Studying at York
Forensic Analysis of Cyber Incidents - COM00115M
- Department: Computer Science
- Module co-ordinator: Dr. Angus Marshall
- Credit value: 10 credits
- Credit level: M
- Academic year of delivery: 2021-22
- See module specification for other years: 2022-23
Module will run
| Occurrence | Teaching period |
|---|---|
| A | Spring Term 2021-22 |
Module aims
This module provides an introduction to computer forensic analysis, sufficient to enable a student to understand the disciplines and processes required to obtain and preserve evidence, and the practical skills necessary to conduct and report a basic forensic examination. The module is set in the context of security incident response, and includes both the examination of computers which may have been the origin or victim of unwanted user action, and also the preliminary investigation and classification of malware.
Module learning outcomes
At the end of the module the student will understand:
- the requirements that must be met to allow evidence to be presented in court, and standard approaches to the forensic processes to support such requirements.
- how to produce reports which communicate complex technical analyses to a non-expert audience
- how low-level elements of a computer system (CPU, memory management, processes, file systems) give rise to persistent evidence of how a system has been used.
- how to to prepare for, and conduct analysis of digital systems in order to produce evidence for a range of purposes
- data structures used by browsers, and evaluate evidence of Internet browsing obtained from this source.
- how to make reasoned judgments about the protection and functionality required of systems used to investigate potential malware
Module content
Evidence and the Courtroom
- The legal system, courts, process and roles.
- Types of evidence.
- Witnesses of fact, or Experts?
- Admissibility and the computer forensic processes
- Surviving cross-examination.
- Writing forensic reports.
The possibility of forensic evidence
- Computer architectures.
- Disk Partitions and File Systems.
- Data files, formats and their recognition and interpretation.
- The recovery of 'deleted' data from file systems and databases.
- Searching for Evidence.
Operating System Artefacts
- Investigative preliminaries: system, time, user accounts and devices.
- Evidence from the Windows Registry.
- Establishing User Histories.
Evidence of Internet Use
- Network configuration and use.
- Databases: ESE and SQLite.
- Browsing History Recovery.
- Opportunities: Evidence of Private Browsing.
Security Incidents
- Operational Security.
- Incident readiness and response.
Assessment
| Task | Length | % of module mark |
|---|---|---|
| Essay/coursework Technical Report |
N/A | 100 |
Special assessment rules
None
Reassessment
| Task | Length | % of module mark |
|---|---|---|
| Essay/coursework Technical Report |
N/A | 100 |
Module feedback
Written feedback will be provided in accordance with standard policy for all module open assessments of our MSc programmes. This is usually within 3 weeks of the submission date.
Indicative reading
*** Casey, Eoghan, Handbook of digital forensics and investigation [electronic resource], Academic Press, 2010
Bond, Catherine, The expert witness: a practical guide, Shaw, 2007
Carvey, Harlan A., Windows forensic analysis toolkit [electronic resource] : advanced analysis techniques for Windows 8, Syngress, 2014
Sanderson, Paul. SQLite Forensics. Paul Sanderson, 2018
Sitemap
Studying
- Enrolment
- Manage your studies
- Student visa holders
- Develop your skills
- Assessment and examination
- Graduation
- University card
Support and advice
