Digital Forensics 2 | Abertay University

Digital Forensics 2


This module will look at the forensic investigation of computer (e.g. TCP/IP) and mobile phone networks. Starting with an understanding of the underlying communications technologies, the module will develop a comprehensive, systematic approach to the discovery and examination of evidence from both end-user devices (e.g phones, tablets etc.) and the networking infrastructure itself.


The aim of this module is to provide the student with an understanding of the sources of evidence associated with the use of mobile phone and network technologies. It will focus on how to recover, analyse and present that evidence in a forensically sound manner.

Learning Outcomes

By the end of this module the student should be able to:

1.  Critically appraise a computer forensic investigation involving evidence from mobile and network sources with respect to the legal definitions of computer misuse.

2.  Devise an appropriate professional level plan for such a forensic investigation and carry out this plan within a context of a specific scenario using appropriate digital forensic tools.

3.  Critically analyse and evaluate the results of a mobile and network based digital forensic investigation.

Indicative Content

1 Mobile Phone technologies and networks

How do mobile/wireless networks work? What are the implications for their forensic investigation?

2 Principles and limitations of mobile operation

GSM based networks, GPRS, 3rd/4th generation, UMTS networks, Data carrying capabilities and user access methods.

3 Forensic analysis of end-user devices

Acquisition of evidence from end-user devices (e.g. phones, tablets, etc.) Phone, SIM and memory data, use of tools to extract data, SMS

4 Cellsite Analysis

Data stored within the network. Mobile trail. Location-aware devices and tracking data.

5 Mobile Phone Data mining

Ideas of gaining behaviour patterns for stored data. Data mining techniques.

6 Header 6

Evaluate techniques for the gathering, analysis and use of network based evidence - session data, alert data, statistical data. Tools and techniques - packet tools for real-time capture and analysis, log analysis tools, custom written tools.

7 Network integrity

Evaluate the effects of viruses and internal and external attacks on the network. Develop strategies to prevent and detect these.

8 Live incident response

Gathering and analysing volatile and non-volatile data from a system in real-time - e.g. network connections, open ports, routing tables, users, processes, services, open files

9 Intrusion detection systems

Benefits and limitations. False positives. Critical analysis of data. Tuning

10 Server side forensics

Evaluate techniques for analysing and filtering logs and data from firewalls, DNS, web caches, email.

Statement on Teaching, Learning and Assessment

Content will be presented by a mixture of lectures and practicals. Assessment will be by means of coursework reports on laboratory work and case studies. Lectures constitute 12 of 36 hours class contact. The remainder, 67%, is lab or tutorial work of an experimental or investigative nature. Class contact time comprises lectures, tutorials/seminars and supervised laboratory work, amounting to 24% of the module time. The remainder, 74%, is independent study or assessment. A purpose-built and regularly-updated module website is used to provide links to lecture notes, laboratory tasks, assessment briefs, operational matters, and external information. Student project or lab work and student-suggested links are incorporated as and when appropriate. Week 7 of the term will include structured feedback week activities where students will present their evaluation of the network security incidents analysed in the previous weeks and receive feedback on their efforts. This will inform their evaluation of the security incidents in the remainder of the module and assessment.

Teaching and Learning Work Loads

Total 200
Lecture 12
Tutorial/Seminar 0
Supervised Practical Activity 39
Unsupervised Practical Activity 0
Assessment 60
Independent 89

Guidance notes

Credit Value – The total value of SCQF credits for the module. 20 credits are the equivalent of 10 ECTS credits. A full-time student should normally register for 60 SCQF credits per semester.


We make every effort to ensure that the information on our website is accurate but it is possible that some changes may occur prior to the academic year of entry. The modules listed in this catalogue are offered subject to availability during academic year 2018/19 , and may be subject to change for future years.