• Assessment will be Forensics Case Study and Research Assignment

• Blackboard
• Unconfirmed practical marks when available

This unit aims to:

• A1 to develop in-depth understanding of both the theoretical and practical issues in the field of cyber threat hunting and cyber investigation;
• A2 to consolidate knowledge of various computer systems and understand their importance in an incident handling and cyber investigation;
• A3 to develop necessary skills, methodologies and processes to detect cyber incidents and conduct in-depth computer and network investigation;
• A4 to develop an understanding of how the compromise of a system may be detected;
• A5 to develop an understanding of how data on systems may be analysed and evidence collated in a rigorous and defensible manner.
• A6 to develop an understanding of and ability to implement and analyse specific forms of non-virulent malware

By the end of the unit, a candidate will be able to:

• LO1 Develop a hunting and investigation plan for a range of different cyber environments;
• LO2 Identify residual remnants of attacker tools, tactics and procedures in enterprise networks;
• LO3 Collect and preserve evidence from a variety of traditional and modern computing platforms;
• LO4 Critically analyse various cyber incidents and hunt for remnants of threat actors' activities in file system, memory and network data;
• LO5 Analyse and document investigation results of collected evidence from emerging computing platforms.

Enterprise Threat Hunting and Incident Management

• Overview of Incident handling and threat hunting tools, techniques and procedures,
  Identification of compromised systems, Detecting active and passive malware,
  Incident handling and incident management frameworks

Data Collection and Forensics Imaging process

• File system data collection and preservation techniques, Memory imaging and volatile
  data preservation, Collection of network flow data, Mobile device imaging and evidence collection, Remote data acquisition techniques

File System Analysis

• File system timestamps analysis, Master File Table (MFT) investigation, Detecting and
  recovery of deleted files, Volume shadow copy analysis, Event log analysis
  Memory Analysis
• Identification of rouge processes, DLLs and file handles, Detection of suspicious drivers
  and in-memory Windows Registry examination, Advanced memory investigation with Volatility, Code injection, malware and rootkit hunting in memory

Network Data Analysis

• NetFlow data analysis, Analysis of encrypted network data, Wireless network forensics, FTP, HTTP, SMTP, DNS data analysis
  Intrusion Forensics
• Evidence of execution analysis, Timeline analysis, Analysis of adversaries lateral movements, Understanding malware persistence mechanisms
  

• All sessions are conducted in a secure environment. This may mean the standard programming environment or via laptops issued solely for the purposes of the module use. Each session starts with introducing the theoretical foundations relevant to adversarial activities of interest and relevant artefacts. Afterwards, we set up an environment to replicate the adversaries' tactics, techniques and procedures. Generated artefacts of adversaries' activities are then collected and analysed. Finally, collected artefacts are analysed based on their evidential value and the session is completed with a discussion about lessons learned in that session.
• The practical exam(s) will evaluate students' ability to conduct in-depth threat hunting on different platforms and extract artefacts from memory, file system and network data in a forensically sound manner. Students will also be required explain what they are doing, and to be able to articulate ethical issues applicable to what they've done;
• The lectures and lab sessions are sufficiently diverse to cover LO1, LO2, LO3, LO4 and LO5.