IT Forensics



Mo 14-16 Uhr, Gebäude E 1.3, Saal 0.02

Beginn: 20.10.2014



Target audience

Students of computer science and related subjects. Basis knowledge in information security is helpful (e.g., knowing the definition of a cryptographic hash function).



Credit Points

3 ECTS credit points




The lecture deals with finding and evaluating legal evidence in IT systems, both for criminal prosecution and civil action.

Focus areas include:

  • Processes of IT forensics (with a focus on incidence response)
  • Analysis of storage media and file systems
  • Retrieval and analysis of RAM contents (e.g., cold boot attacks)
  • Attacks on passwords
  • (Basics of) evidence in civial actions and criminal proceedings
  • Role of technical experts in court

Exam dates

Exam dates are February 9th and April 15th.

The exam on April 15 starts at 09:15. The writing time is 1 hour and 45 minutes. No tools (calculators, mobile phones, smart watches, ...) will be allowed. If you bring something to eat or drink, make sure it does not disturb the other students. Do not use your own paper. Do not use pencils, but permanent ink (ball pen, ...). Please do not write in red.

Please do not forget to bring your student ID!


Room Assignment for the exam

The 2nd exam date is April 15th. The exam will take place in Günter-Hotz-Hörsaal (for all students).


Exam results

The exam results are available on and, respectively.


Exam review

Die Klausureinsicht zur 2. Klausur in IT-Forensik findet am Freitag, 24.4., 10:00-10:30 Uhr, in A5.4, Raum 0.14, statt.
The exam review for the 2nd IT Forensics exam takes place in A5.4, room 0.14, on Friday, April 24, 10:00-10:30 am.



The slides are available from within the university network, including VPN.

Chapter 0

Chapter 1

Chapter 2

Chapter 3

Chapter 4

Chapter 5

Chapter 6

Chapter 7

Chapter 8

Chapter 9

Chapter 10

 Examples for exam questions