Digital Forensics Methodology
2014-2015 - IMT4009 - 5 ECTS

Expected learning outcomes

After successfully completing the course, the student possesses detailed knowledge in digital forensics methodology and has acquired skills and general competences as follows:

Knowledge

  • Digital Forensics methodology with a solid understanding of requirements for handling digital evidence
  • Requirements and impact on maintaining evidence integrity and chain of custody
  • Principles, procedures, and the basic concepts of forensic standards and best practices, e.g. forensic tool testing
  • The overall process for establishment and maintenance of a digital forensic lab environment
  • The role of expert witnesses and digital evidence in the context of legal proceedings
  • The role of policies, standards and guidelines for controls, and the capability of applying this knowledge in case studies
  • Legal, privacy and ethical aspects of digital forensics investigations

Skills

  • Forensic acquisition of digital evidence from computer and network media
  • Live system forensics and evaluation of order of volatility
  • Evidence analysis with timeline analysis and forensic reconstruction
  • Scientific documentation of forensic acquisition and analysis
  • Applying forensic principles on practical case-studies
  • Performing stakeholder analysis, risk assessment and forensic triage on limited case-studies
  • Evaluating the applicability of forensic methods and tools for various controls given a certain scope and policy for the control

General competence

  • Capability of analyzing business, legal, ethical and case-specific requirements for planning and conducting a digital forensics investigation
  • Understanding of forensic analysis and incident response processes
  • Working independently and familiarity with digital forensics terminology
  • Capability of discussing professional problems such as documentation, decision making processes, implementation plans, operations, reviews and corrective actions, with forensic experts, IT specialists and general managers
  • Learning skills to continue acquiring new knowledge and skills in a largely self-directed manner
  • Ability to contribute to innovative thinking and innovation processes

Topic(s)

  • Digital investigations, stakeholders and their roles
  • Digital evidence, e.g. acquisition, admissibility, authenticity
  • Chain of custody, evidence integrity and forensic soundness
  • File and live system forensics
  • Timeline analysis
  • Forensic reconstructions
  • Internet and network forensics
  • Automation and forensic tools
  • Reporting and presenting evidence
  • Expert witness and cybercrime law
  • Advanced topics if time permits

Teaching Methods

Lectures
Laboratory work
Project work
Other

Teaching Methods (additional text)

  • Lectures
  • Exercises
  • Project work
  • Others (Essay/Article writing)
  • Others (Independent study)

The course will be made accessible to both campus and remote students. Every student is free to choose the pedagogic arrangement that best fits her/his own requirements. The lectures in the course will be given on campus and are open to both categories of students. All the lectures will also be available on the Internet through GUC’s learning management system (Fronter).

Form(s) of Assessment

Oral presentation
Written exam, 3 hours
Evaluation of Project(s)

Form(s) of Assessment (additional text)

An overall evaluation based on a 100 point scale, where project work counts 40 points, oral presentation counts 20 points, and final exam (3 hours) counts 40 points. Conversion from 100 point scale to A-F scale according to recommended conversion table. In specific circumstances, the course responsible can slightly adjust the limits in the conversion table to enforce compatibility with the qualitative descriptions on the A-F scale.

Grading Scale

Alphabetical Scale, A (best) – F (fail)

External/internal examiner

Evaluated by an internal examiner. In addition, an external examiner will be used within 4 years.

Re-sit examination

For the final written exam: Ordinary re-sit examination.

Coursework Requirements

Announced at course start

Teaching Materials

Textbook will be announced at course start

Presentation material and 8 selected papers

Additional information

The course is only available to students in the MISEB Study Programme (Experienced master in Information Security/Cybercrime).

This course (IMT4009) is equivalent to IMT4012 Digital Forensics 1.