
WM3E5-15 Cyber Forensics

Department
WMG
Level
Undergraduate Level 3
Module leader
Maria Papadaki
Credit value
15
Module duration
14 weeks
Assessment
100% coursework
Study locations
  • University of Warwick main campus, Coventry (primary)
  • Distance or Online Delivery

Introductory description

Cyber security teams are routinely called on to investigate incidents ranging from the downtime of critical resources such as servers and networks to complex cyber-attacks which lead to loss of resources, reputational damage and potential fines. A digital investigation is the process of identifying and analysing the causes of incidents and providing a robust and comprehensive response and explanation to stakeholders on the cause of an incident and the steps that can be taken to mitigate against it occurring again in the future. The endpoint of a digital investigation is often a report which must clearly, cogently and convincingly attribute the root cause of the incident, whilst at the same time being easily understood by lay audiences which range from members of a court to chief executives in an organisation. This ability to organise important information and present it professionally and clearly is a key skill within the cyber security domain.

Module aims

This module outlines the steps that an investigator must follow in a wide range of incidents and equips participants with the skills required to apply scientific techniques and industry-standard tools to a digital investigation and present convincing results. The module draws on case studies of example incidents which require investigation. Participants perform an investigation through the stages of evidence analysis and report writing. Throughout this process, participants are introduced to the range of tools available during an investigation and issues relating to the admissibility of evidence produced by these tools. Participants gain a thorough understanding of how the mode of investigation differs between different types of investigation, for instance, corporate and criminal investigations. Participants are made acutely aware of the importance of drawing the correct inference from digital evidence and the significant challenges faced by investigators, namely that digital data is fragile, its quantity may be overwhelming, it may be transient or volatile, it may not be legally accessible, it may not be technically accessible, and its structure may be unclear.

Outline syllabus

This is an indicative module outline only to give an indication of the sort of topics that may be covered. Actual sessions held may differ.

  • Digital evidence. The nature of evidence, chain of custody, contamination; specific features of digital evidence, fragility and integrity, hashing; capturing, preserving, replicating.
  • Interpreting. Structure of digital material in a variety of forms; structure of stored material: volumes, partitions, filesystems, deleted material, persistence of earlier material; other sources of stored digital material (phones, cameras etc.).
  • Tools and techniques. Validation and verification, scientific process; selected standard tools (imaging, carving, triage), capabilities and limitations; open source and commercial.
  • Investigation. Briefing document. Record keeping, contemporaneous notes, negative/absence and positive/presence findings. Valid inferences, testing of non-standard techniques in novel situations. Analysing memory forensics, analysing network forensics. Anti-forensics.
  • Presentation. Eyewitness and expert witness testimony, responsibility.
  • Incident response and management. Preparation, trusted toolset; issues: maintaining power vs cutting power, transmitting devices, live systems, encrypted storage.
  • Intrusion detection methods. Intrusion response, management and handling; intrusion analysis, monitoring and logging.
  • Judicial systems. Jurisdiction (national vs international context), agencies; cyber-specific issues: geo-locale of actor, agent, data and communications, agency cooperation; the scope of criminal, civil and enterprise investigations; ACPO guidelines.

Learning outcomes

By the end of the module, students should be able to:

  • Apply digital forensic tools and techniques to solve given problems. [CITP 2.1.10, 2.2.3]
  • Investigate digital artefacts against a realistic brief, preserving, analysing and interpreting the evidence. [CITP 2.3.2] [AHEP4 C9]
  • Evaluate the capability to perform incident management and incident response. [CITP 2.1.4, 2.1.7]
  • Distinguish the complexities of jurisdiction in the cyber domain. [CITP 2.1.13]

Indicative reading list

Choo, K.-K. R. and Dehghantanha, A. (eds) (2017) Contemporary digital forensic investigations of cloud and mobile applications. Amsterdam: Syngress (an imprint of Elsevier). Available at: http://encore.lib.warwick.ac.uk/iii/encore/record/C__Rb3102957
Lallie, H. S. (2020) Dashcam forensics: a preliminary analysis of 7 dashcam devices. Forensic Science International: Digital Investigation, 33, p. 200910.
Carvey, H. and Altheide, C. (2011) Digital forensics with open source tools. Syngress, illustrated edition. ISBN 1597495867.
Casey, E. (2010) Handbook of digital forensics and investigation. Amsterdam: Academic Press. Available at: http://encore.lib.warwick.ac.uk/iii/encore/record/C__Rb3102958

Research element

There is a strong emphasis on the development, growth and enhancement of individual research skills so as to provide participants with the high level research knowledge, skills and competencies needed to undertake an independent, original piece of research. The module content draws upon and highlights research within the domain and the module assessment requires participants to perform further research before preparing a response to the assessment task.

