Bachelor in Digital Forensics and Incident Response

Start semesters

2024 Autumn

Bachelor in Digital Forensics and Incident Response

Study Facts
- Area of Study
  Computing
- ECTS
  180
- NQF Level
  Bachelor's degree (Level 6 1. Cycle)
- Campus
  Kristiansand, OnlinePLUS - Bergen, OnlinePLUS - Oslo, Online
- Study Mode
  OnlinePLUS, Full-time, Online
- Entry Requirements
  Entry Requirements
- Study Programme Leader
  Emlyn Butterfield

Introduction

Noroff University College (NUC) offers awards that specialise in the utilisation of digital technology. The objective of the Bachelor in Digital Forensics and Incident Response (DFIR) is to provide you with an understanding of the forensic analysis of digital systems, the methods and techniques that can be applied, and to develop you into future digital investigators and incident responders. The use of computers and technology has become ubiquitous within the modern world. With an increase in the use of digital devices within every walk of life now means that there is not a single action taken that does not require a digital device at some point. The legal and commercial sectors have identified this factor and now analyse digital devices on a regular basis to help identify or dismiss user activity.

Traditionally digital forensics was seen as a law enforcement only activity, however given the increase and breadth of cyber-attacks, the field of Digital Forensics and Incident Response (DFIR) was formed. Cyber-attacks, and security breaches, can happen to any organisation at any point due to the connected and distributed nature of an organisation’s infrastructure. Attacks and breaches can cause an organisation to suffer data, financial, and reputational loss. An organisation must identify, respond to, and reduce the impact of an attack or breach as quickly as possible. DFIR focuses on identification, investigation, and remediation from cyber-attacks. With the increased reliance on technology, there are simply more devices that can be 'attacked'. DFIR provides reactive technological capabilities to any organisation to deal with incidents, often the central capability.

This degree will provide students with the skills, knowledge, and competencies to investigate incidents on a range of complex digital systems in a forensically sound manner. Students will be able to analyse and assess evidence and events both in a real time incident analysis and in a post event investigation to enable decisions to be made to secure systems and devices; understanding the potential legal and commercial impact of their actions, while preserving evidence to enable further investigation and prosecution in a court of law. The complexity of cyber-attacks and data breaches has increased the need for skilled individuals who are able to investigate and think analytically, rather than simply knowing how to secure or attack a digital system. DFIR’s are generally creative and flexible in their approach taking on board a range of data and systems with an ability to identify the “red thread”. This degree aims to provide specialists in the DFIR domain, and it will challenge individuals to develop a scientific, rigorous approach to their work.

Aims of the Degree Programme

This programme aims to develop individuals with a holistic understanding of key practice, principles and procedures of digital forensic investigations and incident response. Through a blend of theoretical and practical experience in investigating digital systems students can identify the who, what, where, and when. Graduates have a high level of proficiency in a wide range of skills including problem-solving, digital forensics, network infrastructures, system design and development, operating and file system analysis, network security and incident response. The programme has been specifically designed to equip students with the practical and theoretical understanding and principles required to excel in the DFIR domain.

Students are provided the required background to act as a digital investigator and incident responder, they become competent in the collection, processing, and secure handling of digital evidence from a variety of sources. They have received instruction on the full life cycle of a digital investigation. This will encompass the collection of evidence from a crime scene, maintenance of the chain of custody, analysis and interpretation of the evidence, and the final production of results and findings. The following are the broad core elements for the degree programme.

Computing provides an essential understanding of how digital devices communicate locally and across networks. These fundamentals are key for anyone within a computing discipline.
Digital Forensics is a branch of forensic science that covers the recovery, analysis, interpretation, and presentation of information from digital devices, whilst preserving their integrity.
Incident Response is an organised approach to investigating and addressing security breaches or cyber-attacks.
Legal and Compliance provides an essential understanding of the processes, procedures and broad legal aspects related to digital forensics and incident response to ensure students are aware of the risks and obligations of their work.

The programme develops and equips students as digital investigators with the necessary skills to process numerous forms of digital evidence and sources of data. It will challenge individuals to develop a scientific, methodical, and rigorous approach to their work, along with creativity and versatility in problem solving. This will enable students to not only solve issues posed as part of the degree but also to address unforeseen problems once employed within the DFIR domain, and other future careers. The specialisation builds upon the practice and procedures explored in earlier courses through thorough exploration of different types of file systems and data types. Students then explore investigative practices and tools, before examining novel platforms in their final year.

