Digital Forensics MSc/PgCert/PgDip


  • Emphasis on practical aspects
  • Start date - September
  • Designed for full or part-time study
  • Modular structure
Forensic Computing

Delivered by the Cranfield Forensic Institute, this course focuses on providing the knowledge and skills required to conduct comprehensive forensic examinations of digital devices. Guest lectures are delivered by digital forensic practitioners throughout the course, with guest lecturers coming from both law enforcement and private companies.

Please note the MSc is available as a full and part-time option. The PgCert and PgDip are only available as a part-time option.

Course overview

The Digital Forensics MSc is available both full-time and part-time. Students will complete a number of taught modules, each with theoretical and practical elements, and, for the MSc, an individual research project.

Individual Project

The individual project will involve academic research in a specific area of digital forensics. The student will produce a substantial dissertation detailing their investigation and findings. Students are pushed to produce high quality, novel research during this period, and research outcomes are often at the cutting edge of the subject.


Taught on a modular basis.


  • Investigation and Evidence Collection
    Module Leader: Dr Karl Harrison - Lecturer in Forensic Archaeology
    • Construction of the forensic strategy
    • Evidence selection and collection
    • Scene photography
    • Digital photography
    • Sample integrity and contamination issues
    • Assessment of evidence
    • Packaging and transportation
    • Scene reporting
    • Handling intelligence – assessment and communication.
    Intended learning outcomes

    On successful completion of the module you will be able to:

    • Analyse and evaluate various different strategies of major scene investigation to consider the various effects of different approaches.
    • List and define the range of evidence collection and investigation techniques available to the crime scene investigator.
    • Describe and evaluate the relative merits of the range of systematic crime scene procedures vital to successful investigations.
    • Evaluate which of these procedures are appropriate to a particular crime scene and apply these procedures appropriately during a crime scene exercise.
    • Generate a crime scene report which objectively critiques the methodologies used and draws justified conclusions appropriate for the evidence.
    • Transfer theoretical and practical knowledge of evidence identification, recording and retrieval into the various roles of forensic specialists.
  • Reasoning for Forensic Science
    Module Leader: Professor Keith Rogers - Professor of Materials/Medical Science
    • Experimental design
    • Interpretation and assessment
    • Effective framing and rebutting of arguments
    • Problem solving
    • Evidential types
    • Use of relevant statistics for design and interpretation
    • Courtroom statistics.

    The syllabus will follow the general course of a generic investigative process from the appropriate framing of a question to the critical interpretation of data and information. The appropriate use of data in well-constructed arguments will be considered in order to distinguish between fact, opinion and speculation. Intellectual rigour will be challenged, and the ability to identify weakness in argument will be developed. Data will be examined for reliability and reproducibility with a focus on the distinct features of forensically related data. Appropriate use of descriptive and hypothesis testing statistics will be practised and the ‘prosecutor’s fallacy’ explored. Bayes’ Theorem will be considered and rehearsed through case studies.

    Intended learning outcomes

    On successful completion of the module you will be able to:

    • Recognise the fundamental features of effective experimental design
    • Explain how confidence may be secured through effective reliability and reproducibility assessments
    • Frame and defend an effective argument concerning quantitative information
    • Understand the minimum requirements for presenting scientific evidence in court
    • Distinguish between evidential types used in court and research environments
    • Apply appropriate statistics to forensic evidence for analysis and interpretation
    • Explain the statistical processes to the layman
    • Apply Bayes’ Theorem to forensic evidence.
  • Forensic Computing Foundations
    • Digital data storage, formats, structures, and interpretation
    • Computer architecture and boot process, including BIOS and UEFI
    • Hard disk structures and data retrieval process
    • Disk partitioning
    • File system analysis, FAT, NTFS and exFAT
    • Microsoft Windows forensic artefacts, e.g. Windows Registry, Link Files, Prefetch Files, Recycle Bin etc.
    • An introduction to Mac OS X and Linux operating systems
    • Digital investigation strategies and processes, e.g. keyword searching, file carving etc.
    • Writing notes and reports.
    Intended learning outcomes

