750 Advanced Topics in Operations Research. 3. APPROVAL HISTORY ECE Department Date: IT&E Graduate Committee Date: IT&E Dean Date: 4. SCHEDULING When demand exists for such a course, it will be offered, usually only in the A-28 regular fall or spring semesters Proposed Instructors: Angela Orebaugh, Aleks Lazarevich, Tom Shackelford, Robert Osgood, Jeremy Allnutt, and other suitably qualified faculty. 5. COURSE OUTLINE (a) Syllabus The detailed syllabus will be constructed at the time the proposed Advanced Topics in Computer Forensics is to be offered. Approval to offer the course as proposed will be through the usual channels for placing such courses on the Schedule of Classes. (b) Reading and Reference Material To be determined at the time the specific course is offered for inclusion in the schedule of Classes. (c) Student Evaluation Criteria This will depend on the structure of the specific Advanced Topics course, (e.g. it may be directed at students completing a major forensics project; or it may be a regular lecture-based course), but it is anticipated that the student evaluation will be broken down as follows: Homework: 20% Midterm/project prelim. review: 40% Final/project report: A-29 40% SCHOOL PROPOSAL TO THE GRADUATE COUNCIL BY SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING 1. CATALOG DESCRIPTION (a) CFRS 790 Advanced Computer Forensics (3:3:0) (b) Prerequisites: CFRS 660, CFRS 661, and CFRS 663 Intrusion Detection and Forensics (c) Catalog Description: Exposes students to advanced simulated case studies. Students will be required to conduct computer forensic investigations of digital media, intercepted packet switched data, and multi-source log information in order to successfully complete each case study. This course is a capstone course for Master of Science in Computer Forensics program to be taken in the last year prior to the completion of degree requirement. As a capstone course, it will integrate the concepts and practices in Computer Forensics program. 2. JUSTIFICATION (d) Course Objectives: At the conclusion of this course, the student will be able to conduct a full computer forensic exam utilizing all of the tools and techniques and apply all of the processes and procedures presented in the computer forensic program. This will be accomplished through the use of case studies offered in a full computer forensic laboratory environment. Each case study will require research and forensic analysis resulting in a written report. For each case study, students will be selected to give oral presentations. Every student will be required to give at least two oral presentations. (e) Course Necessity: Since the explosion of the Internet with the World Wide Web, our increasingly internetwork-dependent society has been under attack by those who would subvert the Internet for political, economic, and/or personal gain. The field of network forensics represents how intercepted digital evidence is used to document, identify, and successfully prosecute those who would exploit computer networks. Viruses, trojans, worms, root kits, buffer overflows, and other malicious code permeate society, and network forensics provides the tools and techniques to determine and document what happened. This course will coalesce and bring together what is needed for today’s computer forensic examiner. (f) Relationship to Existing Courses: CFRS 790 builds on the work laid out in CFRS 660 (Network Forensics), CFRS 661 (Digital Media Forensics), and CFRS 663 (663 Intrusion Detection and Forensics). These courses are currently listed as TCOM 660, TCOM 661, and TCOM 662 respectively. 3. APPROVAL HISTORY ECE Department A-30 Date: IT&E Graduate Committee Date: IT&E Dean Date: 4. SCHEDULING Proposed Instructors: Angela Orebaugh, Aleks Lazarevich, Tom Shackelford, Robert Osgood, Jeremy Allnutt, and other suitably qualified faculty. 5. COURSE OUTLINE (a) Syllabus Week 1 Course overview: Introduction to the course and review of computer forensic tools and techniques. Case Study 1 is presented for discussion and evaluation. Week 2 Case Study 1 discussion. Application of tools and techniques to Case Study 1 examined. Week 3 Case Study 1 due. Case Study 1 presentations given. Case Study 2 is presented for discussion and evaluation. Week 4 Case Study 2 discussion. Application of tools and techniques to Case Study 2 examined. Week 5 Case Study 2 due. Case Study 2 presentations given. Case Study 3 is presented for discussion and evaluation Week 6 Case Study 3 discussion. Application of tools and techniques to Case Study 3 examined. Week 