Module Details

Module Code: COMP9038
Title: Incident Response & Forensics
Long Title: Incident Response & Forensics
NFQ Level: Expert
Valid From: Semester 2 - 2022/23 ( January 2023 )
Duration: 1 Semester
Credits: 10
Field of Study: 4811 - Computer Science
Module Delivered in: 2 programme(s)
Module Description: Computer misuse in organisations typically fall into two general categories. Either a computer is leveraged to commit a crime or itself is a target for crime. This module will focus on the computer itself as the victim of crime and the examination of computer systems that have been remotely attacked, which is commonly referred to as Incident Response (IR). As part of this module data acquisition and recovery techniques will be examined to support forensic investigations and the tools, policies and procedures that are useful in the field of IR.
 
Learning Outcomes
On successful completion of this module the learner will be able to:
# Learning Outcome Description
LO1 Discuss the main technical approaches and challenges associated with IR.
LO2 Investigate the current legal frameworks and data privacy laws relevant to the field of IR.
LO3 Develop an Incident Response (IR) plan for an organisation with the aim of improving a firm’s security posture.
LO4 Gather static data from a computer or storage device with the aim of preserving evidence.
LO5 Acquire volatile memory and data using advanced tools and techniques.
LO6 Interpret data collected as part of a forensic investigation.
LO7 Analyse the main exploitation mitigation techniques for modern day operating systems.
Dependencies
Module Recommendations

This is prior learning (or a practical skill) that is strongly recommended before enrolment in this module. You may enrol in this module if you have not acquired the recommended learning but you will have considerable difficulty in passing (i.e. achieving the learning outcomes of) the module. While the prior learning is expressed as named MTU module(s) it also allows for learning (in another module or modules) which is equivalent to the learning specified in the named module(s).

Incompatible Modules
These are modules which have learning outcomes that are too similar to the learning outcomes of this module. You may not earn additional credit for the same learning and therefore you may not enrol in this module if you have successfully completed any modules in the incompatible list.
No incompatible modules listed
Co-requisite Modules
No Co-requisite modules listed
Requirements

This is prior learning (or a practical skill) that is mandatory before enrolment in this module is allowed. You may not enrol on this module if you have not acquired the learning specified in this section.

Students should have a very good knowledge of Operating Systems, and be comfortable while working at the command line in both a Windows and Linux environment.
 
Indicative Content
Incident Response
Incident Response theory. Challenges associated with IR. Lifecycle of Incident Responce, Policies, Procedures, Tools and commands useful in various OS's, WMIC, Powershell, SysInternals Tools. Planning for an IR: Pre-Incident Preparation, Scoping an Incident, Remediation. Acquiring data from many systems.
EDiscovery
Laws relating to the capture of static and dynamic data. EDiscovery issues. Laws related to monitoring communications and traffic data during an incident. Disclosure of stored communications and documents. EU and Global legal frameworks.
Data Acquisition
Imaging, dd, dc3dd, FTK, hardware, software, volatile data, imaging live and dead systems, chain of custody.
File Systems
FAT, NTFS, exFAT, ext2/3, ext4, superblock, timings, filesystem storage, metadata, inodes.
Windows Internals
The Registry, Typical Windows Processes such as lsass, winlogin, explorer, svchost.
Forensic Analysis
Data Carving, Timeline Analysis, supertimelines, unallocated data, slack space, Host Block Area, Windows Registry Keys, restore points, ShellBags,Finding evidence of file opening/download/execution, physical location, external device usage, browser usage, account login/logout.
Memory Forensics
Acquiring a memory image, hibernation files and crash dumps, memory dump formats, Processes and drivers in memory, event logs, registry, network artefacts in memory, kernel forensics, locating malware and code injection, use of volatility and/or rekall.
Exploitation Mitigation
EMET, Stack canaries, DEP, ASLR, SEHOP, Control Flow Guard, Null Pointer Dereference, Isoltae Heap, Deferred Free.
Other Topics
Forensic analysis of Smartphones, USB sticks, Counter Forensics.
Module Content & Assessment
Assessment Breakdown%
Coursework100.00%

