Course - Introduction to Digital Forensics - IMT4114
Introduction to Digital Forensics
Assessments and mandatory activities may be changed until September 20th.
About the course
Course content
- Digital investigations and stakeholder roles.
- Digital evidence: acquisition, admissibility, and authenticity.
- Chain of custody, evidence integrity and forensic soundness.
- File system and live system forensics.
- Timeline analysis and event reconstruction.
- Internet and network forensics.
- Forensic tools and automation.
- Reporting and presenting findings.
- Expert witness role and cybercrime law.
- Computational forensics.
- Use of machine learning in digital forensics.
- Forensic readiness and proactive measures.
- Selected advanced topics (if time permits).
Learning outcome
After successfully completing the course, the students have obtained the following learning outcomes:
Knowledge:
- The candidate possesses a thorough understanding of digital forensics methodology and the requirements for collecting, preserving, and documenting digital evidence in a manner that ensures integrity and admissibility.
- The candidate has a good understanding of the requirements for maintaining evidence integrity and chain of custody, including secure storage, proper documentation, and compliance with legal and procedural standards throughout the investigation process.
- The candidate has insight into principles, procedures, and core concepts of forensic standards and best practices, including the importance of validating and testing forensic tools to ensure reliability and accuracy.
- The candidate possesses knowledge of the overall process for establishing and maintaining a digital forensic lab environment, including requirements for infrastructure, security controls, and compliance with organisational and legal guidelines.
- The candidate has a good understanding of the role of expert witnesses and how digital evidence is presented, evaluated, and challenged in legal proceedings.
- The candidate possesses knowledge of policies, standards, and guidelines for implementing forensic controls and understands their role in ensuring proper evidence handling, documentation, and reporting in digital forensic investigations.
- The candidate has a good understanding of legal, privacy, and ethical considerations in digital forensic investigations, including data protection obligations and responsible handling of sensitive information.
Skills:
- The candidate is able to perform forensic acquisition of digital evidence from computer and network media using appropriate tools and procedures.
- The candidate is capable of applying live system forensic techniques and evaluating the order of volatility to prioritise evidence collection.
- The candidate is able to conduct evidence analysis, including timeline analysis and reconstruction of events, based on acquired data.
- The candidate can produce clear and scientifically structured documentation of forensic acquisition and analysis processes.
- The candidate is able to apply forensic principles when working with practical examples and scenarios relevant to digital investigations.
- The candidate is capable of performing basic stakeholder analysis, risk assessment, and forensic triage in limited and well-defined contexts.
- The candidate can assess the suitability of forensic methods and tools for specific investigative scopes and organisational policies.
General competence:
- The candidate is capable of analysing business, legal, ethical, and case-specific requirements when planning and conducting a digital forensic investigation.
- The candidate has developed competence in understanding forensic analysis and incident response processes and their interdependencies.
- The candidate can work independently and demonstrates familiarity with digital forensics terminology and concepts.
- The candidate is able to communicate and discuss professional challenges such as documentation, decision-making, implementation plans, and corrective actions with forensic experts, IT specialists, and managers.
- The candidate has developed learning skills to acquire new knowledge and techniques in a self-directed manner.
- The candidate can contribute to innovative approaches and improvements in digital forensic practices.
- The candidate is able to actively participate and collaborate effectively within a group setting.
Learning methods and activities
- Lectures.
- Group work.
- Laboratory work.
- Guest lectures.
- Asynchronous e-learning (recorded lectures and materials).
- Other exercises (if time permits).
Additional information:
- The course offers flexibility for both on-campus and remote students. Lectures will be conducted in person on the Gjøvik campus and will be streamed/recorded for remote students.
- Lectures and other types of learning material, such as recordings of lectures, will be offered through our Learning Management System (LMS), i.e. Canvas.
- Communication between the teachers and the students, and among the students, will be facilitated by the LMS.
- Completion and submission of mandatory group assignments (approved/not approved) and a final written deliverable are required. The group work culminates in a document with an academic structure similar to a scientific article. Specific requirements for these assignments and the deliverable will be communicated to students through the LMS.
- If individual participation and contributions within a group are uneven, or if some students do not complete their assigned tasks, the course coordinator may take corrective actions. This could include evaluating individual performance separately, which may result in individual grades for the group work component.
- Laboratory sessions will be conducted on-campus at the Gjøvik campus to provide hands-on experience. Students who attend remotely are not required to be physically present for these sessions. All sessions will be streamed and recorded to ensure full accessibility for remote participants.
Compulsory assignments
- Mandatory group assignment
Further on evaluation
The course evaluation consists of two parts:
- Written exam (51/100): A 3-hour individual exam that may include open-ended questions, short-answer questions, and/or multiple-choice questions. No external materials are allowed.
- Project report (49/100): A collaborative project report that requires mandatory group assignments throughout the course.
The mandatory group assignments are evaluated on an approved/not approved basis. The specific requirements for these assignments will be communicated to the students through the LMS. All mandatory group assignments must be completed and approved in order to pass the project report component.
Both the written exam and the project report are graded A-F, according to the NTNU grading scale: https://i.ntnu.no/wiki/-/wiki/English/Grading+scale.
The written exam accounts for 51% of the final grade, while the project report accounts for 49%. To pass and get an overall grade for the course, you need to obtain a grade of E or higher in both parts, and complete all the group submissions successfully.
Students may complete the group project report and the written exam in different semesters. These components are independent, and there is no requirement to take them in the same term.
Re-sit examination:
- Ordinary re-sit examination for the written exam (3 hours) is in August. Depending on the number of students or at the discretion of the course coordinator, the examination format may be changed from written to oral.
- No re-sit examination for the project report. Group work is only possible the next time the course is running.
If a student does not pass some or all of the course components, such as the written exam or project report, they must re-take those components.
Students wishing to improve their course grade can re-take the written exam. However, for the project report component, students must participate in the group work again as a whole the next time the course is running.
Specific conditions
Admission to a programme of study is required:
Information Security (MIS)
Information Security (MISD)
Information Security (MISEB)
Recommended previous knowledge
Students should ideally have some technical background to get the most out of this course. Experience in areas such as programming, operating systems, network communication, databases, and basic IT concepts will be helpful. These skills can come from previous studies, professional experience, or practical training, but they are not mandatory for participation.
Course materials
Coursebook: Årnes, André, ed. Digital forensics. John Wiley & Sons, 2017.
Other learning materials, such as conference/journal research articles, (guest) lectures, and other supplementary materials, are available via the LMS.
Credit reductions
| Course code | Reduction | From |
|---|---|---|
| IMT4012 | 5 sp | Autumn 2017 |
| IMT3551 | 5 sp | Autumn 2017 |
Subject areas
- Information Security
Contact information
Department with academic responsibility
Department of Information Security and Communication Technology