
CTE/Digital Technology Curriculum Cyber Forensics

Core Standards of the Course

STRAND 1
Forensic Basics

Cyber Forensics Core

Standard 1
Understand how to analyze forensic images

  1. Apply basic forensic analysis using NIST-accepted forensic techniques.
  2. Outcomes include:
    • Understand how to use a forensic tool to analyze an image.
    • Identify the actors involved, verify authenticity (integrity), and identify violations of company policy.
    • Compare a reference image and the current image side by side and spot the differences.
    • Follow a defined procedure and document each step.

Standard 2
Outline the process for creating a forensically sound image.

  1. Understand that a device, when found, is left in the state in which it was found to preserve the integrity of the data.
  2. Isolate the original media, image it, and hash both the original and the image so that matching hashes prove the copy's integrity.
  3. Use a write blocker to prevent the original from being modified or overwritten during acquisition.
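The acquisition procedure above, worked through in code. This is an added example, not part of the Utah standard: the "device" is an ordinary file standing in for a block device such as /dev/sdX, the 1 MiB chunk size and the evidence-log format are assumptions, and the read-only open is a software precaution that does not replace the hardware write blocker the standard requires.

```python
import datetime
import hashlib
import json
import os

CHUNK = 1024 * 1024  # read size in bytes; an assumption, any size works


def hash_file(path, algorithm="sha256"):
    """Hex digest of a file, read in chunks so images larger than RAM still work."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, log_path, examiner="examiner"):
    """Copy `source` bit for bit to `image_path`, hash both, and append an evidence-log record."""
    h_source = hashlib.sha256()
    # Open the source read-only. This is a software precaution only; it does not
    # replace the hardware write blocker the standard calls for.
    fd = os.open(source, os.O_RDONLY)
    with os.fdopen(fd, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_source.update(block)  # hash the bytes as they are read from the source
            dst.write(block)
    # Re-read the finished image independently and hash it again.
    image_digest = hash_file(image_path)
    record = {
        "source": source,
        "image": image_path,
        "bytes": os.path.getsize(image_path),
        "sha256_source": h_source.hexdigest(),
        "sha256_image": image_digest,
        "verified": h_source.hexdigest() == image_digest,
        "acquired_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "examiner": examiner,
    }
    with open(log_path, "a") as log:  # append-only log, one JSON record per line
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path, expected_sha256):
    """Re-hash the image later (for example before analysis) and compare with the logged value."""
    return hash_file(image_path) == expected_sha256


if __name__ == "__main__":
    import tempfile

    work = tempfile.mkdtemp()
    device = os.path.join(work, "usb-stick.bin")  # constructed stand-in for /dev/sdX
    with open(device, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))
    rec = acquire_image(device, os.path.join(work, "usb-stick.dd"), os.path.join(work, "acquisition.log"))
    print("image verified:", rec["verified"], rec["sha256_image"])
```

The source hash is computed from the bytes as they leave the device and the image hash from a second, independent read of the finished file; the two matching is what makes the copy forensically sound, and verify_image repeats the check any time the image is opened afterwards.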

Standard 3
Understand Metadata

  1. Understand what metadata is and why it is important, including metadata found in email, images, web files, documents and other files, and GPS (Global Positioning System) data.
  2. Analyze metadata to identify anomalies and outliers that point to an incident.
  3. Alter metadata to hide a secret message, and find a message hidden in metadata.

STRAND 2
Network Forensics

Cyber Forensics Core

Standard 1
Network Basics

  1. Understand network protocols, including TCP, UDP and ICMP, and the TCP/IP model.
  2. Understand the difference between connection-oriented and connectionless transmission.
  3. Understand the six most common ports and their services: FTP/21, SSH/22, SMTP/25, DNS/53, HTTP/80, HTTPS/443.
  4. Understand the purpose and use of port forwarding.
  5. Understand the purpose of subnet masks and be able to read slash (CIDR) notation, e.g. 10.10.10.0/24.
  6. Understand how to set up and configure an Intrusion Detection System (IDS) on a network.

Standard 2
Understand how to analyze network data

  1. Understand the purpose and use of packet capture software.
  2. Apply the principles of packet capture to a message between two computers.
  3. Analyze the captured packets to find a hidden message.
  4. Identify the ports, protocol, and source and destination IPs in a network capture.
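An added example (not part of the standard) of the analysis this section describes: parsing raw Ethernet/IPv4/TCP frames to report protocol, ports and source/destination IPs, then reassembling one direction of a TCP conversation by sequence number to recover the message it carried. No capture file is read; the frames, hosts 10.10.10.5 and 10.10.10.80, and the message are constructed inside the block.

```python
import socket
import struct

WELL_KNOWN = {21: "FTP", 22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_frame(frame):
    """Decode one Ethernet II frame; returns a dict for IPv4 traffic, None for anything else."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # not IPv4 (ARP, IPv6, ...) is out of scope here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes (options included)
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    info = {
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "proto": IP_PROTO.get(proto, str(proto)),
    }
    l4 = ip[ihl:total_len]  # transport header + payload, Ethernet padding stripped
    if proto == 6:  # TCP: 16-bit ports, 32-bit sequence number, data offset in the 13th byte
        sport, dport, seq = struct.unpack("!HHI", l4[:8])
        data_off = (l4[12] >> 4) * 4
        info.update(sport=sport, dport=dport, seq=seq, payload=l4[data_off:])
    elif proto == 17:  # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        info.update(sport=sport, dport=dport, payload=l4[8:])
    else:
        return info  # ICMP and others carry no ports
    # Name the service from whichever side uses a well-known port.
    info["service"] = WELL_KNOWN.get(dport, WELL_KNOWN.get(sport, "unknown"))
    return info


def summarize(frames):
    """One line per IPv4 packet: protocol, source, destination and service name."""
    out = []
    for p in filter(None, map(parse_frame, frames)):
        out.append("%s %s:%s -> %s:%s (%s)" % (p["proto"], p["src_ip"], p.get("sport", "-"),
                                               p["dst_ip"], p.get("dport", "-"), p.get("service", "-")))
    return out


def reassemble_tcp(frames, src_ip, dst_ip, dport):
    """Join the payloads of one direction of a TCP conversation in sequence-number order."""
    segments = {}
    for p in filter(None, map(parse_frame, frames)):
        if p["proto"] == "TCP" and (p["src_ip"], p["dst_ip"], p["dport"]) == (src_ip, dst_ip, dport):
            segments[p["seq"]] = p["payload"]  # a retransmission of the same seq simply overwrites
    return b"".join(segments[s] for s in sorted(segments))


# --- constructed sample traffic (not a real capture) -----------------------
def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero because the parser ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip


# Client 10.10.10.5 talks to a web server; segments arrive out of order, as captures often show.
SAMPLE_FRAMES = [
    build_tcp_frame("10.10.10.5", "10.10.10.80", 51234, 80, 1011, b"flag is: "),
    build_tcp_frame("10.10.10.80", "10.10.10.5", 80, 51234, 9000, b""),  # bare ACK from the server
    build_tcp_frame("10.10.10.5", "10.10.10.80", 51234, 80, 1020, b"meet at dawn"),
    build_tcp_frame("10.10.10.5", "10.10.10.80", 51234, 80, 1000, b"The hidden "),
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_FRAMES):
        print(line)
    print(reassemble_tcp(SAMPLE_FRAMES, "10.10.10.5", "10.10.10.80", 80).decode())
```

Reading the message requires ordering by sequence number rather than by arrival, which is the step students most often miss when they look at packets one at a time in a capture tool.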

STRAND 3
Anti Forensic Techniques

Cyber Forensics Core

Standard 1
Understand Steganography

  1. Understand the principles behind steganography and why a threat actor would use it.
  2. Apply principles of steganography to hide information inside a text and image file.
  3. Apply principles of steganography to find information inside a text and image file.
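Both outcomes above (hiding and then finding information in an image and in a text file) as one added example that is not part of the standard. The image is a constructed raw RGB byte buffer so no image library is needed, the text carrier is a constructed memo, and the two schemes (least-significant-bit replacement and trailing-whitespace encoding) are assumptions chosen for the demonstration.

```python
HEADER_BYTES = 4  # message length prefix so the extractor knows where to stop


def _to_bits(data):
    """Big-endian bit list of a byte string."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def _from_bits(bits):
    """Inverse of _to_bits; trailing bits that do not fill a byte are dropped."""
    full = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, full, 8))


# --- image carrier: least-significant-bit embedding in raw RGB bytes -------
def lsb_hide(pixels, message):
    """Replace the LSB of each carrier byte with one bit of (length prefix + message)."""
    payload = len(message).to_bytes(HEADER_BYTES, "big") + message
    bits = _to_bits(payload)
    if len(bits) > len(pixels):
        raise ValueError("carrier too small: need %d bytes, have %d" % (len(bits), len(pixels)))
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # changes each byte by at most 1, invisible to the eye
    return bytes(out)


def lsb_reveal(pixels):
    """Read LSBs, decode the length prefix, then return exactly that many message bytes."""
    bits = [b & 1 for b in pixels]
    header = HEADER_BYTES * 8
    length = int.from_bytes(_from_bits(bits[:header]), "big")
    return _from_bits(bits[header:header + length * 8])


# --- text carrier: trailing whitespace, two bits per line --------------------
WS_CODE = {(0, 0): " ", (0, 1): "\t", (1, 0): "  ", (1, 1): "\t\t"}
WS_DECODE = {v: k for k, v in WS_CODE.items()}


def whitespace_hide(text, message):
    """Append an invisible trailing-whitespace pattern to each line used; unused lines stay clean."""
    lines = [line.rstrip() for line in text.split("\n")]
    bits = _to_bits(message)
    if len(bits) // 2 > len(lines):
        raise ValueError("need %d lines, have %d" % (len(bits) // 2, len(lines)))
    for i in range(0, len(bits), 2):
        lines[i // 2] += WS_CODE[(bits[i], bits[i + 1])]
    return "\n".join(lines)


def whitespace_reveal(text):
    """Collect bits from trailing whitespace until the first line that carries none."""
    bits = []
    for line in text.split("\n"):
        trailing = line[len(line.rstrip()):]
        if trailing not in WS_DECODE:
            break
        bits.extend(WS_DECODE[trailing])
    return _from_bits(bits)


if __name__ == "__main__":
    import os

    carrier_pixels = os.urandom(3 * 64 * 64)  # constructed 64x64 RGB image, no file needed
    stego = lsb_hide(carrier_pixels, b"meet at dawn")
    print(lsb_reveal(stego))
    memo = "\n".join("Line %d of an ordinary memo." % i for i in range(1, 13))  # constructed
    print(repr(whitespace_reveal(whitespace_hide(memo, b"hi"))))
```

Running lsb_reveal on a carrier that holds no message returns garbage rather than an error, which is why finding steganography in practice starts with statistics (LSB distributions, unexpected trailing whitespace) rather than with blind extraction.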

Standard 2
Understand Trail Obfuscation techniques

  1. Understand the principles behind trail obfuscation techniques and why a threat actor would use them, including altering or deleting logs, spoofing, timestamp alteration, data sanitization and disk destruction.
  2. Apply the principles of trail obfuscation to hide information using data sanitization (as a minimum).
  3. Apply the principles of trail obfuscation to find altered information in an altered log and to detect timestamp alteration (as a minimum).
  4. Apply one of the above techniques on a different operating system.
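An added example, not part of the standard, covering outcomes 2 and 3 above: checks that expose deleted records and altered timestamps in a log, plus a data-sanitization routine that overwrites a file before deleting it. The log format (sequential record id, ISO timestamp, message) and the six entries are constructed for the demo; record 1004 has been deleted and record 1006 backdated.

```python
import os
from datetime import datetime

# Constructed log in a simple "record-id timestamp message" format; record ids are issued
# sequentially by the logger. Record 1004 has been deleted and 1006 has been backdated.
SAMPLE_LOG = """\
1001 2024-03-04T08:00:01Z session opened for user alice
1002 2024-03-04T08:00:09Z sudo: alice : COMMAND=/usr/bin/apt update
1003 2024-03-04T08:02:30Z session opened for user bob
1005 2024-03-04T08:05:12Z sudo: bob : COMMAND=/usr/bin/cat /etc/shadow
1006 2024-03-04T07:55:00Z session closed for user bob
1007 2024-03-04T08:06:40Z session closed for user alice
"""


def parse_log(text):
    records = []
    for line in text.splitlines():
        rid, ts, msg = line.split(" ", 2)
        records.append({"id": int(rid), "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "msg": msg})
    return records


def find_deleted_ids(records):
    """Gaps in the sequential record ids mark entries that were removed."""
    ids = [r["id"] for r in records]
    return [m for a, b in zip(ids, ids[1:]) for m in range(a + 1, b)]


def find_backdated(records):
    """Ids of records whose timestamp is earlier than the record written before them.
    A logger appends in time order, so a regression means the clock or the entry was altered."""
    return [r["id"] for prev, r in zip(records, records[1:]) if r["ts"] < prev["ts"]]


def find_impossible_sessions(records):
    """A 'session closed' that precedes its own 'session opened' cannot be genuine."""
    opened, bad = {}, []
    for r in records:
        if r["msg"].startswith("session opened for user "):
            opened[r["msg"].rsplit(" ", 1)[1]] = r["ts"]
        elif r["msg"].startswith("session closed for user "):
            user = r["msg"].rsplit(" ", 1)[1]
            if user in opened and r["ts"] < opened[user]:
                bad.append(r["id"])
    return bad


def audit_log(text):
    records = parse_log(text)
    return {
        "deleted_ids": find_deleted_ids(records),
        "backdated_ids": find_backdated(records),
        "impossible_session_ids": find_impossible_sessions(records),
    }


def sanitize_file(path, passes=2):
    """Overwrite a file (random bytes, then zeros) and unlink it: the 'data sanitization'
    technique named in the standard. Overwriting only works on media that rewrite in place;
    SSDs, journaling file systems, snapshots and backups may still hold the old content."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for i in range(passes):
            f.seek(0)
            f.write(os.urandom(size) if i < passes - 1 else b"\x00" * size)
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return size


if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG))
```

Each check relies on something the attacker would have had to fake consistently (record ids, time order, open/close pairing); altering one record without also fixing its neighbours is what leaves the trail.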

STRAND 4
Collecting Forensic Evidence

Cyber Forensics Core

Standard 1
Determine and report logon/logoff times for a specific user.

  1. Outcomes-
    • Students should be able to find a user whose logon/logoff times fall outside the hours the company's AUP allows.

Standard 2
Understand how to use hashes

  1. Understand the basics of hash algorithms, their uses, and salting.
  2. Outcomes-
    • Students know how to create a hash output for a file.
    • Students compare hash values to verify file integrity.
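An added example, not part of the standard, that serves both this standard and the side-by-side comparison of a reference image against the current image in Strand 1: build a hash manifest of every file under a reference tree, compare it with the current tree to list added, removed and modified files, and verify a tree against a stored manifest. The two directory trees stand in for two mounted images and are constructed by the block itself; the salted_hash function shows what salting changes and why it belongs to stored credentials rather than to evidence hashes.

```python
import hashlib
import os


def hash_file(path, algorithm="sha256", chunk=1 << 20):
    """Hex digest of a file, read in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under `root` (path relative to root) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def compare_manifests(reference, current):
    """Side-by-side result: what appeared, what vanished, what changed, what is intact."""
    both = set(reference) & set(current)
    return {
        "added": sorted(set(current) - set(reference)),
        "removed": sorted(set(reference) - set(current)),
        "modified": sorted(p for p in both if reference[p] != current[p]),
        "unchanged": sorted(p for p in both if reference[p] == current[p]),
    }


def verify_against_manifest(root, manifest):
    """True only if every file hashes to its recorded value and nothing was added or removed."""
    diff = compare_manifests(manifest, build_manifest(root))
    return not (diff["added"] or diff["removed"] or diff["modified"])


def salted_hash(password, salt, iterations=200_000):
    """Salting belongs to stored credentials, not to evidence hashes: the same password with a
    different salt gives an unrelated digest, so precomputed tables stop working."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_demo_trees(base):
    """Constructed reference and current trees (stand-ins for two mounted images)."""
    ref, cur = os.path.join(base, "reference"), os.path.join(base, "current")
    for root in (ref, cur):
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
    with open(os.path.join(cur, "etc", "passwd"), "a") as f:
        f.write("backup:x:0:0::/:/bin/bash\n")  # a second uid-0 account appeared
    with open(os.path.join(cur, "etc", "rc.local"), "w") as f:
        f.write("/opt/updater &\n")  # a new start-up script appeared
    os.remove(os.path.join(cur, "etc", "hosts"))
    return ref, cur


if __name__ == "__main__":
    import tempfile

    ref, cur = make_demo_trees(tempfile.mkdtemp())
    print(compare_manifests(build_manifest(ref), build_manifest(cur)))
```

The manifest is only as trustworthy as its own storage: keep it (and its own hash) outside the image it describes, or an attacker who can modify files can update the manifest as well.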

Standard 3
Summarize the proper handling of evidence.

  1. Understand the purpose of evidence logs.
  2. Understand how to implement a chain of evidence policy.
  3. Understand the purpose and value of a chain of custody.
  4. Discriminate between a live acquisition and static acquisition.
  5. Document the incident by photographing the scene before removing evidence.

Standard 4
Determine the important content of event logs in forensics.

  1. Understand the purpose of event logs
  2. Outcomes-
    • Students will be able to read event logs and find suspicious activity.
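An added example, not part of the standard, that covers this outcome and Standard 1 of this strand (logon/logoff times for a specific user and violations of AUP hours): reconstruct logon sessions from Windows Security-log events, report them per user, flag sessions outside the allowed window, and flag bursts of failed logons. Event IDs 4624 (logon), 4634 (logoff) and 4625 (failed logon) are the real Windows identifiers; the eight event records, the accounts and the 07:00 to 19:00 window are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, time

ALLOWED_HOURS = (time(7, 0), time(19, 0))  # assumption: the AUP permits use 07:00-19:00

# Constructed Security-log events: (event id, local timestamp, account, logon id).
# 4624 = successful logon, 4634 = logoff, 4625 = failed logon (real Windows event ids).
EVENTS = [
    (4624, "2024-03-04T08:12:00", "alice", "0x3e7a1"),
    (4634, "2024-03-04T17:03:00", "alice", "0x3e7a1"),
    (4625, "2024-03-04T22:40:05", "bob", "0x0"),
    (4625, "2024-03-04T22:40:07", "bob", "0x0"),
    (4625, "2024-03-04T22:40:09", "bob", "0x0"),
    (4624, "2024-03-04T22:41:10", "bob", "0x5c210"),
    (4634, "2024-03-05T01:15:44", "bob", "0x5c210"),
    (4624, "2024-03-05T09:00:00", "carol", "0x60000"),  # no logoff yet: still active
]


def build_sessions(events):
    """Pair each 4624 with the 4634 that carries the same logon id; unmatched logons stay open."""
    open_by_id, sessions = {}, []
    for eid, ts, user, logon_id in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if eid == 4624:
            open_by_id[logon_id] = {"user": user, "logon": t, "logoff": None}
        elif eid == 4634 and logon_id in open_by_id:
            session = open_by_id.pop(logon_id)
            session["logoff"] = t
            sessions.append(session)
    return sessions + list(open_by_id.values())


def outside_allowed_hours(session, allowed=ALLOWED_HOURS):
    """True if the session starts or ends outside the window, or runs past midnight."""
    start, end = allowed
    if not start <= session["logon"].time() <= end:
        return True
    logoff = session["logoff"]
    if logoff is None:
        return False  # still active; judge it when it closes
    return not start <= logoff.time() <= end or logoff.date() != session["logon"].date()


def failed_logon_bursts(events, threshold=3, window_seconds=60):
    """Accounts with `threshold` or more 4625 events inside `window_seconds` (password guessing)."""
    by_user = defaultdict(list)
    for eid, ts, user, _ in events:
        if eid == 4625:
            by_user[user].append(datetime.fromisoformat(ts))
    flagged = []
    for user, times in sorted(by_user.items()):
        times.sort()
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds
               for i in range(len(times) - threshold + 1)):
            flagged.append(user)
    return flagged


def sessions_for(events, user):
    """Logon/logoff times of one account, as Standard 1 asks for."""
    return [(s["logon"].isoformat(), s["logoff"].isoformat() if s["logoff"] else None)
            for s in build_sessions(events) if s["user"] == user]


def aup_report(events):
    sessions = build_sessions(events)
    return {
        "outside_hours": sorted({s["user"] for s in sessions if outside_allowed_hours(s)}),
        "failed_logon_bursts": failed_logon_bursts(events),
        "still_logged_on": sorted(s["user"] for s in sessions if s["logoff"] is None),
    }


if __name__ == "__main__":
    print(sessions_for(EVENTS, "bob"))
    print(aup_report(EVENTS))
```

Pairing by logon id rather than by user name matters: a user can hold several sessions at once, and a logoff without a matching logon (or a logon that never closes) is itself worth noting in the report.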

STRAND 5
Incident Response

Cyber Forensics Core

Standard 1
Incident Response Team (IRT)

  1. Understand the purpose of an incident response team.
  2. Identify the members of an incident response team, including: team leader, team communicator, team members, shareholders and stakeholders.
    • Team Leader- The team leader is the individual responsible for overseeing and coordinating all activities within an incident response team during a security breach or other critical event.
    • Team Communicator- The team communications lead is the spokesperson for the IRT. They are in charge of communication between the IRT and its various stakeholders.
    • Team Members - These are individuals within the cybersecurity department tasked with securing the organization's network. They assess the network for vulnerabilities and work to fix those vulnerabilities.
    • Shareholder- Shareholders refer to an individual or group that owns shares in a company, making them financially invested and therefore a key stakeholder who needs to be informed and considered during a cyber incident.
    • Stakeholder- Stakeholders can include internal parties such as employees from various departments, management, IT staff, and security personnel, as well as external entities like customers, vendors, regulatory bodies, and the media.
  3. Identify the process of how a general user will report an incident to the team.

Standard 2
Identify the emergency contact list for incident response.

  1. Identify who should be on the list, including their position and responsibilities.
  2. Identify who needs to be contacted and their availability.
  3. Create a process for keeping the list updated regularly.

Standard 3
Create an incident report process

  1. Ensure the integrity of the documents.
  2. Define the standard information needed for each incident.
  3. Define how the reports are maintained and backed up.
  4. Understand the parts of an incident report: summary, timeline of events, description of events, and analysis of root cause and impact.
  5. Communicate the results of an investigation to an internal team.

Standard 4
Create a post incident response process

  1. Configuration changes: firewall rules, device management setup, etc.
  2. Update loss prevention policies.
  3. Update certificates.
  4. Update incident response processes as needed.


http://www.uen.org - in partnership with Utah State Board of Education (USBE) and Utah System of Higher Education (USHE).  Send questions or comments to USBE Specialist - Kristina Yamada and see the CTE/Digital Technology website. For general questions about Utah's Core Standards contact the Director - THALEA LONGHURST.

These materials have been produced by and for the teachers of the State of Utah. Copies of these materials may be freely reproduced for teacher and classroom use. When distributing these materials, credit should be given to Utah State Board of Education. These materials may not be published, in whole or part, or in any other format, without the written permission of the Utah State Board of Education, 250 East 500 South, PO Box 144200, Salt Lake City, Utah 84114-4200.