7 Case Study 3 due. Case Study 3 presentations given. Case Study 4 is presented for discussion and evaluation Week 8 Case Study 4 discussion. Application of tools and techniques to Case Study 4 examined Week 9 Case Study 4 due. Case Study 4 presentations given. Case Study 5 is presented for discussion and evaluation A-31 Week 10 Case Study 5 discussion. Application of tools and techniques to Case Study 5 examined Week 11 Case Study 5 due. Case Study 5 presentations given. Case Study 6 is presented for discussion and evaluation Week 12 Case Study 6 discussion. Application of tools and techniques to Case Study 6 examined Week 13 Case Study 6 due. Case Study 6 presentations given. Case Study 7 is presented for discussion and evaluation Week 14 Case Study 7 discussion. Application of tools and techniques to Case Study 7 examined Week 15 Case Study 7 due. Case Study 7 presentations given. Examples of simulated case studies are given at the end of this proposal. (b) Required Reading and Reference Material There will be no required text per se; however students will be responsible for research that will come from the following sources, as a minimum: Real Digital Forensics; Jones, Bejtlich, and Rose; Addison Wesley; ISBN 0321240693 Wireshark & Ethereal; 1st Edition, Orebaugh, Ramirez, Beale; Syngress; ISBN 1597490733 Mastering Windows Network Forensics and Investigation; Anson, Bunting; Sybex; 9780470097625 Incident Response & Computer Forensics; Mandia, Prosise, Pepe, Osborne; ISBN 007222696X Guide to Computer Forensics & Invesgtigations Second Edition; Nelson, Phillips, Enfinger, Steuart; Thomson Course Technology; ISBN 0-619-21706-5 A-32 File System Forensics Analysis; Brian Carrier; Addison Wesley; ISBN 0-321-26817-2 (c) Student Evaluation Criteria Case Studies (Written Assignments): 80% Oral Presentations: 20% Examples of Case Studies for CFRS-790 Advanced Computer Forensics Case Study 1 – Opto-Medtronics Inc. Part 1 Opto-Medtronics Inc. (Opto-Med) is a publicly traded company specializing in optics used in the medical industry. Unknown to most people, Opto-Med, has a division located Vienna, Virginia that is dedicated to the U. S. Defense Department. Specifically, the Spatial Support Division develops, builds, and maintains the optics that is equipped on Predator and Global Hawk surveillance drones. These optical systems are the most sophisticated in the world and classified Top Secret. All development and manufacturing work is performed in a secure facility (SCIF) at Vienna, Virginia. During a routine security sweep of the SCIF, security personnel found a small digital camera under some papers in a work area. Personal cameras of any kind are forbidden in the SCIF. The security personnel reviewed the contents of the camera which revealed numerous photos of the DoD optics manufacturing processes. The security personnel in there zeal to report this incident to the Chief Security Officer (CSO) somehow damaged the camera. You are a computer forensics examiner working for Mason-Forensics (Ma-For), a small computer company based in Fairfax, Virginia that recently entered into a contract with OptoMed to provide computer forensic services. You and your fellows examiners are former civilian government and military and all possess the appropriate clearances. The CSO contacts you and requests that you respond immediately to the Vienna, Virginia office. The CSO provides the damaged camera to you and requests that you: -Recover the data that is located on the SD card inside the camera -Identify the owner of the camera if possible. Deliverables: 1) Prepare and engagement letter to be signed by the CSO that: A-33 - Specifically identifies what is required of you - Specifically identify what is required of Opto-Med 2) Prepare a chain of custody for items provided to you by Opto-Med 3) Prepare a list of investigative steps that you will take in this matter to include: -What non-technical investigative steps do you will take -What technical investigative steps you will take 4) Perform the forensic analysis on the SD card and prepare a report for distribution to the CSO and CEO of Opto-Med on your findings. Case Study 2 – Opto-Medtronics Inc. Part 2 You have issued your report to Opto-Med and returned the camera, SD card, and images created from the SD card to Opto-Med as well. The CSO contacts you stating that based on your report, security has potentially identified the owner of the camera, an employee working at the Vienna, Virginia facility. The CSO wants Ma-For to image and analyze the employee’s desktop Internet computer