CURRICULUM POST GRADUATE EDUCATION FOR NORDIC COMPUTER FORENSIC INVESTIGATORS Module 3A Forensic tool development Approved by the board at NPUC 16 th of September 2015
1. Introduction The fields of Digital Forensics and Cybercrime Investigation are expanding rapidly. The ability to develop software solutions for problems in these areas is of paramount importance in the continued success of these techniques in court proceedings. This course examines the means by which forensic tools are developed. Students will progress from basic programming, to the development of large scale forensic solutions. As the ultimate aim of every case is the successful prosecution of the case in a courtroom, students will see how the forensic tools are tested and validated using scientific methodologies. Thereby ensuring that any evidence acquired through use of these tools will be admissible in a court. The NCFI programme consist of the following modules: Module 3A Forensic tool development Module 3B Linux artifacts Module 3C Open Source Forensics Module 3D Macintosh computer forensics Other module parts Module 2: Nordic Computer Forensics Investigators - 25 ECTS Module 1: Nordic Computer Forensics Investigators, introduction - 5 ECTS 2. Aim The aim of the study is to ensure a high level of quality in digital forensic investigation thereby ensuring legal protection and civil liberties are upheld. 3. Target group and admission criteria 3.1. Target group The primary target group is employees in the police service within the Nordic countries whose primary job is the handling and investigation of digital evidence. Curriculum for Nordic Computer Forensics Investigators Module 3A 2015 Page 2
It is presumed that the applicants have been chosen in accordance with the local plan for competency. Employees in other Nordic governmental agencies which cooperate with the police and work with digital evidence on a daily basis are also entitled to apply. 3.2 Admission criteria Applicants for module 3A must: Be employed by a governmental agency Have passed NCFI 2 (Nordic Computer Forensics Investigators, module 2) or similar education Have at least one year of experience in digital forensic or cybercrime investigation With specific approval, exceptions to the requirement of post graduate education from the Norwegian Police University College may be made. It is the responsibility of the applicant to document all relevant training if they wish to avail of this facility. 4. Learning outcome 4.1. General competence After completion of the course candidates will: Show a deep understanding of the importance of artifacts in digital forensics Perceive the field of digital forensics in a broader context Identify ethical dilemmas during investigations 4.2. Knowledge After completion of the course candidates possess knowledge of: General programming concepts in both the imperative and object-oriented paradigms Methods of forensic tool testing and validation Legal issues related to the admissibility of digital evidence in court proceedings both in the Nordic countries and internationally. Curriculum for Nordic Computer Forensics Investigators Module 3A 2015 Page 3
4.3. Skills After completion of the course candidates are able to: Develop large-scale forensic applications Compare the performance of forensic tools Evaluate the validity of the results returned by forensic tools Present the results of new tools in the courtroom 5. Organisation and working demands This course will be delivered on-line through a combination of lectures, exercises, quizes and assignments. The approximate duration of the course is 280 hours of student workload. Students may choose to study at their own pace, however, it is expected that students will complete the course within 2 semesters. As software development is a practical skill, the students will be presented with numerous exercises throughout the course to ensure they have sufficient practical exposure. Student support will be delivered via electronic means such as: email, discussion forums, chat, and video conferences. An online e-learning platform is used in the administration and implementation of the course. Working demands The following course requirements must be met and approved before students sit the exam: Successful completion of up to 10 on-line MCQ tests throughout the course. Students have multiple attempts at these tests if necessary. Curriculum for Nordic Computer Forensics Investigators Module 3A 2015 Page 4
6. Assessment The study concludes with an exam consisting of two parts: Submission of a task An oral examination based on the task It is used a graded scale with five levels from A to E for passes and F for fail. Both parts of the exam must be passed. It is given an overall grade where oral examination may adjust the grade one step, up or down. 7. Literature 7.1. Mandatory literature Students will be examined on all material published in the lessons, and a number of specific web resources and research articles (both technical and legal) which will be provided to students during the course. These will form part of the mandatory reading requirements and will be examinable. In addition, the students may find the following books beneficial during the course. Lutz, M. (2013) Learning Python (5 th Ed.), O'Reilly Media, ISBN: 1449355730 O'Connor, T. J. (2012) Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers. Syngress, ISBN: 1597499579 Downey, A. B. (2012), Think Python, O'Reilly Media, ISBN 144933072X Students may also find the following web resources beneficial during the course: Official Python Documentation [https://docs.python.org/2/] A collection of Python Tutorials: [http://www.tutorialspoint.com/python/] Curriculum for Nordic Computer Forensics Investigators Module 3A 2015 Page 5