    On successful completion of this module a student should be able to:

    • Construct an overall digital forensic workflow that satisfies the requirements of evidential admissibility
    • Construct, justify, and carry out a forensically sound process for disk imaging
    • Conduct detailed manual forensic reconstruction of stored data (e.g. disk partition, file system, operating system, and application structures) including artefacts that may be unreadable by standard forensic tools
    • Given a set of instructions for a case, construct an examination strategy to recover admissible digital evidence, and given a disk image, carry out that strategy to locate and extract digital evidence
    • Produce appropriate documentation to accompany a digital forensic examination, including notes, statements and reports.
  • Internet Forensics
    • Internet history, addressing and services, including the role of Internet authorities and registries
    • Internet architecture and protocols
    • IP addresses and domains
    • Web browser architectures and data
    • SQLite database binary analysis and query structure
    • ESE and index.dat data storage
    • Web server administration forensics
    • Social network artefacts
    • Email
    • Internet-specific crime.
    Intended learning outcomes

    On successful completion of the module students will be able to:

    • Explain the function and operation of common Internet protocols
    • Interpret evidence recovered from the use of Web browsers
    • Debate the attribution and reliability issues of Internet-derived evidence
    • Recover evidence from Internet transactions.
  • Courtroom Skills
    • Role and legal responsibilities of the forensic expert
    • Civil and criminal procedure rules
    • Excellence in report and statement writing
    • Presentation of evidence in court
    • Preparation for examination-in-chief and cross-examination.
    Intended learning outcomes

    On successful completion of the module you will be able to:

    • Define the role and responsibilities of the expert witness
    • Construct an effective expert witness report
    • Develop the skills to present oral evidence in court effectively and respond successfully to cross-examination.


  • Digital Crime and Investigation
    Module Leader: Dr Sarah Morris - Lecturer in Forensic Computing
    • Background and introduction to digital forensic science
    • Investigation of digital crime
    • Planning and executing a search and seizure operation in the context of a digital crime based investigation
    • Introduction to the tools and techniques used to examine digital evidence
    • Reports and statements
    • Relevant UK and European law.
    Intended learning outcomes

    On successful completion of this module a student should be able to: 

    • Evaluate the impact of key concepts in digital forensic science and related legislation on the forensic workflow
    • Create an effective search and seizure plan for a digital investigation
    • Conduct a simple digital forensic examination
    • Construct an appropriate report in respect of a digital crime investigation and examination
    • Apply knowledge to act as a source of assistance and information in relation to digital evidence and crime.
  • Network Forensics
    • Seizure planning for home to corporate networks
    • Local area network (LAN) technologies and protocols
    • Building a network
    • Wireless network analysis
    • Mapping a suspect network
    • Recovering server and client artefacts
    • Remote access.
    Intended learning outcomes

    On successful completion of the module students will be able to:

    • Identify potential sources of admissible evidence on a network of computers
    • Explain the function of common network devices and protocols
    • Formulate a strategy for the recovery of evidence from any specific network
    • Apply appropriate methods for the recovery and analysis of evidence from a networked computer.
  • Advanced Forensic Computing
    Module Leader: Dr Sarah Morris - Lecturer in Forensic Computing
    • Forensic Analysis of the Registry and its binary format
    • Structure and Analysis of Optical Media Disk Formats
    • Virtual Machine Forensics
    • Forensic Analysis of Dynamic Disks, Spanned Disks, Striped Volumes
    • Approaches to Anti Forensic Techniques
    • Forensically Exploiting Operating System Indexes
    • Forensic Analysis of Volume Shadow Copies
    • Forensic Analysis of recently introduced features in Windows.
    Intended learning outcomes

    On successful completion of this module a student should be able to:

    • Compare and identify the raw data formats used on optical media and artefacts created during their creation
    • Evaluate anti-forensic methods
    • Apply a range of techniques to extract forensic evidence of data or system usage which is otherwise inaccessible
    • Extract and interpret information from complex binary artefacts on a system
    • Trace and interpret areas of the registry from which useful forensic material is likely to be found
    • Create and run Virtual Machines for both previewing and experimentation.
  • Programming for Digital Forensics
    • Introduction to programming concepts
    • Development environments
    • Software development techniques
    • Software testing
    • Data types
    • Operators
    • Containers
    • String handling
    • Sequences and Mappings
    • Conditionals
    • Loops
    • File handling
    • Functions
    • Exception Handling.