Course Model

This bachelor's degree is a full-time programme of study, based on a 40-hour per week study schedule. The degree consists of six semesters which are delivered over three academic years (each of a 10-month duration), with each year providing 60 ECTS of educational material and qualification. This results in a 30 ECTS workload per semester and total of 180 ECTS for the full bachelor’s degree, which equates to 1,500-1,800 hours of work. Each year the programmes and their courses are reviewed to ensure the degree continues to be appropriate for this fast-developing field. Some courses may span semesters and the credit value is only awarded in the semester they are completed. The courses that comprise this degree are therefore subject to minor changes each academic year.

BDFIR - Digital Forensics and Incident Response H24

Elective Courses: The elective courses provide students with specialisations within Digital Forensics and Incident Response; focusing on areas such as big data analytics, SIEM architecture, threat modelling, offensive and defensive security techniques, malware analysis, and reverse engineering. Students will learn to handle large-scale data, generate threat intelligence, understand security risks, and evaluate security strategies. Additionally, the courses will equip students with practical skills to isolate infected systems, analyse malicious code, and recover from cyber attacks. Topics varies dependent on the electives available and the elective chosen.

Course	Course type	2024 Autumn	2025 Spring	2025 Autumn	2026 Spring	2026 Autumn	2027 Spring
UC1NFU10 Network Fundamentals	Core	10
UC1PR110 Introduction to Programming	Shared	10
UC1MA110 Mathematics 1	Core	10
UC1PR210 Programming and Databases	Shared		10
UC1OSA10 Operating Systems and Computer Architecture	Core		10
UC1ACR05 Applied Cryptography	Core		5
UC1AS105 Academic Skills 1	Shared		5
UC2NAP10 Network Architectures and Protocols	Core			10
UC2DFF10 Digital Forensics Fundamentals	Core			10
UC2IRF10 Incident Response Fundamentals	Core			10
UC2MA205 Mathematics 2	Core				5
UC2NFO10 Network Forensics	Core				10
UC2DFI10 Digital Forensic Investigation	Core				10
UC2AS205 Academic Skills 2	Core				5
UC3AIR10 Advanced Incident Response	Core					10
UC3ADF10 Advanced Device Forensics	Core					10
UC3DRI10 Data Recovery and Advanced Imaging	Core					10
Elective Courses							10
UC3EAT05 Adversary Tools and Techniques	Elective Course						10
UC3EMA05 Malware Analysis	Elective Course						10
UC3EST05 SIEMs and Threat Intelligence	Elective Course						10
UC3BFI20 Bachelor Project	Spesialism						20
Sum (180 total)		30	30	30	30	30	30

Programme Learning Outcomes

A Programme Learning Outcome (PLO) is essentially a statement that describes what the student has achieved upon successfully completing the degree. Each course description has its own set of learning outcomes, which contribute to the achievement of Programme Learning Outcomes. The PLOs for this degree are based on the Norwegian Qualifications Framework for Lifelong Learning (NQF) at bachelor level. The NQF levels are formulated on the basis of what a person know, can do and is capable of doing as a result of a learning process. The outcomes of the completed learning process are described in the categories: “knowledge”, “skills” and “general competences”.

Knowledge: Understanding of theories, facts, principles, procedures in subject areas and/or occupations.
Skills: Ability to utilise knowledge to solve problems or tasks (cognitive, practical, creative and communication skills.
General Competence: Ability to utilise knowledge and skills in an independent manner in different situations.

Students who are awarded a Bachelor in Digital Forensics and Incident Response have attained:

Knowledge

The candidate …

K1	has broad knowledge of procedures, methods and standards that are used for the preservation and analysis of digital devices.
K2	has broad knowledge of core computing concepts relevant to digital forensics and incident response.
K3	has broad knowledge of applicable legislation and ethics that apply to digital forensics and incident response.
K4	has knowledge of roles and responsibilities within digital forensics and incident response.
K5	is familiar with current practice, emerging research, and development work within digital forensic and incident response.
K6	can update their knowledge of processes, procedures, methodologies and toolsets relevant to digital forensic and incident response.
K7	has knowledge of the significance of digital technology and its place in society.

