Accessibility statement

Forensic Analysis of Cyber Incidents - COM00115M

« Back to module search

  • Department: Computer Science
  • Module co-ordinator: Mr. Angus Marshall
  • Credit value: 10 credits
  • Credit level: M
  • Academic year of delivery: 2022-23

Module will run

Occurrence Teaching cycle
A Spring Term 2022-23

Module aims

This module provides an introduction to computer forensic analysis, sufficient to enable a student to understand the disciplines and processes required to obtain and preserve evidence, and the practical skills necessary to conduct and report a basic forensic examination. The module is set in the context of security incident response, and includes both the examination of computers which may have been the origin or victim of unwanted user action, and also the preliminary investigation and classification of malware.

Module learning outcomes

At the end of the module the student will understand:

  • the requirements that must be met to allow evidence to be presented in court, and standard approaches to the forensic processes to support such requirements.
  • how to produce reports which communicate complex technical analyses to a non-expert audience
  • how low-level elements of a computer system (CPU, memory management, processes, file systems) give rise to persistent evidence of how a system has been used.
  • how to to prepare for, and conduct analysis of digital systems in order to produce evidence for a range of purposes
  • data structures used by browsers, and evaluate evidence of Internet browsing obtained from this source.
  • how to make reasoned judgments about the protection and functionality required of systems used to investigate potential malware

Module content

Evidence and the Courtroom

  • The legal system, courts, process and roles.
  • Types of evidence.
  • Witnesses of fact, or Experts?
  • Admissibility and the computer forensic processes
  • Surviving cross-examination.
  • Writing forensic reports.

The possibility of forensic evidence

  • Computer architectures.
  • Disk Partitions and File Systems.
  • Data files, formats and their recognition and interpretation.
  • The recovery of 'deleted' data from file systems and databases.
  • Searching for Evidence.

Operating System Artefacts

  • Investigative preliminaries: system, time, user accounts and devices.
  • Evidence from the Windows Registry.
  • Establishing User Histories.

Evidence of Internet Use

  • Network configuration and use.
  • Databases: ESE and SQLite.
  • Browsing History Recovery.
  • Opportunities: Evidence of Private Browsing.

Security Incidents

  • Operational Security.
  • Incident readiness and response.


Task Length % of module mark
Technical Report
N/A 100

Special assessment rules



Task Length % of module mark
Technical Report
N/A 100

Module feedback

Written feedback will be provided in accordance with standard policy for all module open assessments of our MSc programmes. This is usually within 3 weeks of the submission date.

Indicative reading

*** Casey, Eoghan, Handbook of digital forensics and investigation [electronic resource], Academic Press, 2010

Bond, Catherine, The expert witness: a practical guide, Shaw, 2007

Carvey, Harlan A., Windows forensic analysis toolkit [electronic resource] : advanced analysis techniques for Windows 8, Syngress, 2014

Sanderson, Paul. SQLite Forensics. Paul Sanderson, 2018

The information on this page is indicative of the module that is currently on offer. The University is constantly exploring ways to enhance and improve its degree programmes and therefore reserves the right to make variations to the content and method of delivery of modules, and to discontinue modules, if such action is reasonably considered to be necessary by the University. Where appropriate, the University will notify and consult with affected students in advance about any changes that are required in line with the University's policy on the Approval of Modifications to Existing Taught Programmes of Study.