Cranfield University logoCranfield University

Forensic Computing MSc/PgDip/PgCert


Forensic Computing
  • Emphasis on practical aspects
  • Start date - September
  • Designed for full or part-time study
  • Modular structure

Forensic computing is a dynamic area of criminal investigation, with new tools, techniques and methods constantly available to both the investigator and the investigated. This course offers a carefully blended mix of fundamental principles and advanced techniques, taught by experienced examiners and active researchers in forensic computing.

  • Course overview

    This course is available both full-time and part-time. Students will complete a number of taught modules, each with theoretical and practical elements, and an individual research project.

    PgCert - part-time.

    One core module plus choice of four elective modules from those listed below to total 60 credits.

    PgDip - full-time and part-time.

    Five core modules plus choice of six elective modules from those listed below to total 120 credits.

    MSc - full-time and part-time.

    Taught phase of the PgDip followed by an individual project dissertation to total 200 credits.

  • Individual project

    The individual project will involve academic research in a specific area of forensic computing. The student will produce a substantial dissertation detailing their investigation and findings. Students are pushed to produce high quality, novel research during this period, and research outcomes are often at the cutting edge of the subject.

  • Modules

    Taught on a modular basis, each module earns 10 credits with the exception of Forensic Computing Foundations which earns 20 credits.


    • Forensic Computing Foundations
      Module LeaderDr Christopher Hargreaves - Lecturer in Forensic Computing

      The module will provide you with the knowledge, understanding and practical experience that will enable the recovery of admissible evidence from PC based computers and the skills and competencies to prepare such evidence for presentation in a Court of Law.

      The course will detail the fundamentals of forensic computing to a degree that will enable you to understand precisely how commercial forensic tools operate, which will allow you to operate beneath the level of the tool and extract digital evidence directly from binary images.


      Evidence and the Forensic Process:

      • Preparations to be made before seizure; actions at the scene and the treatment of exhibits.
      • An outline of the law relating to the recovery of evidence from computers, and Association of Chief Police Officers (ACPO) guidelines.
      • Writing contemporaneous notes, forensic reports, and witness statements.
      • Presenting evidence in court, including admissibility and the role of an expert witness.

      Computer Principles Relevant to Forensics:

      • The physical architecture, including interrupts and memory management.
      • Software components, including the operating system, the boot sequence, the role of BIOS and Unified Extensible Firmware Interface (UEFI).
      • Strategies for searching and indexing forensic data.

      Understanding Forensic Artefacts:

      • Low level data formats: how information (such as text, numbers and dates) are encoded.
      • Interpreting data structures, including common approaches used to check, find, and recover data.
      • File formats, file signatures (including when they are not reliable) and other techniques for recognising and recovering files and hidden data.
      • Document, graphic and compressed data formats.
      • XML data structures and modern document formats.

      Disks and data storage

      • Disk fundamentals, including the physical construction and handling of hard disks, physical data storage on the disk, disk management and interface functions.
      • Data hidden or masked from the operating system.
      • Imaging and examination strategies to ensure data recovery.
      • RAID disk systems.
      • Addressing disk sectors, including historic addressing and interface modes.
      • Disk organisation and partitioning, including MBR and GPT disks.
      • Disk mapping and the manual reconstruction of disk partition structures.

      File Systems:

      • File system fundamentals including allocation tables and link lists, system reserved space, clusters, allocated, slack and unallocated space.
      • The detailed structure of the FAT and NTFS file systems, including practical examination of complete and partial file systems, the potential for recovery of deleted files, and extracting and understanding file system metadata (e.g. dates and times).
      • Additional evidential metadata available in NTFS systems, including zone information in ADS.
      • Overview of the exFAT file systems, in particular how the potential for forensic data recovery contrasts with FAT 12/16/32.
      • Overview of Apple MAC disks and file systems.

      Introduction to Windows Forensics:

      • This is focussed on Windows 7, with explanations of how previous versions (e.g. XP, VISTA) differ.
      • Examination fundamentals: establishing machine, system, time, user, and software base information.
      • Data and Time: the BIOS, the operating system, and network time.
      • The Windows Registry: differences between hives on disk and the live system, and examination of the registry.
      • Mapping what the user sees: examining the user interface forensically via the registry and file system; for example, the desktop configuration, gadgets, recent documents.
      • Mapping user behaviour: extracting information about the user's history, for example Internet history, registry keys, and link files.
      • Mapping device usage, including USB device evidence.

      Practical Exercises and Forensic Examination Tools:

      This course is focussed on developing deep understanding via practical forensic exercises; most of the syllabus is taught via practical examples. Particular time and emphasis is given to:

      • Writing forensic reports (weekend exercise).
      • Disk partition mapping.
      • File system mapping (both FAT and NTFS).
      • Windows operating system examination.

