Course Summary

Prerequisites: Students who attend the course should have knowledge in: computer architecture, operating system, programming, computer networking and data structures.

Course Level: Master

Learning effort: min. of 150 hours of study (30 hrs. e-learning directed study, 15 hrs. collaborative online lab, 15 hrs. collaborative project, 60 hrs. preparation/follow up of labs/project, 30 hrs. follow up independent study and individual preparation for exam).

Credits: 6 ECTS

Teaching method:Blended Learning

The instructor answers students’ questions (Q&A), presents demos and moderates the presentation of case studies conducted by industry experts, moderates discussions using interactive systems, e.g. webinar or video conference. These weekly supportive sessions are announced a priori to the participants.

Learning objectives:

Upon completion of this course students will be able to:

  • demonstrate detailed technical knowledge of the advanced techniques associated with evidence collection and investigative analysis,
  • utilize various sources of digital evidence available to the Investigator,
  • apply computer forensics best practice principles to a range of technological issues,
  • exhibit a critical understanding of the legal issues relating to IT in international law, and apply the issues to practical situations,
  • manifest their ability in the following areas: analytic investigations, research, evaluation skills, presentation skills.

General description:

The course content mirrors a typical forensic investigation. It exposes students to wide range of concepts and applied techniques that will involve identifying, securing and conducting the forensic extraction of data from a suspect digital storage device. Post data capture, the application of computer forensic analysis methods and specialist computer forensic software tools will be taught in the pursuit of digital evidence and or intelligence from said device. Learning materials will include topics such as forensic recovery of digital data from a range of digital storage devices, analysis of data to establish fact, uncovering data exchanges between suspects and devices, documentation for the digital and physical investigation, presentation of findings to clients, and acting as an expert witness in a court of law. This course prepares graduates for a career in computer forensics with the latest developments in device technology, file systems architecture and state-of-the-art investigative methods in this particular field of law enforcement. The course leads to development of crime investigation skills and an awareness of wider IT security issues, underpinned by an academic framework built by practitioners and academics active in the industry.

Course content:

Computer Crime Investigative Principles and Practices: Digital Evidence related to specific hardware storage devices; Digital Evidence on Computer systems; Digital Evidence on the Internet; Digital Evidence on Mobile Devices. Computer Forensics: Computer Data Analysis; Operating Systems Forensics; Cryptographic Techniques assisting Forensics (e.g. SHA, MD5); Event Timing; File Reconstruction; Mobile Device Forensics; Forensic Disk Imaging; Data Recovery; Forensic Investigation Process; Forensic Tools; Laboratory Standard Operating Procedures. Rules of Evidence and Standards: Principles of Evidential Management; Criminal Justice Act and Police and Criminal Evidence Act; Role of the Expert Witness; Appropriate Standards, Ethics.

Lab assignments:

Lab experiments using a virtual lab will be assigned to the students. The labs are correlated to the multimedia interactive reading materials of each unit and make use of students' creativity and analysis capabilities. This requires them to prove their understanding of the materials and reflects their personal view on the topics The lab results will be evaluated by the instructor of the course.

Collaborative and cumulative project:

A project will be assigned to the students. The project will be carried out in a collaborative manner by international teams of 2-3 students. It will be presented in a form of a wiki, a presentation or a portfolio. The project will be cumulative, i.e. each project step is based on the framework provided by the prior steps. The project results will be evaluated by the instructor of the course.


Throughout the course, students will be involved in e-discussions related to the course content, through means specific to e-learning, such as forums, wikis, e-portfolios, etc. As part of the virtual community, each student will give feedback to at least two colleagues in the forums.

Learning outcomes:

Critically discuss the issues surrounding the computer forensic process, from the initial scene of crime management, through the analysis to the creation and submission of a final report. Demonstrate a detailed understanding of the processes required to reconstruct and interpret various evidence sources.


  • Lab performance = 30% of the final grade.
  • Project performance = 20% of the final grade.
  • Discussions performance = 10% of the final grade.
  • Written presence exam (60 min.) = 40% of the final grade. (conducted at the home university with a help of a trusted teacher)
The result of the evaluation will be expressed in percentage and transferred to the students’ home university by the instructor.

Reading List:

  1. International Journal of Forensic Computer Science
  2. Digital Forensics, Security and Law Journal
  3. Digital Investigation Journal
  4. Carvey H. ,”Windows Forensics & Incident Recovery”, Harlan Carvey Editor, ISBN-13:978-0321200983, 2004
  5. Casey, E., “Digital Evidence and Computer Crime; Forensic Science, Computers and the Internet”, Academic Press, 2nd Ed., 2004
  6. Davis C., Phillip A., Cowen D., “Hacking Computer Forensics Exposed”, McGraw Hill, 2005
  7. Nelson B., Phillips A., Enfinger F., Steuart C., “Guide to Computer Forensics and Investigations“, 2nd Ed., 2005

Gareth Davies
Senior Lecturer in Forensics and Security, Faculty of Computing, Engineering and Science, University of South Wales, Treforest, CF37 1DL, UK
Research Interests: Mixed Martial Arts, Japanese Motorsport

“I have a passion for academic, research and consultancy work in the field of Cyber Forensics. Over the past decade the course at the University of South Wales has established itself as one of the best in the world. It's great to be able to teach what you enjoy doing! In my off-time I enjoy being outdoors on the top of a mountain, ‎or besides a lake. Welcome to our course!