    Selected Python Modules:

    • OS module
    • Hashlib module
    • Struct module
    • Regular expressions module
    • Subprocess module
    • SQLite3 module
    • Logging module.
    Intended learning outcomes

    On successful completion of this module a student should be able to:

    • Demonstrate a disciplined approach to software development
    • Design a programmatic solution for a problem in a digital forensics context
    • Implement a programmatic solution for a problem in digital forensics
    • Construct, implement and document an appropriate test strategy for a programmatic solution to a digital forensics problem
    • Construct appropriate supporting documentation for a program that performs a digital forensics task
    • Justify design decisions and implementation solutions made during the development of a programmatic solution to a digital forensics problem.
  • Digital Forensic Using Open Source
    Module Leader: Dr Sarah Morris - Lecturer in Forensic Computing

    A compulsory pre-residential distance-learning workbook, which includes a practical exercise for self-assessment. This ensures that all students have some familiarity with Linux prior to the residential.

    • Linux Kernels, distributions, graphical environments, Unix platforms
    • Installing and configuring Linux and Linux applications
    • File system layout, system management and security concepts
    • Accessing devices, partitions, and file systems
    • Using a desktop (GUI) environment, common desktop applications, the shell and common command-line utilities
    • Tools for basic process functions, such as viewing, converting, cryptographic hashing
    • Identification and acquisition of disks and partitions. Import, export, and cloning of disk images, working with split, compressed or encrypted images
    • Search concepts, including grep, find, and regular expressions
    • Analysis and carving tools
    • Identifying and using open source tools
    • Using scripting to automate processes and combine tools
    • Forensic issues within the workflow, including repeatability and validity.
    Intended learning outcomes

    On successful completion of this module a student should be able to:

    • Compare and contrast the primary operating system platform choices from a forensic examination perspective
    • Summarise and compare the range and capability of relevant tools available in the open source community
    • Use and navigate a Linux system
    • Apply standard Linux features, including the command shell and core utilities, to manage data and files in a forensic examination
    • Securely and efficiently transfer data to and from a Linux system
    • Apply core open-source forensic tools to forensic examinations
  • Mac OS X Forensics
    • Installation of Mac OS X
    • Use of Mac OS X Terminal
    • The Mac OS X boot process
    • Acquiring disk images using Mac OS X
    • Mounting disk images on Mac OS X
    • Identification of disks and partitions on Mac OS X including APM, MBR and GPT
    • The HFS+ file system
    • Bundles and packages
    • Property Lists
    • Safari browser analysis
    • Mail application analysis
    • Use of Spotlight
    • Log file locations and analysis
    • User accounts and FileVault
    • iOS backups and connected devices
    • PDFs and printing.
    Intended learning outcomes

    On successful completion of this module a student will be able to:

    • Analyse Mac OS X digital forensics artefacts at various levels of abstraction, including those related to partitioning, file systems and the operating system
    • Analyse the artefacts left on disk by built-in applications on Mac OS X
    • Construct and carry out a suitable digital forensic analysis approach for an Apple Mac
    • Evaluate the use of Mac OS X for conducting an examination of an Apple Mac against traditional digital forensics tools.
  • Fakes and Forgeries
    • Introduction to the art world
    • Collectors, auction houses and museums
    • Object and material types
    • Stone, ceramic, glass, metal, pigment, organics
    • Scientific versus stylistic analysis
    • Special considerations of sampling
    • Quasi-non-destructive and non-destructive techniques
    • Relative and absolute dating
    • Provenancing.
    Intended learning outcomes