      Coursework Syllabus:

      The coursework will reinforce the material taught during the residential course, and allow students the opportunity to further practice and develop their forensic examination skills. The coursework will be divided into three exercises, typically comprising:

      • A written report on a forensic process scenario, reviewing how the requirements for evidential admissibility influence the process or organisation.
      • Mapping the structure of a suspect disk, and contrasting that structure with that obtained by standard forensic tools.
      • Conducting a forensic examination of a suspect hard disk, including extracting all relevant information (which may include data obtained by the analysis of a corrupt file system) and submitting this as evidence in accordance with a provided scenario.
      Intended Learning Outcomes

      On successful completion of this module you will be able to:

      Knowledge and Understanding:

      • Understand how the forensic process, including seizure, imaging, examination, reporting, is conditioned by the requirements of evidential admissibility.
      • Understand the start-up procedures of operating systems, particularly in Windows environments, how they interact with the hard disk and the significance of the paging of memory to disk in a forensic environment.
      • Understand how disks are constructed and the implications of their interfacing and addressing for forensic imaging.


      • Appraise the advantages and disadvantages of imaging and copying for evidential purposes, and compare and appraise different imaging methods.
      • Identify the advantages/disadvantages of imaging tools and other forensic software utilities.
      • Understand the overall principle of original integrity, and be competently practised in the methods and principles of disk examination and logging, and the preparation of evidence for Court.
      • Demonstrate a sound understanding of the law relating to evidence recovered from computers and the law relating to common offences in which evidence recovered from computers is frequently required.
      • Carry out detailed manual forensic reconstruction of disk structures and file systems, including systems that may be unreadable by standard forensic tools due to deliberate or accidental damage, including identification of intentionally “hidden” areas and those areas not visible to a normal user.
      • Analyse hard disks in a manner suitable for evidential purposes.
      • Carry out a well-structured forensic examination of a suspect machine using the Windows operating system, including using a variety of tools to extract artefacts that indicate how the machine is configured and used.
      • Prepare reports suitable for submission in evidence.

      Indicative Reading

      • Forensic File System Analysis, Brian Carrier, 2005, Addison Wesley, ISBN 978-0321268174.
      • Forensic Computing A Practitioner’s Guide (2nd Edition), Sammes & Jenkinson, Springer, 2007 ISBN 978- 1-84628-397-0.
      • ACPO: Good Practice Guide for Computer-Based Electronic Evidence,
      • The Police and Criminal Evidence Act 1984, The 5th Edition, 1st Supplement, Professor Michael Zander, QC, Sweet & Maxwell, 2006, ISBN: 9780421956100.
      • Windows Internals 5th Edition, Mark E. Russinovich, David A. Solomon, Alex Ionescu, 2009, Microsoft Press , ISBN 978-0735625303.
      • Handbook of Data Compression, 5th Edn, 2009, David Salomon, Giovanni Motta, D Bryant, Springer, ISBN 978-1848829022.
      • Computer Forensics: Incident Response Essentials, Warren G. Kruse II, Jay G. Heiser, 2001, Addison Wesley, ISBM 978-0201707199.
      • The Expert Witness: A Practical Guide, 3rd End, 2007, Catherine Bond, Mark Solon, Penny Harper, Gill Davies. Sweet and Maxwell, ISBN 978-0721914428.
    • Investigation and Evidence Collection
      Module LeaderDr Karl Harrison - Lecturer in Forensic Archaeology
      AimThe module provides an understanding of the core responsibilities of evidence recording and collection at the crime scene, both in general and specifically related to operational constraints of a UK investigative context. You will also understand the operation of forensic and police investigators within the context of a major investigation.
      • Construction of the forensic strategy.
      • Evidence selection and collection.
      • Scene photography.
      • Digital photography.
      • Sample integrity and contamination issues.
      • Assessment of evidence.
      • Packaging and transportation.
      • Scene reporting.
      • Handling intelligence – assessment and communication.
      Intended Learning Outcomes

      On successful completion of the module you will be able to:

      • Analyse and evaluate various different strategies of major scene investigation to consider the various effects of different approaches.
      • List and define the range of evidence collection and investigation techniques available to the crime scene investigator.
      • Describe and evaluate the relative merits of the range of systematic crime scene procedures vital to successful investigations.
      • Evaluate which of these procedures are appropriate to a particular crime scene and apply these procedures appropriately during a crime scene exercise.
      • Generate a crime scene report which objectively critiques the methodologies used and draws justified conclusions appropriate for the evidence.
      • Transfer theoretical and practical knowledge of evidence identification, recording and retrieval into the various roles of forensic specialists.
    • Reasoning for Forensic Science
      Module LeaderProfessor Keith Rogers - Professor of Materials/Medical Science

      The module will provide understanding and experience of the disciplines underpinning critical evaluation of quantitative information applied within the Forensic Sciences.


