Digital Forensics II
2011-2012 - IMT4022 - 10 ECTS


  • BSc level basics in operating systems, data communication and network security
  • IMT4012 Digital Forensics I or IMT3551 Digital Forensics or equivalent.

Expected learning outcomes

The course develops deep understanding in the methodology, technology and application of digital forensics. Students are expected to reach an advanced level of knowledge in the broad spectrum of digital evidence, analysis methods and tools.

The course is oriented towards profound theoretical background, where the students learn contemporary techniques and advanced research topics.


  • Forensics and Incident Response
  • Microsoft Windows Host Forensic
  • Unix and Linux Host Forensics
  • Live Forensics and RAM Analysis
  • Network and Cloud Forensics
  • Botnet and Malware Analysis
  • Mobile and Embedded Device Analysis
  • Securing Evidence, Cryptanalysis and Anti-Forensics
  • Steganography
  • eDiscovery: Fingerprinting, Correlation, and Search

Teaching Methods

Laboratory work

Form(s) of Assessment


Form(s) of Assessment (additional text)

An overall evaluation based on a 100 point scale, where project work counts up to 50 points and final exam (3 hours) counts up to 50 points (at least 18 at the written exam MUST be obtained). Conversion from 100 point scale to A-F scale according to recommended conversion table. In specific circumstances, the course responsible can slightly adjust the limits in the conversion table to enforce compatibility with the qualitative descriptions on the A-F scale.

Grading Scale

Alphabetical Scale, A(best) – F (fail)

External/internal examiner

Internal examiner

Re-sit examination

For the final exam: Ordinary re-sit examination.

Coursework Requirements


Teaching Materials

Keith J. Jones, Richard Bejtlich, Curtis W. Rose: Real Digital Forensics: Computer Security and Incident Response. Addison-Wesley, 2005, (0-321-24069-3)

Dan Farmer and Wietse Venema: Forensic Discovery, Addison-Wesley, 2005 (ISBN 0-201-63497-x)

Presentation material and selected academic papers

Additional information

Knowledge of Linux is an advantage

In case there will be less than 5 students that will apply for the course, it will be at the discretion of the head of the study program whether the course will be offered or not an if yes, in which form.