    On successful completion of the module the student will be able to:

    • Describe the basic functioning of the art market
    • Demonstrate a critical awareness of the legal roles of various players and the part that science can play
    • Critically assess the various scientific and non-scientific techniques
    • Demonstrate an understanding of how sampling strategies are applied and which techniques are of most use
    • Be able to apply their knowledge to specific investigation of art objects to successfully come to a reasoned and balanced conclusion.
  • Trace Evidence
    Module Leader: Dr David Lane - Reader in Analytical Physics and Advance
    • Trace evidence concepts, direct and indirect transfer, retention time, transfer diagrams
    • Fibre and hair construction
    • Fibre and hair microscopy for identification and comparison
    • Glass construction and forensic examination
    • Paint characterization
    • Soil analysis
    • Blood spatter
    • Fingerprints
    • Marks as evidence.
    Intended learning outcomes

    On successful completion of the module you will be able to:

    • Investigate a wide range of physical evidence using the concept of ‘trace’ evidence
    • Project manage a systematic trace evidence search using appropriate detection and collection techniques to recover trace evidence of different types
    • Justify the categorisation of trace evidence by identifying and measuring their most important features using appropriate analytical techniques
    • Assess the number and distributions of different types of trace evidence and use
    • Appraise different categories of trace evidence and synthesise a model for how trace evidence transfer has occurred
    • Present a case for physical contact between two (or more) objects or persons using a transfer diagram
    • Report on a trace evidence investigation in a clear and concise manner.
  • Forensic Exploitation and Intelligence
    • Role of communication and information sharing
    • FORINT in long-term policing strategy
    • Exploitation and Military Intelligence
    • Pattern analysis, GIS and mathematics in forensic intelligence
    • Technical exploitation
    • Forensic exploitation
    • Planning and direction of forensic intelligence
    • Collection, processing, production, management and dissemination of FORINT
    • Forms of output and report from FORINT.
    Intended learning outcomes

    On successful completion of the module you will be able to:

    • Distinguish evidential types for use in court and for intelligence purposes
    • Evaluate the levels and range of forensic exploitation techniques
    • Manage and prioritise the exploitation of forensic intelligence derived from people, places and vehicles
    • Critically assess how forensic intelligence interfaces with other intelligence sources
    • Establish and maintain a FORINT exploitation policy within the frameworks of forensic best practice and the recognised intelligence cycle.


The assessments on this course are a mixture of written and practical exams, oral presentations, coursework assignments and (MSc only) a thesis.

The coursework assignments vary, but will include conducting digital forensics examinations of disk images for particular scenarios, conducting research into the artefacts left by applications, and further written assignments on digital forensic processes and theory.

Start date, duration and location

Start date: Full-time: September. Part-time: September

Duration: Full-time MSc - one year, Part-time MSc - up to three years, Full-time PgCert - one year, Part-time PgCert - two years, Full-time PgDip - one year, Part-time PgDip - two years

(For MOD status students the duration may vary, subject to annual review.)

Teaching location: Shrivenham


This MSc is specifically designed to provide you with the practical skills, knowledge base and research skills to work as a digital forensics practitioner.


This course is highly practical and technical in both delivery and assessment. It is designed to enable participants to conduct comprehensive forensic computing examinations and cutting-edge digital forensic research.

Your teaching team

You will be taught by staff from Cranfield University and external lecturers, many of whom are world leaders in their field and who understand the problems of translating theory into practice.

Cranfield Lecturers

Facilities and resources


There are comprehensive facilities and resources to support study on the Forensic Computing course.

Digital Forensics Laboratories

The majority of taught modules will be delivered in a dedicated digital forensics teaching computer laboratory, which is regularly reconfigured for different modules and equipped with all the necessary hardware and software. For example, for the “Mac OS X Forensics” module the PCs are removed and replaced with Apple Macs; for the “Network” module students build their own network and connect to a domain; and for the “Forensic Computing using Linux” module the standard Windows build is replaced with Linux.

