SCQF Level: 10
Module Code: CMP416
Credit Value: 20
Term: Term 1
School: School of Arts, Media and Games
This module will look at the forensic investigation of computer (e.g. TCP/IP) and mobile phone networks. Starting with an understanding of the underlying communications technologies, the module will develop a comprehensive, systematic approach to the discovery and examination of evidence from both end-user devices (e.g. phones, tablets, etc.) and the networking infrastructure itself.
The aim of this module is to provide the student with an understanding of the sources of evidence associated with the use of mobile phone and network technologies. It will focus on how to recover, analyse and present that evidence in a forensically sound manner.
By the end of this module the student should be able to:
1. Critically appraise a computer forensic investigation involving evidence from mobile and network sources with respect to the legal definitions of computer misuse.
2. Devise an appropriate professional-level plan for such a forensic investigation and carry out this plan within the context of a specific scenario using appropriate digital forensic tools.
3. Critically analyse and evaluate the results of a mobile and network based digital forensic investigation.
1 Mobile Phone technologies and networks
How do mobile/wireless networks work? What are the implications for their forensic investigation?
2 Principles and limitations of mobile operation
GSM-based networks, GPRS, 3rd/4th generation, UMTS networks, data-carrying capabilities and user access methods.
3 Forensic analysis of end-user devices
Acquisition of evidence from end-user devices (e.g. phones, tablets, etc.). Phone, SIM and memory data, use of tools to extract data, SMS.
4 Cellsite Analysis
Data stored within the network. Mobile trail. Location-aware devices and tracking data.
5 Mobile Phone Data mining
Ideas of gaining behaviour patterns for stored data. Data mining techniques.
6 Header 6
Evaluate techniques for the gathering, analysis and use of network based evidence - session data, alert data, statistical data. Tools and techniques - packet tools for real-time capture and analysis, log analysis tools, custom written tools.
7 Network integrity
Evaluate the effects of viruses and internal and external attacks on the network. Develop strategies to prevent and detect these.
8 Live incident response
Gathering and analysing volatile and non-volatile data from a system in real-time - e.g. network connections, open ports, routing tables, users, processes, services, open files
9 Intrusion detection systems
Benefits and limitations. False positives. Critical analysis of data. Tuning
10 Server side forensics
Evaluate techniques for analysing and filtering logs and data from firewalls, DNS, web caches, email.
Statement on Teaching, Learning and Assessment
Content will be presented by a mixture of lectures and practicals. Assessment will be by means of coursework reports on laboratory work and case studies. Lectures constitute 12 of 36 hours class contact. The remainder, 67%, is lab or tutorial work of an experimental or investigative nature. Class contact time comprises lectures, tutorials/seminars and supervised laboratory work, amounting to 24% of the module time. The remainder, 74%, is independent study or assessment. A purpose-built and regularly-updated module website is used to provide links to lecture notes, laboratory tasks, assessment briefs, operational matters, and external information. Student project or lab work and student-suggested links are incorporated as and when appropriate. Week 7 of the term will include structured feedback week activities where students will present their evaluation of the network security incidents analysed in the previous weeks and receive feedback on their efforts. This will inform their evaluation of the security incidents in the remainder of the module and assessment.
Teaching and Learning Work Loads
|Supervised Practical Activity||39|
|Unsupervised Practical Activity||0|
Credit Value – The total value of SCQF credits for the module. 20 credits are the equivalent of 10 ECTS credits. A full-time student should normally register for 60 SCQF credits per semester.