Combined Draft October 2007 version 4 George Mason University S

Combined Draft October 2007 version 4
STATE COUNCIL OF HIGHER EDUCATION FOR VIRGINIA
PROGRAM PROPOSAL COVER SHEET
1.
Institution
2. Program action (Check one):
Spin-off proposal
New program proposal
George Mason University
3. Title of proposed program
Computer Forensics
5.
4. CIP code
Degree designation M.S.
6. Term and year of initiation
Fall 2008
7a. For a proposed spin-off, title and degree designation of existing degree program
7b. CIP code (existing program)
8. Term and year of first graduates May 2010
9. Date approved by Board of Visitors
(TBD)
10. For community colleges:
date approved by local board
date approved by State Board for Community Colleges
11. If collaborative or joint program, identify collaborating institution(s) and attach letter(s) of
intent/support from corresponding chief academic officers(s)
12. Location of program within institution (complete for every level, as appropriate).
School(s) or college(s) of
Division(s) of
Information Technology and Engineering
Electrical and Computer Engineering
Campus (or off-campus site)
Fairfax, VA
Distance Delivery (web-based, satellite, etc.)
Not Applicable
13. Name, title, telephone number, and e-mail address of person(s) other than the institution’s
chief academic officer who may be contacted by or may be expected to contact Council staff
regarding this program proposal.
Andrzej (Andre) Manitius, Professor and Chair, Electrical & Computer Engineering
703-993-1594, [email protected]
1
Combined Draft October 2007 version 4
TABLE OF CONTENTS
PROPOSAL FOR A MASTER’S DEGREE IN COMPUTER FORENSICS
DESCRIPTION OF THE PROPOSED PROGRAM ...............................................................................................2
OVERVIEW ................................................................................................................................................................ 2
DESCRIPTION OF THE CURRICULUM……………………………………………………………………………….. 3
ADMISSION CRITERIA ............................................................................................................................................... 6
ADVANCEMENT TO CANDIDACY ...………………………………………………………………………………….7
FACULTY ................................................................................................................................................................... 7
PROGRAM SIZE AND VIABILITY …………………………………………………………………………………… 10
PROGRAM ADMINISTRATION ……………………………………………………………………………………... 10
LEARNING OUTCOMES AND ASSESSMENT………………………………………………………………………... 11
BENCHMARKS OF SUCCESS...................................................................................................................................... 11
EXPANSION OF AN EXISTING PROGRAM?................................................................................................................. 12
JUSTIFICATION FOR THE PROPOSED PROGRAM ....................................................................................... 13
RESPONSE TO CURRENT NEEDS ............................................................................................................................... 13
What is Computer Forensics ……………………………………………………………………………….13
Who Utilizes Computer Forensics …………………………………………………………………………13
Why Computer Forensics? …………………………………………………………………………………14
Impact of the Proposed Masters in Computer Forensics program on the Commonwealth of Virginia ..…..14
Evidence for the Need for Computer Forensics experts …………………………………………………...15
Historical Aspects of the proposed Masters in Computer Forensics program …………………………….15
ANTICIPATED STUDENT DEMAND ……………………………………………………………………………….. 16
ANTICIPATED EMPLOYMENT DEMAND …………………….…….………………………………………………..17
Sample Position advertisements …………………………………………………………………………...17
POSSIBLE DUPLICATION OF OTHER PROGRAMS ...................................................................................................... 263
LETTERS OF SUPPORT ………………………………………………………………………………………...24
PROJECTED RESOURCE NEEDS ........................................................................................................................ 26
APPENDIX A Course Descriptions ...................................................................................................................... A-1
APPENDIX B Sample Schedule for M.S. in Computer Forensics Completion ................................................. B-1
APPENDIX C Sample “Mini CV’s” for Faculty ................................................................................................. C-1
APPENDIX D Sample Job Announcement with URL and Date ........................................................................ D-1
APPENDIX E Sample Survey Instrument (and some results) ............................................................................ E-1
APPENDIX F Assumptions Used in Developing Resource Projections .............................................................. E-1
i
Proposal for the M.S. in Computer Forensics
Presented by the
Department of Electrical and Computer Engineering
George Mason University
Description of the Proposed Program
Overview
The Department of Electrical and Computer Engineering as part of George Mason University’s
Volgenau School of Information Technology and Engineering (ITE) is proposing a Master’s of
Science in Computer Forensics (CFRS). Computer forensics is the collection (seizure),
processing, and analysis of digital information such that this information (evidence) can be
successfully admitted into a court of law. It is interdisciplinary in its nature with emphasis on
computer science, network engineering, telecommunications, law, and ethics. Although related
to information security, computer forensics is a discipline unto itself. In the last 20 years,
computer forensics has evolved into its own industry. Once primarily focused on supporting
criminal prosecutions, computer forensics now also supports civil prosecutions and the
enforcement of the Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745).
The proposed M.S. in Computer Forensics will prepare students for careers in industry,
government, and academia by combining academic education with real world practical
techniques. Emphasis is placed in the program on training students to use and apply computer
forensics methods and knowledge in a variety of real life scenarios. Computer forensic
examiners (CFE) work in both the public and private sectors, and the Washington D. C. area is
home to a large work force of CFEs. These CFEs work for the FBI, DEA, USSS, as well as with
the vast majority of Inspectors General and local police departments. Practically all of the major
accounting and consulting firms employ computer forensic examiners on staff, and there is a
growing cadre of independent consultants that work in this field. The American Society of
Crime Lab Directors (ASCLAD), the governing association in the field forensics sciences,
requires that all computer forensic examiners possess a bachelors degree with significant course
work in math and science. The proposed M.S. in Computer Forensics will provide students with
the necessary skills and knowledge to perform in a variety of computer forensic roles, including
forensics examiner, and the ability to earn an advanced degree.
The distinctiveness of the George Mason’s Master’s program in Computer Forensics lies in the
curriculum, which has been tailored to strengthen the employment opportunities of students in
non-academic jobs, as well as prepare students who may wish to pursue a doctorate. The
proposed program will incorporate faculty research and teaching interests on a range of
contemporary topical issues. It will also provide students with advanced training in computer
and network digital evidence, intrusion forensics, and legal and ethical issues.
The distinguished Computer Forensics program faculty cover a broad range of areas including
many aspects of information technology, telecommunications, engineering, and computer
science. Their specializations include information security, intrusion detection, network
forensics, digital media forensics, operating systems theory, software and hardware theory,
cryptography, cyber crime, digital evidence, and law and ethics. Many faculty members have
hands-on experience in industry and government settings.
2
The Department of Electrical and Computer Engineering currently offers an advanced certificate
in Telecommunications, Forensics, and Security (TFAS) as a concentration within the M.S. in
Telecommunications (TCOM) program. The success of the TFAS certificate demonstrates a
clear demand for a reputable Computer Forensics program at the Master’s level, offered by a
Commonwealth of Virginia university.
The M.S. in Computer Forensics will contribute to George Mason University needs and goals by
serving a larger graduate student population in key areas and offering advanced elective courses
in areas of interest to students pursuing advanced degrees in other George Mason programs, such
as Information Security Assurance, Electrical Engineering, Computer Engineering, and
Computer Science. George Mason University’s location in Northern Virginia; the teaching
capabilities and capacity within the Volgenau School of Information Technology and
Engineering (VSITE), the ECE department, and the university as a whole; and the status as a
program within the Commonwealth of Virginia’s university system provides a unique advantage
in offering students an excellent and affordable program that will prepare them to effectively use
computer forensics skills and knowledge in their careers.
Description of the Curriculum
The field of forensics science as applied to digital telecommunications and storage has evolved
over a range of disciplines in the last two decades. The initial concentration of effort was in
protecting the communications links and storage devices from intrusion, theft, and sabotage.
George Mason University’s School of IT&E developed, within the former Information Systems
Department, a broad range of courses and research concentrations that focused on protecting
telecommunications links and storage facilities. Other Departments and Schools within George
Mason University used their range of faculty talents to address issues such as ethics and fraud
within the framework of communications, accounting, and law. The Department of Electrical
and Computer Engineering, within the School of IT&E, both through its master’s in Computer
Engineering program and its Master’s in Telecommunications program, explored topics related
to cryptography, network engineering, and advanced network security. The stage was therefore
set to draw upon this existing, wide-ranging interdisciplinary pool of talent when cyber crime
started to become a major issue.
With the apparently increasing vulnerability of digital information, whether in transit or stored,
the likely corruption or theft of digital data was such as to require a new capability: computer
forensics. Clearly, the basis for the development of this new capability was in the field of
computer engineering: a range of digital techniques needs to be mastered by any student seeking
to be a practitioner in this field. However, the ability to trace the theft or corruption of digital
information is not sufficient. The search results must be able to withstand the scrutiny of a court
of law. The engineering knowledge of computer forensics has therefore to be balanced by a
strong understanding of both ethical and legal issues to ensure that the evidence will hold up.
The proposed masters in Computer Forensics program seeks to blend an exacting engineering,
ethics, and legal issues plan of study to ensure that the graduates are thoroughly grounded in the
skills necessary to work in both commercial and law enforcement areas, and are equipped to
enter into an academic research path or a professional career.
3
The proposed M.S. in Computer Forensics (CFRS) requires the completion of a minimum of 30
hours of graduate course work with a GPA of 3.000, or higher. The CFRS program is split into
two elements: a Core component of 18 credit hours (15 credit hours plus a mandatory, 3-credit,
capstone course that is taken towards the end of the degree) and an Elective component of 12
credit hours
Core Component:
The Core component consists of three elements, with each individual course being 3 credit
hours:
-
A mandatory introductory course (CFRS 500) that is to be taken as the first course, or one of
the first courses, in the first semester of the student’s MS in Computer Forensics degree
program
(3 credits)
-
Three Forensics courses (CFRS 660, 661, and 663) that may be taken in any order, but
which should be completed within the first 18 credit hours of the student’s degree program
(total of 9 credits)
-
One Ethics course that may be selected from a pair of Ethics courses (CFRS 760 and 770),
and which may be taken at any point in the program; and
-
A Capstone Project Course (CFRS 790) that may not be taken until at least 18 credit hours
have been earned within the CFRS degree program
(3 credits).
Elective (Specialty) Component:
The Elective component consists of a number of specialty topic courses, again each of 3 credit
hours, and students are required to select 4 of these courses. Table 1 includes a detailed plan of
the curriculum. Please refer to Appendix A for detailed course descriptions.
Coursework will progress from core courses to more advanced specialty courses, culminating in
a capstone project course. Both 600 and 700-level core courses are designed to establish a solid
foundation for subsequent work beyond the master’s level. The basic core course CFRS 500 will
be offered every semester, while the other core courses will be offered each year, probably in
alternate semesters, until the CFRS student body builds up to warrant those courses being given
in every semester.
The Specialty courses are designed to provide students with advanced, more specialized,
graduate level studies and, depending on their level, may be offered less frequently. Students
may also be permitted to take a limited number of comparable specialty courses outside of the
program. A number of these specialty courses exist in currently ongoing programs in the CS
department on Information Systems Assurance (ISA) and information Systems (INFS). Two
examples of such courses already offered within the school of IT&E are ISA 774 Intrusion
detection and INFS 785 Data Mining for Homeland Security.
4
Table 1: M.S. in Computer Forensics Curriculum
Mandatory Core Component (18 credits from 21 credits)
Course
Title
CFRS 500*
Intro to Technologies of Value to
Forensics
Network Forensics
3
Digital Media Forensics
3
Operations of Intrusion Detection for
Forensics
Legal and Ethics in IT
Fraud and Forensics in Accounting
Advanced Computer Forensics
(CFRS Degree Capstone Course)
3
CFRS 660
(Currently TCOM 660)
CFRS 661
(Currently TCOM 661)
CFRS 663
(Currently TCOM 663)
Either
CFRS 760 * ++
Or
CFRS 770 * ++
CFRS 790 * +++
Credits
3
3
3
3
Specialty Courses (12 credits
from 21 credits)
Course
Title
Credits
CFRS 662
(Currently TCOM 662)
ECE 646
Advanced Secure Networking
3
3
LAW 181
Cryptography and Computer-Network
Security
Communications Law
SOCI 607
Criminology
3
CFRS 760 * ++
Legal and Ethics in IT
3
CFRS 770 * ++
Fraud and Forensics in Accounting
3
CFRS 780 *
Special Topics Course
3
3
(*)
Represents proposed new courses
(++) Both of these courses may be taken but only one may be used in the core component
(+++) CFRS 790 is the Capstone CFRS Course and may only be taken after a total of 18 credit
hours has been completed in the CFRS program, which shall consist of CFRS 500; at least two
courses drawn from TCOM 660, 661, and 663; and at least one course from CFRS 760 and 770.
5
The strong networking element of the CFRS program requires students to have detailed TCP/IP
and Internet Routing knowledge before entering the main CFRS program. If students lack this
background, they should take TCOM 509/529 (IP/Advanced IP) and TCOM 515 (Internet
Routing Lab), or equivalents, prior to CFRS 500. TCOM 509/529 and 515 are existing courses
offered every fall, spring, and summer as part of the MS in Telecommunications degree program.
It is worth noting that seven (7) courses within the proposed MS in Computer Forensics program
are existing courses that are taught in companion programs. Three (3) of these courses are in the
core component and four (4) are in the elective component of the proposed MS in Computer
Forensics program. Only five (5) brand new courses need to be developed, and their detailed
content, together with all of the other courses to be taught in the Ms in Computer Forensics
program, are given in Appendix A to this proposal. The requisite faculty are already available to
teach all of these courses and so no additional funds are requested for new faculty positions for
the proposed program.
Appendix B provides sample schedules for the CFRS degree completion for both full-time and
part-time students. Time to degree completion may involve more or less time depending on
student work load and courses chosen. It is anticipated that full-time students will graduate in
two years or less, while part-time students will take between two-and-a-half and four years.
These program durations match those of all 30 credit hour masters programs currently offered by
George Mason University. The same maximum permitted duration (6 years) that currently holds
for existing 30 credit hour masters programs at George Mason University will be applied to the
proposed Masters in Computer Forensics program, unless special conditions apply to a particular
student’s case. Under no circumstances will a program be permitted to extend beyond 10 years.
Admission Criteria
Students who hold a B.S. or B.A. degree from an accredited college or university in engineering,
math, science, computer science, business (with a quantitative background), economics, or other
analytical disciplines, or students who have equivalent work experience indicating analytical
aptitude, may apply to the M.S in Computer Forensics. Depending on their background, some
applicants may be required to complete 3 to 6 credits of preliminary course work before they are
allowed to enroll in any of the core courses or specialty courses in the program. The anticipated
courses some students will be required to take as a condition for admittance to the MS in
Computer Forensics program are TCOM 509 (Internet Protocols; 1.5 credits), TCOM 529
(Advanced Internet Protocols; 1.5 credits), TCOM 515 (Internet Routing lecture and lab; 3
credits), and TCOM 575 (Quantitative Fundamentals; 3 credits). TCOM 509, 529, 515, and 575
may not be taken for credit in the proposed MS in Computer Forensics program. A minimum
undergraduate GPA of 3.00 is required for acceptance.
Students may be admitted to the M.S. program, or they may be admitted for non-degree study
within the program, which allows them to take individual courses. Students in the non-degree
6
program have the option of transferring into the regular program, provided their GPA within the
M.S. in Computer Forensics program is 3.00 or above. Up to 12 credits earned in non-degree
study may be transferred into the regular program, provided each of the courses to be transferred
in was passed with a grade of B, or above. These conditions are the same as those currently
applied to most graduate degrees at George Mason University
Advancement to Candidacy
There is no dissertation or thesis requirement for this program and so all candidates admitted
under regular master’s status to the proposed MS in Computer Forensics program are candidates
for the degree. They graduate under the normal conditions that apply to master’s candidates:
completion of the required core courses; completion of the elective element of the program; total
of at least 30 credit hours with a minimum GPA of 3.000, no more than 6 credit hours worth of C
grades.
