Cybercrime Investigation
2015-2016 - IMT4502 - 10 ECTS


IMT3551 Digital Forensics, or IMT4012 Digital Forensics 1, or IMT4009 Digital Forensic Methodology, or equivalent.

Expected learning outcomes


  • Candidates develop a deep understanding of the methodology, technology and application of digital forensics in cybercrime investigation.
  • Candidates are expected to reach an advanced level of knowledge in the broad spectrum of digital evidence, analysis methods and tools.
  • The course is oriented towards a profound theoretical background, where the students learn contemporary techniques, best practices, and advanced topics.


  • Candidates are capable of analyzing existing theories, methods and interpretations in the field of digital forensics and working independently on solving theoretical and practical problems related to cybercrime investigation.
  • Candidates can use relevant methods in independent studies and development in digital forensics.
  • Candidates are capable of performing critical analysis of various literature sources and applying them in structuring and formulating problem-oriented reasoning in cybercrime investigation.
  • Candidates are capable of carrying out an independent limited study or development project in cybercrime investigation under supervision, following the applicable ethical rules.

General Competence

  • Candidates are capable of analyzing relevant professional and research ethical problems in cybercrime investigation.
  • Candidates are capable of applying their knowledge and skills in new fields, in order to accomplish advanced tasks and projects in cybercrime investigation.
  • Candidates can work independently and are familiar with the terminology of cybercrime investigation.
  • Candidates are capable of discussing professional problems, analyses and conclusions in the field of digital forensics, both with specialists and with a general audience.
  • Candidates are capable of contributing to innovation and innovation processes.


  • Learn to conduct online investigations without revealing your identity
  • Analyze JavaScript, PDFs, and Office documents for suspicious content
  • Build a low-budget malware lab with virtualization or bare bones hardware
  • Set up an advanced memory forensics platform for malware analysis
  • Identify and investigate distributed botnets and worms
  • Ethical hacking and penetration testing methodologies
  • Identity theft and identity fraud 
  • Collect digital evidence from international open sources, e.g. the Internet
  • Cloud forensics and criteria for cloud forensic capability

Teaching Methods

Mandatory assignments

Teaching Methods (additional text)

Other (Lab exercises)

Other (Independent study)

Other (Essay/Article writing)

The course will be made accessible to both campus and remote students. Every student is free to choose the pedagogic arrangement that best fits her/his own requirements. The lectures in the course will be given on campus and are recorded. Intensive lab exercises are offered in two blocks over one week each, i.e. four days / four hours. Participation in the lab exercises on campus is recommended even for distant students. Nevertheless, the lab exercises are also recorded, so that the course is open to both campus and remote students. All the course material will be available on the Internet through GUC’s learning management system (ClassFronter).

Form(s) of Assessment


Form(s) of Assessment (additional text)

Assessment consists of two parts; the pass decision is based on the cumulative grade of both parts:

  • Part 1 is a written examination (3 hours), accounting for 67% of the grade.
  • Part 2 is an essay/article, accounting for 33% of the grade.

The essay/article is evaluated by an internal examiner.

Grading Scale

Alphabetical Scale, A (best) – F (fail)

External/internal examiner

Evaluated by internal examiner. An external examiner will be used every 4th year. Next time 2015.

Re-sit examination

For the written exam: Re-sit August 2016

Examination support

D: No printed or hand-written support material is allowed. A specific basic calculator is allowed.

Coursework Requirements

Announced at course start

Teaching Materials

The following textbook is the primary reference. Additional sources, e.g. presentation material and 10 selected papers, will be provided during the course.

M. Ligh, S. Adair, B. Hartstein and M. Richard (2010). Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code.

Additional information

This course is based on and overlaps with the existing IMT4022 Digital Forensics 2.