IY3S607 - Advanced Digital Investigation Techniques 01 Sep 2022 - 31 Aug 2028 | Version 5
Associated Module Information
| Module Code: | IY3S607 |
|---|---|
| Module Title: | Advanced Digital Investigation Techniques |
| Faculty: | Faculty of Computing, Engineering and Science |
| Faculty Group: | Cyber Security |
| Faculty Sub Group: | Cyber Security |
| Module Leader: | Gareth Davies |
| Module Team: | Andrew Bellamy, Rachael Medhurst |
| First Intended Intake: | SEP 2013 |
| Final Year of Intake: | 2016 |
| Date Closed: | |
| Credit Value: | 20 |
| Credit Level: | 6 |
| Language: | English |
| Percentage of Module Taught in Welsh: | 0 |
| Equivalent Module: | |
| HECOS codes: | 100385 - computer forensics |
| HECOS Code Weighting: | 100 |
Document Version Information
| Version | 5 |
|---|---|
| Valid From | 01 Sep 2022 |
| Valid To | 31 Aug 2028 |
Module Aims
To provide detailed technical knowledge of the advanced techniques associated with evidence collection and analysis from a range of evidence sources.
To develop the student's ability to perform computer forensics at an advanced level.
Content Summary
The focus of this module is to provide students with the required technical knowledge and skills to perform a forensic analysis:
An examination of the issues surrounding damaged media:
HDD Damage and related issues
Evidential integrity in live investigations; the challenging issue of preserving evidential integrity will be discussed.
Detection and assessment of the impact of malware
Forensic investigation of specialised systems; investigation of specialised computing platforms, examples of which may include gaming systems, embedded and ad-hoc systems.
Assessing the reliability of digital evidence; reliance on abstract artifacts as evidence can be challenging. The implications of the nature of electronic evidence will be discussed and methods for assessing its reliability will be presented.
Examples of specialist investigations:
Presentation of case studies of specific investigations.
Future directions of computer forensics; Evolving trends in the area of incident investigation.
Tools and technologies for the future.
Legal concerns and the Daubert Standard:
- BS EN ISO/IEC 17020:2012
- BS EN ISO/IEC 17025:2005
Challenges of Live Forensics
Benefits of independent forensic reconstruction
Top-down processes:
- re-evaluate
- search for support
- search for evidence
- search for relations
- search for information
Physical data acquisition:
- mobile phone data acquisition
- chip-off techniques
- Advanced data recovery
Digital forensics analysis tools
Forensic case creation and evidence validation
Application Forensics:
Web browsers
- URL history
- form data
- temporary files
- downloaded files
- cookies
Windows registry
Operating System Analysis:
Storage Forensics
Data abstraction layers
- physical media
- block device
- file system
- application artifacts
Data Acquisition
- encryption concerns
- technical challenges
- Encrypted file analysis techniques
Filesystem Analysis (Windows)
- Blocks
- Files
- Filesystems
- File metadata analysis
Block device analysis
- Partitions
- Logical Volumes
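The block device layer sits between the physical media and the file system, and the first thing an examiner reads there is the partition table. The following is an added example, not material from the module or the university: a parser for the four primary entries of an MBR in sector 0, plus the sanity checks an examiner runs before trusting the table (unallocated gaps that may hold hidden or deleted data, overlapping entries that indicate corruption or tampering, and partitions that extend beyond the acquired image, which is what a truncated acquisition or an HPA/DCO-protected area looks like). The 512-byte sector size, the partition type subset and the sample sector 0 are all assumptions constructed for the example; GPT disks carry a protective 0xEE entry and their real layout must be read from LBA 1 instead.

```python
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512                 # assumed logical sector size
MBR_SIGNATURE = b"\x55\xAA"  # boot signature at bytes 510-511
TABLE_OFFSET = 446           # four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, start LBA, sector count

# Subset of MBR partition type IDs; enough for the constructed sample.
PARTITION_TYPES = {
    0x05: "extended (CHS)", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_id, f"unknown 0x{self.type_id:02X}")

    @property
    def start_byte(self) -> int:
        return self.start_lba * SECTOR

    @property
    def end_lba(self) -> int:        # exclusive
        return self.start_lba + self.sector_count


def parse_mbr(sector0: bytes) -> List[Partition]:
    """Parse the four primary entries of an MBR. Raises ValueError if the boot signature is absent."""
    if len(sector0) < SECTOR:
        raise ValueError("need the full first sector")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: damaged sector 0 or not an MBR disk")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector0, TABLE_OFFSET + i * 16)
        if ptype == 0 and count == 0:
            continue                      # unused slot
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def check_layout(parts: List[Partition], image_sectors: int) -> List[str]:
    """Checks to run before trusting the table: gaps (hidden or unallocated data), overlaps
    (corrupt or tampered table) and entries past the image end (truncated acquisition, HPA/DCO)."""
    warnings = []
    cursor = 1                            # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda q: q.start_lba):
        if p.type_id == 0xEE:
            warnings.append("protective MBR: real layout is in the GPT at LBA 1")
        if p.start_lba > cursor:
            warnings.append(f"unallocated gap: sectors {cursor}-{p.start_lba - 1}")
        elif p.start_lba < cursor:
            warnings.append(f"partition {p.index} overlaps a previous entry")
        if p.end_lba > image_sectors:
            warnings.append(f"partition {p.index} ends at sector {p.end_lba}, past the image end ({image_sectors})")
        cursor = max(cursor, p.end_lba)
    if cursor < image_sectors:
        warnings.append(f"unallocated gap: sectors {cursor}-{image_sectors - 1}")
    return warnings


def build_sample_mbr() -> bytes:
    """Constructed sector 0 (not real evidence): bootable FAT32 at LBA 2048 for 10000 sectors,
    Linux at LBA 20480 for 4096 sectors, two empty slots."""
    def entry(status, ptype, lba, count):
        return struct.pack(ENTRY_FMT, status, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", lba, count)
    table = entry(0x80, 0x0C, 2048, 10000) + entry(0x00, 0x83, 20480, 4096) + b"\x00" * 32
    return b"\x00" * TABLE_OFFSET + table + MBR_SIGNATURE


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p.index, p.type_name, "bootable" if p.bootable else "", "offset", p.start_byte)
    # An image of only 16384 sectors: the second partition runs past its end.
    for w in check_layout(parts, 16384):
        print("WARNING:", w)
```

On a real image, replace build_sample_mbr() with the first 512 bytes of the acquired file and pass the image length in sectors to check_layout(); each start_byte is where the file system layer begins for that partition.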
Data recovery & File content Carving
- carving techniques
- fragmentation
- slack space
Artifact Analysis
- cryptographic hashing
- block-level analysis
- Evidence identification and analysis
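Header/footer carving, slack space and cryptographic hashing (the "Data recovery & File content Carving" and "Artifact Analysis" topics above) come together in one small workflow, shown here as an added example that is not part of the module material. It carves JPEG and PNG objects out of a raw image without consulting any file system, records a SHA-256 for each carved object so it can be validated later, reports a header whose footer never arrives (the carver's view of a fragmented or truncated file), and exposes the file slack of an allocated file, which is where remnants of earlier data survive. The 512-byte block size, the signature table and the sample image are assumptions constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

BLOCK = 512  # assumed block size of the constructed image

# Header/footer signature pairs used for carving: JPEG SOI..EOI, PNG signature..IEND chunk.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> List[dict]:
    """Header/footer carving over a raw image, ignoring any file system.

    Each hit records byte offset, length and SHA-256 so the carved object can be validated later.
    A header with no footer within max_size is reported but not carved: to a carver that is what
    a fragmented or truncated file looks like."""
    hits: List[dict] = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(foot, start + len(head), start + max_size)
            if end == -1:
                hits.append({"type": kind, "offset": start, "length": None, "sha256": None,
                             "note": "header without footer: fragmented or truncated"})
                pos = start + 1
                continue
            data = image[start:end + len(foot)]
            hits.append({"type": kind, "offset": start, "length": len(data),
                         "sha256": sha256_hex(data), "note": ""})
            pos = end + len(foot)
    return sorted(hits, key=lambda h: h["offset"])


def verify_carved(image: bytes, hit: dict) -> bool:
    """Re-read the carved region and compare its hash with the one recorded at carving time."""
    if hit["length"] is None:
        return False
    data = image[hit["offset"]:hit["offset"] + hit["length"]]
    return sha256_hex(data) == hit["sha256"]


def file_slack(image: bytes, file_offset: int, file_size: int) -> bytes:
    """Bytes between a file's logical end and the end of its last allocated block."""
    end = file_offset + file_size
    last_block_end = -(-end // BLOCK) * BLOCK   # round up to the block boundary
    return image[end:last_block_end]


# Constructed sample data, not real evidence.
SAMPLE_JPG_ALLOCATED = b"\xFF\xD8\xFF\xE0" + b"A" * 100 + b"\xFF\xD9"   # 106 bytes
SAMPLE_JPG_DELETED = b"\xFF\xD8\xFF\xE0" + b"B" * 200 + b"\xFF\xD9"     # 206 bytes
SAMPLE_REMNANT = b"remnant of an earlier file: pin=4242"


def build_sample_image() -> bytes:
    """Five-block image: a live JPEG with old data in its slack, a deleted JPEG with no
    directory entry, and a JPEG header whose remaining blocks were lost."""
    def block(payload: bytes) -> bytes:
        assert len(payload) <= BLOCK
        return payload + b"\x00" * (BLOCK - len(payload))
    return b"".join([
        block(b""),                                     # block 0: unused
        block(SAMPLE_JPG_ALLOCATED + SAMPLE_REMNANT),   # block 1: live file, remnant in its slack
        block(b""),                                     # block 2: unused
        block(SAMPLE_JPG_DELETED),                      # block 3: deleted file, content still present
        block(b"\xFF\xD8\xFF\xE1" + b"C" * 100),        # block 4: header only, footer lost
    ])


if __name__ == "__main__":
    img = build_sample_image()
    for h in carve(img):
        print(h, "valid" if verify_carved(img, h) else "not verifiable")
    print("slack of block-1 file:", file_slack(img, BLOCK, len(SAMPLE_JPG_ALLOCATED))[:40])
```

The hash recorded at carving time is what makes the carved object defensible later: verify_carved() fails as soon as a single byte of the source region changes, and it deliberately refuses to vouch for the header-only hit because nothing complete was recovered there.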
Learning and Teaching Methods
| Activity Type | Hours |
|---|---|
| Lecture | 24 |
| Tutorial | 24 |
| Independent Study | 80 |
| Directed Study | 72 |
| Total Hours Selected | 200 |
Learning Outcomes
| # | Learning Outcome |
|---|---|
| LO1 | To demonstrate at an advanced level a detailed understanding of advanced computer forensic concepts, concentrating on the analysis, interpretation and extraction of digital evidence. |
| LO2 | To demonstrate at an advanced level the ability to conduct an investigation on unfamiliar data sources using appropriate tools and techniques. |
Module Requisites
N/A
Assessment Criteria
| Assessment Category | Assessment Type | Description | Duration | Word Count | Weight (%) | Best of? | Pass Mark |
|---|---|---|---|---|---|---|---|
| Asynchronous Assessment | Report 1 | A written report that draws on knowledge and material from across a whole programme | 0 | 2000 | 50 | No | 40 |
| Synchronous Online Assessment (Exam) | Online Open Book Examination (Not Proctored) 1 | A test of knowledge and understanding through previously seen or unseen questions. Students may access resources (specified or unspecified) during the examination, delivered online and time constrained to not more than 3 hours. | 120 | N/A | 50 | No | 40 |
Assessment Matrix
| Assessment Type | LO1 | LO2 |
|---|---|---|
| Report 1 | ✔ | ✔ |
| Online Open Book Examination (Not Proctored) 1 | ✔ | ✔ |