as well as institute real-time content monitoring on that computer. You recommend that Opto-Med contact federal law enforcement regarding this matter; however, the CSO advises that, in discussions with the Corporation Council’s office as well as the CEO, Opto-Med wants to be sure before notifying law enforcement. They do not want to ruin the career of a long time employee without more proof. Deliverables: 1) Prepare and engagement letter to be signed by the CSO that: - Specifically identifies what is required of you - Specifically identifies that the legal requirements have been met by Opto-Med allowing you to perform this work. 2) Install the equipment for the real time collection 3) Image the hard drive of the employee’s desktop Internet computer 4) Prepare a chain of custody documents for the images and real time content collected 5) Prepare a list of investigative steps that you will take in this matter to include: -What non-technical investigative steps do you will take -What technical investigative steps you will take A-34 6) Perform the forensic analysis on the hard drive image and prepare a report for distribution to the CSO and CEO of Opto-Med on your findings. Case Study 3 – Opto-Medtronics Inc. Part 3 Your collection system at Opto-Med has been running for two weeks. The CSO contacts you and requests that you provide her with the findings of the analysis of the network traffic. Opto-Med wishes to complete this part of the investigation and make a decision as to the status of the employee. Deliverable: 1) Prepare a report on your analysis of the network traffic for distribution to the CSO and CEO of Opto-Med on your findings. A-35 ECE 646 Cryptography and Computer-Network Security Topics include need for security services in computer networks, basic concepts of cryptology, historical ciphers, modern symmetric ciphers, public key cryptography (RSA, elliptic curve cryptosystems), efficient hardware and software implementations of cryptographic primitives, requirements for implementation of cryptographic modules, data integrity and authentication, digital signature schemes, key exchange and key management, standard protocols for secure mail, www and electronic payments, security aspects of mobile communications, key escrow schemes, zero-knowledge identification schemes, Smart cards, quantum cryptography, and quantum computing. LAW 181 Communications Law A treatment of basic telecommunications law, policy, and regulation. SOCI 607 Criminology Crime and crime causation. Topics include social basis of law, administration of justice, and control and prevention of crime. A-36 APPENDIX B Sample Schedule for M.S. in Computer Forensics Completion Full Time Student Schedule Fall Spring Year 1 CFRS 500, ISA 562, CFRS 660 Law 181, SOCI 607, CFRS 661 Fall Spring Year 2 CFRS 663,CFRS 760, CFRS 780 CFRS 790 Part Time Student Schedule B-1 Fall Spring Year 1 CFRS 500, ISA 562 Law 181, SOCI 607 Fall Spring Year 2 CFRS 660, CFRS 760 CFRS 661 Fall Spring Year 3 CFRS 663, CFRS 780 CFRS 790 APPENDIX C Sample “Mini CV’s” for Faculty Special Agent Bob Osgood is currently Chief of Digital Media exploitation for the FBI’s Counterterrorism Division. He has over 20 years of experience in the fields of computer forensics and Cyber crime. SA Osgood has an M.S. in Network Engineering, is a Cisco engineer, A+ and Net + certified. SA Osgood currently teaches Digital Media Forensics and Network Forensics in the GMU TFAS program. Ms. Angela Orebaugh is an internationally recognized security technologist, scientist, and author, with over 15 years of experience. Ms. Orebaugh is a Guest Researcher for the National Institute of Standards and Technology (NIST), where she leads several security initiatives including the authoring of security special publications, the National Vulnerability Database (NVD), and electronic voting. At GMU she developed and taught the Intrusion Detection curriculum, a core requirement of the TFAS program. Her current research interests include peer-reviewed publications in the areas of intrusion detection and prevention, data mining, attacker profiling, user behavior analysis, and network forensics. Ms. Orebaugh has a broad spectrum of professional experience in information security, with hands-on expertise in security architecture design and analysis, perimeter defense, vulnerability assessment and penetration testing, forensics, intrusion detection and prevention, and incident handling and response. Ms. Orebaugh is the author of several books on information security, and is currently scheduled to defend her