Faculty
The M.S. in Computer Forensics will utilize the large and diverse capabilities of the faculty of
the Volgenau School of Information Technology and Engineering (IT&E) where many courses
are currently taught in a variety of master’s level programs with a security or forensics emphasis.
The CS department houses the strong Information Security assurance (ISA) program, in addition
to a broad Information Systems (INFS) program that forms a strong element of the Ph.D. in
Information Technology available within the Volgenau School of Information Technology and
Engineering (VSITE). A number of interdisciplinary programs exist within VSITE that call on
faculty from other schools within George Mason University to teach within VSITE programs.
Examples are the School of Public Policy and the Law School that offer courses within VSITE
programs.
In addition to regular faculty, the Volgenau School of IT&E is fortunate to have a large pool of
experienced adjunct faculty with professional forensics experience in industry, government, or
similar organizational entities, who can be called on to teach within the MS in Computer
Forensics program. Some of these adjunct faculty have earned their master’s and doctoral
degrees within VSITE and they bring both a strong loyalty to George Mason University and an
extraordinarily strong and varied wealth of experience that will ensure a commitment to
excellence in the proposed MS in Computer Forensics program. The use of current working
forensics professionals and in-house research will ensure that the course content remains relevant
and the instruction is at the level that both the students and the organizations to be served by this
program demand. The proposed M.S. in Computer Forensics will be composed of faculty
members with the following collective credentials: information security, intrusion detection,
network forensics, digital media forensics, operating systems theory, software and hardware
theory, cryptography, cyber crime, digital evidence, telecommunications law, and ethics.
7
Table 2. BSIT Enrollments by Concentration 2005 and 2006
2005
FT
Freshmen
Other
Freshmen
Sophomores
Juniors
Seniors
TOTAL
ISN
4
10
47
106
210
377
CGW
0
2
7
25
62
96
DBMP
0
0
1
1
2
Undeclared
42
40
94
46
309
87
TOTAL
2006
784
FT
Freshmen
Other
Freshmen
Sophomores
Juniors
Seniors
TOTAL
ISN
20
9
57
113
220
419
CGW
11
7
19
22
48
107
DBMP
6
5
4
10
5
30
Undeclared
11
22
69
22
43
167
TOTAL
723
__________________________________________________________
Table source: http://irr.gmu.edu/off%5Fenrl%5Fconc/
th
Data extracted and prepared by Anne Marchant September 28 , 2007
Key
ISN = Information Security and Networking
CGW = Computer Graphics and Web
DBMP = Database Management and Programming
A key element in the proposed MS in Computer Forensics program is that it will not be starting
from scratch: the majority of the components necessary for the success of the program already
exist. At the undergraduate level, the thriving Bachelors of Science in Information Technology
(BSIT) program already has a very well populated concentration. The number of students in the
BSIT program in 2005 and 2006 academic years who have elected to concentrate on Information
Security and Networking (ISN) is shown in Table 2 above. As can be seen, in 2005 almost half
8
of the students (377 of 784) elected ISN as their major and the number was even larger in 2006
(419 of 723).
At the graduate level, there is an advanced certificate in Telecommunications Forensics and
Security (TFAS) that is currently offered within the existing MS in Telecommunications
(TCOM) program. The TFAS certificate has attracted a significant group of students who have
entered the MS in Telecommunications program, with about 10% of the TCOM students electing
to take the TFAS certificate. There are currently about 220 TCOM students and about 8 of the
80 TCOM students who graduated in each of the last two years (2005/6 and 2006/7) earned
TFAS certificates. Details of the courses and structure of the TFAS certificate are in given in
Table 3 below.
Table 3. Telecommunications, Forensics, and Security (TFAS)
Certificate Program
Mandatory Core Courses (9 credits from 18 credits)
TCOM 548/556
Security Issues in Telecom/Cryptography and Network
Security (1.5 credits each; total of 3 credits)
or TCOM 515
TCOM 562 (+)
Internet Protocol Routing (3 credits)
Network Security Fundamentals (3 credits)
or ISA 562 (+)
Information Systems Security (formerly INFS 762) (3 credits)
And either TCOM 660 (*)
Or TCOM 661 (*)
Network Forensics (3 credits)
Digital Media Forensics (3 credits)
Specialty Courses (6 credits from 12 credits)
TCOM 660 (*)
Network Forensics (3 credits)
TCOM 661 (*)
Digital Media Forensics (3 credits)
TCOM 662
Advanced Secure Networking (3 credits)
TCOM 663
Operations of Intrusion Detection for Forensics (3 credits)
(*) TCOM 660 and TCOM 661 cannot be taken twice for credit. If either course is taken in the
core element, it cannot be taken again in the specialty element.
(+) ISA 562 cannot be taken for credit if TCOM 562 is taken for credit, and vice versa.
9
Program Size and Viability
There are around 400 BSIT students graduating each year with an Information Security and
Networking (ISN) concentration from George Mason University. If 20% of this graduating pool
were to go on to graduate school the next year (a conservative estimate) and 20% of these were
attracted into the proposed MS in Computer Forensics program (again, a conservative estimate),
there would be 16 prospective incoming students a year, just from the BIS program at George
Mason University. More likely the number would be 3 or 4 times larger, giving an intake pool of
more than 50 applicants to draw from. It is also anticipated that the proposed MS in Computer
Forensics will attract those students within the MS in Telecommunications program who elected
to take the TFAS certificate within their TCOM program. Based on the strong demand for well
qualified applicants in the area of computer forensics in the local, and nationwide, job market, it
is confidently expected that the proposed program will attract at least 100 viable applicants a
year by the end of the second year of the program.
Program Administration
The proposed MS in Computer Forensics will be offered within the Electrical and Computer
Engineering (ECE) department of the Volgenau School of Information Technology and
Engineering (VSITE). The MS in Telecommunications (TCOM) is one of the master’s degrees
offered within the ECE department, and the TFAS certificate is one of two advanced certificates
offered within the TCOM program.
The following faculty members have been teaching courses in the TFAS certificate within the
TCOM program over the past several years:
Special Agent Robert Osgood (FBI)
– Digital media forensics, network forensics, digital evidence, cyber crime
Ms. Angela Orebaugh
– Information security, intrusion detection, network forensics
Dr. Aleksandar Lazarevich
– Information security, digital evidence, computer and network forensics,
advanced network security, basic switching lab
Dr. Thomas Shackelford
- Network engineering, Computer Security, Data Mining, Text Categorization,
Insider Threat Detection, and Data Forensics
In addition to faculty currently active in teaching within the TFAS certificate, the M.S. in
Computer Forensics will operate under an Advisory Committee composed of the following
members:
10
Dr. Andrzej Z. Manitius
– Chair of the Electrical and Computer Engineering department
Mathematics, Digital Signal Processing, Engineering
Dr. Jeremy Allnutt
– Professor in ECE and director of the TCOM program
Telecommunications, Satellite Communications, Digital Communications
Dr. Anne Marchant
– Associate professor in CS
Computer Crime, Forensics, Auditing, Ethics
David D. Hwang
– Assistant professor in ECE
Cryptographic hardware, Embedded Security
The advisory committee provides direction and management of the M.S. in Computer Forensics
program and curriculum.
Learning Outcomes and Assessment
Graduates from the M.S. in Computer Forensics will demonstrate superior academic skills in
computer forensics methods and practice. Students will have an understanding of the laws
associated with computer forensics and be able to present digital evidence in a court of law.
They will also be able to successfully seize, image, deconstruct, and analyze digital media,
analyze logs, decipher network traffic, and report this information in a suitable format. They will
be able to implement an intrusion detection system, construct signatures, and apply intrusion
detection in the forensics area. Students will be able to apply their classroom learning in a
variety of computer forensics positions in industry, government, and academia. They will also
demonstrate a foundation for advanced research in the computer forensics field.
As with all academic programs in George Mason University, assessment of student learning in
the proposed M.S. in Computer Forensics will take place at the levels of the student, the course,
and the program. Students will be assessed in a number of ways throughout the program.
Scholarly ability will be evaluated through course grading in seminar-style classes. Oral,
written, and analytical skills will be considered in course grading. The capstone class, CFRS
790, will assess the students overall learning with a project that consolidates the various courses
in the curriculum.
Course evaluations are conducted in every course in every term, providing the student’s
perspective on course effectiveness. Overall, the program will be reviewed on the 6-year cycle
typical of programs within the Volgenau school of Information Technology and Engineering.
Program review takes place under the guidance of the Office of institutional Assessment and
requires three semesters to complete. The outcomes of the process are a series of deliverables –
a self-assessment report and academic plan written by program faculty and a report by a review
team external to the program – and changes made to enhance the program. The Department of
Electrical and computer Engineering is scheduled for review of its programs in 2008-09.
11
Benchmarks of Success
The program’s goal is to train students to use their computer forensics knowledge and methods
effectively in industry, government, or academic positions. Specific benchmarks for success will
be based upon the program’s ability to attract high-quality applicants, the timely graduation of
qualified students, and job market placement.
Given the success of the TFAS certificate in the M.S. in Telecommunications program, which
has been in place for a little over two years, it is anticipated that the Master’s Program in
Computer Forensics will receive academically well-qualified applications for admission. The
quality of applicants will be measured against comparable Master’s programs in Computer
Forensics. Success must also be measured by the ways in which the program affects career
trajectories and job mobility once a student has completed the program.
The projected length of the program for a full-time student is two to three years. For part-time
students, it is difficult to estimate completion time, but it is approximately three to five years,
depending on the number of classes in which part-time students enroll each semester. Appendix
B provides sample schedules for degree completion for both full and part time students.
Follow-up surveys will evaluate the success of graduated students in the job market. It is
expected that for individuals who enter the program from a career position, they will most likely
derive the benefit of promotion upon completion of the Master’s. For students who desire to
enter academia, relevant faculty will assist graduates with obtaining entrance into a doctoral
program at an appropriate institution of higher learning. If program benchmarks are not
achieved, the program faculty will examine its marketing and recruiting practices, admissions
requirements, curriculum, instructional methods, advising practices, and course evaluations to
determine necessary program modifications. It is anticipated that as the program continues,
higher benchmarks in the areas of admission requirements and job placement will be developed
and applied.
Expansion of an Existing Program?
The success of the Telecommunications Forensics and security (TFAS) certificate within the MS
in Telecommunications program was the main stimulus for the development of a stand-alone MS
in Computer Forensics degree program. The MS in Computer Forensics degree program is
designed to both supersede, and enhance, the present course offerings in Forensics and Security
within the MS in Telecommunications program. The modifications are designed to enhance the
rigor of the forensics certificate. The MS in Computer Forensics is not offered in collaboration
with external academic institutions. However, the School of IT&E proposes to collaborate with
other programs at George Mason University, notably Sociology, Law, Computer Science, and
Information Systems. As a result of approval of the proposed MS in Computer Forensics
program, we will cease to offer the TFAS certificate. (Students currently registered for the
TFAS certificate at the time of approval of the MS in Computer Forensics will be offered the
opportunity of transferring to the MS in Computer Forensics, subject to a review of their
individual progress to date, or to continue within the TFAS certificate program until they
12
graduate.) The Ms in Computer Forensics will therefore not entail the requirement for additional
resources, but will constitute a reallocation of existing resources, within George Mason
University.
The Telecommunications Forensics and Security (TFAS) certificate is a 15-credit program
designed to provide students with an in-depth understanding of forensics and security as they
apply both to networks and digital storage media. The TFAS certificate was developed to
provide a specific concentration area within the MS in telecommunications degree program. The
TFAS certificate is the foundation of the proposed Master’s degree in Computer Forensics, with
three TCOM courses within the TFAS degree specifically adapted for the proposed MS in
Computer Forensics program. Details of the TFAS certificate can be found earlier in Table 3.
Justification for the Proposed Program
Response to Current Needs
This section provides background information on the proposed program, a description of what is
occurring in the field that warrants the proposed Masters in Computer Forensics program, and
evidence that the Commonwealth of Virginia needs this program to address emerging current
demands. It is anticipated that these needs will only expand in the future, leading to growth in
the proposed program.
What is Computer Forensics?
Computer forensics is the collection (seizure), processing, and analysis of information that has
either been transmitted or stored in digital form in such a way that this information (evidence)
can be successfully admitted into a court of law. Computer forensics is interdisciplinary in
nature with an emphasis on computer science, network engineering, telecommunications, law,
and ethics. There are two main subsets to the field of computer forensics:
(a) Digital media acquisition and analysis; and
(b) Network traffic collection, reconstitution, and analysis.
Although related to information security, computer forensics is a discipline unto itself.
Who Utilizes Computer Forensics?
Law enforcement utilizes computer forensics extensively in the investigation of all types of
crimes that involve the sending or storing of digital information. Computer forensics has been
successfully applied in so-called white collar crime that involves, amongst other things,
computer intrusion, identity theft, and child pornography matters. It has also been used
extensively in the investigation and prosecution of homicides, sexual exploitation, illegal drug
distribution, and just about every other crime that you can think of. The search and seizure of
13
evidence almost always involves the investigation of digital storage media or digital network
access either as the primary or secondary means for the commission of the suspected crime. The
digital information can range from the SIM cards of cell phones to complex network instructions.
Computer forensics is not for law enforcement alone. The private sector utilizes computer
forensics extensively. In fact, computer forensics is an integral part of civil cases. Organizations
also use computer forensics internally for quality control and investigative matters. With the
advent of the Sarbanes-Oxley Act of 2002 making corporate executives personally responsible
for the financial statements of the company, computer forensics is playing a crucial role in the
identification and presentation of key information that executives need to effectively run and
report operations.1
Why Computer Forensics?
The design and development of digital media or digital networks requires a certain skill set that
is taught in a number of programs, one of which is the current Masters in Telecommunications at
George Mason University. However, when a security breach has occurred in the storage or
transport of digital information, or has been suspected to have occurred, the examination of the
digital media or digital networks for evidence of wrongdoing cannot be undertaken in a
haphazard manner. For the information uncovered in the examination of digital media or digital
networks to be admissible in a court of law, there are rigorous standards set, which must be
followed exactly. The Masters in Computer Forensics program will offer to all those who take
the program the policies, procedures, and techniques that can be applied across a myriad of
situations. Whether it is the seizure of digital media in support of a criminal prosecution, civil
dispute, or internal corporate matter, the tools and techniques that computer forensics offer are
invaluable. These will be taught in the proposed Masters in Computer Forensics.
Impact of the proposed Masters in Computer Forensics on the Commonwealth of Virginia?
The Commonwealth of Virginia with its propinquity to the federal government, is the home of
computer forensic programs of many federal agencies that include: the Federal Bureau of
Investigation (FBI), Internal Revenue Service (IRS), United States State Department (USSD),
United States Postal Service (USPS), Drug Enforcement Administration (DEA), and Defense
Criminal Investigative Service (DCIS), just to name a few. Across the river in Washington D.C.
you will find the computer forensic programs of the Department of Homeland Defense (DHS)
and the United States Secret Service (USSS). On the state/local horizon, The Virginia State
Police (VSP), the Fairfax County Police (FCP), Arlington County Police (ACP), Prince William
County Police (PWCP), and other departments too numerous to mention have active computer
forensics requirements that necessitate both internal and external programs of instructions for
those employed by those agencies or forces. It is worth noting here that the Regional Computer
Forensics Group holds its annual meeting at George Mason University every summer. Please
1
www.ijde.org, Patzakis, John, New Accounting Reform Laws Push For Technology-Based Document Retention
Practices, International Journal of Digital Evidence, Spring 2003, Volume 2, Issue 1
14
visit http://rcfg.org for additional information. The most recent meeting was held from the 6th to
the 10th of August, 2007.
