Digital Forensics Training - Delegate Pack

The document provides an overview of digital forensics training, outlining its importance in investigating cybercrimes and the systematic process involved, including identification, collection, examination, analysis, and presentation of digital evidence. It also covers the legal aspects of cybercrime law, detailing various offenses such as hacking, malware attacks, and data breaches, along with the international legal framework for addressing these issues. The training emphasizes the need for high-quality materials and expert instruction to ensure effective learning outcomes.

theknowledgeacademy

Digital Forensics
Training

About Us
The world's largest provider of classroom and online
training courses
 World Class Training Solutions
 Subject Matter Experts
 Highest Quality Training Material
 Accelerated Learning Techniques
 Project, Programme, and Change Management, ITIL®
Consultancy
 Bespoke Tailor Made Training Solutions
 PRINCE2®, MSP®, ITIL®, Soft Skills, and More
Course Syllabus
Module 1: Introduction 4

Module 2: Digital Forensics Process 14

Module 3: Cybercrime Law 32

Module 4: Digital Forensic Readiness 44

Module 5: Computer Forensics 58

Module 6: Challenges in Digital Forensics 69


Module 1: Introduction
 Digital Forensics
 Forensic Science
 Digital Evidence

Digital Forensics
 Digital forensics, also known as computer forensics or cyber forensics, is a specialised field of forensic science
that focuses on the investigation, recovery, analysis, and preservation of electronic data. It plays a critical role in
investigating and solving cybercrimes, fraud, data breaches, and other computer-related incidents.

 The following are the key aspects of digital forensics:

1. Data Recovery
2. Evidence Preservation
3. Data Analysis
4. Malware Analysis
5. Network Forensics
6. Mobile Device Forensics

Digital Forensics
1. Data Recovery

 Digital forensic experts use specialised tools and techniques to recover data from various digital devices,
including computers, smartphones, tablets, servers, and storage media.

2. Evidence Preservation

 It is crucial to preserve the integrity of digital evidence to ensure it remains admissible in a court of law. Digital
forensic professionals follow strict protocols to protect and document the chain of custody for digital evidence.

3. Data Analysis

 Once data is recovered, forensic analysts examine it for signs of criminal activity or misuse. They look for digital
artefacts, such as timestamps, metadata, and file structures, to reconstruct events and actions taken on digital
devices.

Digital Forensics
4. Malware Analysis

 In cases involving computer viruses or other malware, digital forensics experts analyse the malicious code to
understand its functionality, origins, and impact on the compromised systems.

5. Network Forensics

 This subfield involves monitoring and analysing network traffic to identify security breaches, unauthorised
access, and cyberattacks. It is especially important for investigating incidents like data breaches and hacking.

6. Mobile Device Forensics

 Digital forensic professionals specialise in extracting and analysing data from mobile devices like smartphones
and tablets. This can include call logs, text messages, GPS data, and application usage.

Forensic Science
 Forensic science is a multidisciplinary field of science that involves the application of various scientific principles
and techniques to investigate and solve crimes.

 It plays a crucial role in the criminal justice system by providing scientific evidence and analysis to help law
enforcement agencies, lawyers, and courts in the investigation, prosecution, and defence of criminal cases.

 The following are some key aspects of forensic science:

1. Evidence Analysis
2. Crime Scene Investigation
3. Toxicology
4. Ballistics
5. Digital Forensics

Forensic Science
1. Evidence Analysis

 Forensic scientists analyse physical evidence collected from crime scenes, such as DNA, fingerprints, hair, fibres,
blood, firearms, and drugs. They use specialised techniques and instruments to examine and compare these
pieces of evidence to establish links between suspects, victims, and crime scenes.

2. Crime Scene Investigation

 Forensic experts are often involved in the collection, preservation, and documentation of evidence at crime
scenes. They carefully record the details of the scene to maintain the integrity of the evidence.

3. Toxicology

 Toxicologists study substances like drugs, alcohol, and poisons in biological samples to determine if they played
a role in a crime, accident, or death.

