This module aims to provide the student with the understanding and skills related to two distinct themes: cyber incident response and digital forensics. The cyber incident response theme concentrates on enabling an organisation to support its critical services in the face of a cyber incident or suspected cyber incident. That incident might come with strong indicators that something is wrong, such as a DDoS attack, or it might be less obvious, such as anomalous behaviour or the discovery of a possible data breach from many months ago.
The incident response lifecycle is covered from preparation, through monitoring, detection, containment, eradication and restoration, to post-incident review.
The digital forensics part of the module is about drawing the correct inference from the digital data which pervades modern society. It will address both the generic approach to digital forensics and the measures required to conduct a forensic examination of a cyber-physical system.
There are a number of challenges with drawing inference from modern digital data: it is fragile, its quantity may be overwhelming, it may be transient or volatile, it may not be legally accessible, it may not be technically accessible, or its structure may be unclear.
Drawing inference from the data is complicated; attributing inference back to an individual or organisation is especially vexed. Set against these significant challenges is the reality that the digital footprint left by a member of modern society may have been left as a consequence of some wrongdoing.
Digital forensics seeks to overcome the substantial challenges of drawing correct inference from digital data, so that decisions about the identity of the wrongdoer, and the sanctions that follow, may be made with confidence from an informed perspective.
There are a number of principles that have been established by the digital forensics community. From these, a range of tools and techniques has been developed for doing standard things in typical circumstances. Analysing the capabilities and limitations of these tools and techniques is an important part of the module.
Representing what has been inferred to a non-specialist audience is also a critical part of any investigation and is practised in the module.