Corporate computer forensic presence in the Commonwealth include: Kroll Inc., MANDIANT,
Deloitte Touch, BearingPoint, Northrop Grumman, and Booz Allen Hamilton, again just to name
few. All of these organizations have both an internal instructional program and a requirement for
more formal external instruction.
The availability of a high quality Masters in Computer Forensics program at George Mason
University will enable local branches of federal agencies, as well as the various departments and
police forces in the State of Virginia, to send their officers and personnel for training in the
formal requirements of digital media and network forensics procedures. The impact on the State
of Virginia is expected to be very positive, both in the development of a cadre of forensics
experts who can assist in crime prevention and prosecution, and in the overall reputation of the
state for fostering such a program.
Evidence for the need for Computer Forensics experts
The Computer Security Institute, with the participation of the San Francisco Federal Bureau of
Investigation’s Computer Intrusion Squad, produces an annual report on computer crime and
information security titled: ―Computer Crime and Security Survey.‖ In this survey published
each year for the last 11 years, the rising tide of virus attacks, unauthorized access, and theft of
proprietary information (i.e., intellectual property) account for 74% of financial loss. In the most
recently published (2006) survey, 313 respondents identified over $52 million in losses due to
cyber crime. 50 percent of the survey respondents agreed with the statement ―compliance with
the Sarbanes–Oxley Act has raised my organization’s level of interest in information security. 2
There is clearly a current demand for experts in Computer Forensics, both in the commercial and
government (civilian and military) areas, and it is unlikely that this demand will decrease. If
anything, it will grow rapidly over the foreseeable future, as evidenced by the effects of the
Sarbanes–Oxley law. Computer forensics is a strong growth area.
Historical aspects of the proposed Masters in Computer Forensics program
The masters in computer Forensics program is not a spin-off degree program from another
masters program. However, the proposal for the Masters in Computer Forensics program had its
derivation in a concentration that is currently available in the Masters in Telecommunications
program. This concentration is the Telecommunications Forensics and Security (TFAS)
certificate that is a concentration requiring 15 credit hours to be taken within the 30-credit MS in
Telecommunications program. The proposed MS in Computer Forensics program will expand
upon the TFAS certificate, but it will not require the allocation of new resources to George
Mason University. Details of the existing certificate program (TFAS) have been given earlier.
2
www.gocsi.com.
15
Table 3 showed the courses in the TFAS certificate and, by reference to Table 1, the ratio of new
courses to be developed to existing can be seen to be less than 50%.
Anticipated Student Demand`
The first group of students who undertook the Telecommunications Forensics and security
(TFAS) certificate within their MS in Telecommunications degree graduated in May 2006 with
the second group following in May 2007. There were 9 students with TFAS certificates in both
of these graduating classes of about 90 students. The current enrollments in the TFAS certificate
are running at a little above this level (10%), and so it is anticipated that about a dozen students
would graduate each year with their TFAS certificate within their MS in Telecommunications
degree. All of the students who graduated were part-time students employed in the Northern
Virginia region, almost all taking 6 credit hours each semester. They average time to graduation
is therefore 30 months for the degree, giving a cadre of about 30 students who are engaged in
elements of the TFAS certificate at any one time. It is anticipated that the emergence of the
masters in computer forensics degree program will attract more students to the discipline,
perhaps 40 to 50 students, with about double this number applying each year for entry. The
majority of the current undergraduate students within the BSIT program at George Mason
University have chosen to take the Information Security and Networking (ISN) concentration. If
historical trends continue, in addition to those who have currently declared ISN as their major,
more than half of the undeclared students will also elect the ISN concentration, yielding around
500 graduates a year in this concentration.
The Survey Instrument given in Appendix E (pages E-1 and E-2) was posted on the web on
Friday, October 5th, 2007. Within four days, about 150 responses had been logged into the web
site (surveymonkey.com). The survey responses are shown on pages E-4 to E-9 in Appendix E.
The responses were overwhelmingly positive, with about 90% of those responding showing a
strong interest in such a program. If just 20% of those who responded positively were to sign up,
there would be 30 students registering for the program. The vast majority of those who
responded were: undergraduates who are currently in the BSIT program; currently living in
Virginia; preferred to come to the Fairfax campus for the forensics program; and felt it would
enhance their careers.
It is anticipated that the demand for the TFAS certificate within the TCOM program will drop
markedly when the proposed MS in Computer Forensics is offered, and an assessment will be
carried out about two years after the MS in Computer Forensics has been running to see whether
it is necessary to continue the TFAS certificate. When offered, classroom registration for
GMU’s three computer forensic courses: TCOM 660 (Network Forensics), TCOM 661 (Digital
Media Forensics), and TCOM 663 (Intrusion Detection and Forensics), averages 20 students per
class per semester, indicating that the demand for these courses is higher than those who are just
focusing on the TFAS certificate. It is very likely that students not in the proposed masters in
computer forensics program, but who are pursuing a different master’s degree in VSITE, will
take one or two courses in the computer forensics program as part of their master’s program.
Most master’s level programs in the VSITE permit students to take up to 6 credit hours outside
16
of their stated master’s degree to gain additional insights into other career options. These 6
credit hours are usually referred to as ―out of area‖ courses.
Anticipated Employment Demand
As can be seen in the information provided in preceding sections and in Appendix D, there is
expected to be a strong, and increasing, demand for graduates of the MS in Computer Forensics
program by the large number of federal, state, and local government agencies situated in Virginia
directly involved in the field of computer forensics, as well as private sector representation. The
field of computer forensics is a thriving activity in commercial business affairs, Virginia State
agencies and forces, and federal agencies and forces.
As reported by about.com, a simple search on the text string (key phrase) computer forensics at
Dice, a popular technical job bank, returned 145 jobs and consulting gigs. Monster.com, a
popular job bank that lists jobs of many types, returned 199.3
NOTE: Employment advertisements must reflect information obtained within six months of
submitting the proposal to SCHEV. SCHEV expects a PDF file of downloaded job
announcements that show the URL and date. Job announcements must show that a degree (at
the appropriate level) is required or preferred. See Appendix B for example. Print
announcements from the Web; do not incorporate them in your document. The Office of the
Provost will create the PDF.
Below are examples of positions in the field of computer forensics4:
Example #1
Company:
Title:
Date:
Location:
Position ID:
Dice ID:
DTI Global
Director of Computer Forensics
7-20-2007
Washington, DC
M-143
10121136
Job description:
Document Technologies (DTI) is America's fastest growing document outsourcing company.
We believe that we have achieved this success by providing our customers the highest level of
quality and service. This reputation for quality and performance rests 100% on the efforts of our
employees.
3
4
http://jobsearchtech.about.com/od/computerjob13/a/comp_forensics.htm
All examples from www.dice.com
17
In order to continue our growth and success, we must constantly look to add high-caliber
individuals to our team. If you have a "can do" attitude, together with a "client first" set of
priorities, we guarantee that we have an opportunity for you.
Please visit our website at www.dtiglobal.com for more information and other great job
opportunities.
We encourage diverse candidates to apply. Document Technologies Inc. is an equal
opportunity/AA employer.
DTI is seeking a candidate for the position of Director of Computer Forensics. The ideal
candidate will possess a bachelor’s degree and have a minimum of five years of experience in the
forensic sciences and a minimum of three years supervisory experience. Candidate must have
effective organizational and communication skills. Customer Service experience in a businessto-business sales environment or print industry experience is a plus. Up to 40% travel required.
Summary of responsibilities
Develop, maintain, implement and manage the regional strategic goals and departmental
standards.
Implement high level and ground level management of all regional projects. This includes sales
strategy, and project management.
Provide testing and validation of all hardware and software.
Lead licensing initiatives to legalize the department’s software licensing requirements.
Lead and assist with the creation, maintenance and implementation of the department’s
documentation store and master library.
Serve as regional lead on all forensic projects and functionally participate in project meetings.
Develop procurement and funding sources to initiate new technology and maintain good
vendor relations.
Implement global training for all internal employees. As well as lead an initiative to provide
profession forensic training to colleagues and peers.
Incumbent is responsible for creating and maintaining a collaborative work environment with
the other regional directors and VP of Technology.
The idea candidate must be willing to accept 30-40% travel.
Requirements and preferred skills:
18
Bachelors Degree in Computer Science or related area of study.
Experience with networking environments including Novell and Microsoft Windows NT.
Professional training of computer investigation techniques, application, and legal aspects is
highly desired.
Ability to independently conduct comprehensive analysis in all types of forensic microcomputer
and computer media searches and examinations.
Knowledge of computer science and laws related to computer evidence recovery as well as
procedures for the collection, preservation and presentation of computer evidence.
Skilled in the application of computer science to recover data which has been deleted/erased,
fragmented, hidden, or encrypted from data storage devices.
Demonstrated ability to evaluate and maintain hardware and software necessary for the
performance of computer related investigations.
Ongoing knowledge of state-of-the-art computer hardware and software technology which
impact computer related investigations.
Ability to communicate effectively, orally and in writing.
Flexibility to accommodate 24/7 availability to respond to crime scenes to assist in identifying,
securing, documenting, and seizing high technology evidence.
Membership in a least one Professional Computer Forensic group.
Experience speaking at forensic conferences preferred
Private Investigators license preferred
Expert witness certification in either Federal or State court
MCSE, CCNA, CCE, or similar certification
Law Enforcement, FBI or Military forensic experience
Must be willing to complete background check including; criminal, driving, credit history, as
well as drug test before hire.
Example #2
Company:
19
Neohapsis
Title:
Date:
Location:
Position ID:
Dice ID:
Senior Security Consultant- Digital Forensics
7-26-2007
Chicago, IL
Forensics
RTL403829
Job description:
Basic Function: Perform computer forensics services for clients
Responsibilities:
-Support sales personnel in communicating with clients to determine engagement scope
-Preserve, capture, and perform thorough forensic examinations on digital evidence while
following proper evidence custody and control procedures; document processes and results in
a manner suitable for admissibility as evidence
-Evaluate litigation discovery demands and other experts** reports and assist clients in
drafting discovery demands and responses
-Participate in and manage teams providing on-call and on-site incident response services
-Evaluate and develop clients** incident response programs, policies, and procedures; provide
first responder and incident response training
-Prepare clear, comprehensive, and timely written reports and affidavits
-Maintain frequent communication with clients to provide work-in-progress updates
-Testify as expert witness
Other
-Maintain proficiency in the current forensic industry standards and methodologies and
technology frameworks; provide SME briefings to sales and consulting personnel
-Perform rigorous, documented testing of third-party forensic tools to assess accuracy of
results
-Contribute to continuous enhancement of Neohapsis consulting methodologies
-Draft articles and participate as speaker in conferences
Required Qualifications
20
Technical
-Knowledge of computer forensics software, hardware, and methodologies, including use of
tools such as FTK, EnCase and Paraben
-Extensive hands-on experience with various electronic storage devices
-Understanding of network architectures and e-mail systems
Professional
-Understanding of principles of forensic integrity in information acquisition, analysis, and
reporting
-Ability to adhere to requirements for maintaining client confidentiality, attorney-client
privilege, and work-product privilege
-Excellent oral and written communication skills; ability to explain highly technical concepts
in concise, lay terms
-Strong analytical and organizational skills
-Self-starter with ability to work independently or in teams
-Sound judgment and ability to handle conflict and ethical issues professionally and
proactively and escalate appropriately
-Ability to work flexible and extended hours
-Suitable background history
Certifications (preferred, but may be obtained post-employment)
-EnCase(r) Certified Examiner (EnCE*)
-AccessData Certified Examiner (ACE)
-Certified Computer Examiner (CCE*)
Other Qualifications (preferred)
-Previous qualification as expert witness or other testimonial experience
-Civil or criminal investigations, corporate internal investigations, or litigation-related
experience
-CSIRT experience
21
-Understanding of intrusion detection systems (IDS)
-Experience in identifying full magnetic stripe data, PIN blocks, and CW2
-Experience in developing code or scripts for analyzing large volumes of forensic data
Education Requirements
-B.A./B.S. or a technical school certificate in science-related areas or 5+ years relevant
experience
Example #3
Company:
Title:
Date:
Location:
Position ID:
Dice ID:
ONSITE3
Senior Forensics Analyst
7-29-2007
Los Angeles, CA
0011004DIC
1012303
Job description:
Join our dynamic company, a lead provider of litigation services in the United States and abroad.
Servicing over 1500 clients and corporations, including a majority of the AmLaw 200 index of
top law firms in the U.S. we provide digital imaging, electronic data discovery, computer
forensics, coding, litigation copying, digital and offset printing services.
Why ONSITE3?
ONSITE3 is an exciting and growing company that thrives on the latest and greatest in an everchanging world of technology and can offer you a rewarding career. Electronic Evidence Labs a
Division of ONSITE3 is looking for a Computer Forensic Analyst to work in our lab in Los
Angeles, CA.
The Computer Forensics Analyst should have solid experience in conducting computer
forensic analysis and will be gaining experience in certain aspects of computer forensics such as
affidavit and report writing, working with customers, project managers and other personnel. This
position is geared toward gaining experience in all facets of computer forensics work.
Responsibilities will include:
Becoming knowledgeable and proficient at onsite data captures, data recovery,
22
forensic analysis, documentation, report writing, technical support, affidavits,
depositions and court testimony, as needed.
Providing effective Computer Forensic solutions following accepted protocols,
processes, and Chain of Custody.
Conducting effective Computer Forensic work using established tools and
techniques or by researching and becoming proficient in the use of new techniques.
Providing effective professional communication with customers through all forms of
communication.
Providing a high level of customer service and technical support as needed.
Learning the proper methods and techniques used for conducting forensic
investigations.
Business travel required at times to conduct onsite data collections, depositions,
testimony preparation, and appearances in court.
Hands-on experience EnCase, FTK, Paraben and other 3rd party software
Understanding of Network Architectures
Good Report/Affidavit drafting skills
Excellent communication and organizational skills
Bachelor's degree (B.A. / B.S.) from a four-year college or university, or a technical
school certificate in science related areas, or 5+ year's relevant experience, or equivalent
combination of education and experience.
Our company offers competitive salary, excellent benefits and unlimited potential for
growth in a high-speed work environment. Onsite is committed to providing a safe and
healthy work environment therefore enforces a drug free workplace policy.
Duplication of the Proposed MS in Computer Forensics at other Virginia State Universities
There are currently no Commonwealth universities that offer a Master of Science in Computer
Forensics. George Washington University currently offers a Master of Forensic Sciences with a
Concentration in High Technology Crime Investigation with approximately 80 students enrolled.
As a result of the lack of computer forensics programs in the Commonwealth of Virginia,
GMU’s program in not duplicative.
23
Letters of Support for the Proposed MS in Computer Forensics
Letters of support were received from the following individuals. Their letters have been copied
and place as attachments to this Proposal.
NOTE: Letters must be signed and on letterhead.
1. Individual 1
Mr. Lam D. Nguyen
Director, Boston computer forensics lab
Stroz Friedberg, LLC
160 federal street, Suite 901
Boston, MA 02110
2. Individual 2
Ms. Sandra E. Ring
Pikewerks Corporation
105 A Church Street, Madison, AL 35758
3.
