Digital Forensics & Cybercrime Investigation
Information technology permeates all aspects of society and has become critical to industry, government, and individual well-being. Securing the vital services and structures and ensuring availability of trustworthy information whenever and wherever it is required has become a field of intensive interdisciplinary research, development and application in recent years. At the same time, information security has become an area of extensive commercial activity with thousands of companies developing and marketing various services and products for information and communication technology (ICT), e.g. computer systems, communication networks, and software applications. The experience-based master in information security provides the students with complex skills within a specific area of specialization, as well as the theoretical background and attitudes necessary to succeed in this challenging yet eminently rewarding application domain.
Area(s) of specialization
Criminal investigations involving computer technology are growing significantly in number. This applies both to new types of crime and to traditional crimes that are now being committed with the use of new computer technology. Typical examples are the use of digital media and communication equipment in connection with drug trafficking, sexual offenses, threats and persecution, human trafficking and economic crime. The increasing use of information technology has resulted in new challenges in terms of legislation and law enforcement methods, both nationally and internationally. It is therefore important that the accrued expertise to investigate digital evidence and to prevent cybercrime can be provided on the basis of an understanding of information and communication technology, the implementation of the rule of law as well as the protection and assurance of privacy.
The purpose of the education is to contribute to the forensic investigation of digital evidence and cybercrime by using forensically sound methods and tools that promote the rule of law and protect privacy. The specialized education is seen in the wider context of information and cyber security in order to leverage cooperation and exchange between various stakeholders, e.g. ICT and critical infrastructure providers, corporate forensic investigators and incident responders, law enforcement, national security and defense. The objectives of the study program are achieved through a curriculum based on courses reflecting current best practices, established standards and new developments in the field, reflecting both profound practical work experiences, development work and research activities of the teaching staff. The study program is closely related to practitioners from specialized application domains, e.g. the Norwegian Police University College, as well as the academic research community at Gjøvik University College (GUC) and the Norwegian Information Security laboratory (NISlab).
Norwegian Police University College (PHS)
The Norwegian Police University College (PHS) is the central education and training institution for police and county-administrative agencies in Norway, with a board as its highest authority. Administratively, PHS resides under the Norwegian Police Directorate, and its task is to provide basic education and training for service in the police or county administration, as well as further and continuing training for employees of the agency. PHS conducts research, development and dissemination of research results within technical disciplines. The objective of PHS is to educate reflective police officers, both men and women, to act independently and analytically, and to be conscious of their own opinions, attitudes and choices in their everyday work. PHS is responsible for the following courses in this program:
IMT4401-PHS Open Source Forensics
IMT4501-PHS Windows Forensics
IMT4504-PHS Apple-device Forensics
Gjøvik University College (GUC)
NISlab is the information security group at GUC. At the beginning of 2014 the core group consists of about 10 senior professors, and it will be extended continuously. The group offers B.Sc., M.Sc. and Ph.D. studies in information security (IS) with dedicated specializations, e.g. IS technology and management, digital forensics, and biometrics. NISlab/GUC conducts internationally competitive research in several areas of information and cyber security. NISlab is a member of the Forum for Research and Innovation in Security and Communication (FRISC), a Norwegian network of institutions dedicated to cutting-edge research in information security. NISlab is also heading the national research school COINS (Research School of Computer and Information Security) comprising, e.g. the University of Oslo, University of Bergen, and NTNU among others. NISlab has strong international relations and its collaboration network includes more than 20 academic institutions from more than 10 countries worldwide.
The experience-based master program (90 ECTS credits) is available as a part-time study program. The part-time study plan is over three years in order to accommodate the special needs of individuals in police service, government or business workforce. (See the recommended course planning in Table 1 – 2 below.) The entire program is taught in English, and the degree awarded upon completion is:
- «Experience-Based Master in Information Security/Specialization Track».
The program has one specialization track in the study year 2014/2015:
- «Digital Forensics and Cybercrime Investigation».
The program does not qualify the students to proceed to Ph.D. studies.
Expected learning outcomes
- The candidate possesses advanced knowledge in the field of information security in general and the following particular specialization topics:
  - Digital Forensics and Cybercrime Investigation:
    - Socio-technical modeling of cybercrime
    - Digital forensics methodology
    - Acquisition and handling of digital evidence
    - Open source forensics
    - Windows forensics
    - Apple-device forensics
    - Cybercrime investigation
    - Forensic intelligence and data analytics
    - Legal and privacy aspects.
- The candidate possesses thorough knowledge of the theory, best practices and methods in the field of information security, digital forensics and cybercrime investigation.
- The candidate is capable of applying knowledge in new areas within the field of information security, digital forensics and cybercrime investigation.
- The candidate is familiar with the current state of the art in the field of information security, digital forensics and cybercrime investigation.
- The candidate possesses thorough knowledge of the methodology needed to plan and carry out application and development projects in the field of information security, digital forensics and cybercrime investigation.
- The candidate is capable of analyzing existing theories, methods and interpretations of theories within the field of information security, digital forensics and cybercrime investigation as well as independently carrying out investigations and solving theoretical and practical problems.
- The candidate is capable of independently using relevant methods in fact-finding and development in the domain of information security, digital forensics and cybercrime investigation. These methods include literature study, critical thinking, logical reasoning and performing methodologically sound experiments together with interpreting their results.
- The candidate is capable of performing critical analysis of different information sources and applying the results of that analysis in academic and practical reasoning, structuring and formulating theoretical and application-specific problems.
- The candidate is capable of carrying out a plan of a specialization project under supervision.
