Module title: Incident Response and Malware Analysis

SCQF level: 11:
SCQF credit value: 20.00
ECTS credit value: 10

Module code: CSN11128
Module leader: Thomas Tan
School School of Computing
Subject area group: Computer Systems


2017/8, Trimester 2, Blended,
Occurrence: 001
Primary mode of delivery: Blended
Location of delivery: MERCHISTON
Member of staff responsible for delivering module: Thomas Tan
Module Organiser:

Learning, Teaching and Assessment (LTA) Approach:
Learning & Teaching methods including their alignment to LOs
• The coursework will involve the research, design, implement, evaluate and critically analyse a complex incidence using data from multi-sources [LO3].
• Full on-line lectures are provided which support deep learning, and with an extensive range of on-line challenges [LO1 and LO2].
• Virtualised cloud infrastructure which implements a corporate infrastructure [LO1, LO2 and LO3]
• Students can download the simulator software at the start of the module, along with an e-Book, teaching pack, and so on. Full on-line support is integrated in the simulator. [LO1 and LO2] The package also contains tests, stimulating challenges, demonstration movies, and automated updates.

Formative Assessment:
Assessment (formative or summative)
There will be two methods of assessment:

• Coursework [50%]. This relates to a coursework on the research, design, implementation, evaluation and critical analysis of complex investigations using data from a range of sources, and make informed choices (LO3).
• Tests [50%]: This involves two tests which relate to the fundamental material covered by the core academic material. The results of the tests will be graded, and fed-back to students to indicate their performance (LO1&2).

Summative Assessment:
see above

Student Activity (Notional Equivalent Study Hours (NESH))
Mode of activityLearning & Teaching ActivityNESH (Study Hours)
Face To Face Lecture 24
Face To Face Practical classes and workshops 24
Independent Learning Guided independent study 152
Total Study Hours200
Expected Total Study Hours for Module200

Type of Assessment Weighting % LOs covered Week due Length in Hours/Words
Project - Practical 50 3 15 HOURS= 16, WORDS= 0
Digital Examination (not Centrally Timetabled) 25 1,2 13 HOURS= 1, WORDS= 0
Digital Examination (not Centrally Timetabled) 25 1,2 8 HOURS= 1, WORDS= 0
Component 1 subtotal: 100
Component 2 subtotal: 0
Module subtotal: 100

Description of module content:

The aim of the module is to develop a deep understanding of advanced areas related to security and live/network forensics, with a strong focus on virtualised environments that will allow graduates to act professionally within incident response and in malware/threat analysis. An outline of the main areas includes:
• Threat Timelining This involves networks and host traces around key threats, such as DDoS, malware infection and data loss.
• Host Investigation Evidence Gathering: Windows, Linux, Android and Mac OS.
• System Architectures, Services and Devices. Networked infrastructures (Servers/Firewall/IDS/ Syslog).
• Network Protocol Analysis. Advanced Network Protocol Analysis, Advanced Trace Analysis, IDS Signature Detection, and Security Threat Network Traces.
• Log Capture/Analysis, and Time-lining. Creating large-scale data infrastructure and analysis methods such as Big Data, SIEM and cross-log analysis .
• Malware Forensics. Code Analysis, Host/Network Analysis, Reverse Engineering. Mobile/x86 architecture, Machine Code Analysis, Vulnerability Analysis and Sandboxed Analysis.
• Malware Analysis. Encoding methods. Static/Dynamic Analysis. Disassembly. Obfuscation. Behaviour Analysis. Encoding methods.
• Advanced Malware Analysis. Anti-disassembly, anti-debugging, packers and unpackers, malware launching, malware signatures, and shell code analysis.
• Data Hiding Data hiding methods, tunnelling, and disk encryption.
• Current Related Research.

Learning Outcomes for module:

Upon completion of this module you will be able to:
LO1: Develop an advanced knowledge of key security/digital forensic principles and methods related to incident response and malware analysis.
LO2: Develop analytical skills related to the key academic principles and practical skills required to understandcomplex investigations using data from a range of sources, and make informed choices.
LO3: Research, design, implement, evaluate and critically analyse an advanced system to a given set of security and/or digital forensic requirements, with a focus on virtualised environments.

Indicative References and Reading List - URL:

Core - SIKORSKI AND HONIG (2012) PRACTICAL MALWARE ANALYSIS, 1st ed. - ISBN: 9781593272906
Click here to view the LibrarySearch.