4. Individual 3
5. Individual 4
6. Individual 5
[JEA has contact Jim Burrell to see if he has come contacts who would be willing to
support the CpFRS program:
Bob and Angela will also come up with some names for me to contact (or for them to
contact, whichever is the best approach.
I also asked Tom Shackelford to find someone to help in this]
24
What is the estimated headcount and FTE (full-time equivalent) students, including sources
for the projection? With the assistance of the institution’s planning or Institutional Research
office, complete and attach the “Summary of Projected Enrollments in Proposed Program.”
Based on current enrollment in computer forensic courses as well as students obtaining
the certificates in Telecommunications Forensics and Security (TFAS), it is estimated that initial
enrollment in the program is 20 students FTE. (See section V for summary of projected
enrollments in proposed program.)
25
The estimated headcount and FTE (full-time equivalent) students, including sources for the
projection. With the assistance of the institution’s planning or Institutional Research office,
complete the Summary of Projected Enrollments in Proposed Program.‖
Contact Renate Guilford ([email protected]) for helping in completing the table below.
______________________________________________________________________________
STATE COUNCIL OF HIGHER EDUCATION FOR VIRGINIA
SUMMARY OF PROJECTED ENROLLMENTS IN PROPOSED PROGRAM
Projected enrollment:
Year 1
Year 2
Year 3
Year 4
Target Year
20__ - 20__
20__- 20__
20__- 20__
20__- 20__
20__- 20__
HDCT
FTES
HDCT
FTES
HDCT
FTES
HDCT
FTES
HDCT
FTES
GRAD
Duplication
Include evidence that the proposed program is not unnecessarily duplicative of programs at other
institutions in Virginia. Describe how the proposed program is similar to and different from other
programs in this discipline in the region or state.
Discuss the number of such programs in the state, the average number of students enrolled
(headcount), and the average number of graduates over the past five years. Go to
http://research.schev.edu/enrollment/programmaticenrollment.asp for headcounts and numbers of
graduates in comparable programs.
Projected Resource Needs
In a narrative, describe the available and additional program resources anticipated in the
following categories, explaining the need to operate the program: As you describe resources,
you should also indicate their source. For example, ―The dean of the college has committed to
providing the program with one new tenure-track faculty line for 2008-09,‖ or ―The provost
provides each new Ph.D. program with a three-year Presidential Scholar’s Award.‖
Full-time Faculty
You’ve described in a previous section the faculty who will be assigned to the program. This is
where you indicate the FTE of full-time faculty necessary for teaching, advising, and directing
26
the program. See Appendix D for assumptions about resources, including teaching load per
student FTE.
Part-time Faculty from Other Academic Units
This is a SCHEV-created category intended to quantify the effort from full-time faculty from
outside the unit.
Adjunct Faculty
Graduate Assistants
Classified Positions
Targeted Financial Aid
Equipment
Library
Telecommunications
SCHEV wants to know about requirements for new telephone service for faculty, staff, and
students.
Space
Other Resources
27
Once you describe the resources you’ll need, see Wendy for assistance in developing the charts
for Parts Band C below. Appendix D provides the assumptions used for completing the charts.
______________________________________________________________________________
PROJECTED RESOURCE NEEDS FOR PROPOSED PROGRAM
Part A: Answer the following questions about general budget information.
Has or will the institution submit an addendum budget request
to cover one-time costs?
Has or will the institution submit an addendum budget request
to cover operating costs?
Will there be any operating budget requests for this program
that would exceed normal operating budget guidelines (for
example, unusual faculty mix, faculty salaries, or resources)?
Will each type of space for the proposed program be within
projected guidelines?
Will a capital outlay request in support of this program be
forthcoming?
Yes
No
x
Yes
No
x
Yes
No
x
Yes
x
Yes
No
Part B: Fill in the number of FTE positions needed for the program.
Program initiation year
20__ - 20__
Ongoing and
reallocated
Added
(new)
Total expected by
target enrollment year
20__ - 20__
Added*
Total FTE
positions
Full-time faculty
0.00
0.00
0.00
0.00
Part-time faculty [faculty FTE
split with other unit(s)]
0.00
0.00
0.00
0.00
Adjunct faculty
0.00
0.00
0.00
0.00
Graduate assistants
0.00
0.00
0.00
0.00
Classified positions
0.00
0.00
0.00
0.00
TOTAL
0.00
0.00
0.00
0.00
*Added after the program initiation year
28
No
x
Part C: Estimated $$ resources to initiate and operate the program.
Total expected by
target enrollment year
20__ - 20__
Program initiation year
20__ - 20__
Ongoing and
reallocated
Added
(new)
Full-time faculty
salaries
$
fringe benefits
$
Part-time faculty [faculty FTE split with other unit(s)]
salaries
$
fringe benefits
$
Adjunct faculty
salaries
$
fringe benefits
$
Graduate assistants
salaries
$
fringe benefits
$
Classified positions
salaries
$
fringe benefits
$
Total personnel costs
salaries
$
fringe benefits
$
TOTAL personnel costs
$
Equipment
$
Library
$
Telecommunication costs
$
Other costs (specify)
$
TOTAL
$
Total
resources
Added*
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
$
*Added after program initiation year
Part D: Certification Statement(s)
The institution will require additional state funding to initiate and sustain this program.
Yes
Signature of Chief Academic Officer
x
No
Signature of Chief Academic Officer
If “no,” please complete Items 1, 2, and 3 below.
29
1. Estimated $$ and funding source to initiate and operate the program.
Funding Source
Reallocation within the
department or school (Note below
Program initiation year
20__- 20__
Target enrollment year
20__ - 20__
the impact this will have within the
school or department.)
Reallocation within the
institution (Note below the impact
this will have within the school or
department.)
Other funding sources
(Please specify and note if these are
currently available or anticipated.)
2. Statement of Impact/Other Funding Sources.
3. Secondary Certification.
If resources are reallocated from another unit to support this proposal, the institution will not
subsequently request additional state funding to restore those resources for their original purpose.
x
Agree
Signature of Chief Academic Officer
Disagree
Signature of Chief Academic Officer
30
APPENDIX A
Course Descriptions
(a) Basic Catalog descriptions
CFRS 500*
Intro to Technologies of Forensics Value
This course will present an overview of technologies of interest to forensics examiners. It will
provide an introduction to operating systems, software, and hardware.
ISA 562
Information Security Theory and Practice
This course is a broad introduction to the theory and practice of information security. It serves as
the first security course for the MS-ISA degree and is required as a prerequisite for all
subsequent ISA courses (at the 600 and 700 levels). It also serves as an entry-level course
available to non-ISA students, including MS-CS, MS-ISE, and MS-SWE students.
CFRS 660 (Currently TCOM 660) Network Forensics
This course deals with the collection, preservation, and analysis of network generated digital
evidence such that this evidence can be successfully presented in a court of law (both civil and
criminal). The relevant federal laws will be examined as well as private sector applications. The
capture/intercept of digital evidence, the analysis of audit trails, the recordation of running
processes, and the reporting of such information will be examined.
CFRS 661 (Currently TCOM 661) Digital Media Forensics
This course deals with the collection, preservation, and analysis of digital media such that this
evidence can be successfully presented in a court of law (both civil and criminal). The relevant
federal laws will be examined as well as private sector applications. The seizure, preservation,
and analysis of digital media will be examined in this course.
CFRS 663 (Currently TCOM 663) Operations of Intrusion Detection for Forensics
Introduces students to network and computer intrusion detection and its relation to forensics. It
addresses intrusion detection architecture, system types, packet analysis, and products. It also
presents advanced intrusion detection topics such as intrusion prevention and active response,
decoy systems, alert correlation, data mining, and proactive forensics.
CFRS 760*
Legal and Ethics in IT
This course will present legal and ethics topics in a forensics context. It will include cyber legal
principles and types of crimes, witness testimony, and forensics report writing.
A-1
CFRS 770*
Fraud and Forensics in Accounting
This course will present an overview of fraud discovered in digital accounting systems and the
forensics of such systems.
CFRS 780*
Advanced Topics Course
Advanced topics from recent developments and applications in various areas of computer
forensics are covered in this course. The advanced topics are chosen in such a way that they do
not duplicate existing CFRS courses. Active participation of the students is encouraged in the
form of writing and presenting papers in various research areas of the advanced topic. The
course is designed to enhance the professional engineering community’s understanding of
breakthrough developments in specific areas of computer forensics. Examples of topics are
enterprise hardware systems and RAID, steganography, and cell phone and personal digital
assistant (PDA) forensics.
CFRS 790*
Advanced Computer Forensics
This course will be a capstone course that consolidates training before graduation and results in
the completion of a major applied project. Some class time used for discussion of projects, either
to monitor progress or explore alternative approaches. Readings, class-time discussion of current
trends, difficulties, and new opportunities for industry most relevant to module. Concludes with
presentations of projects.
TCOM 662
Advanced Secure Networking
This course deals with the advanced technologies in network security that can be applied to
enhance enterprise and ISP’s network security. It covers the network perimeter defense concept
and the various components for a complete layered defense system. It examines each component
and its technologies, including TCP/IP protocol vulnerabilities, router access control list (ACL),
dynamic ACL, firewall, network address translation (NAT), virtual private network (VPN),
IPSec tunnels, intrusion detection system (IDS), routing protocol security, denial-of-service
(DOS) attack, DOS detection and mitigation techniques.
ECE 646
Cryptography and Computer-Network Security
Topics include need for security services in computer networks, basic concepts of cryptology,
historical ciphers, modern symmetric ciphers, public key cryptography (RSA, elliptic curve
cryptosystems), efficient hardware and software implementations of cryptographic primitives,
requirements for implementation of cryptographic modules, data integrity and authentication,
digital signature schemes, key exchange and key management, standard protocols for secure
mail, www and electronic payments, security aspects of mobile communications, key escrow
schemes, zero-knowledge identification schemes, Smart cards, quantum cryptography, and
quantum computing.
A-2
LAW 181
Communications Law
A treatment of basic telecommunications law, policy, and regulation.
SOCI 607
Criminology
Crime and crime causation. Topics include social basis of law, administration of justice, and
control and prevention of crime.
(b) Detailed Course Descriptions
ISA 562
A-3
Information Security Theory and Practice
SCHOOL PROPOSAL TO THE GRADUATE COUNCIL
BY
SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING
1. CATALOG DESCRIPTION
a) CFRS 500 Intro to Technologies of Forensics Value (3:3:0)
b) Prerequisites: Graduate standing
c) Catalog Description:
Presents an overview of technologies of interest to forensics examiners. It will
provide an introduction to operating systems, software, and hardware.
2. JUSTIFICATION
(a) Course Objectives:
At the conclusion of this course, the student will have a foundation in the
technical concepts underlying the computer forensics field. Students will
understand information storage, the internals of several major operating systems
and their associated file systems, different types of software of forensic value, and
will be introduced to forensics tools and concepts.
(b) Course Necessity:
This course will ensure that students have a sufficient technical foundation to take
more technical courses in the program (CFRS 660, CFRS 661).
(c) Relationship to Existing Courses:
This is a new course in the CFRS MS program. It will be a required, first course
in the program.
3. APPROVAL HISTORY
ECE Department
Date:
IT&E Graduate Committee
Date:
IT&E Dean
Date:
4. SCHEDULING
Every semester, starting fall 2009.
Proposed Instructors: Dr. Anne Marchant, Dr. Jeremy Allnutt, Mr. Robert Osgood, and
other suitably qualified faculty.
5. COURSE OUTLINE
(a) Syllabus
Week 1
Course overview: Introduction to the course. Overview of computer hardware and
different types of systems.
A-4
Week 2
Information Storage and Media. Number systems and representation of
information. Hashes. Magnetic and optical media, flash drives, RAID arrays.
Week 3
Operating Systems. Overview of basic principles with an emphasis on file handling,
memory management, security, and distributed systems.
Week 4
Windows Operating System internals. Registry, ports and services, Recycle Bin,
System Restore.
Week 5
Windows File Systems and permissions.
Week 6
Posix based Operating Systems.
Week 7
Posix based File Systems and permissions.
Week 8
Course review; Mid-term exam
Week 9
Imaging and Analysis tools. FTK, Encase, dd, Knoppix, Win Hex
Week 10
Internet history, Registry Analysis, Exif Data.
Week 11
Applications of Encryption Technology. Password cracking, BitLocker
Week 12
Email and Packet sniffing
Week 13
Logging and Scripting
Week 14
Specialized Operating Systems (handhelds, phones, and other devices).
Week 15
Final exam
A-5
(b) Required Reading and Reference Material
D. Farmer, W. Venema, Forensic Discovery, Addison Wesley, 2005.
B. Carrier, File System Forensic Analysis, Addison Wesley, 2005.
S. Anson, S. Bunting, Windows Network Forensics and Investigations, Sybex,
2007.
(c) Student Evaluation Criteria
Mid-term:
25%
Hands-on assignments:
25%
Jump kit:
20%
Final:
30%
Hands-on assignments with freeware tools will allow students to experiment with
disk images, hashes, registry examination, password cracking, packet sniffing, and
some simple scripting.
Students will design their own ―jump kit‖ of computer forensics tools as a class
project.
A-6
CFRS 660 will be submitted for approval as a cross-listed course with TCOM 660. There will be
no change to the syllabus from that in TCOM 660.
SCHOOL PROPOSAL TO THE GRADUATE COUNCIL
BY
SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING
1. CATALOG DESCRIPTION
(a) CFRS 660 Network Forensics (3:3:0)
(b) Prerequisites: TCOM 509 and TCOM 529 and a working knowledge of computer
programming
(a) Catalog Description:
Deals with the collection, preservation, and analysis of network generated digital
evidence such that this evidence can be successfully presented in a court of law
(both civil and criminal). The relevant federal laws will be examined as well as
private sector applications. The capture/intercept of digital evidence, the analysis
of audit trails, the recordation of running processes, and the reporting of such
information will be examined.
2. JUSTIFICATION
(d) Course Objectives:
At the conclusion of this course, the student will have learned the laws, concepts,
tools, and methodologies necessary to collect, preserve, analyze, and present
network digital evidence in a court of law. The student will be able to
successfully analyze logs, decipher network traffic, and report this information in
a suitable format.
(e) Course Necessity:
Since the explosion of the Internet with the World Wide Web, our increasingly
internetwork-dependent society has been under attack by those who would
subvert the Internet for political, economic, and/or personal gain. The field of
network forensics represents how intercepted digital evidence is used to
document, identify, and successfully prosecute those who would exploit computer
networks. Viruses, trojans, worms, root kits, buffer overflows, and other
malicious code permeate society, and network forensics provides the tools and
techniques to determine and document what happened.
(f) Relationship to Existing Courses:
This is a new course in the TCOM program that has been designed to provide a
body of knowledge that is directly applicable to the needs of the
telecommunications industry. It builds on other courses within the program
(TCOM 501/502, TCOM 509, TCOM 548/556, and TCOM 562) with the goal of
applying network-engineering skills to the field of network forensics. This course
will work hand in hand with the new course TCOM 661 Digital Media Forensics
that will be offered in alternating semesters. It will also be a complementary
course to another new course, TCOM 662 Network Security Issues, and related
courses in INFS.
A-7
3. APPROVAL HISTORY
ECE Department
Date: (TCOM 660 October 18th, 2004)
IT&E Graduate Committee
Date: (TCOM 660 October 21st, 2004)
IT&E Dean
Date: (TCOM 660 November 2004)
4. SCHEDULING
Every fall and spring semester, starting fall 2009.
