Skip to main content
Till KTH:s startsida

EP2780 Digital forensics and incident response 7.5 credits

Administer About course

This course lays the foundations of digital forensics and incident response. These two areas are closely related hut still differ in key ways. Digital forensics is the use of natural science methods to answer questions that are relevant in the justice system. This can be part of a criminal investigation, but also civil recourse, e.g. through a tort. In incident response the motivation of the forensic investigations is primarily to understand how intrusions have been realized so that further exploitation can be stopped and to ensure that the attacker is not able to reestablish a foothold in the system environment after the intrusion has been eradicated.

Information per course offering

Choose semester and course offering to see current information and more about the course, such as course syllabus, study period, and application information.

Termin

Information for Autumn 2025 Start 25 Aug 2025 programme students

Course location

KTH Campus

Duration
25 Aug 2025 - 24 Oct 2025
Periods
P1 (7.5 hp)
Pace of study

50%

Application code

50319

Form of study

Normal Daytime

Language of instruction

English

Course memo
Course memo is not published
Number of places

Places are not limited

Target group

Open for all master's programmes, as long as it can be included in your programme.

Planned modular schedule
[object Object]
Schedule
Schedule is not published

Contact

Examiner
No information inserted
Course coordinator
No information inserted
Teachers
No information inserted

Course syllabus as PDF

Please note: all information from the Course syllabus is available on this page in an accessible format.

Course syllabus EP2780 (Autumn 2025–)
Headings with content from the Course syllabus EP2780 (Autumn 2025–) are denoted with an asterisk ( )

Content and learning outcomes

Course contents

The course gives the student both practical and theoretical knowledge of technologies, methods, models, laws/rules that apply at investigations of digital crimes or incidents.

For example the course covers the following:

  • The history of forensics
  • Digital forensics and digital evidence
  • The investigation process of forensics/incident response
  • Legislation and international cooperations in digital forensics
  • Standards in the area and the requirements of an organisation that works with digital forensics or incident management
  • Computer forensics
  • Forensics for embedded systems and mobile units
  • Network forensics

Intended learning outcomes

After passing the course, the student should be able to:

  • describe central concepts, models and methods in digital forensics and incident response
  • describe the differences and similarities between a forensic situation and an incident response situation
  • apply known methods for data collection and analysis in given situations
  • plan and carry out data collection and data analysis for a forensic or incident analysis
  • present and explain conclusions from a forensic analysis and an incident analysis and propose future actions
  • explain the degree of certainty of the conclusions that can be drawn from a forensic analysis
  • explain how one distinguishes between digital forensics and incident response
  • critically review and source-critically assess a forensic report and an incident management report.

Literature and preparations

Specific prerequisites

Knowledge of cyber security, 6 credits, equivalent to completed course DD2391/DD2395/IK2206/IV1013.

Literature

You can find information about course literature either in the course memo for the course offering or in the course room in Canvas.

Examination and completion

If the course is discontinued, students may request to be examined during the following two academic years.

Grading scale

A, B, C, D, E, FX, F

Examination

  • LAB1 - Laborative work, 2.0 credits, grading scale: P, F
  • QUI1 - Written quizzes, 5.5 credits, grading scale: A, B, C, D, E, FX, F

Based on recommendation from KTH’s coordinator for disabilities, the examiner will decide how to adapt an examination for students with documented disability.

The examiner may apply another examination format when re-examining individual students.

Examiner

Profile picture Hamed Nemati

Ethical approach

  • All members of a group are responsible for the group's work.
  • In any assessment, every student shall honestly disclose any help received and sources used.
  • In an oral assessment, every student shall be able to present and answer questions about the entire assignment and solution.

Further information

Course room in Canvas

Registered students find further information about the implementation of the course in the course room in Canvas. A link to the course room can be found under the tab Studies in the Personal menu at the start of the course.

Offered by

EECS/Computer Science

Main field of study

Computer Science and Engineering

Education cycle

Second cycle

Supplementary information

In this course, the EECS code of honor applies, see: http://www.kth.se/en/eecs/utbildning/hederskodex.