IY2S503 - Forensic Digital Evidence 01 Sep 2022 - 31 Aug 2028 | Version 5
Associated Module Information
| Module Code: | IY2S503 | ||
|---|---|---|---|
| Module Title: | Forensic Digital Evidence | ||
| Faculty: | Faculty of Computing, Engineering and Science | ||
| Faculty Group: | Cyber Security | ||
| Faculty Sub Group: | Cyber Security | ||
| Module Leader: | Peter Eden | ||
| Module Team: | Andrew Bellamy, Christopher Tubb, Sharan Johnstone, Christopher Manley, Madhu Khurana, Emma Derbi, Joshua Richards, Peter Eden, Richard Ward, Beth Jenkins, Arun Kumar, Rachael Medhurst, Nisha Rawindaran, Mamoun Qasem, Chelsea Cooper | ||
| First Intended Intake: | NOV 2015 | Final Year of Intake: | |
| Date Closed: | |||
| Credit Value: | 20 | Credit Level: | 5 |
| Language: | English | ||
| Percentage of Module Taught in Welsh: | 0 | ||
| Equivalent Module: | |||
| HECOS codes: | 100385 - computer forensics | ||
| HECOS Code Weighting: | 100 | ||
Document Version Information
| Version | 5 |
|---|---|
| Valid From | 01 Sep 2022 |
| Valid To | 31 Aug 2028 |
Module Aims
To provide knowledge of the tools and techniques associated with computer forensics
To develop the students ability to apply computer forensics principles to a range of problems
Content Summary
Digital forensics analysis tools
Forensic case creation and evidence validation
Application Forensics:
Web browsers
- URL history
- form data
- temporary files
- downloaded files
- cookies
Windows registry
Operating System Analysis:
Storage Forensics
- Data abstraction layers
- physical media
- block device
- file system
- application artifacts
Data Acquisition
- logical data acquisition
- block-level acquisition
- cryptographic hashes
encryption concerns
- technical challenges
- Encrypted file analysis techniques
Filesystem Analysis (Windows/Linux/MAC)
- Blocks
- Files
- Filesystems
- File metadata analysis
Block device analysis
- Partitions
- Logical Volumes
Data recovery & File content Carving
- carving techniques
- fragmentation
- slack space
Artifact Analysis
- cryptographic hashing
- block-level analysis
- Evidence identification and analysis
Learning and Teaching Methods
| Activity Type | Hours |
|---|---|
| Lecture | 24 |
| Tutorial | 24 |
| Independent Study | 80 |
| Directed Study | 72 |
| Total Hours Selected | 200 |
Learning Outcomes
| # | Learning Outcome |
|---|---|
| LO1 | To demonstrate the correct usage and the features of a standard forensic analysis tool |
| LO2 | To identify, analyse and extract a wide range of computer forensic artefacts found in Windows, MAC and Linux operating systems and file systems. |
Module Requisites
N/A
Assessment Criteria
| Assessment Category | Assessment Type | Description | Duration | Word Count | Weight (%) | Best of? | Pass Mark |
|---|---|---|---|---|---|---|---|
| Synchronous Onsite Practical Assessment | Practical Test 2 | A practical test, carried out in the laboratory regarding the forensic analysis of a Windows system | 90 | N/A | 60 | No | 40 |
| Synchronous Onsite Practical Assessment | Practical Test 1 | A practical test, carried out in the laboratory regarding the forensic analysis of a Macintosh system | 60 | N/A | 40 | No | 40 |
Assessment Matrix
| Assessment Type | Learning Outcomes | ||
|---|---|---|---|
| LO1 | LO2 | ||
| Practical Test 2 | ✔ | ✔ | |
| Practical Test 1 | ✔ | ✔ | |