      The syllabus will follow the general course of a generic investigative process from the appropriate framing of a question to the critical interpretation of data and information. The appropriate use of data in well constructed arguments will be considered in order to distinguish between fact, opinion and speculation. Intellectual rigour will be challenged, and the ability to identify weakness in argument will be developed. Data will be examined for reliability and reproducibility with a focus on the distinct features of forensically related data. Appropriate use of descriptive and hypothesis testing statistics will be practiced and the ‘prosecutor’s fallacy’ explored. Bayes’ Theorem will be considered and rehearsed through case studies

      The module covers:

      • Experimental design.
      • Interpretation and assessment.
      • Effective framing and rebutting of arguments.
      • Problem solving.
      • Evidential types.
      • Use of relevant statistics for design and interpretation.
      • Courtroom statistics.
      Intended Learning Outcomes

      On successful completion of the module you will be able to:

      • Recognise the fundamental features of effective experimental design.
      • Explain how confidence may be secured through effective reliability and reproducibility assessments.
      • Frame and defend an effective argument concerning quantitative information.
      • Understand the minimum requirements for presenting scientific evidence in court.
      • Distinguish between evidential types used in court and research environments.
      • Apply appropriate statistics to forensic evidence for analysis and interpretation.
      • Explain the statistical processes to the layman.
      • Apply Bayes’ Theorem to forensic evidence.
    • Courtroom Skills
      AimThe module will provide an understanding of the role and responsibilities of expert witnesses in domestic and international criminal and civil cases and how they can present their evidence to the court effectively. You will also apply knowledge gained in previous modules to strengthen arguments presented in expert witness reports
      • Role and legal responsibilities of the forensic expert.
      • Civil and criminal procedure rules.
      • Excellence in report and statement writing.
      • Presentation of evidence in court.
      • Preparation for examination-in-chief and cross-examination.
      Intended Learning Outcomes

      On successful completion of the module you will be able to:

      • Define the role and responsibilities of the expert witness.
      • Construct an effective expert witness report.
      • Develop the skills to present oral evidence in court effectively and respond successfully to cross-examination.
    • Forensic Internet
      The aim of this module is to enable evidence from computers which have been used to access or exchange data across the Internet.

      This course focuses upon artefacts remaining upon a subject machine that has been used to
      access the Internet. Common Internet activity is explained as well as methods of transmission
      and reception. A number of software packages currently encountered by analysts are explored
      in terms of examining material stored or retained on the machine during and after use on the
      Internet. Methods and tools are introduced which will permit access to residual data in a form
      which is useful to analysts as well as low level confirmation of data on the disk. Relevant hard
      disk areas are explored in practical sessions and artefact recovery is carried out. Examinations
      are carried out on prepared hard disks for the recovery of relevant data within a number of given
      internet scenarios. The residential element of the course is followed by a substantial piece of


      • Internet-specific crimes, including phishing, grooming, and money scams
      • Internet history, addressing, and services
      • Internet organisation, the role of Internet Authorities and ISPs
      • Basic Protocols: IP, ICMP, TCP, HTTP, FTP, Telnet
      • Email protocols, e-mail and header interpretation, attachments and MIME
      • The reliability of data received from the Internet
      • Forensically important database artefacts used in Internet applications including SQLite, its schema, query language and binary record structure
      • Web browsers: Internet Explorer and other browsers: history and cache forensics
      • Forensic evidence from e-mail clients (Outlook and Windows Live), and from web-mail
      • Other significant applications, including Facebook, Internet chat, and peer-to-peer
      • The effect of malware on Internet clients.
      Intended Learning Outcomes

      On successful completion of this module a student should be able to:


      • Interpret the more common areas containing information about Internet transactions on a hard disk and apply this knowledge to recover data from them
      • Summarise important Internet protocols, and compare the evidential value of artefacts derived from such protocols
      • Evaluate the effects of malware and its impact on a forensic examination.


      • Contrast the data structures of a number of leading Internet related applications and consequently adopt the correct data recovery strategy for them
      • Create a template for examination of a machine which has been used to access the Internet by identifying relevant areas for examination
      • Formulate methods to test the outcome of particular actions believed to have been carried out by a use, or piece of software, in order to state whether such outcomes were consistent with what has been recovered from the disk.