Ph.D. dissertation in spring 2008. Dr. Aleksandar Lazarevich is a Senior Computer/Electronics Engineer with the Defense Information Systems Agency. He is the operations managers and the Test Evaluation lead for the DoD PKI program. He is an adjunct Professor with George Mason University and Masters Degree program chair for the University of Fairfax. He has been the IT College Campus Chair and the Area Chair for Networking and Operating Systems at the Northern Virginia campus of University of Phoenix for two years and the IT department chair at WIU for four years. He has over 33 years experience of Federal Civil Service in the field of Information Systems security engineering and computer forensics. He holds the rank of Senior Member of the Institute of Electrical and Electronics Engineers. He completed a PhD in Information Technology with an emphasis in Information Assurance and computer forensics at George Mason University. His research has been in the area of artificial intelligence modeling of evidence assessment. He primarily teaches information security and computer forensic classes. He has represented the U.S. Government in international forums for over three decades and has received recognition for his expertise from numerous nations. Dr. Lazarevich was responsible for major information system programs for such organizations as the White House Communications Agency, Executive Office of the President and the Deputy Under Secretary of Defense for Logistics. He was elected to the 2001 International Who’s Who of Information Technology. Dr. Andrzej Z. Manitius received his Ph.D. degree from the Polytechnical University of Warsaw, Warsaw, Poland in 1968. From 1968 to 1972 he held a junior faculty position with the Institute of Automatics of the Polytechnical University of Warsaw. In 1972 and 1973 he was a Visiting Associate Professor with the Center for Control Sciences at the University of Minnesota. He subsequently joined the Mathematical Research Center at the University of Montreal, Quebec, Canada, where he was an Associate and then Full Research Professor until 1981. From C-1 1981 to 1988 he was a Professor in the Mathematical Sciences Department of the Rensselaer Polytechnic Institute (RPI) in Troy, New York. While on leave from RPI, he served as Program Director for Applied Mathematics (1986-1987) and Deputy Director, Division of Mathematical Sciences (1987-88) at the National Science Foundation in Washington, D.C. He joined George Mason University in September 1988 as Professor of Electrical and Computer Engineering. Dr. Manitius’ research interests include mathematical aspects of control theory, including control of distributed parameter and delay systems, optimal control, optimization, numerical and computational methods in dynamical systems and control systems. He has published over 70 papers in his fields of interest, and held various editorial positions with several professional journals. In 1991 he received American Mathematical Society's Citation for Public Service related to his earlier work at the NSF. Dr. Jeremy Allnutt earned his B.Sc. and Ph.D. in electrical engineering from the University of Salford, UK, in 1966 and 1970, respectively. From 1970 to 1977 he was at the Appleton Laboratory in Slough, England, where he ran propagation experiments with the US satellite ATS-6 and the European satellites SIRIO and OTS. In 1977 he moved to BNR, now Nortel, in Ottawa, Canada, and worked on satellite and rural communications projects before joining the International Telecommunications Satellite Organization (INTELSAT) in Washington, DC, in 1979. Dr. Allnutt spent 15 years at INTELSAT in various departments. During this period he ran experimental programs in Europe, Asia, Africa, North and South America, Australia, and New Zealand, finishing as Chief, Communications Research Section. Dr. Allnutt spent one year as Professor of Telecommunications Systems at the University of York, England, and then joined the Northern Virginia Center of Virginia Tech in 1986, where he later ran the masters program in ECE as well as being on the team that designed and set up the Masters in Information Technology program. In August of 2000 he moved to George Mason University with dual appointments: Director of the new Masters in Telecommunications program (http://telecom.gmu.edu/) and Professor in the ECE department. Dr. Allnutt has published 100 papers in conferences and journals and written one book, most in his special field: radiowave propagation. He is a Fellow of the UK IEE (now called IET) and a Fellow of the US