Module details for Digital Forensics 2


This module will look at the forensic investigation of computer (e.g. TCP/IP) and the challenges facing analysts when investigating mobile devices and network traffic. Starting with an understanding of the underlying communications technologies, the module will develop a comprehensive, systematic approach to the discovery and examination of evidence from both end-user devices (e.g. phones, tablets etc.) and the networking infrastructure itself.


The aim of this module is to provide the student with an understanding of the sources of evidence associated with the use of mobile phone and network technologies. It will focus on how to recover, analyse and present that evidence in a forensically sound manner.

Learning Outcomes

By the end of this module the student should be able to:

1.  Critically appraise a computer forensic investigation involving evidence from mobile and network sources with respect to the legal definitions of computer misuse. 

2.  Devise an appropriate professional level plan for such a network forensic investigation and carry out this plan within a context of a specific scenario using appropriate digital forensic tools.

3.  Critically analyse and evaluate the results of a mobile and network based digital forensic investigation. 

4.  Critically analyse the challenges faced by investigators with respect to forensic investigations involving mobile devices.

Indicative Content

1 Mobile Phone technologies and networks

How do mobile/wireless networks work? What are the implications for their forensic investigation?

2 Principles and limitations of mobile operation

GSM based networks, GPRS, 3rd/4th generation, UMTS networks, Data carrying capabilities and user access methods.

3 Forensic analysis of end-user devices

The theory of acquisition of evidence from end-user devices (e.g. phones, tablets, etc.) Phone, SIM and memory data, use of tools to extract data, SMS

4 Cellsite Analysis

Data stored within the network. Mobile trail. Location-aware devices and tracking data.

5 Mobile Phone Data mining

Ideas of gaining behaviour patterns for stored data. Data mining techniques.

7 Network integrity

Evaluate the effects of viruses and internal and external attacks on the network. Develop strategies to prevent and detect these.

8 Live incident response

Gathering and analysing volatile and non-volatile data from a system in real-time - e.g. network connections, open ports, routing tables, users, processes, services, open files

9 Intrusion detection systems

Benefits and limitations. False positives. Critical analysis of data. Tuning

10 Server side forensics

Evaluate techniques for analysing and filtering logs and data from firewalls, DNS, web caches, email.

10 Server side forensics

Evaluate techniques for analysing and filtering logs and data from firewalls, DNS, web caches, email.

10 Server side forensics

Evaluate techniques for analysing and filtering logs and data from firewalls, DNS, web caches, email.

Teaching and Learning Work Loads

Teaching and Learning Method Hours
Lecture 12
Tutorial/Seminar 0
Practical Activity 48
Assessment 60
Independent 80
Total 200

Guidance notes

SCQF Level - The Scottish Credit and Qualifications Framework provides an indication of the complexity of award qualifications and associated learning and operates on an ascending numeric scale from Levels 1-12 with SCQF Level 10 equating to a Scottish undergraduate Honours degree.

Credit Value – The total value of SCQF credits for the module. 20 credits are the equivalent of 10 ECTS credits. A full-time student should normally register for 60 SCQF credits per semester.


We make every effort to ensure that the information on our website is accurate but it is possible that some changes may occur prior to the academic year of entry. The modules listed in this catalogue are offered subject to availability during academic year 2021/22 , and may be subject to change for future years.