    • Digital Crime and Investigation
      Module LeaderMr Peter Forster - Course Director - Forensic Computing
      AimTo provide understanding and experience of digital crime and the principles of forensic computing investigations.

      The course will examine the stages of the forensic process in a practical setting, together with the options available and techniques that can be applied at each stage. Practical work will focus on process issues, rather than a deep understanding of systems and artefacts, and include the introductory use of a range of commercial forensic tools to manage cases and extract evidence. 


      • The definition of forensics, concepts of electronic traces, types of digital evidence, sources of evidence, types of crime and related evidence.
      • Elements of a sound process.
      • Evidence handling, maintaining the chain of custody, admissibility, good practice including ACPO guidelines, technical competence, explicit choice and justification of processes, completeness of an investigation.
      • Individual roles in an investigation and their relationships.
      • The role of the expert witness.
      • Ethics in forensic examinations. Collecting evidence
      • Identifying data media and securing physical evidence, Imaging, Hashes, bag- and-tag and subsequent handling.
      • Physical examination of computers.
      • Collection problems, choices and variations: dealing with volatile evidence, large disk systems, networked computers, operationally critical systems, collecting remote evidence. Analysis Tools
      • Introducing commercial analysis tools.
      • Image and case management, reliability of tool-generated evidence, indexing and searching. Basic tool functions: extracting files, documents, photographs.

      The analysis process

      • Recording actions: repeatability, case management, contemporaneous notes.
      • Working with a hypothesis: confirmatory and contradictory evidence, corroboration, anticipating defence arguments.
      • Identifying starting points, and following chains of evidence; the problem of linking digital evidence to real people and real events.

      Reporting findings

      • Reporting styles, the content of a report, expert opinion.

      Legal issues

      • Computer misuse.
      • Data protection.
      • Indecent images – law and good practice.
      • Encryption.
      • Human Rights – The European Convention and UK law.
      • Emergent issues.
      Intended Learning Outcomes

      On successful completion of this module a student should be able to: 


      • Critically distinguish and assess the background definitions and concepts applicable to forensic computing
      • Evaluate the Association of Chief Police Officer (ACPO) guidelines and their impact on the forensic workflow
      • Appraise the key roles performed by primary actors and institutions in the forensic process
      • Critically review the key legislation that relates to digital evidence
      • Evaluate what offence has been committed given a particular digital crime scenario
      • Summarise the national guidelines that impact the field of digital forensics.



      • Compose an effective forensic collection plan in the context of an electronic investigation
      • Critically assess and develop the processes for the management of the digital crime scene
      • Design and Implement an analysis workflow for imaged/collected electronic evidence
      • Evaluate both the collection plan and the analysis workflow in order to formulate an expert witness report
      • Critically assess complaints, intelligence and evidence of computer related offences and breaches of computer law
      • Act as a source of assistance and information in relation to digital evidence and crime.
    • Forensic Computing Using Linux
      Module LeaderDr Christopher Hargreaves - Lecturer in Forensic Computing

      The module develops a practical working knowledge and understanding of Linux and opensource tools as a platform for performing computer forensic examinations.


      The course provides an introduction to Linux including both GUI and command line environments. You will learn key forensic tools available on a Linux platform and how they can be used to synthesize a forensic workflow. This includes disk imaging/acquisition, preservation, duplication/cloning, recovery, analysis, managing acquired images, and other forensic techniques. The emphasis is on developing knowledge, understanding and skills to use Linux in a forensic examination. The residential element is followed by one item of coursework.

      Overview of Linux and Unix Platforms:

      • Understanding Linux Kernels, distributions, graphical environments, and available options.
      • Other Unix platforms.
      • Licensing and support.
      • Installing and configuring Linux and Linux applications.

      Linux Basics:

      • File system layout, system management and security concepts.
      • Accessing devices, partitions, and file systems.
      • Using a desktop (GUI) environment, and introducing common desktop applications.
      • Using the shell and common command-line utilities.

       Managing Forensic Data:

      • Import, export, and cloning of disk images.
      • Working with split, compressed or encrypted images.
      • The Advanced Forensic Format (AFF) – extensible open format for forensic image data.
      • Use of standard Unix features for data management and analysis.
      • Tools for basic process functions, such as viewing, converting, cryptographic hashing.

      Open Source Analysis Tools and their Use:

      • Identification and acquisition of disks and partitions (including dcfldd).
      • Search concepts, including grep, find, and regular expressions.
      • Using NSRL known-good databases for file exclusion.
      • Analysis and Carving tools (including Coroners Toolkit, Sleuthkit, Foremost).

      Building a Forensically Sound Workflow:

      • Choices: tools and approach.
      • Forensic issues within the workflow, including repeatability and validity.
      • Managing and preserving evidence.

