Module Learning Outcomes
On successful completion of the module you will be able to:
1. DEMONSTRATE CRITICAL UNDERSTANDING OF METHODS AND PROCEDURES USED WITHIN DIGITAL FORENSIC EXAMINATION.
Communication
Knowledge & Understanding
Learning
2. EXPLAIN AND EVALUATE THE OPERATION OF FORENSIC TOOLS AND THE INTERPRETATION OF RESIDENT DATA.
Analysis
Communication
Knowledge & Understanding
3. IDENTIFY AND RECOVER OBFUSCATED DATA USING FORENSICALLY SOUND TECHNIQUES.
Analysis
Learning
Problem Solving
4. ANALYSE A TRAIL OF DIGITAL EVIDENCE TO IDENTIFY A HISTORY OF EVENTS LEADING TO THE INTERPRETATION OF EVIDENCE LOCATIONS AND TAXONOMY.
Analysis
Knowledge & Understanding
Reflection
5. EVALUATE THE INTERACTION OF FILE SYSTEM COMPONENTS, THE RESIDENT DATA AND THE INTERPRETATION OF THE DIGITAL EXAMINATION TOOLS.
Application
Reflection
Module Indicative Content
The module will address the following topics:
- The incident response procedure, e.g. preparing an item of evidential value for examination
- Creating a forensically sound image of a seized drive using a range of digital imaging tools
- Capturing a forensically sound image of the RAM and identifying volatile evidence
- Identifying file system components and the state of the evidence.
- Identifying the difference between resident and non-resident data and procedures required to recover each data type.
- Identifying file system encryption and methods of decrypting/identifying the location of the encryption key
- Performing file signature analysis and verifying the authenticity of digital evidence.
- Examining the structure of restore points
- Rebuilding the registry and identifying hives that contain key information.
- Conducting hash analysis, adding, and utilising NSRL sets.
- Examining a range of operating systems and identifying the location of user related artefacts
- Examining smart devices using a range of digital examination tools and identifying user related and operating system related artefacts.
Module Additional Assessment Details
1. Individual assignment covering Learning Outcomes 1, 2, and 5, that consists of:
Production of an evidence handling policy that enables the student to examine and evaluate forensic methodologies used to acquire and authenticate a forensically sound image, in preparation for an evidence-focused handling class test (length 1 hour). For the class test, students will be given an exhibit and asked to answer questions related to creating a forensically sound image of the hard drive, or to re-image an image if appropriate. Students will also be required to verify the integrity of the created forensic copy and identify the location of user-related artefacts present within the exhibit. Weighting 50%.
2. A written report that will assess learning outcomes 3 and 4. The report will be based upon discussing an examination technique using three digital examination tools. 2000 words. Weighting 50% (This will be the final assessment item to be submitted)
Module Learning Strategies
26 hours of lectures and 52 hours of practical/tutorials. You will be required to complete background reading prior to each tutorial. The background reading will help you underpin the practical demonstrations on the module. A large proportion of the tutorial sessions will be problem based. Students will be given case studies and carefully prepared computer images to simulate various crimes to examine. Once the examination is completed students are expected to report upon their findings using appropriate court approved forensic reporting. Where appropriate students will be given formative assessments to complete and evaluate with their peers.
Module Texts
Data Protection Act 2018 and GDPR 2018
ISO/IEC/IEEE 29148:2011
Conklin, W. (2016). Principles of computer security. New York: McGraw-Hill Education. ISBN:0071835970 9780071835978.
Easttom, C. (2016). Computer security fundamentals. 3rd edn. Indianapolis, IN: Pearson Education. ISBN: 078975746x; 9780789757463.
HM Government, National Cyber Security Strategy 2016 to 2021, Published on Nov. 2016, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/-national_cyber_security_strategy_2016.pdf
International Organization for Standardization, ISO/IEC 27001:2013 - Information technology -- Security techniques -- Information security management systems -- Requirements.
ISO 8000-8:2015 Data quality -- Part 8: Information and data quality: Concepts and measuring
Johnson, T.A. (2015). Cybersecurity: Protecting Critical Infrastructures from Cyber Attack and Cyber Warfare. ISBN-13: 978-1-48223923-2
Kostopoulos, G.K. (2017). Cyberspace and Cybersecurity, 2nd edn. Auerbach Publications. ISBN: 9781351653077.
Meyers, M. (2016). Comptia A+ Certification All-In-One Exam Guide, 9th edn. McGraw-Hill Education. ISBN: 9781259589515.
Wu, C. and Irwin, J. (2016). Introduction to computer networks and cybersecurity. Hoboken: CRC Press. ISBN: 1466572140.
Module Resources
Access to the cyber Lab
Forensic analysis software such as EnCase and FTK
Access to digital forensic hardware (e.g. Fastblock write-blocking kits)
Access to forensic exhibits (e.g. hard drives prepared by tutor.)
Module Special Admissions Requirements
Prior study of a Level 4 30 credit Network/Forensic/Security Module