Proposed Instructors: Angela Orebaugh, Aleks Lazarevich, Tom Shackelford, Robert
Osgood, Jeremy Allnutt, and other suitably qualified faculty.
6. COURSE OUTLINE
(a) Syllabus
Week 1
Course overview: Introduction to the course and review of TCP/IP and Ethernet and
aspects required for network forensic analysis
Week 2
Presentation of Federal Laws: Federal laws pertaining to the interception of digital
evidence will be presented as they pertain to network forensics
Week 3
Intrusion methodologies: network vulnerabilities and likely attack points will be
presented
Week 4
Network data collection devices. The role routers, firewalls, intrusion detection
systems, together with access control systems will be presented.
Week 5
Log collection and analysis WINTEL:
Week 6
Log collection and analysis WINTEL (contd.):
Week 7
Course review; Mid-term exam
Week 8
Log collection and analysis Unix/Linux
Week 9
Log collection and analysis Unix/Linux (contd.)
A-8
Week 10
Using PERL to analyze log information
Week 11
Collection of online processes WINTEL
Week 12
Collection of online processes UNIX/LINUX
Week 13
Interception of digital evidence: Techniques for the interception of digital evidence
(Ethereal, Snoop, Etherpeek)
Week 14
Writing computer forensics reports
Week 15
Final exam
(b) Required Reading and Reference Material
‖Incident response & computer forensics‖, second edition, Kevin Mandia, Chris
Prosise, and Matt Pepe, McGraw Hill, ISBN# 0-07-222696-X
Reading assignments from the Web include the following sites:
www.house.gov
www.cert.org
www.cisco.com
www.ethereal.com
www.perl.org
www.foundstone.com
Suggested supplementary material includes:
―PERL by Example‖,
Ellie Quigley, Prentice Hall PTR, ISBN 0-13-655689-2
(c) Student Evaluation Criteria
A-9
Mid-term:
35%
Project:
30%
Final:
35%
CFRS 661 will be submitted for approval as a cross-listed course with TCOM 661. There will be
no change to the syllabus from that in TCOM 661.
SCHOOL PROPOSAL TO THE GRADUATE COUNCIL
BY
SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING
1. CATALOG DESCRIPTION
(a) CFRS 661 Digital Media Forensics (3:3:0)
(b) Prerequisites: TCOM 548 & TCOM 556 or TCOM 562; a working knowledge of
computer operating systems (e.g. CS 471 or equivalent), or permission from
instructor
(c) Catalog Description:
Deals with the collection, preservation, and analysis of digital media such that this
evidence can be successfully presented in a court of law (both civil and criminal).
The relevant federal laws will be examined as well as private sector applications.
The seizure, preservation, and analysis of digital media will be examined in this
course.
2. JUSTIFICATION
(d) Course Objectives:
At the conclusion of this course, the student will have learned the laws, concepts,
tools, and methodologies necessary to seize, preserve, analyze, and present digital
media evidence in a court of law. The student will have an understanding of: the
processes required for conducting digital media analysis; federal laws governing
the seizure of digital evidence, software and hardware, file system structures, and
steganography (digital watermarking).
(e) Course Necessity:
Computers permeate our lives and our lives are recorded on computers, however,
most computer storage media are volatile and, as such, they can be changed and
altered intentionally as well as unintentionally. Digital media forensics is a
discipline whose goal is to preserve information (evidence) on digital media in
such a way that this evidence can be successfully admitted into a court of law. In
both the public and private sectors, digital media forensics is being applied to a
broad range of issues to include: due diligence, intellectual property rights issues,
and high technology as well as more mundane criminal matters.
(f) Relationship to Existing Courses:
This is a new course in the TCOM program that has been designed to provide a
body of knowledge that is directly applicable to forensic activities in the
telecommunications industry. It builds on other courses within the TCOM
program (TCOM 548/556, and TCOM 562) with the goal of applying engineering
skills to the field of computer forensics. This course will work hand in hand with
two proposed new courses, TCOM 661, Network Forensics (that will be offered
in alternating semesters) and TCOM 662, Network Security Issues, plus related
course in INFS.
A-10
3. APPROVAL HISTORY
ECE Department
Date: (TCOM 661 October 18th, 2004)
IT&E Graduate Committee
Date: (TCOM 661 October 21st, 2004)
IT&E Dean
Date: (TCOM 661 November 2004)
4. SCHEDULING
Every fall and spring semester, starting fall 2009.
Proposed Instructors: Angela Orebaugh, Aleks Lazarevich, Tom Shackelford, Robert
Osgood, Jeremy Allnutt, and other suitably qualified faculty
5. COURSE OUTLINE
(a) Syllabus
Week 1
Course overview: Introduction to the course and the concept of seizure and
preservation of stored data
Week 2
Presentation of Federal Laws: Federal laws pertaining to the seizure of digital
evidence, particularly in stored media
Week 3
Documentation requirements: Procedures for ensuring accurate documentation of
the storage medium under investigation
Week 4
Operating System environments: WINTEL file system structures
Week 5
Operating System environments: UNIX/LINUX file system structure
Week 6
Storage media structure analysis (fixed)
Week 7
Storage media structure analysis (removable devices)
Week 8
Course review; Mid-term exam
Week 9
Write protection
A-11
Week 10
Imaging WINTEL
Week 11
Imaging UNIX/LINUX/Solaris
Week 12
Detailed storage investigations: Logical files, deleted files, slack space, free space,
and unallocated space
Week 13
RAID devices
Week 14
Quality control: Steganography; Commercial tools used in digital media forensics
Week 15
Final exam
(b) Required Reading and Reference Material:
Guide to Computer Forensics and Investigations; Bill Nelson, Amelia Phillips,
Frank Enfinger, Chris Steuart; Thomson Course Technology; ISBN: 0-61913120-9
Reading assignments from the Web include the following sites:
www.house.gov
www.microsoft.com
www.sun.com
www.foundstone.com
(c) Student Evaluation Criteria
.
A-12
Mid-term:
35%
Project:
30%
Final:
35%
CFRS 662 will be submitted for approval as a cross-listed course with TCOM 662. There will be
no change to the syllabus from that in TCOM 662.
SCHOOL PROPOSAL TO THE GRADUATE COUNCIL
BY
SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING
1. CATALOG DESCRIPTION
(a) TCOM 662 Advanced Secure Networking (3:3:0)
(b) Prerequisites: TCOM 509 (TCP/IP) and TCOM562 (network Security
Fundamental) and a working knowledge of network routing protocols
(c) Catalog Description:
This course deals with the advanced technologies in network security that can be
applied to enhance enterprise and ISP’s network security. It covers the network
perimeter defense concept and the various components for a complete layered
defense system. It examines each component and its technologies, including
TCP/IP protocol vulnerabilities, router access control list (ACL), dynamic ACL,
firewall, network address translation (NAT), virtual private network (VPN), IPSec
tunnels, intrusion detection system (IDS), routing protocol security, denial-ofservice (DOS) attack, DOS detection and mitigation techniques.
2. JUSTIFICATION
(d) Course Objectives:
At the conclusion of this course, the student will have learned the concept of
perimeter security, the components of a layer defense system, and the skills to
apply these techniques to design and to implement real-world network security. It
provides students with the opportunity to understand all potential network
vulnerabilities, the ability to examine and compare technologies that enhance the
network defense, and to evaluate evolving new standards and procedures.
(e) Course Necessity:
Since the explosion of the Internet with the World Wide Web, our increasingly
internetwork-dependent society has been under attack by those who would
subvert the Internet for political, economic, and/or personal gain. The field of
network security represents the defense components to prevent, detect, analyze,
and mitigate these attacks. New technologies emerge and new standards are being
proposed to defend against these constantly changing attack procedures. This
course will provide students with an understanding of the current state-of-art in
network security as well as the ability to examine and study emerging defense
procedures and new standards.
(f) Relationship to Existing Courses:
This is a new course in the TCOM program that has been designed to provide a
body of knowledge that is directly applicable to the needs of the
telecommunications industry. It builds on other courses within the program
(TCOM 501/502, TCOM 509/519, TCOM 548/556, and TCOM 562) with the
goal of applying network-engineering skills to the field of network security and
attack forensics. This course will work on the base of TCOM 562 and work hand
in hand with proposed new forensics courses TCOM 660 and TCOM 661 as part
A-13
of core courses within a network forensics and security certificate. Since it mostly
deals with network devices, routing protocols security and the routing techniques
instead of applications and servers, it will not significantly overlap, but be
complementary to, courses currently offered in Information Systems in the
security assurance area.
3. APPROVAL HISTORY
ECE Department
Date: (TCOM 662 October 18th, 2004)
IT&E Graduate Committee
Date: (TCOM 662 October 21st, 2004)
IT&E Dean
Date: (TCOM November 2004)
4. SCHEDULING
Every spring semester, starting spring 2005 and every spring thereafter.
Proposed Instructors: Dr. Jeremy Allnutt, Dr. Yunqing Wu, Dr. Aleks Lazarevich, Mr.
Scott Robohn and other suitably qualified faculty.
7. COURSE OUTLINE
(a) Syllabus
Week 1
Course overview: Introduction to the course and review of TCP/IP; TCP/IP protocol
vulnerabilities, review of general attack, defense techniques and recent trends.
Project discussion
Week 2
Perimeter security and layered defense model, router ACL: perimeter security
model, each components of layered defense system, first layer of defense: perimeter
router, router access control list (ACL), Cisco router ACL configurations and router
ACL defense case study
Week 3
Advanced filtering and deep packet scan: communication states, stateful filtering,
dynamic ACL, reflexive ACL, content-based ACL, deep packet scan
Week 4
Firewall and NAT/PAT: The role of firewall, different type of firewalls, network
address translation (NAT), port address translation (PAT), firewall case study, PIX
firewall and enterprise network security case study
Course project initiated
Week 5
VPN and IPSec tunnels: VPN concept, different types of VPN, remote access VPN,
GRE tunnels, MPLS layer 2 and Layer 4 VPN, review of public vs. private key
encryption techniques, IPSec VPN
A-14
Week 6
IPSec VPN and enterprise network security case study: continued IPSec VPN
discussion, Cisco configuration, enterprise network layered defense case study
Week 7
Intrusion detection system (IDS) and mid-term review: IDS introduction, IDS types:
host-based IDS and network-based IDS, IDS architecture, IDS roles, mid-term
examination review
Week 8
Mid-term examination and project progress discussion
Week 9
IDS continued: Snort system: Snort architecture, preprocessors, Snort rule set, snort
deployment, example rules, Snort enhancement and other post Snort projects
Week 10
Router security and routing protocol security: role of router, router hardening,
routing protocol security: EIGRP, OSPF, BGP, BGP with MD5 and other BGP
security proposals (sBGP, soBGP, TTL hack etc)
Week 11
Router security continued and ISP packet filtering: protecting routing engine: Cisco
rACL and Juniper firewall rules, BGP TTL hack, dynamic ACL filtering and routmap, anti-spoofing ACL, RPF (Reverse path forwarding) and uRPF (unicast reverse
path forwarding)
Week 12
ISP network security and DOS attack: DOS attack, different types of DOS attack,
DDOS (Distributed Denial-of-services), ISP security response procedure, typical ISP
attack identification and classification techniques, classification ACL, blackhole
filtering
Student projects due
Week 13
DOS attack detection and mitigation: remotely triggered blackhole filtering, sink
hole network, backscatter traceback techniques, netflow traceback, BGP policy
accounting traceback, DOS mitigation: ACL, uRPF, CAR (committed access rate)
and blackhole filtering
Week 14
Special topics in network security, project discussion, and final exam review: homenetwork security, wireless network security, VoIP security, email anti-spamming,
selected project discussion, and final review
A-15
Week 15
Final exam
(b) Required Reading and Reference Material
Mandatory textbook:
o Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual
Private Networks (VPN's), Routers, and Intrusion Detection Systems, Stephen
Northcutt, Lenny Zeltser, Scott Winters, Karen Kent Frederick, et al., New Riders
Publishing, Paperback, Published June 2002, 678 pages, ISBN 0735712328
Reference books:
o Hacker's Challenge 2: Test Your Network Security & Forensic Skills, McGrawHill Osborne Media; 2nd edition (December 18, 2002), ISBN: 0072226307
o Hacking Exposed: Network Security Secrets & Solutions, 4th Ed, Stuart McClure,
Joel Scambray, McGraw Hill, Paperback, 4th edition, Published February 2003,
768 pages, ISBN 0072227427
o Secrets and Lies: Digital Security in a Networked World, Bruce Schneier
Wiley, Hardcover, Published August 2000, 412 pages, ISBN 0471253111
o CCIE Professional Development: Network Security Principles and Practices,
Saadat Malik, Cisco Press, Hardcover, Published November 2002, 774 pages,
ISBN 1587050250
Online Resources:
o http://cert.org
o http://www.sans.org
o http://www.insecure.org
o http://www.snort.org
o http://www.ietf.org
(c) Student Evaluation Criteria
Mid-term:
Project:
Final:
A-16
35%
30%
35%
CFRS 663 will be submitted for approval as a cross-listed course with TCOM 663. There will be
no change to the syllabus from that in TCOM 663.
SCHOOL PROPOSAL TO THE GRADUATE COUNCIL
BY
SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING
1. CATALOG DESCRIPTION
(a) TCOM 663 Operations of Intrusion Detection for Forensics (3:3:0)
(b) Prerequisites: TCOM 509 and TCOM 529 and a working knowledge of computer
programming
(c) Catalog Description: Introduces students to network and computer intrusion
detection and its relation to forensics. It addresses intrusion detection architecture,
system types, packet analysis, and products. It also presents advanced intrusion
detection topics such as intrusion prevention and active response, decoy systems,
alert correlation, data mining, and proactive forensics.
2. JUSTIFICATION
(d) Course Objective:
At the conclusion of this course the student will have learned why and how
intrusion detection systems are used and how they are applied in the forensics
area. The student will also know how to implement an intrusion detection system,
analyze packets, and construct signatures. The student will also have advanced
knowledge of prevention and response technologies and other leading areas of
research in intrusion detection and forensics.
(e) Course Necessity:
The field of intrusion detection has seen a lot of changes over the last few years.
Symantec's March 2005 bi-annual report stated that security incidents per day
have risen from 10.6 in early 2004 to 13.6 in 2005. The increase in the volume
and sophistication of attacks, increases in network bandwidth, and the migration
from network-based to application-based attacks has created numerous
opportunities for advancement of intrusion detection systems. This has created a
demand for intrusion detection to provide forensics information and analysis for
the purpose of tracking, monitoring, identifying, and prosecuting attackers.
(f) Relationship to Existing Courses:
This is a new course in the TCOM program that has been designed to provide a
body of knowledge that is directly applicable to the needs of the
telecommunications industry. It builds on other courses within the program
(TCOM 501/502, TCOM 509, TCOM 548/556, and TCOM 562) with the goal of
applying engineering skills to the field of intrusion detection and forensics. This
course will work hand in hand with the TCOM 660 Network Forensics course that
will be offered in alternating semesters. It will be a complementary course to the
new course, TCOM 662 Advanced Secure Networking, and related courses in CS.
A-17
3. APPROVAL HISTORY
ECE Department
Date: (TCOM 663 October 20th, 2006)
IT&E Graduate Committee
Date: (TCOM 663 November 2006)
IT&E Dean
Date: (TCOM 663 November 2006)
4. SCHEDULING
Every fall semester, starting fall 2007 and every fall thereafter.
