CNIT 152: Incident Response

Fall 2018 Sam Bowne

Schedule · Lectures · Projects · Links · Home Page


Incident Response & Computer Forensics, Third Edition by by Jason Luttgens, Matthew Pepe, and Kevin Mandia
Publisher: McGraw-Hill Education; 3 edition (August 1, 2014)
Sold by: Amazon Digital Services, LLC
ASIN: B00JFG7152
Kindle edition: $36, Paper edition: $16 (prices I saw on 4-10-16 at Amazon)
Buy from Amazon ($15 - $40)

Catalog Description

When computer networks are breached, incident response (IR) is required to assess the damage, eject the attackers, and improve security measures so they cannot return. This class covers the IR tools and techniques required to defend modern corporate networks. This class is part of the Advanced Cybersecurity Certificate.


The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.

You should have received an email like this, inviting you to the Canvas system we are using, which is not the Canvas system controlled by CCSF. Follow the instructions in that email to join the Canvas system.

To take quizzes, log in to Canvas here:

Live Streaming

Live stream at:

Classes will also be recorded and published on YouTube for later viewing.

Kahoot and Zoom

The Kahoot competitions don't work well with the CCSF livestream, because it has a delay. For them, use Zoom:


For class-related questions, please email

Schedule (may be revised)

Mon 8-20  1 Real-World Incidents
Mon 8-27Quizzes: Ch 1 & 2 * 2 IR Management Handbook
Mon 9-3 Holiday: No Class
Fri 9-7 Last Day to Add
Mon 9-10Quiz: Ch 3
Proj 1 & 2 due
3 Pre-Incident Preparation
Mon 9-17Quiz: Ch 4-5
Proj 3 due
4 Getting the Investigation Started on the Right Foot
5 Initial Development of Leads
Mon 9-24Quiz: Ch 6-7
Proj 4 & 5 due
6 Discovering the Scope of the Incident
7 Live Data Collection
Mon 10-1Quiz: Ch 8
Proj 6 due
8 Forensic Duplication
Mon 10-8Quiz: Ch 9
Proj 7 & 8 & 7 due
9 Network Evidence
Mon 10-15Quiz: Ch 10
Proj 9 due
10 Enterprise Services
Mon 10-22Quiz: Ch 11
Proj 10 & 11 due
11 Analysis Methodology
Mon 10-29Quiz: Ch 12 (Part 1)
Proj 12 due
12 Investigating Windows Systems (Part 1)
Mon 11-5Quiz: Ch 12 (Part 2)
Proj 13 & 14 due
12 Investigating Windows Systems (Part 2)
Mon 11-12 Holiday: No Class
Mon 11-19No Quiz
No Proj Due
Guest Speaker TBA
Mon 11-26Quiz: Ch 12 (Part 3)
Proj 15 due
12 Investigating Windows Systems (Part 3)
Mon 12-3Quiz: Ch 13
Proj 16 & 17 due
13 Investigating Mac OS X Systems
Mon 12-10Last Class: Quiz: Ch 14
All Extra Credit Proj due
14 Investigating Applications
Thu 12-13 -
Thu 12-20
Final Exam available online throughout the week.
You can only take it once.
All quizzes due 30 min. before class
* No late penalty until after 9-10


Grading Policy
1 Real-World Incidents · KEY
2 IR Management Handbook · KEY
3 Pre-Incident Preparation · KEY
4 Getting the Investigation Started on the Right Foot &
5 Initial Development of Leads
6 Discovering the Scope of the Incident &
7 Live Data Collection
8 Forensic Duplication · KEY PDF
9 Network Evidence · KEY
10 Enterprise Services · KEY
11 Analysis Methodology · KEY
12 Investigating Windows Systems (Part 1 of 3) · KEY
12 Investigating Windows Systems (Part 2 of 3) · KEY
12 Investigating Windows Systems (Part 3 of 3) · KEY
13 Investigating Mac OS X Systems · KEY
14 Investigating Applications · KEY
15 Malware Triage
16 Report Writing · KEY
17 Remediation Introduction (Part 1) · KEY
18 Remediation Case Study

Click a lecture name to see it on SlideShare.
If you want to use other formats, you may find this useful: Cloud Convert.


Download VMware Player

Project 1: Preparing a Kali Virtual Machine (15 pts.)
Project 2: Windows 2016 Server Virtual Machine (20 Points)
Project 3: Capturing a RAM Image (15 Points)
Project 4: Analyzing a RAM Image with Bulk Extractor (15 Points)
Project 5: Analyzing a RAM Image with Volatility (15 Points)
Project 6: Capturing and Examining the Registry (15 pts.)

More Projects Will Be Added


osquery | Easily ask questions about your Linux, Windows, and macOS infrastructure
GitHub - Yelp/osxcollector: A forensic evidence collection & analysis toolkit for OS X
OS X Incident Response: Scripting and Analysis--RECOMMENDED
GitHub - google/grr: GRR Rapid Response: remote live forensics for incident response
KnockKnock shows you what's persistently installed on your Mac! -- RECOMMENDED
GitHub - Yelp/amira: AMIRA: Automated Malware Incident Response & Analysis
Cyphort: Anti-SIEM reduces SIEM cost, noise, complexity, and wasted time
Collect NTFS forensic information with osquery
Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)
Kit Hunter, a phishing kit detection script -- USEFUL FOR PROJECTS
Log-MD Tool Free Version

Last Updated: 8-20-18 8:00 pm