Digital Forensics 2
Study plans 2016-2017 - IMT4022 - 10 ECTS


  •  BSc level basics in operating systems, data communication and network security
  •  IMT4012 Digital Forensics 1 or IMT3551 Digital Forensics or equivalent.

Expected learning outcomes


  • Candidates develop deep understanding in the methodology, technology and application of digital forensics in cybercrime investigation.
  • Candidates are expected to reach an advanced level of knowledge in the broad spectrum of digital evidence, analysis methods and tools.
  • The course is oriented towards profound theoretical background, where the students learn contemporary techniques, best practices, and advanced topics.


  • Candidates are capable of analyzing existing theories, methods and interpretations in the field of digital forensics and working independently on solving theoretical and practical problems related to cybercrime investigation.
  • Candidates can use relevant methods in independent studies and development in digital forensics.
  • Candidates are capable of performing critical analysis of various literature sources and applying them in structuring and formulating problem-oriented reasoning in cybercrime investigation.
  • Candidates are capable of carrying out an independent limited study or development project in cybercrime investigation under supervision, following the applicable ethical rules.

General competence:

  • Candidates are capable of analyzing relevant professional and research ethical problems in cybercrime investigation.
  • Candidates are capable of applying their knowledge and skills in new fields, in order to accomplish advanced tasks and projects in cybercrime investigation.
  • Candidates can work independently and are familiar with terminology of cybercrime investigation.
  • Candidates are capable of discussing professional problems, analyses and conclusions in the field of digital forensics, both with specialists and with general audience.
  • Candidates are capable of contributing to innovation and innovation processes.


  • Learn to conduct online investigations without revealing your identity
  • Analyze JavaScript, PDFs, and Office documents for suspicious content
  • Build a low-budget malware lab with virtualization or bare bones hardware
  • Set up an advanced memory forensics platform for malware analysis
  • Identify and investigate distributed botnets and worms
  • Ethical hacking and penetration testing methodologies
  • Identity theft and identity fraud
  • Collect digital evidence from international open sources, e.g. the Internet
  • Cloud forensics and criteria for cloud forensic capability

Teaching Methods

Laboratory work
Project work

Teaching Methods (additional text)

The course will be made accessible for both campus and remote students. Every student is free to choose the pedagogic arrangement form that is best fitted for her/his own requirement. The lectures in the course will be given on campus and are recorded. Intensive lab exercises are offered in two blocks over one week each, i.e. four days / four hours. Participation in the lab exercises on campus is recommended even for distant students. Nevertheless, the lab exercises are recorded also, so that the course is open for both, campus and remote students. All the course material will be available on Internet through GUC’s learning management system (ClassFronter).

Form(s) of Assessment

Written exam, 3 hours
Evaluation of Project(s)

Form(s) of Assessment (additional text)

Assessment consists of two parts, pass decision is on cumulative grade of both parts:

  • Part 1 is a written examination (3 hours), accounting for 67% of grade
  • Part 2 is an essay/article, accounting for 33% of grade.

Grading Scale

Alphabetical Scale, A(best) – F (fail)

External/internal examiner

The essay/article is evaluated by an internal examiner. The written examination is evaluated by an internal examiner, an external examiner will be used every 4th year for the written examination.

Re-sit examination

For the written exam: Re-sit examination in August. The project, if passed, need not be re-submitted.

Examination support

Dictionary, simple calculator

Coursework Requirements

Announced at course start

Teaching Materials

The following textbook is the primary references. Additional sources, e.g. presentation material and 10 selected papers will be provided during the course.

  • M.Ligh, S.Adair, B.Hartstein and M.Richard (2010). Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code.

Additional information

Knowledge of Linux is an advantage

In case there will be less than 5 students that will apply for the course, it will be at the discretion of the head of the study program whether the course will be offered or not an if yes, in which form.