Modules

Core Module Information
Module title: OS Forensics
SCQF level: 10:
SCQF credit value: 20.00
ECTS credit value: 10
Module code: CSN10111
Module leader: Robert Ludwiniak
School School of Computing, Engineering and the Built Environment
Subject area group: Cyber Security and Systems Engineering
Prerequisites

Requisites: Pre-requisite: [Module CSN08111] Digital Forensics
Description of module content:

The aim of the module is to investigate the principles of operating systems and how they hinder or support forensic investigation. The module includes significant practical sessions in applying computer forensics in realistic real-world scenarios, allowing students to analyse and evaluate digital evidence through the use of forensic tools and techniques. The practicals will be complemented with considerable theoretical knowledge of operating system information as digital evidence, and the basic techniques associated with gathering, preserving and presenting digital evidence. Outlines of the main areas include:? Introduction to common operating systems such as Windows, Linux, Android? Forensic artefacts specific to the operating system and their role as digital evidence (for example, the Windows registry).? Exploration of user data areas, directories and files.
Learning Outcomes for module:

Upon completion of this module you will be able to

LO1: Critically evaluate operating system artefacts relating to user behaviour as digital evidence in forensic investigation.

LO2: Critically reflect on the tools and techniques used in digital forensic investigations.

LO3: Conduct a digital forensics investigation and critically evaluate and reflect on digital evidence gathered for the investigation in an ethical and professional manner.
Full Details of Teaching and Assessment
2025/6, Trimester 1, In Person,
VIEW FULL DETAILS
Occurrence: 001
Primary mode of delivery: In Person
Location of delivery: MERCHISTON
Partner:
Member of staff responsible for delivering module: Robert Ludwiniak
Module Organiser:


Student Activity (Notional Equivalent Study Hours (NESH))
Mode of activityLearning & Teaching ActivityNESH (Study Hours)NESH Description
Face To Face Lecture 24 LECTURE
Face To Face Practical classes and workshops 24 Practical classes and workshops
Online Guided independent study 152 Guided independent study
Total Study Hours200
Expected Total Study Hours for Module200


Assessment
Type of Assessment Weighting % LOs covered Week due Length in Hours/Words Description
Report 60 1~2~3 Week 13 , WORDS= 4000 The coursework is a practical assessment which gives students the chance to directly carry out a forensic investigation of a provided scenario.Students will build upon the theoretical materials from the lectures and practical experience on the labs, tying all of the elements together into a single investigation.The goal is to answer specific, scenario-based, investigative questions which are outlined in the assessment brief. Given the length limitations, students are required to be concise with their documentation, while still adhering to sound forensics principles.Learning Outcomes 1-3 are all relevant here as students are expected to utilise core knowledge of artefacts, while reflecting on the recovery of said artefacts via any tools used. Howeverm the primary focus here is on LO3, which assesses how well they can put knowledge into practice.
Class Test 40 1~2 Week 10 HOURS= 2 The class test largely seeks to assess the students' understanding of the theoretical components of the module, though there may be acutely scoped practical elements included.There are two main elements that the students would be expected to answer questions on:- Technical reflection on specific evidence artefacts pertaining to the relevant Operating Systems and software from the lectures/practicals.- General forensics processes, best practice, and scenario-based thinking where specific artefacts are discussed in context.Essentially, students should be able to demonstrate that they understand the general principles and relevant evidence artefacts mentioned in the module.
Component 1 subtotal: 100
Component 2 subtotal: 0
Module subtotal: 100

Indicative References and Reading List - URL:
OS Forensics
 

Related information