- The candidate is capable of completing an independent study and development project of moderate size under supervision (example: the master thesis), adhering to the current code of professional conduct and ethics in academic fieldwork.
- The candidate is capable of analyzing professional and academic problems.
- The candidate is capable of using knowledge and skills to carry out advanced tasks and projects.
- The candidate is capable of imparting comprehensive independent work in the field of information security. The candidate also masters the terminology in the field of information security and his/her area of specialization.
- The candidate is capable of communicating academic issues, analysis and conclusions both with experts in the field of information security and with the general audience.
- The candidate emerges with greater insight and confidence in the professional role.
- The candidate can show personal responsibility for tasks in his/her field of specialization.
- The candidate can identify and evaluate ethical dilemmas in conducting the work.
- The candidate is capable of seeing his/her role in a broader perspective of information security, crime prevention, investigation and prosecution.
- The candidate is capable of contributing to innovation and innovation processes.
The students are allowed to travel abroad to study for their master theses. Both NISlab and PHS have strong links to many of the leading international academic groups, educational and training facilities, as well as investigation and forensic laboratories. Students are encouraged to contact the program director or their individual supervisor in the course «Research-project planning» to ask for advice on relevant internships and travel opportunities.
- Personnel working in police service and law enforcement in the Nordic countries who have digital forensics and cybercrime investigation as their primary work task.
- Personnel in Nordic public services or inspectorates who deal with the investigation of ICT incidents and digital trace evidence.
An applicant must have a relevant bachelor's degree and a grade point average of at least C. Relevant degrees are:
- Bachelor's degree in police studies or bachelor's degree from The Norwegian Defence University College (NDUC)
- Bachelor's degree, Cand. Mag. degree or other relevant degrees (see § 3-4 Lov om universiteter og høyskoler) in another field relevant for information security within digital forensics and cybercrime
- Passed the syllabus of Nordic Computer Forensics Investigators Level 2 (NCFI 2) or equivalent education.
- Two years of practical work experience within the area of digital forensics and cybercrime investigation.
Gjøvik University College in close cooperation with the Police University College may grant admission to applicants based on relevant education and training, which has to be well demonstrated.
The whole study program is accessible for campus and remote students. It is mainly organized as a web-based, online program where students are quite flexible in choosing their study progression. The teaching methods emphasize student-centered learning via the Internet. The study program is delivered via an online learning-management system with a focus on pedagogical methods that generate student activity, such as a virtual computer laboratory. The working methods of the program are intended primarily to provide students with individual learning, yet students may also opt for peer interactions; in particular, the methods highlight the link between theory and practice. For example, selected hands-on laboratory exercises, e.g. tools training and the final master-thesis presentation, can be arranged onsite at GUC/PHS or through live web conference.
The program has one track (path of study): «Digital Forensics and Cybercrime Investigation». A subset of 15 ECTS runs in parallel with the «Master in Information Security». These are the courses «Digital Forensics Methodology» and «Socio-technical Modeling of Cybercrime», which provide foundations of information and cybersecurity, and in particular leverage the mutual understanding and cooperation among professionals in tightly interconnected working domains. Lectures in the course on «Scientific Methodology» are co-located with the «Master in Information Security». These lectures prepare students on the methodological aspects of writing their master thesis.
Digital Forensics and Cybercrime Investigation will have five mandatory courses, see table below. Students can apply for approval of an individual study plan, e.g. Master-level courses from other institutions may be included as electives or may substitute mandatory courses at the discretion of the study-program director.
The recommended course structure for full- and three-year part-time study is given in Table 1 – 2 below. Part-time students may compose their study progression individually as long as the track-specific requirements mentioned above and any course inter-dependencies are respected. All previous courses have to be completed before starting work on the master thesis (an exception of 10 missing credits may be tolerated at the discretion of the director of the study program, but only if the missing credits are not relevant for the topic of the master thesis). For further details please see the particular course descriptions or contact the program director and course responsible.
- Project work
- Essay/Article writing
- Independent study
- Lab exercises
The Experience-Based Master program in Information Security/Digital Forensics and Cybercrime Investigation makes extensive use of flexible distance study methods. Every course contains the whole study material in digital form available online, via a learning-management system available to the students once enrolled in the program.
Audio recordings of the lectures are available online in most subjects contained in the study program. Selected courses also provide (offline) video recordings or (online) video streaming of the lectures, whenever technical possibilities allow this. Many courses use online or home exams. Selected exams may require physical presence on campus.
The students are expected to have access to an updated computer and broadband Internet connection. Software that is needed is mostly freely available on the Internet. As for the practical computer skills, it is expected that the students are capable of using any contemporary operating system (Microsoft Windows, GNU/Linux, Mac OS, etc.) both with a graphical user interface and a command-line interface.
Table of subjects
Experience-based Master in Digital Forensics & Cybercrime Investigation (3-year part-time)
|Course code||Course name||C/E *)||ECTS each semester|
|IMT4009||Digital Forensics Methodology||C||5|
|IMT4012-PHS||Open Source Forensics||C||10|
|IMT4402||Socio-technical Modeling of Cybercrime||C||5|
|IMT4883||Experience-based Specialization Project||C||5|
|Elective, 10 ECTS||E||10|
|Elective, 10 ECTS||E||10|
|Elective, 10 ECTS||E||10|
|IMT4905||Experience-based Master’s Thesis||C||15||15|
Elective Courses for Experience-based Master in Digital Forensics & Cybercrime Investigation
|Course code||Course name||C/E *)||ECTS each semester|
|IMT4505-PHS||Forensic Tool Development||E||10|
|IMT4503||Forensic Intelligence and Data Analytics||E||10|