
Network and Mobile Forensics

  • Module code: CI6275
  • Year: 2018/9
  • Level: 6
  • Credits: 30
  • Pre-requisites: CI5235 Ethical Hacking
  • Co-requisites: None

Summary

This is a core module in the Cyber Security and Digital Forensics field. You will apply methodologies for acquiring, preserving, analysing and documenting digital evidence discovered in the Cyber Crime and Digital Forensics module (CI4315), to network and mobile environments. This includes acquiring volatile digital evidence running on live computers, forensically processing data packets from networks and extracting digital evidence from mobile devices.

Aims

  • To provide an understanding of network forensics and to allow hands-on practice in investigating networks professionally and ethically.
  • To convey to students the skills to analyse and apply practices, techniques, and tools for collecting volatile data from live systems; and to highlight the importance of collecting volatile data before it is lost or changed on a system.
  • To provide a conceptual and practical introduction to mobile forensics as applied to devices hosting various mobile operating systems.

Learning outcomes

On successful completion of the module, students will be able to:

  • Demonstrate knowledge and practical competence of using forensic tools and techniques to acquire, preserve and document live and network digital evidence.
  • Demonstrate knowledge and practical competence of using forensic tools and techniques to acquire, preserve and document mobile digital evidence.
  • Analyse and interpret live, network and mobile digital evidence.

Curriculum content

  • Live data forensics
    • Introduction, overall process
    • Post-mortem versus live forensics
    • Pros and cons of system shutdown
    • Order of volatility
  • Live data collection
    • System date and time
    • Current network connections, open TCP or UDP ports
    • Users currently logged on, running processes and services
  • Live response tools
    • Sysinternals (Pslist, listDLLs, PSLoggedOn)
    • WFT
  • RAM acquisition and analysis tools (e.g. Volatility)
  • Network analysis
    • Network-related attacks, network traffic, logs (text-based logs, event-logs)
    • Firewalls, routers, sniffers, intrusion detection systems
    • Tools (eg. Wireshark, PyFlag)
    • Cloud-based systems
  • An introduction to mobile forensics
    • Acquisition methods overview
      • Practical steps
      • Obstacles and limitations
    • Android acquisition methods
      • Physical
      • Logical and cloud
    • iOS acquisition methods
      • Physical
      • Logical and cloud acquisition
    • Windows Phone acquisition methods
      • Windows 8, 8.1, 10, and RT Tablets
      • Windows 10 Mobile
    • BlackBerry acquisition methods
    • Mobile forensic tools and case studies

Teaching and learning strategy

This module, being part of the innovative Cyber Security and Digital Forensics course, utilises a workshop-centered teaching and learning strategy, in which practical exercises and problem-centered technical challenges are supported by short participatory lectures and group discussions. Workshops are typically structured as a three-hour lab-based session, interspersed with 3 short (20 minute) participatory lecture sessions and are designed to encourage an open, collaborative and active student learning environment.

Content delivered in workshop sessions is based on and reinforced by recommended reading, study guides and learning resources that are available on Canvas, which serves as a learning, sharing, feedback and communication hub for this module. Core teaching and learning strategies for this module are described as follows:

  • The topics of mobile, live and network forensics are introduced through "step by step" tutorials and supported with participatory lectures and practical labs. Practical learning and discovery are emphasised through "DIY" (Do It Yourself) practical challenges.
  • Learning and discovery are reinforced through a DIY (Do It Yourself) practical approach, in which students self-enhance their volatile digital evidence acquisition, forensic data packet analysis and mobile digital evidence acquisition skills.
  • Active learning and skills retention for mobile, live and network forensics topics are supported by formative self-study assessments, videos and interactive presentations that can be accessed on Canvas.

Breakdown of Teaching and Learning Hours

Definitive UNISTATS Category | Indicative Description | Hours
Scheduled learning and teaching | 75 x short (20-minute) participatory lectures; 25 x three-hour laboratories | 100
Guided independent study | Independent and directed reading. Online learning materials and study notes. | 200
Total (number of credits x 10) | | 300

Assessment strategy

To help students on this module achieve their full potential, formative assessment opportunities will be provided as appropriate throughout the module. Examples of formative assessments include worked exercises which emulate aspects of the major assessment and lab work. Feedback on coursework represents an additional opportunity for formative learning and will be given in writing and/or verbally. Formative feedback will be provided in various forms (e.g. one-to-one short feedback sessions or group feedback). Formative feedback is designed to inform student preparation for summative assessments, which may be within the same module or feed forward across the degree programme. The summative assessment for this module is 70% coursework, which typically consists of mobile forensics coursework (including case studies) and live and network forensic coursework (including case studies). Coursework will typically include demonstrable artefacts. The remaining 20% is allocated to a time-limited practical exam, in which students undertake forensic investigations in the context of a given scenario and then answer a series of questions based on their analysis and interpretations.

Mapping of Learning Outcomes to Assessment Strategy (Indicative)

Learning Outcome | Assessment Strategy
1) Demonstrate knowledge and practical competence of using forensic tools and techniques to acquire, preserve and document live and network digital evidence. | Mobile forensic coursework
2) Demonstrate knowledge and practical competence of using forensic tools and techniques to acquire, preserve and document mobile digital evidence. | Live and network forensics coursework
3) Analyse and interpret live, network and mobile digital evidence. | Practical exam

Elements of Assessment

Description of Assessment | Definitive UNISTATS Categories | Percentage
Mobile forensic coursework | Coursework | 35%
Live and network forensics coursework | Coursework | 35%
Practical exam | Practical exam | 30%
Total (to equal 100%) | | 100%

Achieving a pass

It IS NOT a requirement that any element of assessment is passed separately in order to achieve an overall pass for the module.

Bibliography core texts

Messier, R (2017). "Network Forensics", John Wiley & Sons

Reiber, L (2016). "Mobile Forensic Investigations: A Guide to Evidence Collection, Analysis, and Presentation", McGraw-Hill Education

Bibliography recommended reading

Afonin, O et al. (2016). "Mobile Forensics - Advanced Investigative Strategies". Packt Publishing.

Buchanan, W. J (2011). "Introduction to Security and Network Forensics", Taylor and Francis

Anson, S (2007). "Mastering Windows Network Forensics and Investigation". Sybex.

Mahalik, H et al. (2016). "Practical Mobile Forensics". Packt Publishing.

Davidoff, S (2012). "Network Forensics: Tracking Hackers Through Cyberspace". Prentice Hall

Lillard, T.V (2010). "Digital Forensics for Network, Internet, and Cloud Computing: A Forensic Evidence Guide for Moving Targets and Data". Syngress
