Module Descriptors
DIGITAL FORENSICS - TOOLS
COCS50595
Key Facts
Digital, Technology, Innovation and Business
Level 5
30 credits
Contact
Leader: Christopher Howard
Hours of Study
Scheduled Learning and Teaching Activities: 78
Independent Study Hours: 222
Total Learning Hours: 300
Assessment
  • ASSIGNMENT - GROUP weighted at 50%
  • REPORT weighted at 50%
Module Details
Module Resources
Access to the digital forensic Lab
Forensic Analysis software such as EnCase, FTK
Access to digital forensic hardware (Fastblock write-blocking kits)
Access to exhibits (hard drives prepared by tutor)
Module Texts
Guide to Computer Forensics and Investigations, Nelson B, A. Phillips, et al., 2010, Thompson, ISBN: 1435498836

Forensic Computing: A Practitioners Guide, Second Edition, Sammes T, B. Jenkinson, 2010, Springer-Verlag, ISBN: 184996596

Windows Forensic Analysis DVD Toolkit, 2nd Edition, Carvey, H, 2010, Syngress, ISBN: 9781597494229

Good Practice Guide for Computer based evidence, version 7, Association of Chief Police Officers (ACPO) of England, Wales and Northern Ireland
Module Additional Assessment Details
The assessment of the module will consist of two elements:

1. Group assignment covering learning outcomes 1, 2 and 5, consisting of:
a) production of an evidence handling policy that enables each student to examine and evaluate the forensic methodologies used to acquire and authenticate the forensically sound image in preparation for the evidence handling class test. Weighting 30%.
b) practical evidence handling class test (length 1 hour). You will be given an exhibit and will be asked to answer questions related to creating a forensically sound image of the hard drive, or re-imaging an image if appropriate. You will also be required to verify the integrity of the created forensic copy and identify the location of user related artefacts present within the exhibit. Weighting 20%.
(This will be the first assessment item to be submitted.)

2. A written report that will assess learning outcomes 3 and 4. The report will be based upon discussing an examination technique using three digital examination tools. 3000 words. Weighting 50%. (This will be the final assessment item to be submitted.)
Module Indicative Content
The procedure of incident response, preparing an item of evidential value for examination
Creating a forensically sound image of a seized drive using a range of digital imaging tools
Capturing a forensically sound image of the RAM and identifying volatile evidence
Identifying file system components and the state of the evidence
Identifying the difference between resident and non-resident data and procedures required to recover each data type
Identifying file system encryption and methods of decrypting/identifying the location of the encryption key
Performing file signature analysis and verifying the authenticity of digital evidence.
Examining the structure of restore points
Rebuilding the registry and identifying hives that contain key information.
Conducting hash analysis, adding and utilising NSRL sets.
Examining a range of operating systems and identifying the location of user related artefacts
Examining smart devices using a range of digital examination tools and identifying user related and operating system related artefacts.
Module Special Admissions Requirements
Prior study of a Level 4 30 credit Network/Forensic/Security Module
Module Learning Strategies
26 hours of lectures and 52 hours of practical/tutorials. You will be required to complete background reading prior to each tutorial. The background reading will help you underpin the practical demonstrations. A large proportion of the tutorial sessions will be problem based. You will be given case studies and carefully prepared computer images simulating various crimes to examine. Once the examination is completed, you are expected to report upon your findings using appropriate court approved forensic reporting. Where appropriate you will be given informative assessment to complete and evaluate with your peers.