Digital forensics


The objective of this module is to introduce the foundations of digital forensics, from the discovery to collection and analysis of evidence suitable for use in a court of law or purposes such as documenting compliance.

You will cover the ways in which data is generated, stored, and transmitted in a number of settings including desktop and mobile environments as well as networks. Preserving the integrity of such evidence also in the presence of malware or explicit counter-forensic mechanisms as well as means for discovering the presence of such mechanisms is also covered explicitly.

Topics covered

  • Introduction
  • Storage forensics
  • Host forensics
  • Selected aspects of network forensics
  • Malware forensics
  • Mobile device forensics
  • Steganography (not examinable)
  • Forensic analysis of embedded device

Learning outcomes

If you complete the module successfully, you should be able to:

  • have an understanding of audit and indirect dynamic activity records retained by operating systems, particularly in file systems.
  • understand selected network protocols, collection and derivation of evidence allowing reconstruction of activities.
  • be able to identify and apply sound forensic practices.
  • be able to identify and counter obfuscation and counter-forensic techniques.
  • have in-depth insight on retention characteristics of storage systems for desktop, mobile, and non-standard computing systems.


This module is assessed by a two-hour unseen written examination.

Essential reading

  • C. Altheide, H. Carvey: Digital Forensics with Open Source Tools, Syngress (2011)
  • E. Casey: Digital Evidence and Computer Crime, 3rd ed. Academic Press (2011)