Assessments

Coursework
Assessment Type Project % of Total Mark 20
Timing Week 5 Learning Outcomes 1,2,3
Assessment Description
An example assignment that may be set as part of this assessment may be to discuss the field of IR bearing in mind the legal frameworks and data privacy laws relevant to the field.
Assessment Type Project % of Total Mark 30
Timing Week 10 Learning Outcomes 4,5,6
Assessment Description
Given log file data the student may be expected to gather static and volatile data using well known tools and techniques with the aim of preserving evidence that may form part of a forensic investigation.
Assessment Type Project % of Total Mark 50
Timing Sem End Learning Outcomes 4,5,6,7
Assessment Description
This project will evaluate the student's understanding of the exploitation mitigation techniques that may be employed in modern operating systems. The student may be expected to perform a memory extraction on patched and unpatched operating systems and a comparative analysis of the resulting data.
No End of Module Formal Examination
Reassessment Requirement
Coursework Only
This module is reassessed solely on the basis of re-submitted coursework. There is no repeat written examination.

The University reserves the right to alter the nature and timings of assessment

 

Module Workload

Workload: Full Time
Workload Type Contact Type Workload Description Frequency Average Weekly Learner Workload Hours
Lecture Contact Lecture delivering theory underpinning learning outcomes. Every Week 4.00 4
Lab Contact Lab to support learning outcomes. Every Week 2.00 2
Independent Learning Non Contact Independent learning Every Week 8.00 8
Total Hours 14.00
Total Weekly Learner Workload 14.00
Total Weekly Contact Hours 6.00
Workload: Part Time
Workload Type Contact Type Workload Description Frequency Average Weekly Learner Workload Hours
Lecture Contact Lecture delivering theory underpinning learning outcomes. Every Week 4.00 4
Lab Contact Lab to support learning outcomes. Every Week 2.00 2
Independent Learning Non Contact Independent learning Every Week 8.00 8
Total Hours 14.00
Total Weekly Learner Workload 14.00
Total Weekly Contact Hours 6.00
 
Module Resources
Recommended Book Resources
  • Jason Luttgens, Matthew Pepe, Kevin Mandia. (2014), Incident Response and Computer Forensics, Third Edition, [ISBN: 9780071798686].
Supplementary Book Resources
  • Bill Nelson and Christopher Steuart. (2018), Guide To Computer Forensics And Investigations, 6th. CENGAGE, [ISBN: 9781337568944].
  • Philip Polstra. (2015), Linux Forensics, CreateSpace Independent Publishing Platform, [ISBN: 1515037630].
  • Chet Hosmer. (2014), Python Forensics: A workbench for inventing and sharing digital forensic technology, Syngress, [ISBN: 0124186769].
  • Michael Hale Ligh, Jamie Levy, Aaron Walters, Andrew Case. (2014), The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory, Wiley, [ISBN: 1118825098]].
  • Kieth Jones, Richard Betjlich. (2012), Real Digital Forensics, Volume 2, Addison-Wesley, [ISBN: 032168477X].
  • Harlan Carvey. (2011), Windows Registry Forensics, Syngress, [ISBN: 1597495808].
  • Eoghan Casey. (2011), Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet, Third Edition. Academic Press, [ISBN: 0123742684].
  • Andrew Hoog. (2011), Android Forensics, Syngress, [ISBN: 1597496510].
  • Bill Nelson, Amelia Phillips, Christopher Steuart. (2010), Lab Manual for Nelson/Phillips/Steuart's Guide to Computer Forensics and Investigations, [ISBN: 1435498852].
  • Michael Ligh, Steven Adair, Blake Hartstein, Matthew Richard. (2010), Malware Analyst's Cookbook and DVD, Wiley, [ISBN: 0470613033].
  • Brian Carrier. (2005), File system forensic analysis, Addison-Wesley, Upper Saddle River, NJ, [ISBN: 0321268172].
Recommended Article/Paper Resources
Other Resources
 
Module Delivered in
Programme Code Programme Semester Delivery
CR_KINSE_9 Master of Science in Cybersecurity 1 Mandatory
CR_KINSY_9 Postgraduate Diploma in Science in Cybersecurity 1 Mandatory