
IMT4013-PHS

Windows Forensics

New from the academic year 2016/2017

Credits 10
Level Second degree level
Course start Autumn 2016
Duration 1 semester
Language of instruction English
Examination arrangement Written exam and Project work

About

About the course

Course content

Windows filesystem and artifacts, e.g. Windows XP, Vista, Windows 7 and Windows 8

Windows system information and registry forensics

User profiles and user forensic data, e.g. access, program execution, download

Memory, pagefile and unallocated space analysis

Eventlog, prefetch and recycle-bin analysis

Browser forensics and examination of browser artifacts

Law and ethics

Crime prevention policing

Learning outcome

Knowledge: After completing the course the candidate possesses knowledge of:

Identification, handling and examination of various Windows-based computing devices

Technical details of the Windows operating system in order to investigate computer incidents

Methods and techniques for collecting and analyzing data from Windows computer systems

Methodologies to track user-based activities for further usage in investigations

Legal, privacy and ethical aspects to be considered in investigations

Skills: After completing the course the candidate can:

Collect and analyze digital evidence on Windows computer systems

Search Windows computer systems for evidence and recover deleted data

Navigate and investigate the Windows registry

Obtain information on the Windows system and user/group profiles

Investigate pagefile, system memory and unallocated space

Evaluate and apply relevant methods, techniques and tools in all phases of the investigation of Windows computer systems

General Competence: After completing the course the candidate can:

Emerge with greater insight and confidence in the professional role

Show personal responsibility for tasks in the investigation of electronic evidence

Identify and evaluate ethical dilemmas in work performance

See digital forensics in a broader proactive and reactive context

Learning methods and activities

Web-based learning | Other

Additional information:

The course will be made accessible for remote students. It is organized as a web-based, online course where students can choose their own start time and follow their progress within the semester. The course program is estimated to be approx. 280 hours.

The teaching methods emphasize student-centered learning via the Internet, including 10 online, on-demand lectures and the use of a virtual computer lab. In this course, students will work on realistic forensic case scenarios to promote hands-on experience in the proper acquisition, preparation, analysis, reconstruction and reporting/presentation of electronic trace evidence on Windows computer systems. The forensic case scenarios and trail investigations take place in a virtual environment. The working methods of the course are intended to provide students with a close link between theory and practice. Students will report their work in an essay/article that is part of the assessment.

A distributed online learning platform at the Norwegian Police University College (PHS) is used in the administration and implementation of the course (PHS's It's Learning/PingPong).

Mandatory coursework requirements:

The following requirements have to be fulfilled and approved before students may sit the exam:

Two mandatory assignments.

One web-based campus week.

Compulsory assignments

  • Coursework Requirements

Further on evaluation

Additional information on re-sit examination:

All parts must be retaken. Re-sit examination for the written exam in August.

Forms of assessment:

The program is concluded with an examination consisting of two parts:

A project conducted by the students during the last part of the program

A 4-hour written examination

Both parts of the examination must be passed, and are each weighted 50%.

Specific conditions

Admission to a programme of study is required:
Information Security (MISEB)

Course materials


Elrick, D. (2014): Forensic Examination of Windows Supported File Systems, USA. Chapter 13 (26 pages). ISBN 978-1497358355

Sammes, T., Jenkinson, B. (2007): Forensic Computing - A Practitioner's Guide. UK: Springer. Chapter 6 (61 pages). ISBN 978-1-84628-397-0

A number of specific web resources and research articles will be provided to students during the course. These will form part of the mandatory reading requirements and will be examinable. There are 87 pages of mandatory literature from books and approximately 400 pages from lessons, web resources and research papers.

Contact information

Course coordinator

Department with academic responsibility

Department of Information Security and Communication Technology

Examination

Examination arrangement: Written exam and Project work
Grade: Letters

Ordinary examination - Autumn 2016

Written exam
Weighting: 1/2. Duration: 4 hours. Place and room: Not specified yet.