course-details-portlet

IMT4114

Introduction to Digital Forensics

Choose study year
Credits 7.5
Level Second degree level
Course start Autumn 2025
Duration 1 semester
Language of instruction English
Location Gjøvik
Examination arrangement Aggregate grade

About

About the course

Course content

  • Digital investigations, stakeholders and their roles.
  • Digital evidence, e.g. acquisition, admissibility, authenticity.
  • Chain of custody, evidence integrity and forensic soundness.
  • File and live system forensics.
  • Timeline analysis.
  • Forensic reconstructions.
  • Internet and network forensics.
  • Automation and forensic tools.
  • Reporting and presenting evidence.
  • Expert witness and cyber crime law.
  • Computational forensics.
  • Forensic readiness.
  • Advanced topics if time permits.

Learning outcome

Knowledge:

  • Digital Forensics methodology with a solid understanding of requirements for handling digital evidence.
  • Requirements and impact on maintaining evidence integrity and chain of custody.
  • Principles, procedures, and the basic concepts of forensic standards and best practices, e.g. forensic tool testing.
  • The overall process for establishment and maintenance of a digital forensic lab environment.
  • The role of expert witnesses and digital evidence in the context of legal proceedings.
  • The part of policies, standards and guidelines for controls and is capable of applying their knowledge in case studies.
  • Legal, privacy and ethical aspects of digital forensics investigations.

Skills:

  • Forensic acquisition of digital evidence from a computer and network media.
  • Live system forensics and evaluation of order of volatility.
  • Evidence analysis with timeline analysis and forensic reconstruction.
  • Scientific documentation of forensic acquisition and analysis.
  • Applying forensic principles on practical case studies.
  • Performing stakeholder analysis, risk assessment and forensic triage on limited case-studies.
  • Evaluating the applicability of forensic methods and tools for various controls given a specific scope and policy for the control.

General competence:

  • Capability of analyzing business, legal, ethical and case-specific requirements for planning and conducting a digital forensics investigation.
  • Understanding of forensic analysis and incident response processes.
  • Working independently and familiarity with digital forensics terminology.
  • Capability of discussing professional problems such as documentation, decision-making processes, implementation plans, operations, reviews and corrective actions, with forensic experts, IT specialists and general managers.
  • Learning skills to continue acquiring new knowledge and skills in a largely self-directed manner.
  • Ability to contribute to innovative thinking and innovation processes.
  • Active participation and collaboration within a group setting.

Learning methods and activities

  • Lectures.
  • Group work.
  • Laboratory work.
  • Asynchronous e-learning.
  • Guest lectures (occasionally).
  • Other exercises (if time permits).

Additional information:

  • The course offers flexibility for both on-campus and remote students. Lectures will be conducted in person on the Gjøvik campus and will be streamed/recorded to remote students.
  • Lectures and other types of learning material, such as recordings of lectures, will be offered through our Learning Management System (LMS), i.e. Blackboard.
  • Communication between the teachers and the students, and among the students, will be facilitated by the LMS.
  • Completion and submission of mandatory group assignments (approved/not approved) and a final group report are required. Specific requirements for these assignments will be communicated to students through the LMS.
  • If individual participation and contributions within a group are uneven, or if some students do not complete their assigned tasks, the course coordinator may take corrective actions. This could include evaluating individual performance separately, which may result in individual grades for the group work component.
  • Laboratory sessions will be conducted on-campus at the Gjøvik campus to provide hands-on experience. Participation in these sessions is not mandatory, and they will be streamed/recorded to ensure accessibility for remote students.

Compulsory assignments

  • Mandatory group assignment

Further on evaluation

The course evaluation consists of two parts:

  1. 3-hour written exam (51/100) with open-ended questions, where no external materials are allowed.
  2. Group report (49/100) is a collaborative project that requires mandatory group assignments throughout the course.

The mandatory group assignments are evaluated on an approved/not approved basis. The specific requirements for these assignments will be communicated to the students through the LMS. The successful completion of all group assignments is required to pass the entire group report component.

Both the written exam and group report is graded A-F, according to the NTNU grading scale: https://i.ntnu.no/wiki/-/wiki/English/Grading+scale.

The written exam accounts for 51% of the final grade, while the group report accounts for 49%. To pass and get an overall grade for the course, you need to obtain a grade of E or higher in both parts, and complete all the group submissions successfully.

Students have the flexibility to complete the group work and written exam in different semesters.

Re-sit examination

  • Ordinary re-sit examination for the written exam (3 hours) is in August. Depending on the number of students or at the discretion of the course coordinator, the examination format may be changed from written to oral.
  • No re-sit examination for the group report. Group work is only possible the next time the course is running.

If a student does not pass some or all of the course components, such as the written exam or group report, they must re-take those components.

Students wishing to improve their course grade can re-take the written exam. However, for the group report component, students must participate in the group work again as a whole the next time the course is running.

Specific conditions

Admission to a programme of study is required:
Information Security (MIS)
Information Security (MISD)
Information Security (MISEB)

Course materials

Coursebook: Årnes, André, ed. Digital forensics. John Wiley & Sons, 2017.

Other learning material such as conference/journal research articles, (guest) lectures, and other supplementary materials are available via LMS.

Credit reductions

Course code Reduction From
IMT4012 5 sp Autumn 2017
IMT3551 5 sp Autumn 2017
This course has academic overlap with the courses in the table above. If you take overlapping courses, you will receive a credit reduction in the course where you have the lowest grade. If the grades are the same, the reduction will be applied to the course completed most recently.

Subject areas

  • Information Security

Contact information

Course coordinator

Lecturers

Department with academic responsibility

Department of Information Security and Communication Technology