      Other Examination Options

      • Review other workflow tools and options and the circumstances in which they are useful.

      Pre-requisite Workbook

      • The workbook is a distance-learning workbook, which includes a practical exercise for self-assessment.
      • The coursework will ensure that all students have some familiarity with Linux prior to the residential, especially the basic use of the command-line to navigate and manage the Linux file system, files and processes.
      Intended Learning Outcomes

      On successful completion of the module you will be able to:


      • Understand the primary operating system platform choices and their pros and cons from a forensic examination perspective.
      • Understand the range and capability of tools available in the open source community, in particular, those useful within a digital forensics lab.


      • Confidently use and navigate a Linux system.
      • Apply standard Linux features, including the command shell and core utilities, to manage data and files in a forensic examination.
      • Securely and efficiently transfer data to and from a Linux system
      • Apply core open-source forensic tools to forensic examinations.
      • Construct a complete forensic processing chain from open-source components, and assess its suitability for a particular forensic examination.

      Indicative Reading:

      • Ubuntu Linux Website ( contains free Linux software downloads, support, and documentation.
      • Learning the bash Shell (3rd Ed.), March, 2005, Cameron Newham, O'Reilly, ISBN: 0596009658.
      • The Law Enforcement and Forensic Examiner Introduction to Linux: A Beginner's Guide, January 2004, Barry J. Grundy, NASA Office of Inspector General Computer Crimes Division, ( sleuthkit, Brian Carrier, ( Forensic Discovery, December 2004, Dan Farmer, Wietse Venema, Addison-Wesley, ISBN: 020163497X.
    • Advanced Forensic Computing

      The aim of this module is to develop knowledge and understanding of advanced forensic computing techniques and to acquire the skills to apply these successfully.


      The course will examine, in a practical setting, advanced forensic computing techniques as applied to a number of areas of current relevance. Students will learn how to identify and access artefacts of forensic significance in these areas and will be given the opportunity to develop their skills in applying these techniques. The residential element of the course is followed by a substantial piece of coursework.

      Forensic Analysis of the Registry:

      • Structure and construction of the Windows 7 registry (including difference from previous versions of Windows.
      • The use of registry viewers, especially to review the forensic artefacts, as opposed to the live registry.
      • The analysis of important registry keys, including: complete and partial MRU streams, Typed URLs; UserAssist and examination of ControlSet, MountedDevices.
      • Analysis of the binary structure of the registry and extraction of forensic artefacts from registry fragments.

      Structure and Analysis of Optical Media Disk Formats:

      • The physical construction and structure of CDs and DVD, together with forensic handling implications.
      • How data are stored, processed and presented to the reader/writer interface; including the implications for forensic imaging.
      • Detailed analysis of the file structure on CDs and DVDs, including 9660, JOLIET and UDF.
      • Practical analysis of multi-session disks; the recovery of data hidden by multi-session writing.
      • Mapping metadata that indicates the provenance (machine, user, etc) and links sessions CDS and DVDs.

      Virtual Machine Forensics:

      • The use of VMware to establish working version of suspect's machine, including overcoming hardware, activation and password problems.
      • Booting a virtual machine (e.g. a suspect image) from a separate bootable CD image for examination or configuration purposes.
      • The use of VMware techniques to recover shadow copies of a Windows NTFS file system.
      • The use of VMware in forensic experiments, including virtual networking, isolation management, self-protection protection, and imaging.
      • Forensic examination of virtual machines.

      Forensic Analysis of Dynamic Disks, Spanned Disks etc:

      • Dynamic disks compared with basic disks; spanned and striped volumes; forensic treatment.

      Forensic Evidence resulting from Web-Site development and management:

      • Web-site development, typical artefacts, including those resulting from test and development environments.
      • Web-site management, typical services and data provided by a hosting environment, and the forensic artefacts that result on the client used to manage such a website.

      Approaches to Anti Forensic Techniques:

      • Methods used which attempt to thwart subsequent forensic analysis; in particular encryption, and tools and forensic approaches to data recovery.

      Forensically Exploiting Operating System Indexes:

      • Forensic traces left in thumbnail databases.
      • Extracting evidence of encrypted and inaccessible systems from Windows.
      Intended Learning Outcomes

      On successful completion of this module students should be able to:


      • Recognise forensic artefacts deposited by a number of common CD/DVD packages whilst creating CD/DVD disks. Recognise raw data formats used on CD/DVDs and the connections that can be made between the two as well as deductions/conclusions which can be drawn.


