Research Interests

Digital Forensics

Cyber Security

Internet of Things (IoT)

Smart Home Forensics

Research Projects
DPhil Thesis

IoT Forensics


In the past, SCADA systems have been isolated from the Internet. Due to their increasing connectivity to the enterprise network and the use of ethernet TCP/IP on devices these systems have become more exposed to external threats. The Stuxnet malware attack has provided strong evidence for the development of a need for a forensic capability to aid a thorough post incident investigations. Current live forensic tools are typically used to acquire and examine memory from computers running either Windows or Unix. This make them incompatible with embedded devices found on SCADA systems that have their own bespoke operating system. Currently, only a limited number of forensics tools have been developed for SCADA systems, with no development of tools to acquire the program code from PLCs. We argue that the program code is an important forensic artefact that can be used to determine the attackers motives and provide threat intelligence that could be shared with other SCADA sites. The main contributions of this paper is to determine whether existing PLC debugging and communication tools have any forensic properties to acquire the program code of the PLC.from In order to determine if it has any forensic properties we will using an existing Computer Forensics Tool Testing Framework (CFFTS) by NIST. Our results indicate that by acquiring the program code from the memory of the PLC we were able to identify the attackers motive. The findings from using NIST's CFTTF to test PLC Logger showed it had failed half of the tests suggesting that it its current state it has limited potential, unless the shortcomings were addressed


In my spare time I like to understand various attack scenarios and looking at various types of malware and understanding the different techniques currently available to analyse malware. Beyond studying I enjoy running and learning to program. I am also the IT Officer of Kellogg College MCR My research interests include cyber security and digital forensics on Supervisory Control and Data Acquisition Systems (SCADA) and Critical National Infrastructures (CNIs), malware analysis and Internet of Things (IoTs). I previously worked as a Research Engineer with Airbus Group Innovations (previously known as EADS Innovation Works). My focus in R&D is on Industry Control Systems Cyber Security and Digital Forensics. My role was to work on European funded and the Welsh Foundation research projects. As part of my role I implemented the digital forensic testbed and the SIEM AlienVault for research purposes.

WISE(Welsh Foundation Project)

This was a welsh foundation funded research project, I was tasked to carry out research in Security Event Management Systems

SCADA Cyber Security Lifecycle (SCADA-CSL). Funded by Foundation Wales – Welsh Government and Airbus Innovations

This was a welsh foundation funded research project, I was tasked to carry out research in Intrusion Detection Systems (IDS) for SCADA systems

European COntrol System Security Incident Analysis Network(ECOSSIAN) FP7 EU Project

This project is a EU funded research project working with over 20 companies across the EU. The mission of ECOSSIAN is to improve the detection and management of highly sophisticated cyber security incidents and attacks against critical infrastructures by implementing a pan-European early warning and situational awareness framework with command and control facilities.

MSc Dissertation: Malware Analysis of the Zeus Trojan

With online banking being used by more people, the increasing popularity means that there are increasing threats to online banking security. One of these threats if from malware, where attackers use this to target end users computers, infecting them with malware such as trojans with the aim of steals banking credentials. Currently the most popular trojan used by cybercriminals is the Zeus, which infects around 100,000 computers. The main concerns about Zeus is that it is becoming stronger as updates are regularly made increasing its capabilities. Zeus not only steals banking credentials but also any sensitive information on the target computer such as Windows email account information, digital certificates etc. The intention of this study is to identify the threat Zeus trojan poses to online banking users and compare it against Zeus version 1. The study carried out an analysis of Zeus trojan version to look at the behaviour when the trojan has been executed. Code analysis was carried out to analyse the binary looking at the text strings and the functioning of the trojan, this was performed using dissembler and debugger tools OllyDbg and IDA Pro. The behaviour analysis was carried out to examine modifications made to the registry, and to identify any files that were added. This was carried out using the tools Process Monitor, Process Explorer, PEiD and Autorun by executing Zeus in a controlled environment. This study found that Zeus tried to steal numerous credentials of the target through many applications on the system such as FTP, cookies, digital certificates, Windows mail. It also has many other powerful data capturing features such as keylogging and screen capture. It was also found that Zeus was capable of altering many system settings including lowering the of the security settings in Internet Explorer. In conclusion this study found that code injection occurred through processes Explorer.exe, Taskhost.exe, Dwn.exe and Conhost.exe. During the installation of the Zeus trojan files were created with filenames and directories with random names and made a registry entry that enables Zeus to execute automatically at the startup. The inter process communication method used mutexes and named pipes with random names in order that more than one version of Zeus could infect the system.