DIGITAL FORENSIC INVESTIGATION

SHE Level 3
SCQF Credit Points 20.00
ECTS Credit Points 10.00
Module Code M3I125239
Module Leader Nebrase Elmrabit
School School of Computing, Engineering and Built Environment
Subject Cyber Security and Networks
Trimester
  • A (September start)

Pre-Requisite Knowledge

Cyber Security Operations or equivalent

Summary of Content

With today's ever-changing technologies and environments, it is inevitable that security professionals will deal with some form of cybercrime. This module focuses on the essentials that a forensic investigator must know to investigate core digital crime incidents successfully. The module extends knowledge beyond conventional static computer forensics analysis by applying the methodology to develop the principles surrounding preliminary case considerations and the collection of evidence left behind by malicious activity. The module is practical in nature. Utilising case studies and scenarios, students will be guided through the process of conducting a digital forensic investigation. This course will enable the student to undertake a forensic investigation using current forensic tools. The ethical and professional issues/requirements of the Digital Forensics practitioner are incorporated throughout the syllabus. Students are guided through real-world scenarios featuring structured inquiry-based learning. The percentage of Work Based Learning for this module, as represented by the proportion of the Activity Types which take place off campus, is 78%. The percentage of Work Based Assessment for this module is 50%.

Syllabus

  • Legal & Ethical Principles with Computer Crime: Legal and ethical expectations in the gathering, analysing, preservation and presentation of digital evidence. Types of computer crime investigated.
  • Forensic and Investigative Essentials: Digital forensics for incident responders. Incident response and forensics.
  • Application of Forensic Principles: The principles of forensic science for determining significance of evidence, reconstructing fragments of data and drawing conclusions based on evidence found through hypothesis generation and confirmation.
  • Forensic Examination of Digital Systems: Forensic techniques in the examination of operating systems. Advanced file analysis approaches, network forensics, data hiding and hostile code, encryption and forensics, investigation of fraud, data recovery. Future directions in the field.
  • File System Forensic Analysis: File system fundamentals. Timeline analysis. File system and data layer examination. Metadata layer examination. File name layer examination. File sorting and hash comparisons.
  • Forensic Artefact Analysis: Analysis concepts. Event log analysis. Web browser forensics. Methodology to analyze and solve challenging cases.

Learning Outcomes

On successful completion of this module a student should be able to:
  1. Explain the methodologies, principles and guidelines associated with digital forensic investigations, including the methods for identifying, preserving and recovering digital evidence.
  2. Evaluate and select appropriate tools and techniques for the detection and prevention of digital crime.
  3. Undertake digital forensic analysis by applying appropriate computer and network forensics tools and the basic principles of digital forensics.
  4. Describe how to approach forensic investigations from static, mounted, live and network perspectives.
  5. Discuss the issues surrounding the collection of volatile data and explain how to identify computer forensic artefacts.

Teaching / Learning Strategy

Work Based Education aims to maximise the direct and digitally mediated contact time with students by practicing teaching and learning strategies that use authentic work based scenarios and encourage action learning, enquiry based learning, problem based learning and peer learning. All these approaches aim to directly involve the students in the process of learning and to encourage sharing of learning between students. The module team will determine the level and accuracy of knowledge acquisition at key points in the delivery, inputting when necessary either directly or with the support of external experts who will add to the authenticity, the credibility and application of the education and learning in the workplace. The Learning and Teaching Strategy is informed by the University's Strategy for Learning. The course material will be introduced through online presentations as well as guided reading material made available on GCULearn. These are supported by practical exercises, and there will be seminars on campus which will allow students to discuss key concepts and issues with peers and tutors. Students will be expected to undertake a significant level of independent study within the workplace, including practical activities, and links will be provided to appropriate external material such as articles, podcasts and videos to supplement the module content. Students will be encouraged to reflect upon the theoretical learning within the workplace and the application of newly learned concepts to the work environment, and this will form part of the module assessment. Students will receive feedback on their performance throughout the module through undertaking the practical assignments and tutorial exercises and participating in the seminars.

Indicative Reading

  • Carrier, B. (2005), File System Forensic Analysis, Addison Wesley.
  • Carvey, H. (2009), Windows Forensic Analysis, Syngress.
  • Casey, E. (2009), Handbook of Digital Forensics and Investigation, Academic Press.
  • Casey (2011), Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet, 3rd Edition, Elsevier.

Transferrable Skills

  • Logical thinking and problem solving.
  • Critical analysis.
  • Communication skills (electronic, written, oral and listening) necessary to make effective presentation of a technical nature (information, ideas, problems and their solutions) to a range of audiences.
  • Creativity, innovation and independent thinking.
  • Reliability, integrity, honesty and ethical awareness.
  • Ability to prioritise tasks and time management (organising and planning work).
  • Interpersonal skills, the ability to work as a member of a team (work with and relate effectively to others), recognising the different roles within a team and different ways of organising teams (leadership).

Module Structure

Activity                     Total Hours
Assessment (FT)              20.00
Lectures (FT)                24.00
Independent Learning (FT)    108.00
Practicals (FT)              24.00
Seminars (FT)                24.00

Assessment Methods

Component              Duration    Weighting    Threshold    Description
Coursework 1           n/a         50.00        35%          Practical based assignment
Exam (Exams Office)    2.00        50.00        35%          Unseen written exam