      • Understand some of the methods used in the “Anti-Forensic” arena; be able to apply a range of techniques to extract forensic evidence of data or system usage which is otherwise inaccessible.
      • Trace and interpret, using relevant tools as required, areas of the registry from which useful forensic material is likely to be found. Confirm the interpretation of that material by use of binary decoding/deconstruction.
      • Create and run Virtual Machines for both test and experimentation purposes in terms of software application operation and for forensic examination purposes to reproduce and evaluate user activity/views/accesses/connections and the like for evidential purposes.
      • Understand how websites are constructed and administered; be capable of extracting evidential material both from the PCs that have been used remotely to construct and administer the websites. and understand what evidence may be obtained from the hosting provider.


      • Windows Registry Forensics, Harlan Carvey, 2011, Syngress, ISBN 9781597495806 
      • Principles of Digital Audio, Sixth Edition (Digital Video/Audio), Ken Pohlmann, McGraw-Hill/TAB Electronics, 2010, ISBN 978-0071663465
      • WorkStation User's Manual, VMWare Workstation 7.1, 2010,
      • PHP 6 and MySQL 5 for Dynamic Web Sites: Visual QuickPro Guide, 2008, Larry Ullman, Peachpit Press, 2008, ISBN 978-0321525994
      • Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments Diane Barrett , Greg Kipper, Syngress, 2010, ISBN 978-1597495578
    • Programming for Digital Forensics
      Module LeaderDr Christopher Hargreaves - Lecturer in Forensic Computing
      The aim of this module is to provide students with the programming skills required to write specific programs to complement existing forensic investigative software. Such programs will seek to solve original problems encountered in the field. In particular, production of these programs will offer a method of verifying output from commercial forensic packages.


      The idea of a programming language, language generations (1st – 5th), compilation and interpretation, abstraction. 
      Overview of Software Engineering and its application to documentation and testing. 
      Simple design techniques: stepwise refinement, flow charts. 
      Integrated Development Environments (IDEs) and their components.

      Python Language

      Types and strongly typed languages. 
      Scalar and structured types and their mutability. 
      The idea of an object and references. 
      Control structures. 
      Expressions and operators. 
      Functions and parameters. 
      File handling. 
      Errors and exception handling. 
      Comments and program documentation. 
      Testing and use of the debugger.


      Importing, modules, packages. 
      Examples from a representative selection of modules from the standard library.

      Intended Learning Outcomes

      On successful completion of this module a student should be able to:


      • Justify the need for a disciplined approach to the development of software and its supporting documentation
      • Summarise the functions of a software development environment
      • Discuss the functions of the component parts of a Python program. 


      • Analyse a problem in a forensic investigation and produce a design for a program to solve such a problem
      • Write a program in the Python programming language which implements the design. 
      • Test, debug and document the program
      • Argue, as to a Court of Law, the operations of pieces of source code and their component structures with a view to proving the actions of the programs they constitute beyond reasonable doubt.
    • Mac OS X Forensics
      Module LeaderDr Christopher Hargreaves - Lecturer in Forensic Computing

      The aim of this module is to enable students to plan and implement a forensic analysis of Mac filing systems.


      The course uses Mac Mini computers to forensically examine Mac operating systems, including:

      • Installation and overview of the Mac OS X operating system
      • Navigating the Mac OS X Aqua interface
      • Utilising the command line interface for forensic examinations
      • Examine and interpret the boot process and logging
      • Identification and interpretation of hard disks, partitions and file systems
      • Break down and identify file date and time behaviour
      • Acquiring, investigating and manipulating Mac forensic images
      • Interpret the role of the SQL database and Spotlight
      • Analysis of mail and web browsing artefacts
      • File deletion and recovery
      • Plan and present an analysis strategy based upon defined parameters.
      Intended Learning Outcomes

      On successful completion of this module a student should be able to:


      • Differentiate, identify and extract Web artefacts left by Web browsing, specifically Firefox, Safari and Chrome
      • Interpret and analyse Mac partitions and file systems
      • Break down the Mac boot process.



      • Effectively construct a forensic analysis plan for a Mac OS X software system utilising selected software
      • Evaluate, assemble and assess selected forensic tools for examining a Mac file system
      • Interpret and assess the artefacts left by Mac Mail
      • Interpret and assess the metadata from Spotlight
      • Critically evaluate the advantages and disadvantages of selected forensic acquisition methods
      • Distinguish between Intel and Power PC Macs.
    • Forensic Network
      Module LeaderDr Christopher Hargreaves - Lecturer in Forensic Computing

      The module enables you to develop knowledge, understanding and skills for the recovery of admissible evidence from computers which are, or have been, connected to a formal network.