IEEE. Dr. Anne Marchant received her PhD from UC Berkeley in 1990. She is currently an Associate Professor in the Department of Applied Information Technology teaching IT in the Global Economy, Information Warfare, and Computer Crime, Forensics, and Auditing. She won a GMU Teaching Excellence Award in 1999 while she was an instructor in the Computer Science Dept teaching programming. Prior to coming to George Mason, she was an instructor for the College of Engineering at UC Berkeley from 1990-1994. Her research interests include UAVs, computer forensics, as well as technology related ethical and social issues. Dr. David D. Hwang received the B.S., M.S., and Ph.D. degrees in electrical engineering from the University of California, Los Angeles (UCLA) in 1997, 2001, and 2005, respectively. In 2004, he was a visiting international scholar at the Katholieke Universiteit Leuven in Belgium, conducting research on cryptographic hardware and embedded security. From 2005-2006, he was with KeyEye Communications, a semiconductor developer of multi-gigabit Ethernet transceivers. From 2006-2007 he was a Senior Staff Scientist at Broadcom Corporation, investigating VLSI signal processing algorithms and architectures for digital communication ICs. He joined the electrical and computer engineering department of George Mason University as an C-2 assistant professor in the spring of 2007. Dr. Hwang was a University of California Regents Scholar, Department of Defense NDSEG Graduate Fellow, and a Hertz Foundation Graduate Fellow. His research interests encompass cryptographic hardware for embedded system security, digital signal processing architectures, and VLSI digital systems and circuits. He is a member of IEEE, Tau Beta Pi, Eta Kappa Nu, and Phi Beta Kappa. Dr. Thomas Shackelford has been working with computers and software design since 1986, where his primary focus was with database administration, data management, and data analysis. From here his career has taken him through various programming and network engineering disciplines from main frames through client server environments. He currently works as the Information Assurance Manager overseeing security design and implementation for a major financial system. He received his Bachelors of Science Degree in Computer Science from Chapman University, a Master of Science Degree in Information Systems Engineering from Western International University, and a Doctorate in Philosophy degree in Information Technology with a special emphasis in computer security from George Mason University. His Dissertation topic was ―The Use of Advanced Data Mining Techniques to Develop Measures of Document Relevance‖. The purpose of the papers was to study how document relevance could be used to track insider threat in a networked environment. Dr. Shackelford’s interests are in Network engineering, Computer Security, Data Mining, Text Categorization, Insider Threat Detection, and Data Forensics. C-3 APPENDIX D Sample Job Announcements with URL and Date Most advanced computer forensics positions are listed on the web site of the leading computer forensics association, the International High Technology Crime Investigation Association (with the acronym HTCIA, rather than IHTCIA) - http://www.htcia.org/cgi-bin/chapters.cgi There are 41 chapters currently affiliated with the HTCIA, some international (Brazil, Canada, UK) but most in the USA. The chapter that covers Virginia is the ―Mid-Atlantic Chapter‖ (http://www.htcia.org/cgi-bin/chapters.cgi?idChapter=7) All chapters have job postings that are for the area covered by the chapter. On the Mid-Atlantic chapter’s web site, there were 18 positions advertised, the oldest dating from May 8th, 2007 and the most recent October 4th, 2007. The positions range from what could be considered to be entry level positions (Computer Forensics Specialist – Washington, DC) to senior level positions (Senior Electronic Data Examiner, Falls Church, VA). Both positions are given below, extracted on October 8th, 2007. Employment Opportunity – Computer Forensic Specialist (Washington, D.C.) (No pdf; the advertisement was extracted in Word format from the web listing http://www.htcia.org/cgi-bin/chapters.cgi?idChapter=7 selecting the listing with the above title on October 8th, 2007) The High Technology Investigative Unit (HTIU) within the Child Exploitation and Obscenity Section (CEOS) of the U.S. Department of Justice initiates investigations and conducts forensic analysis on computer evidence in federal cases involving child exploitation and obscenity crimes. It works