There is also a separate digital forensic student laboratory available for general use by students for coursework and research. This is equipped with the latest digital forensics software including EnCase 6 and 7, FTK 5, Blacklight, NetAnalysis and WinHex.

In addition, a digital forensics research laboratory is used by staff and by students conducting research projects. This contains mobile phone acquisition equipment, reconfigurable networks and customisable hardware.

A network forensics research laboratory is available for research into network protocols and evidence from servers.

A “Crime Scene Room” is used during search and seizure exercises where students will learn how to identify and secure the physical evidence upon which digital evidence resides. The room is equipped with cameras so actions can be recorded and played back in order to analyse and improve strategy and behaviour. It is reconfigured to simulate a variety of crime scenarios.

Learning resources

Lectures are delivered almost exclusively in the digital forensics teaching laboratory. These, along with the practical sessions, are supported using Moodle, an open source Virtual Learning Environment, ensuring that notes are available electronically. Exercises and exercise data can be downloaded for later study, and interactive digital exercises can be used to support the learning of complex subjects.

The Barrington Library provides resources to support the main teaching material, with electronic and physical access to the latest digital forensics journals, including Digital Investigation. The latest textbooks, digital forensics magazines, and past Cranfield digital forensics theses that date back to 2002 are also accessible. Cranfield University subscribes to the latest library databases, so digital forensics papers located in non-specialist journals can also be easily located during research and assignments.

Full-time and part-time students will join together during classroom (residential study school) sessions. This is an ideal opportunity for networking.

Entry Requirements

Normally a first or second class Honours degree or equivalent in science, engineering or mathematics. Alternatively, a lesser qualification together with appropriate work experience may be acceptable.

The full-time course is ideally suited to recent graduates in a related subject such as Computer Science who wish to specialise in Forensic Computing. It is also suitable for those who have recently completed a BSc in Computer Forensics, Digital Forensics, Cybercrime Forensics or a related subject, who would wish to deepen their knowledge, improve their skills and increase their employability, in what is a very competitive market.

The part-time course is more suited to those already in full-time employment, such as law enforcement officers, government staff, security consultants, accountancy and banking organisations, corporate security personnel and members of associated agencies in both the UK and overseas. This programme could lead to a new career or promotion with an existing employer. Guidance may be sought by those who do not have the formal qualifications necessary to enrol immediately onto the programme, as to the best study route to take. Please contact us.

English Language

Students whose first language is not English must attain an IELTS score of 7.


Home/EU Student Fees

MSc Full-time - £9,000

MSc Part-time - £9,000 *

PgDip Full-time - £7,200

PgDip Part-time - £7,200 *

PgCert Full-time - £3,600

PgCert Part-time - £3,600 *

Overseas Fees

MSc Full-time - £17,500

MSc Part-time - £17,500 *

PgDip Full-time - £14,000

PgDip Part-time - £14,000 *

PgCert Full-time - £7,000

PgCert Part-time - £7,000 *


Students will be offered the option of paying the full fee up front, or paying in four equal instalments at six-month intervals (i.e. the full fee to be paid over the first two years of their registration).

Fee notes:

  • The fees outlined apply to all students whose initial date of registration falls on or between 1 August 2016 and 31 July 2017.
  • All students pay the tuition fee set by the University for the full duration of their registration period agreed at their initial registration.
  • A deposit may be payable, depending on your course.
  • Additional fees for extensions to the agreed registration period may be charged and can be found below.
  • Fee eligibility at the Home/EU rate is determined with reference to UK Government regulations. As a guiding principle, EU nationals (including UK) who are ordinarily resident in the EU pay Home/EU tuition fees, all other students (including those from the Channel Islands and Isle of Man) pay Overseas fees.


For more information on funding please contact


Application Process

Career opportunities

Our MSc course and its individual modules, or equivalent, are regularly cited in job adverts for digital forensics jobs.

This highlights our real-world learning, application to the workplace and our relevance to practitioners.