Skills

The candidate …

S1	can apply knowledge of digital forensics and incident response to undertake investigations and the remediation of digital systems from cyber-attacks.
S2	can apply knowledge of complex digital information to inform decisions and investigation direction.
S3	can reflect upon their own academic practice, with an ability to adapt and adjust to new situations given appropriate academic guidance and support.
S4	can find, evaluate, and refer to information, emerging research, and case studies to present sound solutions to problems.
S5	masters relevant tools and techniques to conduct investigation of digital evidence and cyber incidents.
S6	masters relevant techniques to interpret, present and communicate information, data, and cases logically.

General Competence

The candidate …

G1	has insight into moral and ethical issues related to academia and digital forensics and incident response.
G2	can plan and carry out assignments and projects over time, individually or as part of a team, in accordance with a given brief.
G3	can communicate in both written and verbal formats to ensure the information is presented and conveyed appropriately.
G4	can exchange opinions and experiences with peers and discipline professionals regarding practice and efficient procedures within digital forensics and incident response, thereby contributing to both organisational and personal development.
G5	is familiar with current and evolving processes and emerging technologies within digital forensics and incident response.

Teaching and Learning

Learning Activities

All studies use a variety of teaching and learning activities to encourage students to actively explore and apply new knowledge, along with developing skills and competencies. Each course will incorporate a range of teaching and learning methods according to which are most appropriate for that course – determined through a process of constructive alignment. The primary aim of these methods is to support the students’ learning process and facilitate the achievement of the learning outcomes. The applicable teaching and learning methods include, but are not limited to, the following:

Teacher-Led Activities (TLA)
Lectures and video lectures Online lessons Tutorials	Seminars Presentations

Teacher-Supported Work (TSW)
Practical Work Workshops	Scheduled guidance Group work

Self-Study (SST)
Research Reflection	Group work (Individual) Virtual Laboratory Work

Learning Resources

Key information for the degree is delivered in lectures, normally in one of the Campus auditoriums and as a live stream. Tutorials and supported study are delivered through laboratory-based sessions. All educational material is accessible through the LMS, which forms part of the Virtual Learning Environment (VLE), illustrated in Figure 1.

The LMS provides a central location for the distribution of all educational content and learning resources related to all courses throughout the program of study:

Programme Description
Course Descriptions
Lecture slides
Recorded lectures
Reading lists

Student Handbook
Tutorial exercises
Supplementary notes
Self-study material

The dates and times for all educational sessions for every course, including lectures and tutorials, can be found in the online timetabling system (TimeEdit).

Study Workload

The student workload has been carefully considered for each course to include an appropriate combination of activities suitable for the subject area.

Information and details about a specific course can be found in the respective Course Description. However, each course comprises a selection of lectures, tutorials, and other appropriate sessions. These are timetabled based on a full-time study schedule of 08:00 to 16:00, Monday to Friday.

At the start of each academic year, a Study Schedule is published and made accessible. It contains the planned start and end dates for all courses in the degree. The schedule also includes dedicated study time to work on projects and extra-curricular sessions, including seminars, workshops, and guest speakers from industry. If the schedule is updated, students are promptly informed.

Reading List

Anson, S., (2020) Applied Incident Response. 1st ed. John Wiley & Sons.
Bijalwan, A., (2021). Network forensics. CRC Press.
Carrier, B., (2005). File System Forensic Analysis. Addison-Wesley Professional.
Gerard, J,. (2020) Digital Forensics and Incident Response, 2nd ed. Packt Publishing.
Jaswal, N., (2019). Hands-on network forensics. Packt Publishing Ltd.
Jones A, Watson D. (2013) Digital Forensics Processing And Procedures: Meeting The Requirements Of ISO 17020, ISO 17025, ISO 27001 And Best Practice Requirements. 1st ed.
Le-Khac N, Choo K. (2020) Cyber And Digital Forensic Investigations. Cham: Springer International Publishing.
Nikkel, B., (2016). Practical forensic imaging. No Starch Press.
Palacin, V., (2021). Practical Threat Intelligence and Data-Driven Threat Hunting. Birmingham: Packt Publishing, Limited.

Assessment

Grading of Assessments

Each course in the study comprises of several graded (summative) assessments, where students can demonstrate their achievements and abilities. Information about assessments for each course is provided via the course pages on the LMS. When assessments are released, students are encouraged to always read through the instructions fully and carefully, to ensure the greatest chance of success. If anything is unclear, please contact the relevant Course Leader as soon as possible.