      The focus of this course is upon the understanding of the storage of data, and forensically useful artefacts upon networks, of whatever size. Much of the course is practically based following the development of a small business from its first two-machine network to a full blown multi-domain network. Differences in forensic artefacts are identified along the way as well as methods and options regarding the recovery of useful evidential data. Options are explored in practical sessions and artefact recovery is carried out live on networked machines. Examinations are carried out on prepared hard disks for the recovery of relevant data within a number of given network scenarios. The residential element of the course is followed by two substantial pieces of coursework.


      • Network Basics, LAN, WAN, topologies, transmission methods, packets and packet sniffing, TCP/IP structure and services, client server architecture and Resources.
      • Network devices, including: hubs, switches and routers, wireless devices.
      • Backup types, policies and software.
      • Simple networking systems.
      • Windows networks, network admin issues, permissions, policies, sharing and access, log files and registry entries.
      • Exchange server, and e-mail servers.
      • Seizing/securing evidence from a network or a machine that has been connected to a formal network.
      Intended Learning Outcomes

      On successful completion of this module you will be able to:


      • Appraise the advantages and disadvantages of shutting a network down in order to examine it for evidence.
      • Describe the topology of a specific network and demonstrate an understanding of how the network is seen by any particular user.
      • Understand and demonstrate, practically, methods by which files can be attributed to a user and identify who actually had access to them.
      • Demonstrate knowledge and understanding of the file ownership, access and storage systems used in common networks.


      • Formulate a strategy for the recovery of evidence from any specific network.
      • Identify and explore options with regard to methods used to identify and secure the required data.
      • Communicate effectively with system administrators in terms of identification of network types, operating systems and data storage areas.
      • Carry out a forensic examination of a hard disk from a networked machine and identify useful artefacts relevant to its connection to a network and its operation whilst connected.
      • Identify and document historical connections of other media and associated artefacts.

      Indicative Reading

      • Mastering Windows Network & Investigation, Steve Anson & Steve Bunting, John Wiley & Sons, Mar 2007, ISBN 0470097620.
      • Peter Norton’s Complete Guide to Networking, Peter Norton & Dave Kearns, SAMS Publishing, Sept 1999, ISBN 0672315939 (very good despite long run).
    • Fakes and Forgeries
      Module LeaderDr Andrew Shortland - Reader in Forensic Archaeomaterials

      The module will provide an understanding of the principles of forensic and scientific investigations into art objects.

      • Introduction to the art world.
      • Collectors, auction houses and museums.
      • Legal aspects of antiquities and antiques.
      • Object and material types.
      • Stone, ceramic, glass, metal, pigment, organics.
      • Scientific versus stylistic analysis.
      • Special considerations of sampling.
      • Quasi-non destructive and no-destructive techniques.
      • Relative and absolute dating.
      • Provenancing.
      Intended Learning Outcomes

      On successful completion of the module the student will be able to:

      • Describe the basic functioning of the art market.
      • Demonstrate a critical awareness of the legal roles of various players and the part that science can play.
      • Critically assess the various scientific and non-scientific techniques.
      • Demonstrate an understanding of how sampling strategies are applied and which techniques are of most use.
      • Be able to apply their knowledge to specific investigation of art objects to successfully come to a reasoned and balanced conclusion.
    • Trace Evidence
      Module LeaderDr David Lane - Reader in Analytical Physics and Advance

      The module will provide an understanding of the trace physical evidence and its associated forensic examination.

      • Trace evidence concepts, direct and indirect transfer, retention time, transfer diagrams.
      • Fibre and hair construction.
      • Fibre and hair microscopy for identification and comparison.
      • Glass construction and forensic examination.
      • Paint characterisation.
      • Soil analysis.
      • Shoe and tyre print examination.
      • Tool marks and fingerprints.
      • Case studies in trace evidence.
      Intended Learning Outcomes

      On successful completion of the module you will be able to:

      • Explain the concept of ‘trace’ evidence and describe how the term can be applied to a wide range of physical evidence.
      • Transfer theoretical and practical knowledge of trace evidence analysis into forensic examinations and scenes of crime investigations.
      • Recover trace evidence using appropriate detection and collection techniques.
      • Identify and measure the most important features of selected types of trace evidence using appropriate analytical techniques.
      • Classify different types of trace evidence and use statistical techniques to compare samples.
      • Construct a transfer diagram to describe the physical contact between two objects or persons.
  • Assessment

    A mixture of written and practical examinations, oral presentations, assignments, and (MSc only) a thesis.

  • Start date, duration and location

    Start date: Full-time: September. Part-time: September

    Duration: MSc: 1 year full-time, up to 5 years part-time, PgDip: up to 4 years part-time, PgCert: up to 3 year part-time.

