ADDITIONAL ASSESSMENT DETAILS
One practical-based portfolio assessment (100%, 3000 words excluding appendices) covering learning outcomes 1-4, comprising a number of practical exercises on a simulated scenario in which malware has compromised an enterprise network.
INDICATIVE CONTENT
Managing Incidents and the IR lifecycle
Forensic Readiness
Rapid incident response analysis and breach assessment
Windows live incident response
Memory analysis during incident response
Timeline analysis
In-depth Windows NTFS file system examination to detect APT groups and advanced insider threats
Network Forensics
Detection of anti-forensics
LEARNING STRATEGIES
The material will be presented through a combination of directed self-study, recorded lectures, on-line materials in Blackboard, and practical exercises conducted on the server infrastructure, with VPN access to the platforms used for those exercises. Queries are handled asynchronously via email and the discussion board, and synchronously through surgery sessions (with access to the on-line virtual infrastructure) and Skype as necessary.
RESOURCES
Remote access to laboratory resources (VPN access)
Access to purposely built VMs
TEXTS
• Michael Hale Ligh et al. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Wiley, 2014. ISBN 1118825098
• Jason Luttgens, Matthew Pepe and Kevin Mandia. Incident Response & Computer Forensics, Third Edition. McGraw-Hill Osborne Media, 2014. ISBN 0071798684
• Don Murdoch. Blue Team Handbook: Incident Response Edition: A Condensed Field Guide for the Cyber Security Incident Responder, Second Edition. CreateSpace Independent Publishing Platform, 2014. ISBN 1500734756
LEARNING OUTCOMES
1. Demonstrate critical knowledge of the tools, methods and procedures used in order to effectively detect, contain, and remediate against a variety of adversaries. (Enquiry, Knowledge and Understanding, Reflection)
2. Research and critically evaluate malware beaconing outbound to its command and control (C2) channel via memory forensics, registry analysis, and network connection residue. (Application, Knowledge and Understanding, Reflection)
3. Demonstrate practical understanding of the techniques for tracking user and attacker activity second-by-second on the system under analysis through in-depth timeline analysis. (Analysis, Enquiry, Problem Solving)
4. Demonstrate conceptual understanding of DFIR that enables the student to use collected data to perform effective intrusion remediation across the entire enterprise. (Knowledge and Understanding, Problem Solving, Reflection)