A course is successfully completed once the student has obtained a passing grade for that course. Every assessment has a specific completion deadline comprising a date and time. Work can be submitted any time up to the stated deadline. Students must be able to clearly demonstrate the extent to which they have met the learning outcomes of that course in order to pass. Students will encounter a variety of assessments, which may be used for formative and summative purposes, to ensure that students meet or exceeded the PLOs.

Specific assessment strategies for each course, and instructions for submitting course work, are detailed in the LMS course pages. Please see the regulations available on www.noroff.no/en.

Assessment
Formative	Continuous Assessment Online Test Interactive Online Test
Summative	Presentation of Practical Work Portfolio of Work Projects Online Exams Reports Term Paper Oral Test

Grading Scale

Both formative and summative results may be assessed as Approved / Not approved, Pass / Fail or A-F.
Assessments are graded according to the standard university grading scale, illustrated in the table below.

Grade Letter	Quality Indicator	Definition
A	Excellent	An excellent performance, clearly outstanding. Shows a high degree of independence.
B	Very good	A very good performance, above average. Shows a certain degree of independence.
C	Good	An average performance, satisfactory in most areas.
D	Satisfactory	A performance below average, with significant shortcomings.
E	Sufficient	A performance that meets the minimum criteria, but no more.
F	Fail	A performance that does not meet the minimum criteria.

Entry Requirements

For general admission it is required to document the following criteria as passed:

Higher Education Entrance Qualification, and
Candidates must be able to document proficiency in the English language.
Language requirements by Samordna Opptak

Special admission requirements:
In addition to the general admission requirements, it is required to document the following:

Mathematics R1 (S1+S2)

For admission on basis of prior learning and work experience:
Admission based on prior experience requires a written application for evaluation. Applicable candidates must be at least 25 years of age in the year of admission.

For candidates with foreign education the requirements for Higher Education are:

The country must be recognized by NOKUT, specified in the GSU-list.
Candidates must be able to document proficiency in the English language.
Language requirements by Samordna Opptak

For further information, please see the admission requirements: https://www.noroff.no/en/admission/admission-requirements

Campus and Online Study

All students follow the same progression according to their education plan, irrespective of whether they study online or on campus. All students study the courses at the same time, with the same delivery and workload, following identical assessment strategies for every course. At the study level no distinction is therefore made between campus and online students. All students are required to engage in live education sessions (such as lectures) and undertake all required educational activities.

Students are encouraged to interact with each other via online forums and chat systems, enabling discussions to take place involving both online and campus students. Each student cohort is therefore a single learning community, concurrently engaging in all educational activities irrespective of actual physical location. Throughout all educational sessions course staff actively encourage participation from campus and online students simultaneously, and do not focus solely on those who are physically present.

This tight integration of campus and online ensures students will be part of a cohesive learning community throughout their study. As a result, this also means that should students' personal situations change during their studies, and they must change their mode of study from online to campus (or vice versa) this can be done with little to no disruption to their studies.

Opportunities for Further Studies

The subject material will enable graduates to go on to postgraduate study, for example:

M Cyber Security (University in Agder)
M Information Security (NTNU)
M Criminal Investigations (University of Derby)
M Cyber Security (Teesside University)
M Digital Forensics and Cyber Investigation (Teesside University)
M Computer Forensics (University of South Wales)
M Cyber Security and Digital Forensics (Leeds Beckett University)

Undertaking some period of study at an international educational institution can result in many benefits to those who take part, including:

Language and general competence in the destination country and culture
Development of personal and professional networks in other parts of the world
Personal growth and holistic development.

All students are eligible to apply to undertake a period of study at an international university. All international study opportunities are subject to the application processes and admissions requirements of the international institution, in addition to an evaluation of the suitability of the proposed study exchange within the students’ study at NUC. Full details of international study opportunities and the application process is available to all students within the LMS.

Possible Professions

Graduates understand business security needs examined and are able to ensure that such security solutions are implemented correctly, and that they are in fact adequate to mitigate the risks the organisation faces in the given context. The graduate is enabled to fulfil a number of distinct employment titles, such as the following:

Digital Forensics Investigator
Intrusion Analyst
Cyber Security Incident Responder
Cyber Security Analyst
CERT Specialist
SOC Analyst

Accredited

June, 2023