Open Source Forensics
2015-2016 - IMT4012-PHS - 10 ECTS

Expected learning outcomes


  • After completing the course the candidate possesses knowledge of:
  • The importance of open source software in the investigation
  • New methods and techniques used in the investigation
  • Legal and ethical issues
  • Automation of techniques
  • The benefit of being able to customize the tool in relation to specific challenges



  • After completing the course the candidate can:
  • Utilize the potential of tools written in open source
  • Master command interpreters
  • Assess tools for adapting to different situations
  • Develop Open source tools for efficient investigation within the rule of law
  • Understand scripts written by others and adapt them to your context
  • Validate proprietary and open tools


General Competency

  • After completing the course the candidate can:
  • Emerge with greater insight and confidence in the professional role
  • Show personal responsibility for tasks in the investigation of electronic tracking
  • Identify and evaluate ethical dilemmas in work performance
  • See a record in a bigger prevention and investigation purposes


  • Linux operating system, commands, and tools
  • Linux filesystem and forensic artifacts
  • Scripting and programming for investigators
  • Building own forensic toolkit applications
  • Forensic tool testing and quality assurance
  • Linux analysis and data recovery techniques
  • Investigation and forensic analysis
  • Law and ethics
  • Crime prevention policing

Teaching Methods

Mandatory assignments

Teaching Methods (additional text)



Other (Independent study)

Other (Lab exercises)

The course will be made accessible for remote students. It is organized as a web-based, online course where students can choose their own study time and follow their progress. The program is estimated to be approx. 280 hours.

In the course student-centered learning activities on the internet are emphasized, including 10 online, on-demand lectures and the use of a virtual computer lab. The learning activities shall contribute to the learning outcome of the students, and in particular emphasize the relationship between theory and practice.

In this course, students will build their forensic toolkit from scratch, which also takes place in a virtual environment. Throughout the course students will construct their forensic toolkit gradually and end with a complete machine that is specially adapted to needs of a digital forensic investigator. Students will be guided through the various required steps in the process.

A distributed online learning platform at Gjøvik University College and the Norwegian Police University College is used in the administration and implementation of the course.

Form(s) of Assessment


Grading Scale

Alphabetical Scale, A(best) – F (fail)

External/internal examiner

Evaluated by internal examiner and external examiner.

Re-sit examination

A new computer installation must be provided and the examination must be re-sat next semester.

Examination support


Coursework Requirements

The following course requirements must be met and approved before students can take the exam:

  • Up to three tests related to specific topics

Teaching Materials

The following textbooks are the primary material in the course curriculum.

  • Altheide, C. & Carvey, H. (2011). Digital Forensics with Open Source Tools. Waltham, MA: Syngress
  • Cameron, N. (2005). Learning the bash Shell: Unix Shell Programming. Sebastopol: O'Reilly Media
  • Dawson, M. (2010). Python Programming for the Absolute Beginner. Course Technology PTR

Additional information

This course is delivered by PHS (Politihøgskolen)