Windows Forensics
Study plans 2016-2017 - IMT4013-PHS - 10 ECTS

On the basis of

NFCI2, admission criteria for MISEB study program, courses delivered by PHS

Expected learning outcomes


After completing the course the candidate possesses knowledge of:

  • Identification, handling and examination of various Windows-based computing devices
  • Technical details of the Windows operating system in order to investigate computer incidents
  • Methods and techniques for collecting and analyzing data from Windows computer systems
  • Methodologies to track user-based activities for further usage in investigations
  • Legal, privacy and ethical aspects to be considered in investigations


After completing the course the candidate can:

  • Collect and analyze digital evidence on Windows computer systems
  • Search Windows computer systems for evidence and recover deleted data
  • Navigate and investigate the Windows registry
  • Obtain information on the Windows system and user/group profiles
  • Investigate pagefile, system memory and unallocated space
  • Evaluate and apply relevant methods, techniques and tools in all phases of the investigation of Windows computer systems

General Competence

After completing the course the candidate can:

  • Emerge with greater insight and confidence in the professional role
  • Show personal responsibility for tasks in the investigation of electronic evidence
  • Identify and evaluate ethical dilemmas in work performance
  • See digital forensics in a broader proactive and reactive context


  • Windows filesystem and artifacts, e.g. Windows XP, Vista, Windows 7 and Windows 8
  • Windows system information and registry forensics
  • User profiles and user forensic data, e.g. access, program execution, download
  • Memory, pagefile and unallocated space analysis
  • Eventlog, prefetch and recycle-bin analysis
  • Browser forensics and examination of browser artifacts
  • Law and ethics
  • Crime prevention policing

Teaching Methods


Teaching Methods (additional text)

The course will be made accessible for remote students. It is organized as a web-based, online course where students can choose their own start time and follow their progress within the semester. The course program is estimated to be approx. 280 hours.

The teaching methods emphasize student-centered learning via the Internet, including 10 online, on-demand lectures and the use of a virtual computer lab. In this course, students will work on realistic forensic case scenarios to promote hands-on experience in the proper acquisition, preparation, analysis, reconstruction and reporting/presentation of electronic trace evidence on Windows computer systems. The forensic case scenarios and trail investigations take place in a virtual environment. The working methods of the course are intended to provide students with a close link between theory and practice. Students will report their work in an essay/article that is part of the assessment.

A distributed online learning platform at the Norwegian Police University College (PHS) is used in the administration and implementation of the course (PHS's It's Learning/PingPong).

Form(s) of Assessment


Form(s) of Assessment (additional text)

The program is concluded with an examination consisting of two parts:

  • A project conducted by the students during the last part of the program
  • A 4-hour written examination

Both parts of the examination must be passed, and are each weighted 50%.

Grading Scale

Alphabetical Scale, A (best) – F (fail)

External/internal examiner

External examiner. Evaluated by PHS examiner.

Re-sit examination

All parts must be retaken. Re-sit examination for the written exam in August.

Examination support


Coursework Requirements

The following requirements have to be fulfilled and approved before students may sit the exam:

  • Two mandatory assignments.
  • One web-based campus week.

Teaching Materials

Elrick, D. (2014): Forensic Examination of Windows Supported File Systems, USA. Chapter 13 (26 pages). ISBN 978-1497358355

Sammes, T., Jenkinson, B. (2007): Forensic Computing - A Practitioner's Guide. UK: Springer. Chapter 6 (61 pages). ISBN 978-1-84628-397-0

A number of specific web resources and research articles will be provided to students during the course. These will form part of the mandatory reading requirements and will be examinable. There are 87 pages of mandatory literature from books and approximately 400 pages from lessons, web resources and research papers.

Additional information

This course will be delivered by PHS (Politihøgskolen) and is only available to students in the MISEB program on the track Digital forensics and cybercrime investigation.