closely with federal law enforcement agencies such as the FBI, Immigration and Customs Enforcement (ICE), Secret Service, and the Postal Inspection Service; as well as federal prosecutors all across the country. The mission of the HTIU is simple: Provide the most accurate, up-to-date expertise on computer forensic matters and assist law enforcement in bringing criminals who peddle in child exploitation and obscenity to justice. The HTIU goes far beyond the bits and bytes of standard computer forensic examinations. HTIU specialists are routinely asked to assist in national operations involving child exploitation over the internet, special investigative initiatives, and research and develop new investigative tools and techniques. In addition, HTIU specialists may be asked to assist in drafting proposed legislation, developing and delivering training for law enforcement agencies, and testify as experts in federal court. HTIU specialists frequently travel to various field offices to assist in the prosecution of some of the worst criminal offenders. The HTIU is expanding and currently has a need for qualified computer forensic investigators. Candidates should have extensive knowledge in computer forensics and computer investigations, Internet technologies, and an educational background in CS or similar degree. Previous programming and applications development experience as well as experience in *nix OSs are highly desirable. D-1 Salary range is $46,041 to $103,220. For how to apply, see Vacancy No. 07-CRM-KS-049 at www.usajobs.gov For additional information about this position, please contact Shannon.Perkins@usdoj.gov Senior Electronic Data Examiner, Falls Church, VA (http://www.htcia.org/classified/sedfe.pdf October 8th, 2007) Capital Legal Solutions is a highly innovative electronic service provider headquartered in Falls Church, VA, part of the metro DC area region. Founded in 2002, we have rapidly expanded from a vision to equip the legal community with cost effective, technology driven litigation support to an industry leading electronic discovery provider. Currently we are seeking a qualified SENIOR ELECTRONIC DATA FORENSICS EXAMINER. The ideal candidate will have: Superior management and client relationship skills Experience overseeing fully defensible preservation of electronic data (including by HD image acquisition) within large corporations The ability to forensically harvest data from a wide variety of sources and storage media Extensive background in preparing written reports General networking and strong hardware knowledge are necessities Be familiar with providing expert testimony ENCASE certification and familiarity with FTK and LINUX is a plus. Compensation will be highly competitive and based upon experience, training and educational background. To apply for this position, please send your resume to: Robert Eisenberg Vice President—E-Discovery Consulting CAPITAL LEGAL SOLUTIONS, LLC 150 S. WASHINGTON ST. SUITE 500 FALLS CHURCH, VA 22046 Tel: 703-226-1544 Fax: 703-226-1550 Email: reisenberg@capitallegals.com For more information about our company and this position, please visit our website at www.capitallegals.com . D-2 APPENDIX E Sample Survey Instrument George Mason University is developing a Master’s in Computer Forensics program for implementation in fall 2008. The proposed M.S. in Computer Forensics will prepare students for careers in industry, government, and academia by combining academic education with real world practical techniques. Emphasis is placed in the program on training students to use and apply computer forensics methods and knowledge in a variety of real life scenarios. Computer forensic examiners (CFE) work in both the public and private sectors, and the Washington, D. C. area is home to a large work force of CFEs. These CFEs work for the FBI, DEA, USSS, as well as with the vast majority of Inspectors General and local police departments. Practically all of the major accounting and consulting firms employ computer forensic examiners on staff, and there is a growing cadre of independent consultants that work in this field. The American Society of Crime Lab Directors (ASCLAD), the governing association in the field forensics sciences, requires that all computer forensic examiners possess a bachelors degree with significant course work in math and science. As a result of successfully completing this program, students should have the necessary skills and knowledge to perform in a variety of computer forensic roles, including forensics examiner, and the ability to earn an advanced degree. We have prepared the survey below to gauge interest in the program. Your answers to the following questions will be used in summary form only. No personally-identifiable information will be released. Please feel free to contact Dr. Jeremy Allnutt at jallnutt@gmu.edu if you would like more information about the proposed program. Thank you. E-1 Yes 1. Would you be interested in enrolling in a program like this? (If no, then skip to question 3.) 