Windows Forensics
2014-2015 - IMT4013-PHS - 10 ECTS

Expected learning outcomes

Knowledge

After completing the course the candidate possesses knowledge of:

  • Identification, handling and examination of various Windows-based computing devices
  • Technical details of the Windows operating system in order to investigate computer incidents
  • Methods and techniques for collecting and analyzing data from Windows computer systems
  • Methodologies to track user-based activities for further usage in investigations
  • Legal, privacy and ethical aspects to be considered in investigations

Skills

After completing the course the candidate can:

  • Collect and analyze digital evidence on Windows computer systems
  • Search Windows computer systems for evidence and recover deleted data
  • Navigate and investigate the Windows registry
  • Obtain information on the Windows system and user/group profiles
  • Investigate pagefile, system memory and unallocated space
  • Evaluate and apply relevant methods, techniques and tools in all phases of the investigation of Windows computer systems

General Competency

After completing the course the candidate can:

  • Emerge with greater insight and confidence in the professional role
  • Show personal responsibility for tasks in the investigation of electronic evidence
  • Identify and evaluate ethical dilemmas in work performance
  • See digital forensics in a broader proactive and reactive context

Topic(s)

  • Windows filesystem and artifacts, e.g. Windows XP, Vista, Windows 7 and Windows 8
  • Windows system information and registry forensics
  • Users profiles and user forensic data, e.g. access, program execution, download
  • Memory, pagefile and unallocated space analysis
  • Eventlog, prefetch and recycle-bin analysis
  • Browser forensics and examination of browser artifacts
  • Law and ethics
  • Crime prevention policing

Teaching Methods

Excurcions
Lectures
Other

Teaching Methods (additional text)

Other (Independent study)

Other (Essay/Article writing)

The course will be made accessible for remote students. It is organized as a web-based, online course where students can choose their own start time and follow their progress. The program is estimated to be approx. 280 hours.

 

The teaching methods emphasis a student-centered learning via Internet, including 10 online, on-demand lectures and the use of a virtual computer lab. In this course, students will work on realistic forensic case scenarios to promote hands-on experiences in the proper acquisition, preparation, analysisy, reconstruction and reporting/presentation of electronic trace evidence on Windows computer systems. The forensic case scenarios and trail investigations take place in a virtual environment. The working methods of the course is intended to provide students with a close link between theory and practice. The students will report his/her work in an essay/article that is part of the assessment.

A distributed online learning platform at Gjøvik University College and the Norwegian Police University College is used in the administration and implementation of the course.

Form(s) of Assessment

Other

Form(s) of Assessment (additional text)

Assessment consists of two parts, that are each weighted 50%:

  • Individual home exam over 8 hours (50%)
  • Assessment of the essay/article with up to 2000 words (50%)

Both parts must be passed.

Grading Scale

Alphabetical Scale, A(best) – F (fail)

External/internal examiner

Evaluated by internal examiner.

Re-sit examination

A new term paper must be provided and the examination must be re-sat next semester.

Examination support

Dictionary

Coursework Requirements

The following course requirements must be met and approved before students can take the exam:

  • Up to three tests related to specific topics

Teaching Materials

The following textbooks are part of the curriculum. Which pages in the books are to be studied as part of the curriculum is emphasized in each lesson. The reading will be limited to a maximum of 600 pages.

  • Brian Carrier (2005): File System Forensic Analysis, ISBN-10: 0321268172 | ISBN-13: 978-0321268174
  • Harlan Carvey (2012): Windows Forensic Analysis Toolkit, Third Edition: Advanced Analysis Techniques for Windows, ISBN-10: 1597497274 | ISBN-13: 978-1597497275
  • Harlan Carvey (2011): Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry,  ISBN-10: 1597495808 | ISBN-13: 978-1597495806

Cory Altheide (2011): Digital Forensics with Open Source Tools, ISBN-10: 1597495867 | ISBN-13: 978-1597495868

Additional information

The course is delivered by PHS (Politihøgskolen), first time in academic year 2015/2016. The course is only available to students in the MISEB Study Programme (Experienced master in Information Security/Cybercrime).