DIGITAL FORENSICS ANALYSIS

SHE Level 3
SCQF Credit Points 20.00
ECTS Credit Points 10.00
Module Code M3I123695
Module Leader Riccardo Lazzarini
School School of Computing, Engineering and Built Environment
Subject Cyber Security and Networks
Trimester
  • A (September start)

Pre-Requisite Knowledge

Digital Forensics Essentials and Incident Response, or equivalent

Summary of Content

With today's ever-changing technologies and environments, it is inevitable that security professionals will deal with some form of cyber crime, such as computer fraud, insider threat, industrial espionage, or phishing. This module focuses on the essentials that a forensic investigator must know to investigate core digital crime incidents successfully. The module extends knowledge beyond conventional static computer forensics analysis by applying the methodology to develop the principles surrounding preliminary case considerations, the collection of evidence left behind by malicious activity, and the collection and analysis of volatile data. The module also examines the future shape of digital crime and the forensic response to these threats from law enforcement and government perspectives. The module is practical in nature. Utilising case studies and scenarios, students will be guided through the process of conducting a digital forensic investigation. The module will enable the student to undertake a forensic investigation using current forensic tools. The ethical and professional issues and requirements of the digital forensics practitioner are incorporated throughout the syllabus. Students are guided through real-world scenarios featuring structured inquiry-based learning.

Syllabus

Legal & Ethical Principles with Computer Crime
Legal and ethical expectations in the gathering, analysing, preservation and presentation of digital evidence. Types of computer crime investigated.

Forensic and Investigative Essentials
Digital forensics for incident responders. Incident response and forensics. File system fundamentals.

Application of Forensic Principles
The principles of forensic science for determining the significance of evidence, reconstructing fragments of data and drawing conclusions based on evidence found through hypothesis generation and confirmation.

Forensic Examination of Digital Systems
Forensic techniques in the examination of operating systems. Advanced file analysis approaches, network forensics, mobile device forensic computing, data hiding and hostile code, encryption and forensics, investigation of fraud, data recovery. Future directions in the field.

File System Forensic Analysis
Timeline analysis. File system and data layer examination. Metadata layer examination. File name layer examination. File sorting and hash comparisons.

Forensic Artefact Analysis
Analysis concepts. Event log analysis. Web browser forensics. Methodology to analyse and solve challenging cases.

Malware Analysis Tools & Techniques
Malware analysis fundamentals. Performing behavioural analysis of malicious executables. Performing static and dynamic code analysis of malicious executables. Intercepting system and network-level activities. Reverse-engineering malware. Malware analysis approaches. Malicious code analysis. Malicious documents and memory forensics.

Learning Outcomes

On completion of this module, the student should be able to:
  • Explain the methodologies, principles and guidelines associated with forensic investigations.
  • Appreciate the methods for identifying, preserving and recovering data and retrieving evidence for use in investigations.
  • Identify, evaluate and select appropriate tools and techniques for the detection and prevention of digital crime.
  • Undertake digital forensic analysis by applying appropriate computer and network forensics tools and the basic principles of digital forensics.
  • Describe how to approach forensic investigations from static, mounted, live and network perspectives.
  • Discuss the issues surrounding the collection of volatile data.
  • Explain how to identify forensic artefacts.

Teaching / Learning Strategy

Learning and teaching will take place through a variety of mechanisms, including lectures and seminars with associated practical sessions, research into current developments and issues, and case studies. This module emphasises an active "hands-on" approach to learning. Case studies will be used formatively in tutorials throughout the module in order to promote application of knowledge to specific problems and encourage discussion. Topics will be introduced in lectures and discussed through guided inquiry and problem-based learning activities. Theoretical material will be reinforced and consolidated through the critical analysis and discussion of case studies in tutorials that are designed to explain and elaborate on both theoretical and laboratory content. Additionally, directed learning will reinforce essential theory and place understanding into context. Independent study will be encouraged to satisfy the student's own interests. A Virtual Learning Environment (VLE) will also be used to provide access to a range of relevant learning resources and materials to enhance the teaching strategy. Managed blended learning environments will be used to consider material, provide the capability for on-line reflection on material related to learning outcomes, and enable peer support. Feedback will be implemented via a combination of generic feedback and verbal feedback during tutorials and laboratory sessions, together with self-assessment and peer review exercises, to help the student assess their understanding of material and develop their learning strategy. The subject discipline is continuously developing, evolving and changing, and as a result students will be expected to keep up to date with developments through independent research. Students will be encouraged to adopt an independent learning style, acquiring and applying knowledge through their own research and enquiry, supported by a series of guided activities and exercises.
Students will be encouraged to share the findings of their research through seminar presentations and participation in on-line discussions with the rest of the student cohort. The material presented in this module is potentially damaging if used maliciously, and the capabilities developed in this module have potential for harm. Academics will emphasise the professional expectations of students and of persons working in this domain, as well as stressing the students' ethical and moral responsibilities to themselves and others, including the School and the University.

Indicative Reading

Carrier, B. (2005) File System Forensic Analysis. Addison Wesley.
Carvey, H. (2011) Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry. Syngress.
Carvey, H. (2009) Windows Forensic Analysis. Syngress.
Casey, E. (2009) Handbook of Digital Forensics and Investigation. Academic Press.
Farmer, D. & Venema, W. (2004) Forensic Discovery. Addison Wesley.
Russinovich, M.E. & Solomon, D.A. (2009) Windows Internals. Microsoft Press.
Casey, E. (2011) Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet, 3rd Edition. Elsevier.
Malin, C.H., Casey, E. & Aquilina, J.M. (2012) Malware Forensics Field Guide for Windows Systems. Syngress.

In addition to the references above, several online resources (blogs, journals, websites, etc.) which reflect up-to-date understanding in the field will be provided to students.

Transferable Skills

TRADITIONAL ACADEMIC SKILLS - ability to apply knowledge, logical thinking, critical analysis, problem-solving, written and spoken communication, ability to use numerical data and research skills.
PERSONAL DEVELOPMENT SKILLS - self-discipline, self-reliance, awareness of strengths and weaknesses, creativity, independence, knowledge of international affairs, desire to go on learning, ability to reflect, reliability, integrity, honesty and regard for others.
ENTERPRISE OR BUSINESS SKILLS - ability to prioritise tasks, time management, interpersonal skills, presentational skills, ability to work in teams and leadership skills, flexibility, innovation, independence and risk-taking.

Module Structure

Activity                  | Total Hours
Independent Learning (FT) | 120.00
Assessment (FT)           | 20.00
Tutorials (FT)            | 12.00
Lectures (FT)             | 24.00
Practicals (FT)           | 24.00

Assessment Methods

Component            | Duration | Weighting | Threshold | Description
Coursework 1         | 0.00     | 40.00     | 35%       | Practical lab work
Exam (Exams Office)  | 2.00     | 60.00     | 35%       | Unseen written exam