2. If yes, would you prefer to attend the program on a full-time or part-time basis? Fulltime No Parttime Not sure 3. Have you ever applied to an institution offering a similar program? If so, which program, at which school? Yes No 4. Are you currently attending George Mason University? If so, in what program: Yes No 5. FOR STUDENTS CURRENTLY IN MASON PROGRAMS AT THE SAME LEVEL: If this program had been available when you initially applied to Mason, would you have applied for admission to it? Yes No 6. FOR STUDENTS CURRENTLY IN MASON PROGRAMS AT THE SAME LEVEL: Are you currently enrolled, or are thinking of enrolling in, a certificate as part of your master’s degree? If you answered yes, could you please put down the name or acronym of the certificate (e.g. TFAS, ANPT, and WIRE). Yes No Yes No Yes No Certificate program:………………………………………………. 7. FOR STUDENTS WHO LEFT MASON TO PURSUE EDUCATION ELSEWHERE: If this program had been available when you completed your current program, would you have applied for admission? 8. FOR STUDENTS WHO LEFT MASON BUT HAVE NOT PURSUED FURTHER EDUCATION: If this program had been available when you completed your current program, would you have applied for admission? 9. FOR STUDENTS WHO ANSWERED ―Yes‖ TO QUESTIONS 5, 7, OR, 8, COULD YOU PLEASE TELL US WHAT YOUR PRINCIPAL BACKGROUND IS IN TERMS OF YOUR CURRENT JOB OR INTEREST (Please check the most appropriate area below) (a) IT …………. ………. (b) Legal …………..……….. (c) ADJ ….....……………. (d) Accounting ………… (e) Law enforcement ………. (f) Teacher ………………. (g) Other ……………… (Please explain below) E-2 10. FOR STUDENTS WHO ANSWERED ―Yes‖ TO QUESTIONS 5, 7, OR, 8, COULD YOU PLEASE TELL US WHAT PART OF COMPUTER FORENSICS INTERESTS YOU THE MOST (Please check the appropriate area bellow) (a) Hardware Forensics ………………. (b) Software Forensics ………………. (c) Network Forensics .……………….. (d) Search and Seizure ………………. (e) Trap and Trace ……………………. (f) Law and Ethics as related to Computer Forensics ……………… (g) Other (Please explain bellow) 11. In which state do you currently live? Virginia Maryland ………………………………………………………………….. DC Other 12. Do you plan to live in this state or country for the next three or four years? Yes No 13. Are you currently employed? (If not, then skip to 17.) Yes No If you answered ―Other‖, which state or country (if not the USA) do you live in? 14. If you are employed, please identify the state in which you work. If you answered ―Other‖, could you please tell us where you currently work ……………………………………. Virginia Maryland DC Other 15. If you are employed, are you employed full-time or part-time? Fulltime 16. If you are employed, would the proposed program help you in your work? 17. Please feel free to provide below any additional comments about the proposed program. E-3 Yes Parttime No Responses on October 8th, 2007 to the web-based questionnaire The Questionnaire became ―live‖ on Friday, October 5th, 2007. The responses below were taken over the Columbus Day weekend. Q1. Would you be interested in enrolling in a program like this? answer options Yes No Response Percent 90.6% 10.1% answered question skipped question Response Count 135 15 149 0 Q2. Would you prefer to attend the program on a full-time or part-time basis? answer options Full-time Part-time Not sure Response Percent 28.0% 60.6% 11.4% answered question skipped question Response Count 37 80 15 132 17 Q3. Which campus of George Mason would you prefer: answer options Fairfax Prince William Loudon Response Percent 73.5% 24.2% 2.3% answered question skipped question Response Count 97 32 3 132 17 Q4. Which type of classes do you prefer: answer options Distance Education (online) Traditional Lecture (face-to-face) A combination of both distance and traditional. E-4 Response Percent 3.0% 44.4% 52.6% answered question Response Count 4 59 70 133 skipped question 16 Q5. Have you ever applied to an institution offering a similar program? answer options Yes No Response Percent 1.4% 98.6% answered question skipped question Response Count 2 145 147 2 Q6. If so, which program, at which school? answer options Program School Response Percent 100.0% 