Examination arrangement

Course content

• Digital investigations, stakeholders and their roles.
• Digital evidence, e.g. acquisition, admissibility, authenticity.
• Chain of custody, evidence integrity and forensic soundness.
• File and live system forensics.
• Timeline analysis.
• Forensic reconstructions.
• Internet and network forensics.
• Automation and forensic tools.
• Reporting and presenting evidence.
• Expert witness and cyber crime law.
• Computational forensics.
• Forensic readiness.
• Advanced topics if time permits.

Learning outcome

Knowledge:

• Digital Forensics methodology with a solid understanding of requirements for handling digital evidence.
• Requirements and impact on maintaining evidence integrity and chain of custody.
• Principles, procedures, and the basic concepts of forensic standards and best practices, e.g. forensic tool testing.
• The overall process for establishment and maintenance of a digital forensic lab environment.
• The role of expert witnesses and digital evidence in the context of legal proceedings.
• The part of policies, standards and guidelines for controls and is capable of applying their knowledge in case studies.
• Legal, privacy and ethical aspects of digital forensics investigations.

Skills:

• Forensic acquisition of digital evidence from a computer and network media.
• Live system forensics and evaluation of order of volatility.
• Evidence analysis with timeline analysis and forensic reconstruction.
• Scientific documentation of forensic acquisition and analysis.
• Applying forensic principles on practical case studies.
• Performing stakeholder analysis, risk assessment and forensic triage on limited case-studies.
• Evaluating the applicability of forensic methods and tools for various controls given a specific scope and policy for the control.

General competence:

• Capability of analyzing business, legal, ethical and case-specific requirements for planning and conducting a digital forensics investigation.
• Understanding of forensic analysis and incident response processes.
• Working independently and familiarity with digital forensics terminology.
• Capability of discussing professional problems such as documentation, decision-making processes, implementation plans, operations, reviews and corrective actions, with forensic experts, IT specialists and general managers.
• Learning skills to continue acquiring new knowledge and skills in a largely self-directed manner.
• Ability to contribute to innovative thinking and innovation processes.
• Active participation and collaboration within a group setting.

Learning methods and activities

• Lectures.
• Guest lectures.
• E-learning.
• Group work.
• Laboratory work.
• Other exercises, if time permits.

Additional information:

• The course offers flexibility for both on-campus and remote students, allowing each student to choose the learning format that best suits their needs. Lectures will be conducted in person on the Gjøvik campus and will be streamed/recorded to remote students.
• Lectures and other types of learning material, such as recordings of lectures, will be offered through our Learning Management System (LMS), i.e. Blackboard.
• Communication between the teachers and the students, and among the students, will be facilitated by the LMS.
• Mandatory group assignments (approved/not approved) and the submission of a final group report. The specific requirements for these assignments will be communicated to the students through the LMS.
• In instances where individual participation and contributions within a group are uneven or where certain students fail to fulfil agreed-upon tasks, the course coordinator reserves the right to take punitive actions, for example by assessing individual performance separately. This evaluation may result in individual grades being assigned for the group work component.
• On-campus participation in laboratory sessions at the Gjøvik campus provides a hands-on experience for students. Non-mandatory participation and the sessions will be streamed and recorded, ensuring accessibility for remote students.

Compulsory assignments

• Mandatory group assignment

Further on evaluation

The course evaluation consists of two parts:

1. 3-hour written exam (51/100) with open-ended questions, where no external materials are allowed.
2. Group report (49/100) is a collaborative project that requires mandatory group assignments throughout the course.

The mandatory group assignments are evaluated on an approved/not approved basis. The specific requirements for these assignments will be communicated to the students through the LMS. The successful completion of all group assignments is required to pass the entire group report component.

Both the written exam and group report is graded A-F, according to the NTNU grading scale: https://i.ntnu.no/wiki/-/wiki/English/Grading+scale.

The written exam accounts for 51% of the final grade, while the group report accounts for 49%. To pass and get an overall grade for the course, you need to obtain a grade of E or higher in both parts, and complete all the group submissions successfully.

Students have the flexibility to complete the group work and written exam in different semesters.

Re-sit examination

• Ordinary re-sit examination for the written exam (3 hours) is in August. The examination form may be changed from written to oral.
• No re-sit examination for the group report. Group work is only possible the next time the course is running.

If a student does not pass some or all of the course components, such as the written exam or group report, they must re-take those components.

Students wishing to improve their course grade can re-take the written exam. However, for the group report component, students must participate in the group work again as a whole the next time the course is running.

Specific conditions

Course materials

Coursebook: Årnes, André, ed. Digital forensics. John Wiley & Sons, 2017.

Other learning material such as conference/journal research articles, (guest) lectures, and other supplementary materials are available via LMS.

Credit reductions