Back to list of courses

Back to Cyber Security

Forensic Analysis of Cyber Incidents (FACI)

Course details

Book course online button


This module provides an introduction to computer forensic analysis, sufficient to enable a student to understand the disciplines and processes required to obtain and preserve evidence, and the practical skills necessary to conduct and report a basic forensic examination. The module is set in the context of security incident response, and includes both the examination of computers which may have been the origin or victim of unwanted user action, and also the preliminary investigation and classification of malware. The module will primarily focus on Microsoft Windows as the target operating system; however, the skills developed are more widely applicable. 

At the end of the module you will: 

  • understand the requirements that must be met to allow evidence to be presented in court, and standard approaches to the forensic processes to support such requirements. 
  • produce reports which communicate complex technical analyses to a non-expert audience. 
  • understand how low-level elements of a computer system (CPU, memory management, processes, file systems) give rise to persistent evidence of how a system has been used. 
  • analyse the image of a Microsoft Windows operating system and interpret the resulting evidence in terms of user actions. 
  • understand data structures used by browsers, and evaluate evidence of Internet browsing obtained from this source. 
  • make reasoned judgements about the protection and functionality required of systems used to investigate potential malware. 
  • analyse suspect executable programs, including the use of different types of signature scanners and the review of static and dynamic diagnostic features which indicate if an executable is malicious. 

Who is the course for?

This course is suitable for:

  • practitioners across all domains including aerospace, military, railway, automotive, civil nuclear, civil maritime, medical devices, healthcare, and so on;
  • cyber security consultants;
  • risk analysist/risk managers;
  • those responsible for threat and incident manangers;
  • research analysts.


Typically you will come from a strong computing background, with a degree in computing or relevant experience. If you are unsure about your prior experience, please email us with your details.

How is the course taught?

The course takes place over one week at the University of York. This week consists of a mixture of lectures and practicals, but we expect you to put in around 30 hours of private study.

Over the week, there will be a series of lectures and a number of case studies. The case studies give you the chance to work through an example to reinforce your learning from the lectures. This is also a chance to gain other insights from the experience and knowledge of other delegates. You will also be able to call on the experience and knowledge of our specialised teaching staff during these sessions.  

The module ends with an assessed exercise, which you have the option of completing. It takes approximately 35 hours in addition to the scheduled teaching time and can be completed on or off site. All assessed exercises are open (so you won't take an exam in supervised conditions), and comprise a report, case study, or documented piece of software.

If you choose to take and pass your assessment, your results can count towards the completion of the MSc Cyber Security.

Book your place

Book your place

Make sure you book your place for the next course w/c 28th January 2019.

Before booking please read our Booking Conditions (PDF  , 104kb).

To book your place, please complete the booking form: CPD Booking Form (MS Word  , 92kb) and the accompanying payment form: CPD Payment Form (MS Word  , 50kb) and return to Heather Taylor, our CPD & Postgraduate Programmes Administrator. Payment for your place can be made via credit/debit card or invoice (please email Heather Taylor).

If you have any queries, please contact our course administrator on or call 01904 325536.