CMT216: Computer and Network Forensics
Attribute | Detail |
---|---|
School | Cardiff School of Computer Science and Informatics |
Department Code | COMSC |
Module Code | CMT216 |
External Subject Code | 100366 |
Number of Credits | 20 |
Level | L7 |
Language of Delivery | English |
Module Leader | Dr Shancang Li |
Semester | Spring Semester |
Academic Year | 2025/6 |
Outline Description of Module
The aim of this module is to familiarise students with concepts and techniques in the area of computer and network forensics, and memory forensics. Although the focus is on technical issues, legal issues will also be discussed, because a forensic investigator must not only collect and analyse information in a scientifically valid way but also present it in court. The assessment of this module includes a two-task coursework (hand-in in week 6 and hand-out in week 12) and a class test in the exam period.
On completion of the module a student should be able to:
- Perform file system and disk structure analysis in a variety of environments, operating systems and storage media.
- Analyse the rules of evidence and the link between technology and business processes in the context of gathering evidence, and the investigator's duty to the courts.
- Utilise a comprehensive range of forensic tools and techniques for network and system analysis.
- Conduct digital forensic investigations that conform to accepted professional and ethical standards, following the investigative process: identification, preservation, examination, analysis, and reporting.
- Distil complex data sources into management-friendly reports using a range of visualisation tools and techniques.
- Assess, critically evaluate and reflect upon UK law (RIPA, Computer Misuse Act, GDPR, Data Protection) and current issues in computer forensics.
How the module will be delivered
This module will be delivered through a combination of traditional lectures and flipped learning, blending lectures, supervised lab sessions, workshops, face-to-face small group sessions (e.g. help classes, feedback sessions), and team meetings as appropriate.
Skills that will be practised and developed
Understanding of:
- File structures in both Linux and Windows environments.
- Disk structures, computer memory and storage media.
- Rules of evidence.
- Security logging and pattern matching for detection.
- The link between technology and business processes in the context of gathering evidence.
- The investigator's duty to the courts.
- Current issues in computer forensics.
- Network protocols and evidence discovery from the network.
- Analysis of packet and flow data captured across the network.
- UK computer law (RIPA, Computer Misuse Act, GDPR, Data Protection).
- Expert testimony.

Practical skills:
- Use of a range of forensic and network tools and techniques to describe systems under investigation, and to obtain a forensic image of persistent data and volatile data.
- Application of forensic methodology, tools and techniques to solve a forensic incident and extract files from network packet captures etc., allowing follow-on malware analysis or definitive data loss determinations.
- Use of historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping.
- Examination of traffic from common network protocols to identify patterns of activity or specific actions that warrant further investigation.
- Incorporation of log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past.
- Examination of proprietary network protocols to determine what actions occurred on the endpoint systems.
- Analysis of wireless network traffic to find evidence of malicious activity.
- Use of visualisation tools and techniques to distil vast, complex data sources into management-friendly reports.
- Writing a forensic report.
How the module will be assessed
There are two points of assessment in this module.
An examination (ILOs 1-6) will test the student's knowledge and understanding of the theoretical aspects of the course.
A coursework consisting of two tasks:
- Forensic case examination: A case study that gives students the opportunity to apply their knowledge, understanding and ability to implement some of the taught course content in the context of a compromised disk image. They will perform forensic analysis of a compromised disk image and produce a technical report and a court report (LO 3 and 6).
- Network-related case examination: An analysis of captured network traffic and extraction of compromised packets, practising network forensic analysis. They will produce a detailed technical report of the digital forensic analysis and a court report (LO 3, 4 and 5).
Formative assessments will take place during the semester, prior to summative assessment, and regular feedback will be provided to students in the form of model answers and group discussions of common issues in formative assessment submissions.
Students will be provided with reassessment opportunities in line with University regulations.
Assessment Breakdown
Type | % | Title | Duration(hrs) |
---|---|---|---|
Written Assessment | 50 | Forensic Analysis Of A Compromised Computer Network | N/A |
Exam online – Spring semester | 50 | Computer And Network Forensics | 2 |
Syllabus content
The module covers:
- Fundamentals of digital forensics, chain of custody
- File systems, disk analytics, FAT, NTFS, file signature analysis
- Forensic investigation methodology and incident response, forensic tools for various OSes
- Live forensics and memory forensic analysis
- Windows forensics (Registry analysis), Linux forensics, media analysis
- Computer forensics investigation law, ACPO, data protection, first responder, etc.
- Network fundamentals and protocols (HTTP, TCP/IP, ARP, ICMP, DNS, DHCP), network forensics tools (tcpdump, Wireshark, tshark, etc.), TLS, VPNs
- Network traffic analysis, host-side artifacts, packet capture and analysis
- Mobile device forensics, unified device, Android forensics, wireless forensics and IoT forensics
- Issues and challenges in digital forensics, report writing