100.0% answered question skipped question Response Count 4 4 4 145 Q7. Are you currently attending George Mason University? answer options No Yes Response Percent 17.7% 82.3% (Please specify program) answered question skipped question Response Count 26 121 Response Percent 65.4% 34.6% answered question skipped question Response Count 17 9 110 147 2 Q8. Are you a former GMU student? answer options Yes No E-5 26 123 Q9. FOR STUDENTS WHO LEFT MASON TO PURSUE EDUCATION ELSEWHERE: If this program had been available when you completed your current program would you have applied for admission? Response Percent 80.0% 20.0% answered question skipped question answer options Yes No Response Count 4 1 5 144 Q10. FOR STUDENTS WHO LEFT MASON BUT HAVE NOT PURSUED FURTHER EDUCATION: If this program had been available when you completed your current program, would you have applied for admission? Response Percent 70.0% 30.0% answered question skipped question answer options Yes No Response Count 7 3 10 139 Q11. FOR STUDENTS CURRENTLY IN MASON PROGRAMS AT THE SAME LEVEL: If this program had been available when you initially applied to Mason would you have applied for admission to it?" answer options Yes No Response Percent 74.4% 25.6% answered question skipped question Response Count 61 21 82 67 Q12. FOR STUDENTS CURRENTLY IN MASON PROGRAMS AT THE SAME LEVEL: Are you currently enrolled, or are thinking of enrolling in, a certificate as part of your master’s degree? answer options Yes E-6 Response Percent 49.4% Response Count 39 No 50.6% answered question skipped question 40 79 70 Q13. Please enter the name or acronym of the certificate (e.g. TFAS, ANPT, and WIRE). Response Count 22 22 127 answered question skipped question Q14. Please tell us what your principal background is in terms of your current job or interest: Response Percent 94.7% 0.0% 3.8% 0.8% 0.0% 0.8% Other (please specify) answered question skipped question answer options IT Legal Law Enforcement Administration of Justice Accounting Teacher Response Count 125 0 5 1 0 1 15 132 17 Q15. Please tell us what part of computer forensics interests you the most: answer options Hardware Forensics Software Forensics Network Forensics Search and Seizure Law and Ethics Trap and Trace Response Percent Response Count 19.0% 26 22.6% 31 38.7% 53 6.6% 6.6% 6.6% Other (please specify) answered question skipped question 9 9 9 2 137 12 Q16. In which state do you currently live? answer options E-7 Response Percent Response Count DC Maryland Virginia 0.7% 0.0% 99.3% Other (please specify) answered question skipped question 1 0 140 0 141 8 Q17. Do you plan to live in this state or country for the next three or four years? answer options Yes No Response Percent 93.6% 6.4% answered question skipped question Response Count 132 9 141 8 Q18. Are you currently employed? answer options Yes No Response Percent 83.0% 17.0% answered question skipped question Response Count 117 24 141 8 Q19. Please identify the state in which you work: answer options DC Maryland Virginia Response Percent 8.5% 4.2% 87.3% Other (please specify) answered question skipped question Response Count 10 5 103 0 118 31 Q20. Are you employed full-time or part-time? answer options Full-time Part-time Response Percent 64.1% 35.9% answered question skipped question Response Count 75 42 117 32 Q21. Would the proposed program help you in your work? answer options E-8 Response Percent Response Count Yes No 65.8% 34.2% answered question skipped question 77 40 117 32 Q22. Please feel free to provide below any additional comments about the proposed program: Response Count answered question skipped question E-9 30 30 119 APPENDIX F Assumptions Used in Developing Resource Projections Faculty FTE Undergraduate: Graduate: Adjunct: GTA: 18 student FTE = 1 faculty FTE 12 student FTE = 1 faculty FTE 8 3-credit courses/year = 1 faculty FTE 4 3-credit courses/year = 1 full-time GTA = 0.5 FTE Salary Full professor: Assistant professor: Adjunct: GTA: GRA: Pres. Scholar GRA: $90,000 $60,000 $1,070/credit (undergraduate) $1,150/credit (graduate) 1 FTE = 8 classes * 3 credits/class * adjunct rate $22,000 ($10,000 stipend + $12,000 tuition) $24,000 ($12,000 stipend + $12,000 tuition) $30,000 ($18,000 stipend + $12,000 tuition) Fringe benefits Full-time faculty: Adjunct: Classified: Admin faculty: GTA: .2765 .0765 .3541 .2825 0 Equipment New full-time faculty and staff get a computer: New full-time faculty and staff get a desk and chair: Telecommunications New faculty and staff get a telephone: Annual charges: E-10 $750 $240 $2,000 $3,000
© Copyright 2024