Course - Windows Forensics - IMT4013-PHS
IMT4013-PHS - Windows Forensics
About
New from the academic year 2016/2017
Examination arrangement
Examination arrangement: Written exam and Project work
Grade: Letters
Evaluation | Weighting | Duration | Grade deviation | Examination aids |
---|---|---|---|---|
Written exam | 1/2 | 4 hours | | |
Course content
Windows filesystem and artifacts, e.g. Windows XP, Vista, Windows 7 and Windows 8
Windows system information and registry forensics
User profiles and user forensic data, e.g. access, program execution, download
Memory, pagefile and unallocated space analysis
Eventlog, prefetch and recycle-bin analysis
Browser forensics and examination of browser artifacts
Law and ethics
Crime prevention policing
Learning outcome
Knowledge: After completing the course the candidate possesses knowledge of:
Identification, handling and examination of various Windows-based computing devices
Technical details of the Windows operating system in order to investigate computer incidents
Methods and techniques for collecting and analyzing data from Windows computer systems
Methodologies to track user-based activities for further usage in investigations
Legal, privacy and ethical aspects to be considered in investigations
Skills: After completing the course the candidate can:
Collect and analyze digital evidence on Windows computer systems
Search Windows computer systems for evidence and recover deleted data
Navigate and investigate the Windows registry
Obtain information on the Windows system and user/group profiles
Investigate pagefile, system memory and unallocated space
Evaluate and apply relevant methods, techniques and tools in all phases of the investigation of Windows computer systems
General Competence: After completing the course the candidate can:
Emerge with greater insight and confidence in the professional role
Show personal responsibility for tasks in the investigation of electronic evidence
Identify and evaluate ethical dilemmas in work performance
See digital forensics in a broader proactive and reactive context
Learning methods and activities
Web-based learning | Other
Additional information:
The course will be made accessible for remote students. It is organized as a web-based, online course where students can choose their own start time and follow their progress within the semester. The course program is estimated to be approx. 280 hours.
The teaching methods emphasize student-centered learning via the Internet, including 10 online, on-demand lectures and the use of a virtual computer lab. In this course, students will work on realistic forensic case scenarios to promote hands-on experience in the proper acquisition, preparation, analysis, reconstruction and reporting/presentation of electronic trace evidence on Windows computer systems. The forensic case scenarios and trail investigations take place in a virtual environment. The working methods of the course are intended to provide students with a close link between theory and practice. Students will report their work in an essay/article that is part of the assessment.
A distributed online learning platform at the Norwegian Police University College (PHS) is used in the administration and implementation of the course (PHS's It's Learning/PingPong).
Mandatory coursework requirements:
The following requirements have to be fulfilled and approved before students may sit the exam:
Two mandatory assignments.
One web-based campus week.
Compulsory assignments
- Coursework Requirements
Further on evaluation
Additional information on re-sit examination:
All parts must be retaken. Re-sit examination for the written exam in August.
Forms of assessment:
The program is concluded with an examination consisting of two parts:
A project conducted by the students during the last part of the program
A 4-hour written examination
Both parts of the examination must be passed, and are each weighted 50%.
Specific conditions
Admission to a programme of study is required:
Information Security (MISEB)
Recommended previous knowledge
NFCI2, admission criteria for the MISEB study program, courses delivered by PHS
Course materials
Elrick, D. (2014): Forensic Examination of Windows Supported File Systems. USA. Chapter 13 (26 pages). ISBN 978-1497358355
Sammes, T., Jenkinson, B. (2007): Forensic Computing - A Practitioner's Guide. UK: Springer. Chapter 6 (61 pages). ISBN 978-1-84628-397-0
A number of specific web resources and research articles will be provided to students during the course. These will form part of the mandatory reading requirements and will be examinable. There are 87 pages of mandatory literature from books and approximately 400 pages from lessons, web resources and research papers.
Version: 1
Credits: 10.0 SP
Study level: Second degree level
Term no.: 1
Teaching semester: AUTUMN 2016
Language of instruction: English
Department with academic responsibility
Department of Information Security and Communication Technology
Examination
Examination arrangement: Written exam and Project work
Term | Status code | Evaluation | Weighting | Examination aids | Date | Time | Examination system | Room * |
---|---|---|---|---|---|---|---|---|
Autumn | ORD | Written exam | 1/2 | | | | | |
* The location (room) for a written examination is published 3 days before examination date. If more than one room is listed, you will find your room at Studentweb.
For more information regarding registration for examination and examination procedures, see "Innsida - Exams"