University of Oxford Logo University of OxfordSoftware Engineering - Home
On Facebook
Follow us on twitter
Linked in
Linked in
Google plus
Google plus
Stumble Upon
Stumble Upon

Digital Forensics

Security is an emergent property of whole systems, of which software plays a part. A system's life cycle does not stop once it has been designed and delivered. When in its operating environment a system will be monitored and maintained within its original use cases through traditional software management techniques. But what happens when an incident causes a system to operate outside its original use cases? Simply taking a traditional software maintenance approach will only reveal part of what happened and why. 

The aim of the module is to provide students with an understanding of forensic principles and techniques within a context of software and systems, enabling them: to choose the most appropriate techniques to apply when conducting or managing an investigation into a software-centric systems; to apply techniques or to identify resources necessary for application; to explain their choices in terms that can be understood by anyone with a basic knowledge in the field.

Course dates

23rd September 2024Oxford University Department of Computer Science - Held in the Department05 places remaining.
28th April 2025Oxford University Department of Computer Science - Held in the Department06 places remaining.


The successful participant will

  • Apply forensic principles and techniques to the investigation of software and systems.
  • Demonstrate a systematic approach for undertaking forensic investigations.
  • Evaluate the results from analysis of extracted forensic traces.
  • Reflect on how the results of an investigation relate to those security measures that were taken during the design, development and implementation of a software-centric system.


  • Forensic Investigations: The approach to an investigation. Its purpose, the steps involved, the presentation of findings, and the challenges of reliance on automated tools.
  • Practical issues associated with the collection of evidence, chain of custody and presentation of findings.
  • Analysis and interpretation of a selection of file system, operating system, and application-based forensic artefacts in the context of a digital investigation
  • Digital Forensic Analysis & Investigation: Discuss the various tools and techniques used to analyse a computer and the typical applications that are on a computer.
  • Digital Forensics Research: Use techniques to identify the forensic traces left from the use of a piece of software.


Much of the course will involve examining data structures at the hexadecimal level, the use of GUI and command line digital forensic tools. These will be covered during the week, but the prestudy will provide background on different number representations. Therefore, some knowledge of binary and hexadecimal will be expected by the time the course begins. Also, some knowledge of command line usage will be an advantage, but most of the analysis is performed with graphical tools and a hex editor, which will be carried out within a Windows VM, so competence with Microsoft Windows is assumed.

Students taking the module should be familiar with running virtual machines on the computer they will use for the assignment. Virtual machines will be described in more detail during the course, but some basic knowledge would be an advantage.

Please ensure that you are up to date on these topics, or can be, by the time the module begins. If you have any doubts about your suitability for the module, please contact your supervisor and/or the Programme Office.