Course content

- Digital investigations, stakeholders and their roles
- Digital evidence, e.g. acquisition, admissibility, authenticity
- Chain of custody, evidence integrity and forensic soundness
- File and live system forensics
- Timeline analysis
- Forensic reconstructions
- Internet and network forensics
- Automation and forensic tools
- Reporting and presenting evidence
- Expert witness and cyber crime law
- Computational forensics
- Forensic readiness
- Advanced topics if time permits

Learning outcome

Knowledge:
- Digital Forensics methodology with a solid understanding of requirements for handling digital evidence
- Requirements and impact on maintaining evidence integrity and chain of custody
- Principles, procedures, and the basic concepts of forensic standards and best practices, e.g. forensic tool testing
- The overall process for establishment and maintenance of a digital forensic lab environment
- The role of expert witnesses and digital evidence in the context of legal proceedings
- The role of policies, standards and guidelines for controls and is capable of applying his/her knowledge in case studies
- Legal, privacy and ethical aspects of digital forensics investigations.

Skills:
- Forensic acquisition of digital evidence from computer and network media
- Live system forensics and evaluation of order of volatility
- Evidence analysis with timeline analysis and forensic reconstruction
- Scientific documentation of forensic acquisition and analysis
- Applying forensic principles on practical case-studies
- Performing stakeholder analysis, risk assessment and forensic triage on limited case-studies
- Evaluating the applicability of forensic methods and tools for various controls given a certain scope and policy for the control

General competence:
- Capability of analyzing business, legal, ethical and case-specific requirements for planning and conducting a digital forensics investigation
- Understanding of forensic analysis and incident response processes
- Working independently and familiarity with digital forensics terminology
- Capability of discussing professional problems such as documentation, decision making processes, implementation plans, operations, reviews and corrective actions, with forensic experts, IT specialists and general managers
- Learning skills to continue acquiring new knowledge and skills in a largely self-directed manner
- Ability to contribute to innovative thinking and innovation processes

Learning methods and activities

- Lectures
- Group work
- Lab work
- E-learning
- Project work

Additional information:
- This course is given on campus Gjøvik and will be accessible for off-campus/remote students (including Trondheim). The lectures will be live-streamed and made available as a recording for offline viewing through the university's learning management system. Each student is free to choose the pedagogic arrangement that best suits her/his own requirement. More information about this course will be provided on the first lecture and in our learning management systems.

- Students should follow/attend the lab work sessions and complete all required hand-ins. The lab sessions will be live-streamed to remote students and be made available as recordings for offline viewing. More information about the lab sessions will be provided closer to its planned schedule.

- Group-wise oral presentation of selected paper and project work must be approved for the group/project work as a whole to be approved.

- Group projects, exercises and remote teaching assistance are guiding on demand.

Coursework requirements:
- None for sitting the written exam.

Compulsory assignments

• Coursework Requirements

Specific conditions

Course materials

Course book (Digital Forensics, André Årnes ed.), lectures, other presentations/supplementary materials and selected papers.

Credit reductions