    Teaching location: Shrivenham

  • Overview

    This course provides detailed technical knowledge in a fast growing area. Classes of approximately twenty students can be accommodated.

  • Your teaching team

    You will be taught by staff from Cranfield University and external lecturers, many of whom are world leaders in their field and who understand the problems of translating theory into practice.
  • Facilities and resources

    Students will have access to every resource needed for a complete and high quality experience, including two dedicated computer laboratories, one for teaching and the other for private study/research. The resources available ensure that the education students receive in this rapidly developing discipline and the experience obtained whilst doing so is first class. 

    The private study/research laboratory is particularly relevant to the full-time students, who will not have access to a working laboratory as many of the part-time students do. This laboratory includes access to the latest versions of popular commercial software as used by professional forensic analysts. 

    The University believes that having access to a laboratory such as this is essential to the course, as assessment of the modules includes both written work, to demonstrate understanding of key concepts, and also practical assignments involving the completion of forensic examinations using realistic scenario-based disk images. 

    Students will also have access to cutting edge research material, including that conducted at Cranfield University. Also through the Barrington Library, students will have access to National and International publications. The Library also provides access to a range of up-to-date digital forensic textbooks, both physically and as e-books. 

    An added bonus will be that full-time and part-time students will join together during classroom (residential study school) sessions. This is an ideal opportunity for networking.

  • Entry Requirements

    Normally a 1st or 2nd class Honours degree or equivalent in science, engineering or mathematics. Alternatively, a lesser qualification together with appropriate work experience may be acceptable.

    The full-time course is ideally suited to recent graduates in a related subject such as Computer Science who wish to specialise in Forensic Computing. It is also suitable for those who have recently completed a BSc in Computer Forensics, Digital Forensics, Cybercrime Forensics or a related subject, who would wish to deepen their knowledge, improve their skills and increase their employability, in what is a very competitive market.

    The part-time course is more suited to those already in full-time employment, such as law enforcement officers, government staff, security consultants, accountancy and banking organisations, corporate security personnel and members of associated agencies in both the UK and overseas. This programme could lead to a new career or promotion with an existing employer. Guidance may be sought by those who do not have the formal qualifications necessary to enrol immediately onto the programme, as to the best study route to take. See contact details.

    Owing to the nature of this course, all candidates will be required to submit a completed Subject Access Form, and self sponsored candidates will also need to supply an additional character reference (three in total).

    English language

    Students whose first language is not English must attain an IELTS score of 7

  • Fees

    Home/EU student


    This is the total fee charged for the award and a payment plan system is offered.

    MSc Full-time - £8,500 *

    MSc Part-time - £8,500 *

    PgDip Full-time - £7,800 *

    PgDip Part-time - £7,800 *

    PgCert Full-time - £3,900 *

    PgCert Part-time - £3,900 *

    Overseas student

    MSc Full-time - £15,500 *

    MSc Part-time - £15,500 *

    PgDip Full-time - £11,500 *

    PgDip Part-time - £11,500 *

    PgCert Full-time - £5,750 *

    PgCert Part-time - £5,750 *

    Fee notes:

    • Fees are payable annually for each year of study unless otherwise indicated.
    • The fees outlined here apply to all students whose initial date of registration falls on or between 1 August 2014 and 31 July 2015 and the University reserves the right to amend fees without notice.
    • All students pay the annual tuition fee set by the University for the full duration of their registration period agreed at their initial registration.
    • Additional fees for extensions to registration may be charged.
    • Fee eligibility at the Home/EU rate is determined with reference to UK Government regulations. As a guiding principle, EU nationals (including UK) who are ordinarily resident in the EU pay Home/EU tuition fees, all other students (including those from the Channel Islands and the Isle of Man) pay international fees.
  • Funding

    For more information on funding please contact

  • Application process

  • Career opportunities

    The MSc could be an important be a stepping stone to an academic career in digital forensics.

    The reputation of the part-time course, which has been taught at the Centre for Forensic Computing since 2002, is second to none and graduates regularly go on to work with some of the top government organisations in the UK, including: 

    • Police forces (including Counter Terrorism Units)
    • HM Revenue & Customs
    • Financial Services Authority. 

    In addition, graduates have also worked for companies based in the UK and overseas, such as:

    • Barclays Bank PLC 
    • QinetiQ Group PLC
    • FTI Consulting Inc
    • KPMG LLP
    • Pricewaterhouse Coopers International Ltd.

    Employees in this field are usually either from the public sector, in the form of law enforcement, or in the private sector, where your skills may be used in dedicated digital forensics companies or to assist organisations such as the large accountancy companies or banks.

Related Areas