Module title: Host-Based Forensics

SCQF level: 11
SCQF credit value: 20.00
ECTS credit value: 10

Module code: CSN11125
Module leader: Gordon Russell
School: School of Computing
Subject area group: Computer Systems
Prerequisites

N/A

2017/8, Trimester 1, Face-to-Face, Edinburgh Napier University
Occurrence: 001
Primary mode of delivery: Face-to-Face
Location of delivery: MERCHISTON
Partner: Edinburgh Napier University
Member of staff responsible for delivering module: Gordon Russell
Module Organiser:


Learning, Teaching and Assessment (LTA) Approach:
The overall approach is to first focus on general operating system skills for accessing, manipulating, and managing system and user disk-based data, as well as the system administration skills needed to support physical disk and disk image analysis [LO1]. These skills are then combined with an operating-system-level understanding of how data is stored by users and operating systems, giving the student an understanding of the user and operating system level information available for analysis [LO2]. This leads on to forensic methods for extracting information [LO3] from systems and using that information as part of a forensic analysis process [LO4]. The general teaching approach is to use lectures to give examples and case studies. These highlight the need for particular approaches and techniques, and make use of commands to tackle the issues presented. The practicals follow up on the lectures, providing syntax and practice for the situations and commands discussed.
Lectures also explore the theoretical aspects of the systems which underpin operating systems and related activities. For each topic, the design of that system is investigated, and its weaknesses and strengths identified. In addition, current research into that area is discussed. For instance, web browsing on a user system is examined to show what information is stored and how it is dynamically managed. Browser exploits are considered, since they could leave false forensic information on a system and so lead to erroneous forensic analysis results. This could be evaluated in terms of current exploit trends and post-forensics data validation.
Distance learning mode - no lectures or practical sessions will be timetabled. Lecture material will rely on student-directed study of online material, including a suggested study schedule. Theoretical material covered in lectures will be available electronically. Lab activities can be completed online using our web-based interactive environments from anywhere on the internet.

Formative Assessment:
The University is currently undertaking work to improve the quality of information provided on methods of assessment and feedback. Please refer to the section on Learning and Teaching Approaches above for further information about this module’s learning, teaching and assessment practices, including formative and summative approaches.

Summative Assessment:
The University is currently undertaking work to improve the quality of information provided on methods of assessment and feedback. Please refer to the section on Learning and Teaching Approaches above for further information about this module’s learning, teaching and assessment practices, including formative and summative approaches.

Student Activity (Notional Equivalent Study Hours (NESH))

Mode of activity        Learning & Teaching Activity         NESH (Study Hours)
Face To Face            Lecture                              24
Face To Face            Centrally Time Tabled Examination    24
Independent Learning    Guided independent study             152
Total Study Hours                                            200
Expected Total Study Hours for Module                        200


Assessment

Type of Assessment                               Weighting %   LOs covered   Week due   Length in Hours/Words
Digital Examination (not Centrally Timetabled)   30            1,2           7          HOURS= 1.5, WORDS= 0
Practical Skills Assessment                      40            3,4           13         HOURS= 2, WORDS= 0
Report                                           30            3,4           15         HOURS= 0, WORDS= 2000

Component 1 subtotal: 100
Component 2 subtotal: 0
Module subtotal: 100

Description of module content:

This module will cover elements of operating system disk-level architectures, such as Windows and Linux. This will allow students to study how operating systems store system and user data, and thus students will gain an understanding as to what information could technically be held on such systems. This data could include user files, as well as user activities such as login session data, browsing histories, operating system manipulation, and general user interactions with a variety of operating system tools. This understanding will be expanded through theoretical knowledge and practical exercises in extracting information from systems, using a variety of open source and commercial forensic analysis tools, and documenting the results of such a process using consistent and thorough evidential procedures. This includes the production of event timelines, as well as the analysis of system logs, operating system state, file systems, and application data. The module will also consider the ethical and professional issues related to digital forensics.

Learning Outcomes for module:

On completion of this module, students will be able to:

LO1: Develop the analytical and practical skills needed to access, process, and manipulate disk-based user and operating system data using standard operating system commands.

LO2: Identify and evaluate the key transient and persistent information which may be held in operating system disk images.

LO3: Develop analytical skills related to the academic principles and practical skills required to analyse a range of end host devices using current forensic tools and techniques.

LO4: Research, design, implement, evaluate and critically analyse end host devices as part of a complex forensic investigation.

Indicative References and Reading List:

Core - B. Carrier (2005) File System Forensic Analysis, Addison Wesley, 1st ed. ISBN 0321268172
Core - H. Carvey (2009) Windows Forensic Analysis DVD Toolkit, Syngress, 2nd ed. ISBN 1597494224
Core - D. Holme et al. (2008) MCITP Enterprise Administrator Core Requirements, Microsoft Press, 1st ed. ISBN 0735625727
Core - C. Pogue (2008) UNIX and Linux Forensic Analysis DVD Toolkit, Syngress, 1st ed. ISBN 1597492698