• Assessment will be Forensics Case Study and Research Assignment

• Blackboard
• Unconfirmed practical marks when available

This unit aims to:

• A1 to develop in-depth understanding of both the theoretical and practical issues in the field of cyber threat hunting and cyber investigation;
• A2 to consolidate knowledge of various computer systems and understand their importance in an incident handling and cyber investigation;
• A3 to develop necessary skills, methodologies and processes to detect cyber incidents and conduct in-depth computer and network investigation;
• A4 to develop an understanding of how the compromise of a system may be detected;
• A5 to develop an understanding of how data on systems may be analysed and evidence collated in a rigorous and defensible manner.
• A6 to develop an understanding of and ability to implement and analyse specific forms of non-virulent malware

By the end of the unit, a candidate will be able to:

• LO1 Develop a hunting and investigation plan for a range of different cyber environments;
• LO2 Identify residual remnants of attacker tools, tactics and procedures in enterprise networks;
• LO3 Collect and preserve evidence from a variety of traditional and modern computing platforms;
• LO4 Critically analyse various cyber incidents and hunt for remnants of threat actors' activities in file system, memory and network data;
• LO5 Analyse and document investigation results of collected evidence from emerging computing platforms.

Enterprise​ ​Threat​ ​Hunting​ ​and​ ​Incident​ ​Management

• Overview​ ​of​ ​Incident​ ​handling​ ​and​ ​threat​ ​hunting​ ​tools,​ ​techniques​ ​and​ ​procedures,
  Identification​ ​of​ ​compromised​ ​systems,​ ​Detecting​ ​active​ ​and​ ​passive​ ​malware,​ ​
  Incident handling​ ​and​ ​incident​ ​management​ ​frameworks

Data​ ​Collection​ ​and​ ​Forensics​ ​Imaging​ ​process

• File​ ​system​ ​data​ ​collection​ ​and​ ​preservation​ ​techniques,​ ​Memory​ ​imaging​ ​and​ ​volatile
  data​ ​preservation,​ ​Collection​ ​of​ ​network​ ​flow​ ​data,​ ​Mobile​ ​device​ ​imaging​ ​and​ ​evidence collection,​ ​Remote​ ​data​ ​acquisition​ ​techniques

File​ ​System​ ​Analysis

• File​ ​system​ ​timestamps​ ​analysis,​ ​Master​ ​File​ ​Table​ ​(MFT)​ ​investigation,​ ​Detecting​ ​and
  recovery​ ​of​ ​deleted​ ​files,​ ​Volume​ ​shadow​ ​copy​ ​analysis,​ ​Event​ ​log​ ​analysis
  Memory​ ​Analysis
• Identification​ ​of​ ​rouge​ ​processes,​ ​DLLs​ ​and​ ​file​ ​handles,​ ​Detection​ ​of​ ​suspicious​ ​drivers
  and​ ​in-memory​ ​Windows​ ​Registry​ ​examination,​ ​Advanced​ ​memory​ ​investigation​ ​with Volatility,​ ​Code​ ​injection,​ ​malware​ ​and​ ​rootkit​ ​hunting​ ​in​ ​memory

Network​ ​Data​ ​Analysis

• NetFlow​ ​data​ ​analysis,​ ​Analysis​ ​of​ ​encrypted​ ​network​ ​data,​ ​Wireless​ ​network​ ​forensics, FTP,​ ​HTTP,​ ​SMTP,​ ​DNS​ ​data​ ​analysis
  Intrusion​ ​Forensics
• Evidence​ ​of​ ​execution​ ​analysis,​ ​Timeline​ ​analysis,​ ​Analysis​ ​of​ ​adversaries​ ​lateral movements,​ ​Understanding​ ​malware​ ​persistence​ ​mechanisms
  

• All sessions are conducted in a secure environment. This may mean the standard programming environment or via laptops issued solely for the purposes of the module use. Each session starts with introducing the theoretical foundations relevant to adversarial activities of interest and relevant artefacts. Afterwards, we set up an environment to replicate the adversaries' tactics, techniques and procedures. Generated artefacts of adversaries' activities are then collected and analysed. Finally, collected artefacts are analysed based on their evidential value and the session is completed with a discussion about lessons learned in that session.
• The practical exam(s) will evaluate students' ability to conduct in-depth threat hunting on different platforms and extract artefacts from memory, file system and network data in a forensically sound manner. Students will also be required explain what they are doing, and to be able to articulate ethical issues applicable to what they've done;
• The lectures and lab sessions are sufficiently diverse to cover LO1, LO2, LO3, LO4 and LO5.