Open Source Forensics
Study plans 2016-2017 - IMT4012-PHS - 10 ECTS

On the basis of

NCFI2 or similar, see admisson criteria for MISEB studyprogram, courses delivered by PHS

Expected learning outcomes


  • After completing the course the candidate possesses knowledge of:
  • The importance of open source software in the investigation
  • New methods and techniques used in the investigation
  • Legal and ethical issues
  • Automation of techniques
  • The benefit of being able to customize the tool in relation to specific challenges


  • After completing the course the candidate can:
  • Utilize the potential of tools written in open source
  • Master command interpreters
  • Assess tools for adapting to different situations
  • Develop Open source tools for efficient investigation within the rule of law
  • Understand scripts written by others and adapt them to your context
  • Validate proprietary and open tools

 General Competence

  • After completing the course the candidate can:
  • Emerge with greater insight and confidence in the professional role
  • Show personal responsibility for tasks in the investigation of electronic tracking
  • Identify and evaluate ethical dilemmas in work performance
  • See a record in a bigger prevention and investigation purposes


  • Linux operating system, commands, and tools
  • Linux filesystem and forensic artifacts
  • Scripting and programming for investigators
  • Building own forensic toolkit applications
  • Forensic tool testing and quality assurance
  • Linux analysis and data recovery techniques
  • Investigation and forensic analysis
  • Law and ethics
  • Crime prevention policing

Teaching Methods

Mandatory assignments

Teaching Methods (additional text)

Lectures and exercises delivered by PHS, through PHS´s digital learning system (It´s Learning/PingPong)

Other: Independent study

The course will be made accessible for remote students. It is organized as a web-based, online course where students can choose their own study time and follow their progress. The program is estimated to be approx. 280 hours.

In the course student-centered learning activities on the internet are emphasized, including 10 online, on-demand lectures and the use of a virtual computer lab. The learning activities shall contribute to the learning outcome of the students, and in particular emphasize the relationship between theory and practice.

In this course, students will build their forensic toolkit from scratch, which also takes place in a virtual environment. Throughout the course students will construct their forensic toolkit gradually and end with a complete machine that is specially adapted to needs of a digital forensic investigator. Students will be guided through the various required steps in the process.

A distributed online learning platform at NTNU and the Norwegian Police University College is used in the administration and implementation of the course.

Form(s) of Assessment


Form(s) of Assessment (additional text)

Assessment consists of two parts, pass decision is on cumulative grade of both parts:

  • Individual home exam over 8 hours (50%)
  • Assessment of the student configuration of its own laptop computer (50%)

Both parts must be passed.

Grading Scale

Alphabetical Scale, A(best) – F (fail)

External/internal examiner

External examiner (1 or 2). Assessment by PHS.

Re-sit examination

At the discression of PHS.

A new computer installation must be provided and the examination must be re-sat.

Examination support


Coursework Requirements

The following course requirements must be met and approved before students can take the exam:

  • Up to three tests related to specific topics

Teaching Materials

The following textbooks are the primary material in the course curriculum.

  • Altheide, C. & Carvey, H. (2011). Digital Forensics with Open Source Tools. Waltham, MA: Syngress
  • Cameron, N. (2005). Learning the bash Shell: Unix Shell Programming. Sebastopol: O'Reilly Media

Additional information

This course is delivered by PHS (Politihøgskolen).

Only available to students in the MISEB studyprogram (Experience based master in Information Security), track Digital Forensics and Cybercrime Investigation.