Proposed Instructors: Angela Orebaugh, Aleks Lazarevich, Tom Shackelford, Robert
Osgood, Jeremy Allnutt, and other suitably qualified faculty
1. COURSE OUTLINE
(a) Syllabus
Week 1
Course overview: Introduction to the course, review of TCP/IP, historic intrusion detection
systems, and other aspects required for intrusion detection and forensic analysis.
Week 2
Packet Analysis Part 1: Introduction to network analysis tools such as tcpdump and
Ethereal and examination of real world intrusions.
Week 3
Packet Analysis Part 2: Continuation of network analysis and examination of real
world intrusions.
Week 4
Fundamentals of IDS: Presentation of IDS architecture, misuse/anomaly/behavior
systems, host-based systems, network-based systems, IDS features, IDS products,
IDS testing.
Week 5
Introduction to Snort: Introduction to the open source Snort intrusion detection
system and usage.
Week 6
Snort Signatures and Analysis: Advanced Snort topics including signature creation.
Week 7
Vulnerability analysis for Intrusion Detection and Forensics: Address the need for
vulnerability analysis in conjunction with intrusion detection. Cover open source
products for vulnerability analysis.
A-18
Week 8
Mid-term exam
Week 9
Intrusion Prevention and Active Response: Present various prevention and response
techniques and open source products to implement the technologies.
Week 10
Decoy Systems for Detection and Forensics: Address honeypots/honeynets and other
techniques for collecting information for forensics and for performing intrusion
detection.
Week 11
Alert Correlation for Incident and Forensic Analysis: Present leading edge research
for intrusion detection and alert correlation including the TIAA toolkit.
Week 12
Advanced IDS Methods for Behavior Analysis: Present leading edge research for
intrusion detection and forensics by examining behavior in areas such as E-mail and
instant messaging.
Week 13
Data Mining/Proactive Forensics: Present data mining techniques for intrusion
detection, incident response, and forensics. Also present advanced techniques for
proactive forensics.
Week 14
Writing final reports
Week 15
Final exam
(b) Required Reading and Reference Material
No required reading material. Reading will be assigned from various Internet sites
and published research papers. The course will be delivered in a computer lab to
enhance the interactive component within the class.
Reading assignments from the Web include the following sites:
www.ethereal.com
www.snort.com
ACM and IEEE database
Optional supplementary material includes:
A-19
―Nessus, Snort, & Ethereal Power Tools : Customizing Open Source Security
Applications‖ by Brian Caswell, Gilbert Ramirez, Jay Beale, Noam Rathaus.
Syngress Publishing, ISBN# 1597490202.
―Investigative Data Mining for Security and Criminal Detection‖ by Jesus Mena.
Butterworth-Heinemann, ISBN# 0750676132.
(c) Student Evaluation Criteria
A-20
Mid-term:
30%
Homework:
15%
Final Paper:
25%
Final Exam:
30%
SCHOOL PROPOSAL TO THE GRADUATE COUNCIL
BY
SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING
1. CATALOG DESCRIPTION
(a) CFRS 760 Legal and Ethical Issues in IT (3:3:0)
(b) Prerequisites: Graduate Standing
(c) Catalog Description:
Presents legal and ethics topics in the context of computer forensics. It will
include legal principles, types of crimes, witness testimony, and forensics report
writing.
2. JUSTIFICATION
(d) Course Objectives:
At the conclusion of this course, the student will have learned and reflected upon
the legal principles and ethical standards underpinning the field of computer
forensics. The student will understand such concepts as: probable cause, the
―silver platter doctrine,‖ chain of custody, scienter, and Locard’s exchange
principle. Students will have examined the relationship of computer to other
disciplines. The student will also appreciate the role of professional
organizations, certifications and codes of ethics as they apply to professional
practice.
(e) Course Necessity:
As with any program in the fields of IT security or justice, a course in law and
ethics is necessary to ensure professional standards of conduct. The integration
of witness testimony and report writing will give students context in which to
apply legal principles and ethics.
(f) Relationship to Existing Courses:
This is a new course in the CFRS MS program. While it may be taken at any
point in the program to allow scheduling flexibility, students will be advised to
take it during their first year. While report writing is also covered in TCOM
660, note that reporting practices differ in different types of investigations and
that additional practice writing reports will be beneficial.
3. APPROVAL HISTORY
ECE Department
Date:
IT&E Graduate Committee
Date:
IT&E Dean
Date:
4. SCHEDULING
Proposed Instructors: Angela Orebaugh, Aleks Lazarevich, Tom Shackelford, Robert
Osgood, Jeremy Allnutt, and other suitably qualified faculty
A-21
5. COURSE OUTLINE
(a) Syllabus
Week 1
Course overview: Introduction to the course. Overview of types of legal systems.
Review of federal and state laws as they relate to computer crime (CFAA, ECPA,
USAPA, NET Act, DMCA, FISA, The Omnibus Crime and Control Act of 1968,
etc.), search and seizure, trap and trace, intellectual property, and computer forensics.
Week 2
Types of crimes and criminals. The rise of international crime and the role of grid
computing.
Week 3
Overview of local, state, federal, and international law enforcement agencies and
court systems. Student seminar presentations.
Week 4
Jurisdiction and evidence. Determination of jurisdiction, types of evidence, rules of
evidence, chain of custody, evidence integrity. Student seminar presentations.
Week 5
Formal discussion of ethics I. Ethical standards, codes of ethics, ethical decision
making. Student seminar presentations.
Week 6
Formal examinations of landmark cases. Student seminar presentations.
Week 7
Course review; Mid-term exam
Week 8
Formal discussion of ethics II: Ethics training, whistle blowing, balancing privacy
and the needs of law enforcement in a free society, cultural and ethical considerations
in the context of international investigations. Student seminar presentations.
Week 9
Guest speaker (lawyer, prosecutor, or law enforcement). Student seminar
presentations.
Week 10
Report writing. Establishing facts, style and use of language. Verification and use of
accredited tools. Student seminar presentations.
A-22
Week 11
Legal instruments and courtroom procedures. Subpoenas, warrants, and affidavits.
Discovery, presentation of evidence, cross examination. Student seminar
presentations.
Week 12
Expert witness testimony. Student seminar presentations.
Week 13
Mock courtroom trial. Student seminar presentations.
Week 14
The computer forensics professional. Professional organizations, certifications and
computer Forensics as it relates to other disciplines. Professional preparation and
lifelong learning. Review and Synthesis.
Week 15
Final exam
(b) Required Reading and Reference Material
Orin S. Kerr (2006). Kerr's Computer Crime Law: (American Casebook Series)
(American Casebook Series). West Group.
Philip J. Candilis, Robert Weinstock, Richard Martinez, Andrew Szanton (Editor).
(2007) Forensic Ethics and the Expert Witness. Springer.
Suggested supplementary material includes:
Codes of ethics:
IACIS.com
ISFCE
Cybersecurity Institute
(c) Student Evaluation Criteria
A-23
Mid-term:
25%
Presentations:
20%
Mock forensic report:
20%
Final:
35%
Examples of Seminar Presentation Topics:
FRED (Federal Rules of Evidence)
Kyollo v. US
Katz v. US
California v. Greenwood
Attend and report on a current trial
Pretexting
USAPA (Patriot Act)
Hewlett-Packard employee surveillance case
DOJ HTIU (High Tech Investigative Crime Unit)
DOJ CCIP (Computer Crime and Intellectual Property)
FBI RCFLs (Regional Computer Forensics Laboratory)
IC3 (Internet Crime Complaint Center)
Interpol and Europol
Counter forensics: U.S. v. Robert Johnson, 2005, State of Missouri v. Zacheriah
Tripp, Kucala Enterprises v Auto Wax Co
Vigilantism: Titan Rain case
Data profiling and ―anonymizer‖ investigative tools (Jeffrey Jonas)
Panopticon and expectations of privacy in a free society
Hacker culture, networks, publications, and DEFCON
Online child exploitation (child pornography, stalking)
Internet Fraud, botnets and spam
NIST standards
A-24
SCHOOL PROPOSAL TO THE GRADUATE COUNCIL
BY
SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING
1. CATALOG DESCRIPTION
(a) CFRS 770 Fraud and Forensics in Accounting (3:3:0)
(b) Prerequisites: Graduate standing
(c) Catalog Description:
Describes engagements that result from actual or anticipated disputes or litigation
in Forensic Accounting, which is a specialty practice area of accounting.
"Forensic" means "suitable for use in a court of law", and it is to that standard and
potential outcome that Forensic Accountants generally have to work. Forensic
Accountants often have to give expert evidence at the eventual trial.
2. JUSTIFICATION
(d) Course Objectives:
At the conclusion of this course, the student will have learned the laws, concepts,
tools, and methodologies necessary to collect, preserve, analyze, and present
financial evidence in a court of law. The student will be able to successfully
perform vertical analysis, horizontal analysis, ratio analysis, data-mining analysis,
and reasonableness testing. The student will develop an understanding of the
elements required in order to conduct a forensic examination.
(e) Course Necessity:
Fraud is a multi-billion dollar business. It is transnational and affects everyone.
The demise of MCI, Enron, and Arthur Andersen are examples of the breath and
scope of fraud. The goal of Forensic Accounting, which is different than that of a
financial audit, is to detect, quantify, and report fraud.
(f) Relationship to Existing Courses:
This is a new course in the Computer Forensics program that has been designed to
provide a body of knowledge that is an adjunct to the discipline of computer
forensics. This course is designed as an elective for students who wish additional
exposure to the forensic process.
3. APPROVAL HISTORY
ECE Department
A-25
Date:
IT&E Graduate Committee
Date:
IT&E Dean
Date:
4. SCHEDULING
Every spring semester, starting spring 2010 and every spring thereafter.
Proposed Instructors: Angela Orebaugh, Aleks Lazarevich, Tom Shackelford, Robert
Osgood, Jeremy Allnutt, and other suitably qualified faculty
5. COURSE OUTLINE
(a) Syllabus
Week 1
Introduction, project requirements, introduction to fraud
Week 2
Money laundering
Week 3
Financial reporting fraud
Week 4
Potential red flags and fraud detection techniques
Week 5
Financial statement fraud: revenue and receivables
Week 6
Financial statement fraud: other schemes and misappropriations
Week 7
Investigative techniques
Week 8
Background investigations
Week 9
Interviewing
Week 10
Analyzing financial statements
Week 11
Data mining in forensic accounting
Week 12
When and why to call in forensic investigators
Week 13
Project presentations
A-26
Week 14
Project presentations
Week 15
Final exam
(b) Required Reading and Reference Material
A Guide to Forensic Accounting Investigation
Golden, Skalak, and Clayton
Wiley Publishing
ISBN: 0-471-46907-6
Enron: The Rise and Fall
Lauren Fox
Wiley Publishing
ISBN:0-471-47888-1
Stolen Without A Gun: Confessions from inside history's biggest accounting fraud - the
collapse of MCI Worldcom
Walter Pavlo Jr. and Neil Weinberg
Etika Books
ISBN 0979755808
(c)
Student Evaluation Criteria
Project:
40%
Presentation
10%
Final:
50%
Project: A detailed analysis, from a forensic accounting perspective, of some illegal
activity. This illegal activity can be from a major publicized fraud, or it can be one
that is lesser known. The deliverable will be a detailed report covering the elements
of the fraud supported by forensic accounting work performed by the student. Each
student will be required to formally present their findings in class.
A-27
SCHOOL PROPOSAL TO THE GRADUATE COUNCIL
BY
SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING
1. CATALOG DESCRIPTION
(a) CFRS 780 Advanced Topics in Computer Forensics (3:3:0)
(b) Prerequisites: permission of instructor
(c) Catalog Description:
Covers advanced topics from recent developments and applications in various
areas of computer forensics are covered in this course. The advanced topics are
chosen in such a way that they do not duplicate existing CFRS courses. Active
participation of the students is encouraged in the form of writing and presenting
papers in various research areas of the advanced topic. The course is designed to
enhance the professional engineering community’s understanding of breakthrough
developments in specific areas of computer forensics.
2. JUSTIFICATION
(d) Course Objectives
This course is intended to provide students with the opportunity to learn about
advanced developments and applications in computer forensics that generally do
not fall into a specific existing course within the program.
(e) Course Necessity
The field of computer forensics is a dynamic area that deals with an ever-growing
field of specialized topics, and it is anticipated that within a few years of the
initiation of the MS in Computer Forensics program, there will be a demand to
cover some of these emerging topics. As with special topics courses and
advanced topics courses that have been offered in other disciplines, should a
particular advanced topic course in the CFRS program become a regular topic,
then it will be developed as a regular CFRS course and submitted for approval as
a regular CFRS course in the normal way.
(f) Relationship to Existing Courses
The course, and course content, do not have a specific relationship to any other
course, but the concept of CFRS 780 is similar to Advanced Topics courses
offered in many other programs, for example ECE 699 Advanced Topics in
Electrical and Computer Engineering and OR 750 Advanced Topics in Operations
Research.
3. APPROVAL HISTORY
ECE Department
Date:
IT&E Graduate Committee
Date:
IT&E Dean
Date:
4. SCHEDULING
When demand exists for such a course, it will be offered, usually only in the
A-28
regular fall or spring semesters
Proposed Instructors: Angela Orebaugh, Aleks Lazarevich, Tom Shackelford,
Robert Osgood, Jeremy Allnutt, and other suitably qualified faculty.
5. COURSE OUTLINE
(a) Syllabus
The detailed syllabus will be constructed at the time the proposed Advanced
Topics in Computer Forensics is to be offered. Approval to offer the course as
proposed will be through the usual channels for placing such courses on the
Schedule of Classes.
(b) Reading and Reference Material
To be determined at the time the specific course is offered for inclusion in the
schedule of Classes.
(c) Student Evaluation Criteria
This will depend on the structure of the specific Advanced Topics course, (e.g. it
may be directed at students completing a major forensics project; or it may be a
regular lecture-based course), but it is anticipated that the student evaluation will
be broken down as follows:
Homework:
20%
Midterm/project prelim. review: 40%
Final/project report:
A-29
40%
SCHOOL PROPOSAL TO THE GRADUATE COUNCIL
BY
SCHOOL OF INFORMATION TECHNOLOGY AND ENGINEERING
1. CATALOG DESCRIPTION
(a) CFRS 790 Advanced Computer Forensics (3:3:0)
(b) Prerequisites: CFRS 660, CFRS 661, and CFRS 663 Intrusion Detection and
Forensics
(c) Catalog Description:
Exposes students to advanced simulated case studies. Students will be required to
conduct computer forensic investigations of digital media, intercepted packet
switched data, and multi-source log information in order to successfully complete
each case study. This course is a capstone course for Master of Science in
Computer Forensics program to be taken in the last year prior to the completion of
degree requirement. As a capstone course, it will integrate the concepts and
practices in Computer Forensics program.
2. JUSTIFICATION
(d) Course Objectives:
At the conclusion of this course, the student will be able to conduct a full
computer forensic exam utilizing all of the tools and techniques and apply all of
the processes and procedures presented in the computer forensic program. This
will be accomplished through the use of case studies offered in a full computer
forensic laboratory environment. Each case study will require research and
forensic analysis resulting in a written report. For each case study, students will
be selected to give oral presentations. Every student will be required to give at
least two oral presentations.
(e) Course Necessity:
Since the explosion of the Internet with the World Wide Web, our increasingly
internetwork-dependent society has been under attack by those who would
subvert the Internet for political, economic, and/or personal gain. The field of
network forensics represents how intercepted digital evidence is used to
document, identify, and successfully prosecute those who would exploit computer
networks. Viruses, trojans, worms, root kits, buffer overflows, and other
malicious code permeate society, and network forensics provides the tools and
techniques to determine and document what happened. This course will coalesce
and bring together what is needed for today’s computer forensic examiner.
