Cybercrime Investigation
Study plans 2016-2017 - IMT4130 - 7.5 ECTS

On the basis of

IMT4114 Introduction to Digital Forensics or IMT4012 Digital Forensics 1 or IMT4009 Digital Forensic Methodology, or equivalent.

Expected learning outcomes


  • Candidates develop deep understanding in the methodology, technology and application of digital forensics in cybercrime investigation.
  • Candidates are expected to reach an advanced level of knowledge in the broad spectrum of digital evidence, analysis methods and tools.
  • The course is oriented towards profound theoretical background, where the students learn contemporary techniques, best practices, and advanced topics.


  • Candidates are capable of analyzing existing theories, methods and interpretations in the field of digital forensics and working independently on solving theoretical and practical problems related to cybercrime investigation.
  • Candidates can use relevant methods in independent studies and development in digital forensics.
  • Candidates are capable of performing critical analysis of various literature sources and applying them in structuring and formulating problem-oriented reasoning in cybercrime investigation.
  • Candidates are capable of carrying out an independent limited study or development project in cybercrime investigation under supervision, following the applicable ethical rules.

General competence:

  • Candidates are capable of analyzing relevant professional and research ethical problems in cybercrime investigation.
  • Candidates are capable of applying their knowledge and skills in new fields, in order to accomplish advanced tasks and projects in cybercrime investigation.
  • Candidates can work independently and are familiar with terminology of cybercrime investigation.
  • Candidates are capable of discussing professional problems, analyses and conclusions in the field of digital forensics, both with specialists and with general audience.
  • Candidates are capable of contributing to innovation and innovation processes.


  • Digital Forensics Ontology
  • File carving and reconstruction
  • Multi-media forensics
  • Malware Forensics: static, dynamic, content
  • Memory Forensics
  • Fraud detection and analysis
  • Open source Intelligence and Internet forensics
  • Cloud forensics
  • Search for digital evidence
  • Selected topics, as for example: Identity Theft, Bitcoin and Dark Net investigation
  • Guest lectures, as for example: Cooperate Forensics, Embedded device forensics,
  • Laboratory to forensic case scenarios, investigation report and mock trail

Teaching Methods

Laboratory work
Net Support Learning

Form(s) of Assessment

Written exam, 3 hours

Grading Scale

Alphabetical Scale, A(best) – F (fail)

External/internal examiner

Evaluated by internal examiner. An external examiner will be used every 5th year. Next time in 2019.

Re-sit examination

Ordinary re-sit examination in August.

Examination support


Teaching Materials

The following textbook is the primary reference. Additional sources, e.g. presentation material and 10 selected papers will be provided during the course.

M.Ligh, S.Adair, B.Hartstein and M.Richard (2010). Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code.

Replacement course for

IMT4022 Digital Forensics 2.