Subject specific skills

This module covers the following skills based on the latest published DTS DA standard (ST0119):

  • Apply relevant security and resilience techniques to a digital and technology solution. For example, risk assessments, mitigation strategies (S9)
  • Report effectively to colleagues and stakeholders using the appropriate language and style, to meet the needs of the audience concerned (S13)
  • Apply relevant legal, ethical, social and professional standards to a digital and technology solution (S15)
  • Use appropriate cyber security technology, tools and techniques in relation to the risks identified (S44)

Also, students will demonstrate:

  • An understanding of assessing the business impact of an incident.
  • An understanding of disaster recovery planning and the importance of business continuity policy.
  • The ability to conduct and manage a digital investigation.
  • An awareness of auditing and the importance of security controls.

Transferable skills

Communication skills
Problem-solving
Professionalism
Critical thinking
Teamwork and collaboration

Study time

Type Required
Lectures 10 sessions of 1 hour (7%)
Practical classes 20 sessions of 1 hour (13%)
Work-based learning 15 sessions of 1 hour (10%)
Online learning (independent) 5 sessions of 1 hour (3%)
Other activity 5 hours (3%)
Private study 35 hours (23%)
Assessment 60 hours (40%)
Total 150 hours

Private study description

Pre-block exercises given on Moodle.
Post-block problem sets released on Moodle.
Free open source virtual environment in which to conduct experiments.

Other activity description

NA

Costs

No further costs have been identified for this module.

You must pass all assessment components to pass the module.

Assessment group A1
Weighting Study time Eligible for self-certification
Assessment component
Coursework 60% 36 hours Yes (extension)

Students will be provided with an investigation brief and typically with a 'digital forensic image' (a bit-for-bit copy of a suspect's hard disk). Students will be required to conduct an investigation and report on the results.

Reassessment component is the same
Assessment component
Coursework 40% 24 hours Yes (extension)

Students will be provided with an incident outline. Participants will be required to outline how an organisation should respond to the given incident, providing very clear advice to colleagues at C or E level.

Reassessment component is the same

Feedback on assessment

Feedback given as appropriate to the assessment type:

  • verbal feedback given during seminar/tutorial sessions
  • formative feedback on the individual contributions
  • written feedback on the final individual reports

Courses

This module is Core for:

  • DWMS-H655 Undergraduate Digital and Technology Solutions (Cyber) (Degree Apprenticeship)
    • Year 3 of H655 Digital and Technology Solutions (Cyber) (Degree Apprenticeship)
    • Year 4 of H655 Digital and Technology Solutions (Cyber) (Degree Apprenticeship)

This module is Optional for:

  • DWMS-H652 Undergraduate Digital and Technology Solutions (Data Analytics) (Degree Apprenticeship)
    • Year 3 of H652 Digital and Technology Solutions (Data Analytics) (Degree Apprenticeship)
    • Year 4 of H652 Digital and Technology Solutions (Data Analytics) (Degree Apprenticeship)
  • DWMS-H653 Undergraduate Digital and Technology Solutions (Network Engineering) (Degree Apprenticeship)
    • Year 3 of H653 Digital and Technology Solutions (Network Engineering) (Degree Apprenticeship)
    • Year 4 of H653 Digital and Technology Solutions (Network Engineering) (Degree Apprenticeship)
  • DWMS-H654 Undergraduate Digital and Technology Solutions (Software Engineering) (Degree Apprenticeship)
    • Year 3 of H654 Digital and Technology Solutions (Software Engineering) (Degree Apprenticeship)
    • Year 4 of H654 Digital and Technology Solutions (Software Engineering) (Degree Apprenticeship)