IMT4114 - Introduction to Digital Forensics


Examination arrangement

Examination arrangement: Assignment and written examination
Grade: Letters

Evaluation Weighting Duration Grade deviation Examination aids
Written examination 51/100 3 hours ORDBOK
Approved report 49/100

Course content

- Digital investigations, stakeholders and their roles - Digital evidence, e.g. acquisition, admissibility, authenticity - Chain of custody, evidence integrity and forensic soundness - File and live system forensics - Timeline analysis - Forensic reconstructions - Internet and network forensics - Automation and forensic tools - Reporting and presenting evidence - Expert witness and cyber crime law - Computational forensics - Forensic readiness - Advanced topics if time permits

Learning outcome

Knowledge: - Digital Forensics methodology with a solid understanding of requirements for handling digital evidence - Requirements and impact on maintaining evidence integrity and chain of custody - Principles, procedures, and the basic concepts of forensic standards and best practices, e.g. forensic tool testing - The overall process for establishment and maintenance of a digital forensic lab environment - The role of expert witnesses and digital evidence in the context of legal proceedings - The role of policies, standards and guidelines for controls and is capable of applying his/her knowledge in case studies - Legal, privacy and ethical aspects of digital forensics investigations.

Skills: - Forensic acquisition of digital evidence from computer and network media - Live system forensics and evaluation of order of volatility - Evidence analysis with timeline analysis and forensic reconstruction - Scientific documentation of forensic acquisition and analysis - Applying forensic principles on practical case-studies - Performing stakeholder analysis, risk assessment and forensic triage on limited case-studies - Evaluating the applicability of forensic methods and tools for various controls given a certain scope and policy for the control

General competence: - Capability of analyzing business, legal, ethical and case-specific requirements for planning and conducting a digital forensics investigation - Understanding of forensic analysis and incident response processes - Working independently and familiarity with digital forensics terminology - Capability of discussing professional problems such as documentation, decision making processes, implementation plans, operations, reviews and corrective actions, with forensic experts, IT specialists and general managers - Learning skills to continue acquiring new knowledge and skills in a largely self-directed manner - Ability to contribute to innovative thinking and innovation processes

Learning methods and activities

- Lectures - Group work - Lab work - E-learning - Project work

Additional information:

  • This course is given on campus Gjøvik and will be accessible for off-campus/remote students. The lectures will be live-streamed and made available as a recording for offline viewing through the university's learning management system. Each student is free to choose the pedagogic arrangement that best suits her/his own requirement. More information about this course will be provided on the first lecture and in our learning management systems.
  • Students should follow/attend the lab work sessions and complete all required hand-ins. The lab sessions will be live-streamed to remote students and be made available as recordings for offline viewing. More information about the lab sessions will be provided closer to its planned schedule.
  • Group-wise oral presentation of selected paper and project work must be approved for the group/project work as a whole to be approved.
  • Group projects, exercises and remote teaching assistance are guiding on demand.

Coursework requirements: - None for sitting the written exam.

Compulsory assignments

  • Coursework Requirements

Further on evaluation

Re-sit: - Ordinary re-sit examination in August for the final written exam. Depending on the number of students the re-sit examination can be changed to oral exam.

Forms of assessment: - A group-wise oral presentation of a selected paper and project must be passed for the whole group/project work to pass. - The final grade is an average of the project work and written exam, they count for 49% and 51% respectively, according to the recommended averaging process. Both parts must be completed to receive a final grade. - The final written exam through Inspera

Specific conditions

Compulsory activities from previous semester may be approved by the department.

Admission to a programme of study is required:
Information Security (MIS)
Information Security (MISD)
Information Security (MISEB)

Course materials

Course book (Digital Forensics, André Årnes ed.), lectures, other presentations/supplementary materials and selected papers.

Credit reductions

Course code Reduction From To
IMT4012 5.0 01.09.2017
IMT3551 5.0 01.09.2017
More on the course



Version: 1
Credits:  7.5 SP
Study level: Second degree level


Term no.: 1
Teaching semester:  AUTUMN 2021

Language of instruction: English

Location: Gjøvik

Subject area(s)
  • Information Security
Contact information
Course coordinator: Lecturer(s):

Department with academic responsibility
Department of Information Security and Communication Technology


Examination arrangement: Assignment and written examination

Term Status code Evaluation Weighting Examination aids Date Time Digital exam Room *
Autumn ORD Written examination 51/100 ORDBOK 2021-12-16 09:00 INSPERA
Room Building Number of candidates
Autumn ORD Approved report 49/100



Room Building Number of candidates
  • * The location (room) for a written examination is published 3 days before examination date. If more than one room is listed, you will find your room at Studentweb.

For more information regarding registration for examination and examination procedures, see "Innsida - Exams"

More on examinations at NTNU