The University of Sheffield
Department of Computer Science

COM6016 Cyber Threat Hunting and Digital Forensics

Summary The module provides an in depth view of threat hunting in memory, file system and network data and an introductory analysis of malicious programs. Practical sessions will elaborate on key concepts of incident handling, cyber threat hunting and digital investigation along with detailed analysis of real world case studies. We will also introduce some unusual and non-virulent types of malware.
Session Autumn 2021/22
Credits 15
  • Assessment will be Practical Exam and Research Assignment
Lecturer(s) Dr Olakunle Olayinka

This unit aims to:

  • A1 to develop in-depth understanding of both the theoretical and practical issues in the field of cyber threat hunting and cyber investigation;
  • A2 to consolidate knowledge of various computer systems and understand their importance in an incident handling and cyber investigation;
  • A3 to develop necessary skills, methodologies and processes to detect cyber incidents and conduct in-depth computer and network investigation;
  • A4 to develop an understanding of how the compromise of a system may be detected;
  • A5 to develop an understanding of how data on systems may be analysed and evidence collated in a rigorous and defensible manner.
  • A6 to develop an understanding of and ability to implement and analyse specific forms of non-virulent malware

By the end of the unit, a candidate will be able to:

  • LO1 [A1, A5] Develop a hunting and investigation plan for a range of different cyber environments;
  • LO2 [A2, A4] Identify residual remnants of attacker tools, tactics and procedures in enterprise networks;
  • LO3 [A3, A5] Collect and preserve evidences from variety of traditional and modern computing platforms;
  • LO4 [A2, A5, A6] Critically analyse various cyber incidents and hunt for remnants of threat actors' activities in file system, memory and network data;
  • LO5 [A2, A3, A5, A6] Analyse and document investigation results of collected evidences from emerging computing platforms.

Enterprise​ ​Threat​ ​Hunting​ ​and​ ​Incident​ ​Management

  • Overview​ ​of​ ​Incident​ ​handling​ ​and​ ​threat​ ​hunting​ ​tools,​ ​techniques​ ​and​ ​procedures,
    Identification​ ​of​ ​compromised​ ​systems,​ ​Detecting​ ​active​ ​and​ ​passive​ ​malware,​ ​
    Incident handling​ ​and​ ​incident​ ​management​ ​frameworks

Data​ ​Collection​ ​and​ ​Forensics​ ​Imaging​ ​process

  • File​ ​system​ ​data​ ​collection​ ​and​ ​preservation​ ​techniques,​ ​Memory​ ​imaging​ ​and​ ​volatile
    data​ ​preservation,​ ​Collection​ ​of​ ​network​ ​flow​ ​data,​ ​Mobile​ ​device​ ​imaging​ ​and​ ​evidence collection,​ ​Remote​ ​data​ ​acquisition​ ​techniques

File​ ​System​ ​Analysis

  • File​ ​system​ ​timestamps​ ​analysis,​ ​Master​ ​File​ ​Table​ ​(MFT)​ ​investigation,​ ​Detecting​ ​and
    recovery​ ​of​ ​deleted​ ​files,​ ​Volume​ ​shadow​ ​copy​ ​analysis,​ ​Event​ ​log​ ​analysis
    Memory​ ​Analysis
  • Identification​ ​of​ ​rouge​ ​processes,​ ​DLLs​ ​and​ ​file​ ​handles,​ ​Detection​ ​of​ ​suspicious​ ​drivers
    and​ ​in-memory​ ​Windows​ ​Registry​ ​examination,​ ​Advanced​ ​memory​ ​investigation​ ​with Volatility,​ ​Code​ ​injection,​ ​malware​ ​and​ ​rootkit​ ​hunting​ ​in​ ​memory

Network​ ​Data​ ​Analysis

  • NetFlow​ ​data​ ​analysis,​ ​Analysis​ ​of​ ​encrypted​ ​network​ ​data,​ ​Wireless​ ​network​ ​forensics, FTP,​ ​HTTP,​ ​SMTP,​ ​DNS​ ​data​ ​analysis
    Intrusion​ ​Forensics
  • Evidence​ ​of​ ​execution​ ​analysis,​ ​Timeline​ ​analysis,​ ​Analysis​ ​of​ ​adversaries​ ​lateral movements,​ ​Understanding​ ​malware​ ​persistence​ ​mechanisms
Teaching Method
  • All sessions are conducted in a secure environment. This may mean the standard programming environment or via laptops issued solely for the purposes of the module use. Each session starts with introducing the theoretical foundations relevant to adversarial activities of interest and relevant artefacts. Afterwards, we set up an environment to replicate the adversaries' tactics, techniques and procedures. Generated artefacts of adversaries' activities are then collected and analysed. Finally, collected artefacts are analysed based on their evidential value and the session is completed with a discussion about lessons learned in that session.
  • The practical exam(s) will evaluate students' ability to conduct in-depth threat hunting on different platforms and extract artefacts from memory, file system and network data in a forensically sound manner. Students will also be required explain what they are doing, and to be able to articulate ethical issues applicable to what they've done;
  • The lectures and lab sessions are sufficiently diverse to cover LO1, LO2, LO3, LO4 and LO5.
Feedback Assignments marked using published criteria, submission commented and returned by Blackboard within 3 weeks. Students will meet with their supervisors regularly (and, where relevant, external clients) to discuss progress and problems encountered, and to review issues that arise during the project. Formative feedback will be provided by: a) online quizzes or multiple choice quizzes, for all lectures and related content. b) surgery hours by teaching staff c) verbal feedback in practical sessions. Some practical sessions will also be evaluated by the students themselves with academic prompting and additional contributions where necessary
Recommended Reading Provided from Blackboard site.