htw saar Piktogramm QR-encoded URL
Back to Main Page Choose Module Version:
emphasize objectives XML-Code


IT Forensics

Module name (EN):
Name of module in study programme. It should be precise and clear.
IT Forensics
Degree programme:
Study Programme with validity of corresponding study regulations containing this module.
Applied Informatics, Bachelor, ASPO 01.10.2017
Module code: PIB-ITF
Hours per semester week / Teaching method:
The count of hours per week is a combination of lecture (V for German Vorlesung), exercise (U for Übung), practice (P) oder project (PA). For example a course of the form 2V+2U has 2 hours of lecture and 2 hours of exercise per week.
1V+1P (2 hours per week)
ECTS credits:
European Credit Transfer System. Points for successful completion of a course. Each ECTS point represents a workload of 30 hours.
Semester: 5
Mandatory course: no
Language of instruction:
Successful participation in the tutorial, oral examination

[updated 26.02.2018]
Applicability / Curricular relevance:
All study programs (with year of the version of study regulations) containing the course.

DFBI-344 (P610-0200) Computer Science and Web Engineering, Bachelor, ASPO 01.10.2018 , semester 6, optional course, informatics specific
KI690 (P221-0083) Computer Science and Communication Systems, Bachelor, ASPO 01.10.2014 , semester 5, optional course, technical
KIB-ITF Computer Science and Communication Systems, Bachelor, ASPO 01.10.2021 , semester 5, optional course, technical
KIB-ITF Computer Science and Communication Systems, Bachelor, ASPO 01.10.2022 , semester 5, optional course, technical
PIBWI54 (P221-0083) Applied Informatics, Bachelor, ASPO 01.10.2011 , semester 5, optional course, informatics specific
PIB-ITF Applied Informatics, Bachelor, ASPO 01.10.2017 , semester 5, optional course, informatics specific
Workload of student for successfully completing the course. Each ECTS credit represents 30 working hours. These are the combined effort of face-to-face time, post-processing the subject of the lecture, exercises and preparation for the exam.

The total workload is distributed on the semester (01.04.-30.09. during the summer term, 01.10.-31.03. during the winter term).
30 class hours (= 22.5 clock hours) over a 15-week period.
The total student study time is 60 hours (equivalent to 2 ECTS credits).
There are therefore 37.5 hours available for class preparation and follow-up work and exam preparation.
Recommended prerequisites (modules):
Recommended as prerequisite for:
Module coordinator:
Prof. Dr. Damian Weber
Lecturer: Prof. Dr. Damian Weber

[updated 10.11.2016]
Learning outcomes:
After successfully completing this course, students will be able to use the system properties of an IT system to secure evidence that can be used in court after an IT security incident. To this end, they will apply best practices, compare the advantages and disadvantages, isolate problems that arise and investigate the usability of the secured data. They will be capable of interpreting the collected data and presenting the results convincingly to an independent authority.

[updated 26.02.2018]
Module content:
1. General information about the field
2. Introduction
    Definition of terms
    Motivation for authorities
    Motivation for companies
3. Principles of IT forensics
    Procedure model
    Digital traces
    Volatile data
    Interpreting data
    Interpreting time stamps
4. File system basics
    Hard disks, partitioning, file systems
    Unix file management
5. File system analysis
    Creating a file system image
    Analyzing a file system image
    Deleted files
    File carving
6. Analyzing a compromised system
    Process handling

[updated 26.02.2018]
Recommended or required reading:
Forensic Discovery. (Addison-Wesley Professional Computing) (hard cover)
by Daniel Farmer (author), Wietse Venema (author)
File System Forensic Analysis. (soft cover) by Brian Carrier (author)

[updated 26.02.2018]
[Thu Jun 13 09:17:31 CEST 2024, CKEY=ki, BKEY=pi2, CID=PIB-ITF, LANGUAGE=en, DATE=13.06.2024]