COM6016 Cyber Threat Hunting and Digital Forensics
|| The module provides an in depth view of threat hunting in memory, file system and network data and an introductory analysis of malicious programs.
Practical sessions will elaborate on key concepts of incident handling, cyber threat hunting and digital investigation along with detailed analysis of real world case studies. We will also introduce some unusual and non-virulent types of malware.
- Assessment will be Practical Exam and Research Assignment
||Dr Olakunle Olayinka
This unit aims to:
- A1 to develop in-depth understanding of both the theoretical and practical issues in the field of cyber threat hunting and cyber
- A2 to consolidate knowledge of various computer systems and understand their importance in an incident handling and cyber investigation;
- A3 to develop necessary skills, methodologies and processes to detect cyber incidents and conduct in-depth computer and network
- A4 to develop an understanding of how the compromise of a system may be detected;
- A5 to develop an understanding of how data on systems may be analysed and evidence collated in a rigorous and defensible manner.
- A6 to develop an understanding of and ability to implement and analyse specific forms of non-virulent malware
By the end of the unit, a candidate will be able to:
- LO1 [A1, A5] Develop a hunting and investigation plan for a range of different cyber environments;
- LO2 [A2, A4] Identify residual remnants of attacker tools, tactics and procedures in enterprise networks;
- LO3 [A3, A5] Collect and preserve evidences from variety of traditional and modern computing platforms;
- LO4 [A2, A5, A6] Critically analyse various cyber incidents and hunt for remnants of threat actors'
activities in file system, memory and network data;
- LO5 [A2, A3, A5, A6] Analyse and document investigation results of collected evidences from emerging computing platforms.
Enterprise Threat Hunting and Incident Management
- Overview of Incident handling and threat hunting tools, techniques and procedures,
Identification of compromised systems, Detecting active and passive malware,
Incident handling and incident management frameworks
Data Collection and Forensics Imaging process
- File system data collection and preservation techniques, Memory imaging and volatile
data preservation, Collection of network flow data, Mobile device imaging and evidence collection, Remote data acquisition techniques
File System Analysis
- File system timestamps analysis, Master File Table (MFT) investigation, Detecting and
recovery of deleted files, Volume shadow copy analysis, Event log analysis
- Identification of rouge processes, DLLs and file handles, Detection of suspicious drivers
and in-memory Windows Registry examination, Advanced memory investigation with Volatility, Code injection, malware and rootkit hunting in memory
Network Data Analysis
- NetFlow data analysis, Analysis of encrypted network data, Wireless network forensics, FTP, HTTP, SMTP, DNS data analysis
- Evidence of execution analysis, Timeline analysis, Analysis of adversaries lateral movements, Understanding malware persistence mechanisms
- All sessions are conducted in a secure environment. This may mean the standard programming environment or via laptops issued solely for the purposes of the module use. Each session starts with introducing the theoretical foundations relevant to adversarial
activities of interest and relevant artefacts.
Afterwards, we set up an environment to replicate the adversaries' tactics, techniques and procedures. Generated artefacts of adversaries'
activities are then collected and analysed.
Finally, collected artefacts are analysed based on their evidential value and the session is completed with a discussion about lessons learned
in that session.
- The practical exam(s) will evaluate students' ability to conduct in-depth threat hunting on different platforms and extract artefacts from
memory, file system and network data in a forensically sound manner. Students will also be required explain what they are doing, and to be
able to articulate ethical issues applicable to what they've done;
- The lectures and lab sessions are sufficiently diverse to cover LO1, LO2, LO3, LO4 and LO5.
||Assignments marked using published criteria, submission
commented and returned by Blackboard within 3 weeks. Students will meet with their supervisors regularly (and, where relevant, external clients) to discuss progress and problems encountered,
and to review issues that arise during the project. Formative feedback will be provided by:
a) online quizzes or multiple choice quizzes, for all lectures and related content.
b) surgery hours by teaching staff
c) verbal feedback in practical sessions. Some practical sessions will also be evaluated by the students themselves with academic prompting
and additional contributions where necessary
||Provided from Blackboard site.