Module title: Incident Response and Malware Analysis

SCQF level: 11:
SCQF credit value: 20.00
ECTS credit value: 10

Module code: CSN11129
Module leader: Thomas Tan
School School of Computing
Subject area group: Cyber Security and Networking


2019/0, Trimester 2, Blended,
Occurrence: 002
Primary mode of delivery: Blended
Location of delivery: MERCHISTON
Member of staff responsible for delivering module: Thomas Tan
Module Organiser:

Learning, Teaching and Assessment (LTA) Approach:
Learning & Teaching methods including their alignment to LOs
• The coursework will involve the research, design, implement, evaluate and critically analyse a complex system to a given set of security and/or digital forensic requirements [LO3].
• Full on-line lectures are provided which support deep learning, and with an extensive range of on-line challenges [LO1 and LO2].
• Virtualised cloud infrastructure which implements a corporate infrastructure (LO1, LO2 and LO3)
• Students can download the simulator software at the start of the module, along with an e-Book, teaching pack, and so on. Full on-line support is integrated in the simulator. [LO1 and LO2] The package also contains tests, stimulating challenges, demonstration movies, and automated updates.
• On-line support is given through Skype Messenger and email.

Formative Assessment:
Assessment (formative or summative)
There will be two methods of assessment:

• Coursework [50%]. This relates to a coursework on the research, design, implementation, evaluation and critical analysis of a complex system to a given set of security and/or digital forensic requirements (LO3).
• Tests [50%]: This involves two tests which relate to the fundamental material covered by the core academic material. The results of the tests will be graded, and fed-back to students to indicate their performance (LO1&2).

Summative Assessment:
as above

Student Activity (Notional Equivalent Study Hours (NESH))
Mode of activityLearning & Teaching ActivityNESH (Study Hours)
Face To Face Lecture 24
Face To Face Practical classes and workshops 24
Independent Learning Guided independent study 152
Total Study Hours200
Expected Total Study Hours for Module200

Type of Assessment Weighting % LOs covered Week due Length in Hours/Words
Digital Examination (not Centrally Timetabled) 25 1,2 8 HOURS= 1, WORDS= 0
Digital Examination (not Centrally Timetabled) 25 1,2 13 HOURS= 1, WORDS= 0
Project - Practical 50 3 15 HOURS= 16, WORDS= 0
Component 1 subtotal: 100
Component 2 subtotal: 0
Module subtotal: 100

Description of module content:

The aim of the module is to develop a deep understanding of advanced areas related to security and live/network forensics, with a strong focus on virtualised and Cloud-based environments that will allow graduates to act professionally within incident response and in malware/threat analysis. An outline of the main areas includes:
• Threat Analysis. This involves an in-depth analysis of a range of current threats, such as DDoS, Botnets, trojans, and so on.
• System Architectures, Services and Devices. Networked infrastructures (Servers/Firewall/IDS/ Syslog).
• Network Forensics. Advanced Network Protocol Analysis, Advanced Trace Analysis, IDS Signature Detection, and Security Threat Network Traces.
• Live Forensics. Code Analysis, Host/Network Analysis, Reverse Engineering. Mobile/x86 architecture, Machine Code Analysis, Vulnerability Analysis, Sandboxed Analysis.
• Log Capture/Analysis, and Time-lining. Creating large-scale data infrastructure and analysis methods such as Big Data, SIEM and cross-log analysis (such as Splunk).
• Malware Analysis. Static/Dynamic Analysis. Disassembly. Obfuscation. Behaviour Analysis. Encoding methods.
• Data Hiding and Data Loss Detection/Prevention. Data hiding methods, detection methods, tunnelling, and disk encryption.
• Host Investigation Evidence Gathering: Windows, Linux, Android and Mac OS.
• Current Related Research.

Learning Outcomes for module:

Upon completion of this module, you will be able to:
LO1: Develop an advanced knowledge of key security/digital forensic principles and methods related to incident response and malware analysis.
LO2: Develop analytical skills related to the key academic principles and practical skills required to understand data hiding/loss within a virtualised networked infrastructure.
LO3: Research, design, implement, evaluate and critically analyse an advanced system to a given set of security and/or digital forensic requirements, with a focus on virtualised environments.

Indicative References and Reading List - URL:
Contact your module leader