Harj Projects 2026-27
Remove registry analysis, social network analysis, dashcam analysis, ADD AI in DFI, Event correlation
1 Enhancing Forensic Analysis of Program Execution Artefacts
In digital forensics, accurate reconstruction of program execution is essential for inferring user intent and establishing timelines of activity. Investigators rely on Windows artefacts including ShellBags (folder view metadata indicating Explorer navigation), Jump Lists (recent/frequent file and task associations per application), Prefetch files (.pf records of application launches, load counts, and paths), and registry entries (e.g., UserAssist for execution frequency and timestamps).
Existing tools often adopt a narrow, artefact-specific focus—e.g., dedicated ShellBag parsers or Prefetch extractors—resulting in fragmented insights that hinder efficient correlation and holistic interpretation.
This project proposes a prototype tool to address these limitations by unifying analysis of these execution-related artefacts. Core functionality will parse and extract relevant metadata from each source. Optional enhancements include: (1) integration as a custom ingest module within Autopsy for streamlined workflow; and (2) automated correlation across artefacts and supplementary sources (e.g., event logs, browser history) using temporal alignment and semantic matching techniques.
Outputs will prioritise investigator usability, featuring structured reports, interactive timelines, and visualisations to support rapid comprehension.
The approach draws on established forensic principles (e.g., ACPO guidelines) and is informed by data fusion and multi-source correlation methods in digital forensics research, including timeline-based event reconstruction frameworks (e.g., TER-Model) and tools like Plaso that aggregate heterogeneous artefacts for coherent event sequencing.
Implementation in Python will enable evaluation on controlled datasets, with benchmarking against standalone parsers for improved completeness and efficiency.
How to apply
I normally receive good interest in my projects. I do not offer first come, first served, but select candidates based on suitability. Please provide any information you can, preferably a CV, to help me make this decision.
2 Multi-Source Correlation for Event Reconstruction in Digital Forensics
In digital forensics, events—discrete occurrences such as system logins, file accesses, application launches, or security alerts—offer critical evidence of user and system activity. Primarily captured in Windows Event Logs (e.g., Security.evtx for audits, Application.evtx for errors, System.evtx for operational changes), events are also embedded in ancillary sources like browser history (navigation timestamps), Prefetch files (execution events), Jump Lists (task initiations), and ShellBags (folder interactions). Isolated analysis of these yields partial timelines, as inter-source linkages (e.g., an event log entry for a process start correlating with prefetch metadata) are underexplored, impeding anomaly detection and evidentiary validation.
This project develops a prototype tool and method to correlate events from at least two sources, prioritising Event Logs while extracting and normalising timestamps, identifiers, and contextual attributes from complementary artefacts. Core deliverables include: a correlation technique using temporal synchronisation and event ontology mapping; a parsing tool for selected sources; an automated timeline reconstruction algorithm; and evaluation on simulated datasets for accuracy, recall, and scalability.
Optional enhancements may include Autopsy integration via ingest modules and expansion to additional event-rich sources (e.g., registry or network logs).
Grounded in forensic standards (ACPO principles) and informed by multi-source data fusion research—such as Plaso's super timelines for artefact aggregation and the TER-Model for standardised event sequencing—the prototype will be implemented in Python, with empirical benchmarking against standalone log analysers.
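As an added example (not part of either proposal above), the temporal alignment that projects 1 and 2 describe, sketched in Python: constructed event-log and Prefetch records are normalised to UTC (Prefetch last-run times are stored as Windows FILETIME), keyed on a normalised executable name, and linked when they fall within a tolerance window. The sample records, the 30-second window and the Event ID value are constructed assumptions, not case data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft: int) -> datetime:
    """Windows FILETIME (100-ns ticks since 1601-01-01) -> timezone-aware UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def normalise_exe(path: str) -> str:
    """Join key: lower-case basename, so a full path and 'NOTEPAD.EXE' agree."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

@dataclass
class Event:
    source: str                 # artefact the event came from ("evtx", "prefetch")
    when: datetime              # timestamp normalised to UTC
    executable: str             # normalised join key
    detail: str                 # human-readable context for the report
    linked: list = field(default_factory=list)   # sources this event was tied to

# Constructed sample records (hypothetical values, not real case data).
SAMPLE_EVTX = [
    {"TimeCreated": "2024-03-01T10:15:07+00:00", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
    {"TimeCreated": "2024-03-01T12:00:00+00:00", "EventID": 4688,
     "NewProcessName": "C:\\Tools\\other.exe"},
]
SAMPLE_PREFETCH = [  # one .pf record; newer Prefetch versions keep several last-run times
    {"executable": "NOTEPAD.EXE", "run_count": 4,
     "last_runs": [133537617100000000, 133536000000000000]},
]

def load_events(evtx, prefetch):
    """Normalise both sources into one Event shape with UTC timestamps."""
    events = [Event("evtx", datetime.fromisoformat(r["TimeCreated"]).astimezone(timezone.utc),
                    normalise_exe(r["NewProcessName"]), f"EventID {r['EventID']} process start")
              for r in evtx]
    for r in prefetch:
        for ft in r["last_runs"]:
            events.append(Event("prefetch", filetime_to_utc(ft), normalise_exe(r["executable"]),
                                f"Prefetch last run (run_count={r['run_count']})"))
    return events

def correlate(events, window=timedelta(seconds=30)):
    """Link events from different sources naming the same executable within `window`."""
    events = sorted(events, key=lambda e: e.when)
    for i, a in enumerate(events):
        for b in events[i + 1:]:
            if b.when - a.when > window:
                break                       # sorted, so no later event can match a
            if a.source != b.source and a.executable == b.executable:
                a.linked.append(b.source)
                b.linked.append(a.source)
    return events                           # the merged, time-ordered timeline

def build_timeline():
    return correlate(load_events(SAMPLE_EVTX, SAMPLE_PREFETCH))
```

The unmatched process start (other.exe) and the older Prefetch run time stay unlinked, which is exactly the gap a correlation report should surface rather than hide.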
3 Enhancing Visualisation of Technical Controls and Uncertainty in Cyber Attack Graphs
Cyber attack graphs model sequential attacker actions leading to system compromise, visualising vulnerabilities, pathways, and potential defences. Foundational research by Lallie, Debattista, and Bal (e.g., empirical reviews of over 180 attack graphs/trees and practitioner-preferred visual syntax configurations) highlights the lack of standardised representations, particularly for integrating technical controls (e.g., firewalls, patches, access restrictions) and uncertainty (e.g., probabilistic exploit success, incomplete knowledge).
This project builds on an existing cyber attack graph framework developed by the supervisor. The student will explore alternative visual and structural designs for representing controls (e.g., overlay annotations, conditional edges, mitigation nodes) and uncertainty (e.g., probabilistic weights, confidence intervals, fuzzy notations). These designs will be applied to real-world case studies of cyber attacks, generating revised attack graphs for each.
The methodology employs mixed methods: graph construction and visualisation prototyping, followed by qualitative evaluation through participant studies assessing clarity, usability, cognitive effectiveness, and communicative power of the representations.
Outcomes will identify superior visual conventions for conveying complex attack scenarios and defences, advancing cyber threat modelling. Successful contributions may support ongoing publication efforts with the supervisor.
Grounded in cognitive visualisation principles, perceptual psychology in graph comprehension, and probabilistic threat modelling, the work aligns with CyBOK knowledge areas across risk management, secure systems architecture, and adversarial behaviours.
Implementation will leverage graph visualisation libraries (e.g., Graphviz, Cytoscape.js) for prototyping and empirical user studies.
4 Automated CyBOK Alignment of CVs and Module Descriptions for NCSC Certification using Machine Learning
The Cyber Security Body of Knowledge (CyBOK) defines 19 knowledge areas that underpin NCSC certification of academic programmes and professional qualifications. Mapping CVs or module descriptions to CyBOK remains a manual, subjective, and non-scalable process.
This project develops a machine-learning prototype for automated semantic matching and certification-recommendation generation. The student will create a synthetic dataset of CVs and module descriptions (generated via LLM-based templating and prompting to ensure controlled, balanced CyBOK coverage while preserving realism and privacy). An expert panel (drawn from the supervisory team and/or cybersecurity educators/practitioners) will then produce gold-standard manual alignments, scoring coverage, gaps, and recommendation strength for each artefact.
The same synthetic artefacts will be processed by the ML pipeline (transformer embeddings, semantic similarity, and supervised classification) to generate automated outputs. Rigorous evaluation will compare model predictions directly against panel assessments using standard metrics (precision, recall, F1-score, Cohen’s κ for agreement) to quantify accuracy, consistency, and bias.
Collaboration with the supervisory team provides domain expertise for annotation guidelines, panel moderation, and iterative refinement. The work is grounded in established synthetic-data generation methods for NLP evaluation and human-expert gold-standard validation frameworks used in ontology matching and competency mapping.
Implementation in Python (Hugging Face Transformers, scikit-learn) will enable reproducible benchmarking and extension to real (anonymised) data.
5 Comparative Analysis of Cybersecurity Degree Programmes Against CyBOK: Trends in the UK, US, and Beyond
The Cyber Security Body of Knowledge (CyBOK) delineates 19 foundational knowledge areas (KAs) for cybersecurity education, serving as a benchmark for NCSC certification in the UK and informing global curricula. Despite its adoption, systematic cross-national analyses of university degree programmes remain limited, with existing studies (e.g., Nautiyal et al., 2020 on UK certification; Catal et al., 2022 on skills gaps) highlighting regional disparities in coverage, such as deeper emphasis on adversarial behaviours in US programmes versus risk management in the UK.
This project conducts a comparative analysis of cybersecurity undergraduate/postgraduate degrees in the UK, US, and one additional country (e.g., Australia), mapping module descriptions to CyBOK KAs to identify trends, gaps, and evolutions. The student will curate a dataset of publicly available module descriptors from university websites (via ethical web scraping or APIs), employing NLP techniques for semantic mapping (e.g., BERT embeddings for similarity scoring against CyBOK definitions).
Core deliverables: automated mapping tool; quantitative trend analysis (e.g., KA coverage frequencies, temporal shifts using archived data); qualitative insights on regional differences; and visualisation of findings (e.g., heatmaps).
Grounded in ontology matching and curriculum analysis research (e.g., comparative frameworks in CSEC2017 vs. CyBOK), the prototype will be implemented in Python (Hugging Face Transformers, scikit-learn), evaluated on precision/recall against expert-annotated samples, and benchmarked against manual assessments.