Digital Forensics
2012-2013 - IMT3551 - 5sp

Anbefalt forkunnskap

The following courses or equivalent background is required:
- IMT2282- Operativsystemer
- IMT2431- Datakommunikasjon og nettverkssikkerhet

Forventet læringsutbytte

Students are able to explain the fundamental principles of digital forensics. The students are able to survey a digital crime scene and to acquire, analyze and present digital evidence in a forensically sound manner. The students are further expected to be able to scientifically document theoretical and experimental results related to forensic investigations, and to evaluate the validity of evidence presented by another party. After completion of the course, the student shall demonstrate the following competency:

Digital Forensics methodology with a solid understanding of requirements for handling digital evidence, with an emphasis on evidence integrity and chain of custody

-Forensic acquisition of digital evidence from computer and network media
-Live system forensics and evaluation of order of volatility
-Evidence analysis with timeline analysis and forensic reconstruction
-Scientific documentation of forensic acquisition and analysis

General Competency
-Legal aspects of cyber crime and cyber crime investigations
-The role of expert witnesses and digital evidence in the context of legal proceedings

Emnets temaer

  • Digital investigations and evidence
  • Chain of custody and forensic soundness
  • Timeline analysis
  • Live system forensics
  • File system forensics
  • Forensic reconstructions
  • Internet and network forensics
  • Cybercrime law
  • Advanced topics if time permits

Pedagogiske metoder


Pedagogiske metoder (fritekst)

The course will be made accessible for both campus and remote students. Every student is free to choose the pedagogic arrangement form that is best fitted for her/his own requirement. The lectures in the course will be given on campus and are open for both categories of students. All the lectures will also be available on Internet through GUC’s learning management system (ClassFronter).


Muntlig fremføring
Skriftlig eksamen, 3 timer
Vurdering av prosjekt(er)


An overall evaluation based on a 100 point scale, where project work counts 40 points, oral presentation counts 20%, and final exam (3 hours) counts 40 points. Conversion from 100 point scale to A-F scale according to recommended conversion table. In specific circumstances, emneansvarlig can slightly adjust the limits in the conversion table to enforce compatibility with the qualitative descriptions on the A-F scale.


Bokstavkarakterer, A (best) - F (ikke bestått)


Evaluated by internal examiner, external examiner is used periodically (every four years, next time in 2015/2016)

Utsatt eksamen (tidl. kontinuasjon)

For the final exam: Ordinary re-sit examination.

Tillatte hjelpemidler (gjelder kun skriftlig eksamen)


Obligatoriske arbeidskrav

Announced at course start


  • Textbook will be announced at course start
  • Presentation material and 5 selected papers


IMT3711 Digital Forensic Science

Supplerende opplysninger

The course is held in English. Knowledge of Linux is an advantage.

In case there will be less than 5 students that will apply for the course, it will be at the discretion of Studieprogramansvarlig whether the course will be offered or not an if yes, in which form.