DIGITAL FORENSICS ESSENTIALS & INCIDENT RESPONSE

SHE Level 2
SCQF Credit Points 20.00
ECTS Credit Points 10.00
Module Code M2G421123
Module Leader Kenneth Ovens
School School of Computing, Engineering and Built Environment
Subject Cyber Security and Networks
Trimester
  • A (September start)

Pre-Requisite Knowledge

Security Landscape or equivalent.

Summary of Content

Forensic investigation is an inquiry and problem-solving activity that is guided by the application of scientific principles of hypothesis testing, whilst operating within the strict confines of the law. Digital forensics is the scientific analysis of digital data for the purposes of presentation in a court of law, together with the study of the legal aspects of computer use and misuse. Unpatched, unprotected computers connected to the Internet can be compromised in a relatively short space of time. Investigators must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues in order to solve cyber crime. The aim of this module is to provide students with an understanding of the main principles behind Digital Forensics and how they can be applied to a Computer Crime Scene Investigation in order to approach the preservation and extraction of all digital evidence systematically and impartially. Students will be introduced to practical issues associated with hardware and operating systems, together with the principles, theories and technical skills employed in the static forensic analysis field. The topics introduced include concepts of computer investigation law, digital evidence, digital forensic investigation methodology, evidence documentation, data acquisition and forensic examination of computer systems. The ethical and professional issues/requirements of the Digital Forensics practitioner are incorporated throughout the syllabus. Students are guided through real-world scenarios featuring structured inquiry-based learning.

Syllabus

Legal & Ethical Principles for Forensic Analysts
Legal and ethical expectations in gathering, analysing, preserving and presenting evidence. Who can investigate, and the laws governing the investigative process. Evidence acquisition/analysis/preservation laws and guidelines. Laws investigators should know. Basic rules of evidence and forensic reports.

Digital Forensics & E-Discovery Fundamentals
Fundamental and defining principles of digital forensics. Philosophy of evidence and how the principles are applied to digital crime. Evolving terminology of crime investigation and the role of digital systems in crime. Electronically stored information: types, location, order of volatility. Evidence fundamentals. Reporting and presenting evidence. Forensic methodology. Challenges facing a digital investigator. Concept of the cyber trail.

Evidence Acquisition & Analysis
Evidence acquisition basics. Preservation of evidence. Handling. Integrity. Types of acquisition. Forensic field kits. Full disk image acquisition tools and techniques. Traditional tasks performed using the forensic tools.

Live & Incident Response
Volatile evidence gathering and analysis. Live response. Incident response methodology. Evidence integrity. Complex forensic evidence acquisition and imaging. Types of forensic images. Live media acquisition. Write-blockers and the host-protected area. Secure wiping. Mounting forensic images to browse files. Extracting logical partitions. Incident response procedures, live incident response, development of contingency plans. Principles and general guidelines surrounding incident response. How to approach forensic investigation from an incident response perspective.

Preparation of Audit Trails to ACPO Expectations
Evaluate the ACPO principles associated with documentation and the maintenance of audit trails. The standards and expectations of documentation required for presentation in court, including audit trail, digital evidence handling guidelines, chain of custody of digital evidence, and evidential integrity.

Learning Outcomes

On completion of this module, the student should be able to:
  • Explain the principles and legal aspects of forensic analysis and appreciate where these principles should be applied.
  • Explain the policies and procedures of forensic investigations and be aware of the documentary and evidentiary standards expected in presenting investigative findings.
  • Apply the core concepts, knowledge and practice of digital forensic methodology to computer crime investigation.
  • Demonstrate an understanding of the tools and techniques used within forensic computing crime investigation.
  • Evaluate and interpret forensic findings and document evidence.
  • Describe forensic investigation approaches and the most up-to-date incident investigation techniques from an incident response perspective, including live analysis.

Teaching / Learning Strategy

Learning and teaching will take place through a variety of mechanisms, including lectures and seminars with associated practical sessions, research into current developments and issues, and case studies. This module emphasises an active "hands-on" approach to learning. Case studies will be used formatively in tutorials throughout the module in order to promote application of knowledge to specific problems and encourage discussion. Topics will be introduced in lectures and discussed through guided inquiry-based learning activities. Theoretical material will be reinforced and consolidated through the critical analysis and discussion of case studies in tutorials that are designed to explain and elaborate on both theoretical and laboratory content. Additionally, directed learning will reinforce essential theory and place understanding into context. Independent study will be encouraged to satisfy the student's own interests. A Virtual Learning Environment (VLE) will also be used to provide access to a range of relevant learning resources and materials to enhance the teaching strategy. Managed blended learning environments will be used to consider material, provide the capability for on-line reflection on material related to the learning outcomes, and enable peer support. Feedback will be implemented via a combination of generic feedback and verbal feedback during tutorials and laboratory sessions, together with self-assessment and peer review exercises, to help the student assess their understanding of the material and develop their learning strategy. The material presented in this module is potentially damaging if used maliciously, and the capabilities developed in this module have potential for harm. Academics will emphasise the professional expectations of students and of persons working in this domain, as well as stressing the students' ethical and moral responsibilities to themselves and others, including the School and the University.

Indicative Reading

Buchanan, W. J. (2011) Security and Network Forensics. Auerbach Publishers.
Jones, K. J., Bejtlich, R. & Rose, C. W. (2006) Real Digital Forensics. Addison Wesley.
Lillard, T. V. (2010) Digital Forensics for Network, Internet, and Cloud Computing. Syngress.
Moore, R. (2010) Cybercrime: Investigating High-Technology Computer Crime. Anderson.
Sammons, J. (2012) The Basics of Digital Forensics. Syngress.
Gogolin, G. (2013) Digital Forensics Explained. Auerbach.

In addition to the references above, several online resources (blogs, journals, websites, etc.) which reflect up-to-date understanding in the field will be provided to students.

Transferable Skills

TRADITIONAL ACADEMIC SKILLS - ability to apply knowledge, logical thinking, problem-solving.
PERSONAL DEVELOPMENT SKILLS - self-discipline, awareness of strengths and weaknesses, knowledge of international affairs, ability to reflect, integrity, honesty and regard for others.
ENTERPRISE OR BUSINESS SKILLS - ability to prioritise tasks, time management, interpersonal skills, presentational skills, ability to work in teams and leadership skills.

Module Structure

Activity (FT = full-time) - Total Hours
Tutorials (FT) 12.00
Independent Learning (FT) 120.00
Practicals (FT) 24.00
Assessment (FT) 20.00
Lectures (FT) 24.00

Assessment Methods

Component - Duration (hours) - Weighting (%) - Threshold - Description
Coursework 1 0.00 30.00 35% Practical Lab work
Exam (Exams Office) 2.00 70.00 35% Unseen written exam