(f) Relationship to Existing Courses:
CFRS 790 builds on the work laid out in CFRS 660 (Network Forensics), CFRS
661 (Digital Media Forensics), and CFRS 663 (663 Intrusion Detection and
Forensics). These courses are currently listed as TCOM 660, TCOM 661, and
TCOM 662 respectively.
3. APPROVAL HISTORY
ECE Department
A-30
Date:
IT&E Graduate Committee
Date:
IT&E Dean
Date:
4. SCHEDULING
Proposed Instructors: Angela Orebaugh, Aleks Lazarevich, Tom Shackelford,
Robert Osgood, Jeremy Allnutt, and other suitably qualified faculty.
5. COURSE OUTLINE
(a) Syllabus
Week 1
Course overview: Introduction to the course and review of computer forensic tools
and techniques. Case Study 1 is presented for discussion and evaluation.
Week 2
Case Study 1 discussion. Application of tools and techniques to Case Study 1
examined.
Week 3
Case Study 1 due. Case Study 1 presentations given. Case Study 2 is presented for
discussion and evaluation.
Week 4
Case Study 2 discussion. Application of tools and techniques to Case Study 2
examined.
Week 5
Case Study 2 due. Case Study 2 presentations given. Case Study 3 is presented for
discussion and evaluation
Week 6
Case Study 3 discussion. Application of tools and techniques to Case Study 3
examined.
Week 7
Case Study 3 due. Case Study 3 presentations given. Case Study 4 is presented for
discussion and evaluation
Week 8
Case Study 4 discussion. Application of tools and techniques to Case Study 4
examined
Week 9
Case Study 4 due. Case Study 4 presentations given. Case Study 5 is presented for
discussion and evaluation
A-31
Week 10
Case Study 5 discussion. Application of tools and techniques to Case Study 5
examined
Week 11
Case Study 5 due. Case Study 5 presentations given. Case Study 6 is presented for
discussion and evaluation
Week 12
Case Study 6 discussion. Application of tools and techniques to Case Study 6
examined
Week 13
Case Study 6 due. Case Study 6 presentations given. Case Study 7 is presented for
discussion and evaluation
Week 14
Case Study 7 discussion. Application of tools and techniques to Case Study 7
examined
Week 15
Case Study 7 due. Case Study 7 presentations given. Examples of simulated case
studies are given at the end of this proposal.
(b) Required Reading and Reference Material
There will be no required text per se; however students will be responsible for
research that will come from the following sources, as a minimum:
Real Digital Forensics; Jones, Bejtlich, and Rose; Addison Wesley;
ISBN 0321240693
Wireshark & Ethereal; 1st Edition, Orebaugh, Ramirez, Beale; Syngress;
ISBN 1597490733
Mastering Windows Network Forensics and Investigation; Anson, Bunting; Sybex;
9780470097625
Incident Response & Computer Forensics; Mandia, Prosise, Pepe, Osborne;
ISBN 007222696X
Guide to Computer Forensics & Invesgtigations Second Edition; Nelson, Phillips,
Enfinger, Steuart; Thomson Course Technology; ISBN 0-619-21706-5
A-32
File System Forensics Analysis; Brian Carrier; Addison Wesley;
ISBN 0-321-26817-2
(c) Student Evaluation Criteria
Case Studies (Written Assignments):
80%
Oral Presentations:
20%
Examples of Case Studies for CFRS-790 Advanced Computer
Forensics
Case Study 1 – Opto-Medtronics Inc. Part 1
Opto-Medtronics Inc. (Opto-Med) is a publicly traded company specializing in optics
used in the medical industry. Unknown to most people, Opto-Med, has a division located
Vienna, Virginia that is dedicated to the U. S. Defense Department. Specifically, the Spatial
Support Division develops, builds, and maintains the optics that is equipped on Predator and
Global Hawk surveillance drones. These optical systems are the most sophisticated in the world
and classified Top Secret. All development and manufacturing work is performed in a secure
facility (SCIF) at Vienna, Virginia.
During a routine security sweep of the SCIF, security personnel found a small digital
camera under some papers in a work area. Personal cameras of any kind are forbidden in the
SCIF. The security personnel reviewed the contents of the camera which revealed numerous
photos of the DoD optics manufacturing processes. The security personnel in there zeal to report
this incident to the Chief Security Officer (CSO) somehow damaged the camera.
You are a computer forensics examiner working for Mason-Forensics (Ma-For), a small
computer company based in Fairfax, Virginia that recently entered into a contract with OptoMed to provide computer forensic services. You and your fellows examiners are former civilian
government and military and all possess the appropriate clearances.
The CSO contacts you and requests that you respond immediately to the Vienna, Virginia
office. The CSO provides the damaged camera to you and requests that you:
-Recover the data that is located on the SD card inside the camera
-Identify the owner of the camera if possible.
Deliverables:
1) Prepare and engagement letter to be signed by the CSO that:
A-33
- Specifically identifies what is required of you
- Specifically identify what is required of Opto-Med
2) Prepare a chain of custody for items provided to you by Opto-Med
3) Prepare a list of investigative steps that you will take in this matter to include:
-What non-technical investigative steps do you will take
-What technical investigative steps you will take
4) Perform the forensic analysis on the SD card and prepare a report for distribution to the CSO
and CEO of Opto-Med on your findings.
Case Study 2 – Opto-Medtronics Inc. Part 2
You have issued your report to Opto-Med and returned the camera, SD card, and images
created from the SD card to Opto-Med as well. The CSO contacts you stating that based on your
report, security has potentially identified the owner of the camera, an employee working at the
Vienna, Virginia facility. The CSO wants Ma-For to image and analyze the employee’s desktop
Internet computer as well as institute real-time content monitoring on that computer.
You recommend that Opto-Med contact federal law enforcement regarding this matter;
however, the CSO advises that, in discussions with the Corporation Council’s office as well as
the CEO, Opto-Med wants to be sure before notifying law enforcement. They do not want to
ruin the career of a long time employee without more proof.
Deliverables:
1) Prepare and engagement letter to be signed by the CSO that:
- Specifically identifies what is required of you
- Specifically identifies that the legal requirements have been met by Opto-Med allowing
you to perform this work.
2) Install the equipment for the real time collection
3) Image the hard drive of the employee’s desktop Internet computer
4) Prepare a chain of custody documents for the images and real time content collected
5) Prepare a list of investigative steps that you will take in this matter to include:
-What non-technical investigative steps do you will take
-What technical investigative steps you will take
A-34
6) Perform the forensic analysis on the hard drive image and prepare a report for distribution to
the CSO and CEO of Opto-Med on your findings.
Case Study 3 – Opto-Medtronics Inc. Part 3
Your collection system at Opto-Med has been running for two weeks. The CSO contacts
you and requests that you provide her with the findings of the analysis of the network traffic.
Opto-Med wishes to complete this part of the investigation and make a decision as to the status
of the employee.
Deliverable:
1) Prepare a report on your analysis of the network traffic for distribution to the CSO and CEO
of Opto-Med on your findings.
A-35
ECE 646
Cryptography and Computer-Network Security
Topics include need for security services in computer networks, basic concepts of cryptology,
historical ciphers, modern symmetric ciphers, public key cryptography (RSA, elliptic curve
cryptosystems), efficient hardware and software implementations of cryptographic primitives,
requirements for implementation of cryptographic modules, data integrity and authentication,
digital signature schemes, key exchange and key management, standard protocols for secure
mail, www and electronic payments, security aspects of mobile communications, key escrow
schemes, zero-knowledge identification schemes, Smart cards, quantum cryptography, and
quantum computing.
LAW 181
Communications Law
A treatment of basic telecommunications law, policy, and regulation.
SOCI 607
Criminology
Crime and crime causation. Topics include social basis of law, administration of justice, and
control and prevention of crime.
A-36
APPENDIX B Sample Schedule for M.S. in Computer Forensics Completion
Full Time Student Schedule
Fall
Spring
Year 1
CFRS 500, ISA 562, CFRS 660
Law 181, SOCI 607, CFRS 661
Fall
Spring
Year 2
CFRS 663,CFRS 760, CFRS 780
CFRS 790
Part Time Student Schedule
B-1
Fall
Spring
Year 1
CFRS 500, ISA 562
Law 181, SOCI 607
Fall
Spring
Year 2
CFRS 660, CFRS 760
CFRS 661
Fall
Spring
Year 3
CFRS 663, CFRS 780
CFRS 790
APPENDIX C Sample “Mini CV’s” for Faculty
Special Agent Bob Osgood is currently Chief of Digital Media exploitation for the FBI’s
Counterterrorism Division. He has over 20 years of experience in the fields of computer
forensics and Cyber crime. SA Osgood has an M.S. in Network Engineering, is a Cisco
engineer, A+ and Net + certified. SA Osgood currently teaches Digital Media Forensics and
Network Forensics in the GMU TFAS program.
Ms. Angela Orebaugh is an internationally recognized security technologist, scientist, and
author, with over 15 years of experience. Ms. Orebaugh is a Guest Researcher for the National
Institute of Standards and Technology (NIST), where she leads several security initiatives
including the authoring of security special publications, the National Vulnerability Database
(NVD), and electronic voting. At GMU she developed and taught the Intrusion Detection
curriculum, a core requirement of the TFAS program. Her current research interests include
peer-reviewed publications in the areas of intrusion detection and prevention, data mining,
attacker profiling, user behavior analysis, and network forensics. Ms. Orebaugh has a broad
spectrum of professional experience in information security, with hands-on expertise in security
architecture design and analysis, perimeter defense, vulnerability assessment and penetration
testing, forensics, intrusion detection and prevention, and incident handling and response. Ms.
Orebaugh is the author of several books on information security, and is currently scheduled to
defend her Ph.D. dissertation in spring 2008.
Dr. Aleksandar Lazarevich is a Senior Computer/Electronics Engineer with the Defense
Information Systems Agency. He is the operations managers and the Test Evaluation lead for
the DoD PKI program. He is an adjunct Professor with George Mason University and Masters
Degree program chair for the University of Fairfax. He has been the IT College Campus Chair
and the Area Chair for Networking and Operating Systems at the Northern Virginia campus of
University of Phoenix for two years and the IT department chair at WIU for four years. He has
over 33 years experience of Federal Civil Service in the field of Information Systems security
engineering and computer forensics. He holds the rank of Senior Member of the Institute of
Electrical and Electronics Engineers. He completed a PhD in Information Technology with an
emphasis in Information Assurance and computer forensics at George Mason University. His
research has been in the area of artificial intelligence modeling of evidence assessment. He
primarily teaches information security and computer forensic classes. He has represented the
U.S. Government in international forums for over three decades and has received recognition for
his expertise from numerous nations. Dr. Lazarevich was responsible for major information
system programs for such organizations as the White House Communications Agency, Executive
Office of the President and the Deputy Under Secretary of Defense for Logistics. He was elected
to the 2001 International Who’s Who of Information Technology.
Dr. Andrzej Z. Manitius received his Ph.D. degree from the Polytechnical University of
Warsaw, Warsaw, Poland in 1968. From 1968 to 1972 he held a junior faculty position with the
Institute of Automatics of the Polytechnical University of Warsaw. In 1972 and 1973 he was a
Visiting Associate Professor with the Center for Control Sciences at the University of Minnesota.
He subsequently joined the Mathematical Research Center at the University of Montreal,
Quebec, Canada, where he was an Associate and then Full Research Professor until 1981. From
C-1
1981 to 1988 he was a Professor in the Mathematical Sciences Department of the Rensselaer
Polytechnic Institute (RPI) in Troy, New York. While on leave from RPI, he served as Program
Director for Applied Mathematics (1986-1987) and Deputy Director, Division of Mathematical
Sciences (1987-88) at the National Science Foundation in Washington, D.C. He joined George
Mason University in September 1988 as Professor of Electrical and Computer Engineering. Dr.
Manitius’ research interests include mathematical aspects of control theory, including control of
distributed parameter and delay systems, optimal control, optimization, numerical and
computational methods in dynamical systems and control systems. He has published over 70
papers in his fields of interest, and held various editorial positions with several professional
journals. In 1991 he received American Mathematical Society's Citation for Public Service
related to his earlier work at the NSF.
Dr. Jeremy Allnutt earned his B.Sc. and Ph.D. in electrical engineering from the University of
Salford, UK, in 1966 and 1970, respectively. From 1970 to 1977 he was at the Appleton
Laboratory in Slough, England, where he ran propagation experiments with the US satellite
ATS-6 and the European satellites SIRIO and OTS. In 1977 he moved to BNR, now Nortel, in
Ottawa, Canada, and worked on satellite and rural communications projects before joining the
International Telecommunications Satellite Organization (INTELSAT) in Washington, DC, in
1979. Dr. Allnutt spent 15 years at INTELSAT in various departments. During this period he
ran experimental programs in Europe, Asia, Africa, North and South America, Australia, and
New Zealand, finishing as Chief, Communications Research Section. Dr. Allnutt spent one year
as Professor of Telecommunications Systems at the University of York, England, and then joined
the Northern Virginia Center of Virginia Tech in 1986, where he later ran the masters program in
ECE as well as being on the team that designed and set up the Masters in Information
Technology program. In August of 2000 he moved to George Mason University with dual
appointments: Director of the new Masters in Telecommunications program
(http://telecom.gmu.edu/) and Professor in the ECE department. Dr. Allnutt has published 100
papers in conferences and journals and written one book, most in his special field: radiowave
propagation. He is a Fellow of the UK IEE (now called IET) and a Fellow of the US IEEE.
Dr. Anne Marchant received her PhD from UC Berkeley in 1990. She is currently an Associate
Professor in the Department of Applied Information Technology teaching IT in the Global
Economy, Information Warfare, and Computer Crime, Forensics, and Auditing. She won a
GMU Teaching Excellence Award in 1999 while she was an instructor in the Computer Science
Dept teaching programming. Prior to coming to George Mason, she was an instructor for the
College of Engineering at UC Berkeley from 1990-1994. Her research interests include UAVs,
computer forensics, as well as technology related ethical and social issues.
Dr. David D. Hwang received the B.S., M.S., and Ph.D. degrees in electrical engineering from
the University of California, Los Angeles (UCLA) in 1997, 2001, and 2005, respectively. In
2004, he was a visiting international scholar at the Katholieke Universiteit Leuven in Belgium,
conducting research on cryptographic hardware and embedded security. From 2005-2006, he
was with KeyEye Communications, a semiconductor developer of multi-gigabit Ethernet
transceivers. From 2006-2007 he was a Senior Staff Scientist at Broadcom Corporation,
investigating VLSI signal processing algorithms and architectures for digital communication ICs.
He joined the electrical and computer engineering department of George Mason University as an
C-2
assistant professor in the spring of 2007. Dr. Hwang was a University of California Regents
Scholar, Department of Defense NDSEG Graduate Fellow, and a Hertz Foundation Graduate
Fellow. His research interests encompass cryptographic hardware for embedded system security,
digital signal processing architectures, and VLSI digital systems and circuits. He is a member of
IEEE, Tau Beta Pi, Eta Kappa Nu, and Phi Beta Kappa.
Dr. Thomas Shackelford has been working with computers and software design since 1986,
where his primary focus was with database administration, data management, and data analysis.
