module specification

CC5066 - Network Forensics and Incident Response (2021/22)

Module specification Module approved to run in 2021/22
Module title Network Forensics and Incident Response
Module level Intermediate (05)
Credit rating for module 15
School School of Computing and Digital Media
Total study hours 150
35 hours Assessment Preparation / Delivery
70 hours Guided independent study
45 hours Scheduled learning & teaching activities
Assessment components
Type Weighting Qualifying mark Description
Coursework 70%   CW a practical case study 1500 words online submission
Unseen Examination 30%   1 hour unseen written exam
Running in 2021/22
Period Campus Day Time Module Leader
Spring semester North Tuesday Afternoon

Module summary

This module addresses the growing demand from Corporate, SME and law enforcement for skilled practitioners in Network Forensics and Incident Response. Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes to act professionally within cybersecurity incident such as data breach, hacking and malware-related threat. This module will cover the entire forensics process from information gathering, legal evidence, and intrusion detection. The aim of the module is to provide students with both theoretical and practical hands on experience in capturing, recording and analysis of network events in order to discover evidential information about the source of security attacks.

Prior learning requirements

Successful completion of level 4 or equivalent


 • Background of Network Forensics and Incident response, the use of electronic evidence, and scientific techniques in computer and mobile forensic investigations. [LO1, LO2]

• Investigate network/cyber incident, on-site, Remote and live context. [LO1, LO3]
• Apply commercial and open source tools for forensics acquisition, preservation and examination of cyber incidents. LO4, LO5]
• Professional guidelines and policies in the discipline of network forensics, Incident response such as those defined in the CREST Cyber Security Incident Response Guide. [LO5, LO6]
• Incident Response process from developing a plan, Incident Management and Triage, Escalation and decision making, technical response and Post incident review. [LO1, LO2, LO3]
• the usage of Network Forensics platforms and frameworks e.g. SIFT, Security Onion, EnCase, FTK. [LO5]
• TCP/IP network stack from a forensic investigation view, NetFlow and Packet and Traffic Analysis using NFDUMP, TCPDUMP, NetMINER and WIRESHRK. [LO4, LO5]
• Network Protocol Analysis. Advanced Network Protocol Analysis, Advanced Trace Analysis, IDS Signature Detection, and Security Threat Network Traces. [LO4, LO5]
• Log Capture/Analysis, and Time-lining. Creating large-scale data infrastructure and analysis methods such as Big Data, SIEM and cross-log analysis. [LO1, LO3]
• Business continuity issues in network forensic and incident investigation scenarios, reporting findings and recommendations. [LO5, LO6]

Balance of independent study and scheduled teaching activity

• A process of personal development planning takes place throughout the course to help students to think about and make sense of what is being learnt and why, plan ahead and relate to what has been learned and their own future.
• Students will be expected and encouraged to produce such as reflective commentaries and graduation statements on the learning activities and tasks that they carry out to complete their work.
• Students are invited to include PDP via learning journals, case books, annotated sketchbooks, and/or blog environment.

Learning outcomes

By the end of this module, students should be able to:
LO1. Develop an advanced knowledge of key network/cyber-incident forensic investigation principles and methods related to incident response and malware analysis.
LO2. discuss the basic principles of cyber incident investigation and describe the role digital forensics plays in deterring and detecting cybercrime;
LO3. Develop a broader understanding of Threat Timelining This involves networks and host traces around key threats, such as DDoS, malware infection and data loss;
LO4. appreciate and explain the basic tools including the hardware and software, required in the investigations and different sources of evidence (servers, RAID, cloud, routers, etc ).
LO5. Practically perform a full network/cyber forensic investigation from capturing evidence to analyse and evaluate digital evidence obtained during cyber incident investigations and apply appropriate legal and procedural principles to that evidence.
LO6. Provide an interpretation of that digital evidence in a report and communicate/ present findings in such ways that they meet the standards expected in both corporate proceedings and court of law.

Assessment strategy

Coursework is a report (1500 words) for case study practical cyber incident investigation. Students will be using professional tools and frameworks available in the cyber security  lab to conduct a forensic investigation and conclude the investigation by a report to be submitted online. The coursework is designed to enhance learning by offering a case study in network investigation and the opportunities to put in practice the skills acquired during the workshops [LO5,6].

The workshop materials, activities and informal feedback opportunities in the class and workshops will be used to support student learning and provide the impetus for tackling coursework.

Formative assessment and feedback opportunities will be provided to develop student understanding of the subject.
The summative exam will be used to assess students’ deeper understanding of the concepts [LO1-5] and will be inspired (similar but lighter version from AccessData Certified Investigator exam) which is one of the entry level certification which tests the investigators basic knowledge of AccessData's Forensic Toolkit, FTK Imager, Registry Viewer, and Password Recovery Toolkit.


Module Reading List:

Core Text:
• Gerard Johansen,  2020, Digital forensics and incident response: incident response techniques and procedures to respond to modern cyber threats, 2nd Edition, Packt Publishing
• Nipun Jaswal, 2019, Hands-On Network Forensics: Investigate network attacks and find evidence using common network forensic tool, Packt Publishing
• Nelson B. & Philips A. & Enfinger F. & Steuart C., 2016, Guide to Computer Forensics and Investigations, 5th edition, Cengage Learning Course Technology
Other Texts:
• Davidoff, S., Ham, J. (2012) Network Forensics-Tracking Hackers through Cyberspace. ISBN: 0132564718
• Brunty, J., Helenek, K. (2012). Social Media Investigation for Law Enforcement. ISBN: 1455731358
• Datt, S. (2016) Learning Network Forensics. ISBN: 9781785282126.
• IEEE transactions on information forensics and security, IEEE Signal Processing Society, 2006 Quarterly
• Digital forensics magazine [electronic resource], TR Media, Quarterly, Began with Issue 01 (Nov. 2009)
Electronic Databases:
• Westlaw, UK [electronic resource], Sweet and Maxwell
Social Media Sources: N/A
Other: None