Digital Forensics I
2010-2011 - IMT4012 - 5 ECTS

Prerequisite(s)

BSc level basics in operating systems, data communication and network security.

Expected learning outcomes

The course develops a detailed understanding of the methodology of digital forensics. It also introduces the core principles and common terminology of digital forensics. Students will be expected to gain advanced knowledge in order to survey a digital crime scene as well as to acquire, analyze, and present digital evidence in a forensically sound manner.

The course is oriented towards practice, where the students learn advanced techniques of digital evidence analysis useful in computer, network and Internet forensics. In the lectures, advanced digital forensics methods are taught and in the laboratory sessions, their usage in practice is exercised thoroughly.

Topic(s)

  • Digital investigations and evidence
  • Chain of custody and forensic soundness
  • Timeline analysis
  • Live system forensics
  • File system forensics
  • Forensic reconstructions
  • Advanced topics if time permits

Teaching Methods

Lectures
Laboratory work

Form(s) of Assessment

Other

Form(s) of Assessment (additional text)

An overall evaluation based on a 100-point scale, where project work counts for up to 50 points and the final exam (3 hours) counts for up to 50 points (at least 18 points MUST be obtained on the written exam). Conversion from the 100-point scale to the A-F scale follows the recommended conversion table. In specific circumstances, the course responsible can slightly adjust the limits in the conversion table to enforce compatibility with the qualitative descriptions on the A-F scale.

Grading Scale

Alphabetical Scale, A (best) – F (fail)

External/internal examiner

Internal examiner

Re-sit examination

For the final exam: Ordinary re-sit examination.

Coursework Requirements

None

Teaching Materials

Dan Farmer and Wietse Venema: Forensic Discovery, Addison-Wesley, 2005 (ISBN 0-201-63497-x)

Presentation material and selected academic papers

Additional information

Knowledge of Linux is an advantage.

If fewer than 5 students apply for the course, it will be at the discretion of the head of the study program whether the course will be offered and, if so, in which form.

The policy of Gjøvik University College is that a student who takes a subject at the 3000 level cannot take the subject with the same name at the 4000 level. There is 100% overlap between IMT3551 and IMT4012.