From here his career has taken him through various programming and network engineering
disciplines from main frames through client server environments. He currently works as the
Information Assurance Manager overseeing security design and implementation for a major
financial system. He received his Bachelors of Science Degree in Computer Science from
Chapman University, a Master of Science Degree in Information Systems Engineering from
Western International University, and a Doctorate in Philosophy degree in Information
Technology with a special emphasis in computer security from George Mason University. His
Dissertation topic was ―The Use of Advanced Data Mining Techniques to Develop Measures of
Document Relevance‖. The purpose of the papers was to study how document relevance could
be used to track insider threat in a networked environment. Dr. Shackelford’s interests are in
Network engineering, Computer Security, Data Mining, Text Categorization, Insider Threat
Detection, and Data Forensics.
C-3
APPENDIX D Sample Job Announcements with URL and Date
Most advanced computer forensics positions are listed on the web site of the leading computer
forensics association, the International High Technology Crime Investigation Association (with
the acronym HTCIA, rather than IHTCIA) - http://www.htcia.org/cgi-bin/chapters.cgi
There are 41 chapters currently affiliated with the HTCIA, some international (Brazil, Canada,
UK) but most in the USA. The chapter that covers Virginia is the ―Mid-Atlantic Chapter‖
(http://www.htcia.org/cgi-bin/chapters.cgi?idChapter=7)
All chapters have job postings that are for the area covered by the chapter. On the Mid-Atlantic
chapter’s web site, there were 18 positions advertised, the oldest dating from May 8th, 2007 and
the most recent October 4th, 2007. The positions range from what could be considered to be
entry level positions (Computer Forensics Specialist – Washington, DC) to senior level positions
(Senior Electronic Data Examiner, Falls Church, VA). Both positions are given below, extracted
on October 8th, 2007.
Employment Opportunity – Computer Forensic Specialist (Washington, D.C.)
(No pdf; the advertisement was extracted in Word format from the web listing
http://www.htcia.org/cgi-bin/chapters.cgi?idChapter=7 selecting the listing with the above title
on October 8th, 2007)
The High Technology Investigative Unit (HTIU) within the Child Exploitation and Obscenity
Section (CEOS) of the U.S. Department of Justice initiates investigations and conducts forensic
analysis on computer evidence in federal cases involving child exploitation and obscenity
crimes. It works closely with federal law enforcement agencies such as the FBI, Immigration
and Customs Enforcement (ICE), Secret Service, and the Postal Inspection Service; as well as
federal prosecutors all across the country. The mission of the HTIU is simple: Provide the most
accurate, up-to-date expertise on computer forensic matters and assist law enforcement in
bringing criminals who peddle in child exploitation and obscenity to justice.
The HTIU goes far beyond the bits and bytes of standard computer forensic examinations. HTIU
specialists are routinely asked to assist in national operations involving child exploitation over
the internet, special investigative initiatives, and research and develop new investigative tools
and techniques. In addition, HTIU specialists may be asked to assist in drafting proposed
legislation, developing and delivering training for law enforcement agencies, and testify as
experts in federal court. HTIU specialists frequently travel to various field offices to assist in the
prosecution of some of the worst criminal offenders.
The HTIU is expanding and currently has a need for qualified computer forensic investigators.
Candidates should have extensive knowledge in computer forensics and computer investigations,
Internet technologies, and an educational background in CS or similar degree. Previous
programming and applications development experience as well as experience in *nix OSs are
highly desirable.
D-1
Salary range is $46,041 to $103,220.
For how to apply, see Vacancy No. 07-CRM-KS-049 at www.usajobs.gov
For additional information about this position, please contact [email protected]
Senior Electronic Data Examiner, Falls Church, VA
(http://www.htcia.org/classified/sedfe.pdf October 8th, 2007)
Capital Legal Solutions is a highly innovative electronic service provider headquartered in Falls
Church, VA, part of the metro DC area region. Founded in 2002, we have rapidly expanded from a
vision to equip the legal community with cost effective, technology driven litigation support to an
industry leading electronic discovery provider.
Currently we are seeking a qualified SENIOR ELECTRONIC DATA FORENSICS EXAMINER.
The ideal candidate will have:
Superior management and client relationship skills
Experience overseeing fully defensible preservation of electronic data (including by HD image
acquisition) within large corporations
The ability to forensically harvest data from a wide variety of sources and storage media
Extensive background in preparing written reports
General networking and strong hardware knowledge are necessities
Be familiar with providing expert testimony
ENCASE certification and familiarity with FTK and LINUX is a plus.
Compensation will be highly competitive and based upon experience, training and educational
background.
To apply for this position, please send your resume to:
Robert Eisenberg
Vice President—E-Discovery Consulting
CAPITAL LEGAL SOLUTIONS, LLC
150 S. WASHINGTON ST.
SUITE 500
FALLS CHURCH, VA 22046
Tel: 703-226-1544
Fax: 703-226-1550
Email: [email protected]
For more information about our company and this position, please visit our website at
www.capitallegals.com .
D-2
APPENDIX E Sample Survey Instrument
George Mason University is developing a Master’s in Computer Forensics program for
implementation in fall 2008. The proposed M.S. in Computer Forensics will prepare students for
careers in industry, government, and academia by combining academic education with real world
practical techniques. Emphasis is placed in the program on training students to use and apply
computer forensics methods and knowledge in a variety of real life scenarios. Computer forensic
examiners (CFE) work in both the public and private sectors, and the Washington, D. C. area is
home to a large work force of CFEs. These CFEs work for the FBI, DEA, USSS, as well as with
the vast majority of Inspectors General and local police departments. Practically all of the major
accounting and consulting firms employ computer forensic examiners on staff, and there is a
growing cadre of independent consultants that work in this field. The American Society of
Crime Lab Directors (ASCLAD), the governing association in the field forensics sciences,
requires that all computer forensic examiners possess a bachelors degree with significant course
work in math and science.
As a result of successfully completing this program, students should have the necessary skills
and knowledge to perform in a variety of computer forensic roles, including forensics examiner,
and the ability to earn an advanced degree.
We have prepared the survey below to gauge interest in the program. Your answers to the
following questions will be used in summary form only. No personally-identifiable information
will be released. Please feel free to contact Dr. Jeremy Allnutt at [email protected] if you would
like more information about the proposed program.
Thank you.
E-1
Yes
1. Would you be interested in enrolling in a program like this?
(If no, then skip to question 3.)
2. If yes, would you prefer to attend the program on a full-time or part-time basis?
Fulltime
No
Parttime
Not
sure
3. Have you ever applied to an institution offering a similar program? If so, which program,
at which school?
Yes
No
4. Are you currently attending George Mason University?
If so, in what program:
Yes
No
5. FOR STUDENTS CURRENTLY IN MASON PROGRAMS AT THE SAME LEVEL:
If this program had been available when you initially applied to Mason, would you have
applied for admission to it?
Yes
No
6. FOR STUDENTS CURRENTLY IN MASON PROGRAMS AT THE SAME LEVEL:
Are you currently enrolled, or are thinking of enrolling in, a certificate as part of your
master’s degree? If you answered yes, could you please put down the name or acronym of
the certificate (e.g. TFAS, ANPT, and WIRE).
Yes
No
Yes
No
Yes
No
Certificate program:……………………………………………….
7. FOR STUDENTS WHO LEFT MASON TO PURSUE EDUCATION ELSEWHERE:
If this program had been available when you completed your current program, would you
have applied for admission?
8. FOR STUDENTS WHO LEFT MASON BUT HAVE NOT PURSUED FURTHER
EDUCATION: If this program had been available when you completed your current
program, would you have applied for admission?
9. FOR STUDENTS WHO ANSWERED ―Yes‖ TO QUESTIONS 5, 7, OR, 8, COULD
YOU PLEASE TELL US WHAT YOUR PRINCIPAL BACKGROUND IS IN TERMS OF
YOUR CURRENT JOB OR INTEREST (Please check the most appropriate area below)
(a) IT …………. ……….
(b) Legal …………..………..
(c) ADJ ….....…………….
(d) Accounting …………
(e) Law enforcement ……….
(f) Teacher ……………….
(g) Other ……………… (Please explain below)
E-2
10. FOR STUDENTS WHO ANSWERED ―Yes‖ TO QUESTIONS 5, 7, OR, 8, COULD
YOU PLEASE TELL US WHAT PART OF COMPUTER FORENSICS INTERESTS
YOU THE MOST (Please check the appropriate area bellow)
(a) Hardware Forensics ……………….
(b) Software Forensics ……………….
(c) Network Forensics .………………..
(d) Search and Seizure ……………….
(e) Trap and Trace …………………….
(f) Law and Ethics as related to
Computer Forensics ………………
(g) Other (Please explain bellow)
11. In which state do you currently live?
Virginia
Maryland
…………………………………………………………………..
DC
Other
12. Do you plan to live in this state or country for the next three or four years?
Yes
No
13. Are you currently employed? (If not, then skip to 17.)
Yes
No
If you answered ―Other‖, which state or country (if not the USA) do you live in?
14. If you are employed, please identify the state in which you work.
If you answered ―Other‖, could you please tell us where you currently work
…………………………………….
Virginia
Maryland
DC
Other
15. If you are employed, are you employed full-time or part-time?
Fulltime
16. If you are employed, would the proposed program help you in your work?
17. Please feel free to provide below any additional comments about the proposed program.
E-3
Yes
Parttime
No
Responses on October 8th, 2007 to the web-based questionnaire
The Questionnaire became ―live‖ on Friday, October 5th, 2007. The responses below were taken
over the Columbus Day weekend.
Q1. Would you be interested in enrolling in a program like this?
answer options
Yes
No
Response
Percent
90.6%
10.1%
answered
question
skipped
question
Response Count
135
15
149
0
Q2. Would you prefer to attend the program on a full-time or part-time basis?
answer options
Full-time
Part-time
Not sure
Response
Percent
28.0%
60.6%
11.4%
answered
question
skipped
question
Response Count
37
80
15
132
17
Q3. Which campus of George Mason would you prefer:
answer options
Fairfax
Prince William
Loudon
Response
Percent
73.5%
24.2%
2.3%
answered
question
skipped
question
Response Count
97
32
3
132
17
Q4. Which type of classes do you prefer:
answer options
Distance Education (online)
Traditional Lecture (face-to-face)
A combination of both distance and
traditional.
E-4
Response
Percent
3.0%
44.4%
52.6%
answered
question
Response Count
4
59
70
133
skipped
question
16
Q5. Have you ever applied to an institution offering a similar program?
answer options
Yes
No
Response
Percent
1.4%
98.6%
answered
question
skipped
question
Response Count
2
145
147
2
Q6. If so, which program, at which school?
answer options
Program
School
Response
Percent
100.0%
100.0%
answered
question
skipped
question
Response
Count
4
4
4
145
Q7. Are you currently attending George Mason University?
answer options
No
Yes
Response
Percent
17.7%
82.3%
(Please
specify
program)
answered
question
skipped
question
Response
Count
26
121
Response
Percent
65.4%
34.6%
answered
question
skipped
question
Response
Count
17
9
110
147
2
Q8. Are you a former GMU student?
answer options
Yes
No
E-5
26
123
Q9. FOR STUDENTS WHO LEFT MASON TO PURSUE EDUCATION ELSEWHERE:
If this program had been available when you
completed your current program would you have
applied for admission?
Response
Percent
80.0%
20.0%
answered
question
skipped
question
answer options
Yes
No
Response
Count
4
1
5
144
Q10. FOR STUDENTS WHO LEFT MASON BUT HAVE NOT PURSUED FURTHER EDUCATION: If this
program had been available when you completed your current program, would you have applied for
admission?
Response
Percent
70.0%
30.0%
answered
question
skipped
question
answer options
Yes
No
Response
Count
7
3
10
139
Q11. FOR STUDENTS CURRENTLY IN MASON PROGRAMS AT THE SAME LEVEL:
If this program had been available when
you initially applied to Mason would you
have applied for admission to it?"
answer options
Yes
No
Response
Percent
74.4%
25.6%
answered
question
skipped
question
Response
Count
61
21
82
67
Q12. FOR STUDENTS CURRENTLY IN MASON PROGRAMS AT THE SAME LEVEL: Are you currently
enrolled, or are thinking of enrolling in, a certificate as part of your master’s degree?
answer options
Yes
E-6
Response
Percent
49.4%
Response
Count
39
No
50.6%
answered
question
skipped
question
40
79
70
Q13. Please enter the name or acronym of the certificate (e.g. TFAS, ANPT, and WIRE).
Response Count
22
22
127
answered question
skipped question
Q14. Please tell us what your principal background is in terms of your current job or interest:
Response
Percent
94.7%
0.0%
3.8%
0.8%
0.0%
0.8%
Other
(please
specify)
answered
question
skipped
question
answer options
IT
Legal
Law Enforcement
Administration of Justice
Accounting
Teacher
Response
Count
125
0
5
1
0
1
15
132
17
Q15. Please tell us what part of computer forensics interests you the most:
answer options
Hardware
Forensics
Software
Forensics
Network
Forensics
Search and
Seizure
Law and Ethics
Trap and Trace
Response Percent
Response Count
19.0%
26
22.6%
31
38.7%
53
6.6%
6.6%
6.6%
Other (please
specify)
answered question
skipped question
9
9
9
2
137
12
Q16. In which state do you currently live?
answer options
E-7
Response Percent
Response Count
DC
Maryland
Virginia
0.7%
0.0%
99.3%
Other (please
specify)
answered question
skipped question
1
0
140
0
141
8
Q17. Do you plan to live in this state or country for the next three or four years?
answer options
Yes
No
Response Percent
93.6%
6.4%
answered question
skipped question
Response Count
132
9
141
8
Q18. Are you currently employed?
answer options
Yes
No
Response Percent
83.0%
17.0%
answered question
skipped question
Response Count
117
24
141
8
Q19. Please identify the state in which you work:
answer
options
DC
Maryland
Virginia
Response
Percent
8.5%
4.2%
87.3%
Other (please
specify)
answered
question
skipped question
Response Count
10
5
103
0
118
31
Q20. Are you employed full-time or part-time?
answer
options
Full-time
Part-time
Response
Percent
64.1%
35.9%
answered
question
skipped question
Response Count
75
42
117
32
Q21. Would the proposed program help you in your work?
answer
options
E-8
Response
Percent
Response Count
Yes
No
65.8%
34.2%
answered
question
skipped question
77
40
117
32
Q22. Please feel free to provide below any additional comments about the proposed program:
Response Count
answered
question
skipped
question
E-9
30
30
119
APPENDIX F
Assumptions Used in Developing Resource Projections
Faculty FTE
Undergraduate:
Graduate:
Adjunct:
GTA:
18 student FTE = 1 faculty FTE
12 student FTE = 1 faculty FTE
8 3-credit courses/year = 1 faculty FTE
4 3-credit courses/year = 1 full-time GTA = 0.5 FTE
Salary
Full professor:
Assistant professor:
Adjunct:
GTA:
GRA:
Pres. Scholar GRA:
$90,000
$60,000
$1,070/credit (undergraduate)
$1,150/credit (graduate)
1 FTE = 8 classes * 3 credits/class * adjunct rate
$22,000 ($10,000 stipend + $12,000 tuition)
$24,000 ($12,000 stipend + $12,000 tuition)
$30,000 ($18,000 stipend + $12,000 tuition)
Fringe benefits
Full-time faculty:
Adjunct:
Classified:
Admin faculty:
GTA:
.2765
.0765
.3541
.2825
0
Equipment
New full-time faculty and staff get a computer:
New full-time faculty and staff get a desk and chair:
Telecommunications
New faculty and staff get a telephone:
Annual charges:
E-10
$750
$240
$2,000
$3,000
`