Forensic Science
4. Ballistics

 Ballistic experts examine firearms, ammunition, and projectiles to determine the source of bullets or shell casings
found at crime scenes. They can match these with specific firearms.

5. Digital Forensics

 This branch deals with the recovery and analysis of digital data from computers, smartphones, and other electronic
devices.

 It is often used to uncover digital evidence related to cybercrimes, fraud, and other computer-related offenses.

Digital Evidence
 Digital evidence refers to any information or data that is stored or transmitted in a digital format and can be
used as evidence in legal proceedings, investigations, or disputes.

 The following are some examples of digital evidence:

1. Electronic Documents
2. Multimedia Files
3. Databases
4. Social Media Data
5. Computer Logs
6. Metadata

Digital Evidence
1. Electronic Documents

 These include text documents, spreadsheets, presentations, and other types of files created and stored
electronically. Digital evidence can include emails, chat logs, and any text-based communication.

2. Multimedia Files

 Digital evidence can consist of images, audio recordings, videos, and animations. These may be relevant in cases
involving visual or audio evidence, such as surveillance footage or recorded phone conversations.

3. Databases

 Information stored in electronic databases, such as customer records, financial transactions, or inventories, can
be used as digital evidence in cases related to fraud, embezzlement, or data breaches.

Digital Evidence
4. Social Media Data

 Content from social media platforms, including posts, comments, messages, and profiles, can be collected as
digital evidence in cases involving cyberbullying, harassment, defamation, or criminal activities.

5. Computer Logs

 Log files generated by computer systems, networks, or applications can provide a detailed record of system
activities, user actions, and security incidents. These logs can be valuable in cybersecurity investigations.

6. Metadata

 Metadata is data about data and can include information about when a file was created, modified, and
accessed, as well as who created it.

Module 2: Digital Forensics Process
 Introduction
 Identification Phase
 Collection Phase
 Examination Phase
 Analysis Phase
 Presentation Phase

Introduction
 Digital forensics is a systematic and methodical process used to
investigate and analyse digital devices and data to uncover
evidence for legal purposes. This process typically involves
several key steps.

 Firstly, identification and preservation, where potential evidence is identified, isolated, and secured to prevent
tampering.

 Secondly, the acquisition phase, where data is collected from the identified sources using forensically sound
techniques.

 Next comes the examination phase, where experts analyse the acquired data for relevant information.

Introduction
(Continued)

 Following that, the analysis phase involves interpreting the findings to draw conclusions and generate reports.

 Lastly, the presentation of findings to legal authorities or in a court of law is a crucial step in the digital
forensics process, where the evidence collected is presented in a clear and compelling manner to support
investigations and legal proceedings.

 This process plays a pivotal role in solving cybercrimes and maintaining the integrity of digital evidence.

Identification Phase
 The identification phase in digital forensics is the initial step in the investigative process. During this phase,
forensic investigators identify potential sources of digital evidence that may be relevant to a case.

 The following are key activities in the identification phase:

1. Case Assessment
2. Evidence Identification
3. Data Sources
4. Documentation
5. Legal Compliance

Identification Phase
1. Case Assessment

 Forensic experts assess the nature of the case, its scope, and the potential digital evidence involved. They
collaborate with legal authorities and stakeholders to understand the specific objectives of the investigation.

2. Evidence Identification

 Investigators identify digital devices and storage media that could contain relevant information, such as
computers, mobile phones, servers, external hard drives, or cloud accounts.

3. Data Sources

 They pinpoint potential data sources, including files, emails, logs, databases, and communication records, which
may hold crucial information related to the case.

Identification Phase
4. Documentation

 Proper documentation is essential in this phase. Investigators document the location and condition of digital
evidence, take photographs, and create an initial inventory to maintain a chain of custody.

5. Legal Compliance

 It is important to ensure that the identification process adheres to legal and ethical standards, respecting privacy
rights and obtaining necessary warrants or permissions when required.

Collection Phase
 The collection phase in digital forensics is a critical step that follows the identification phase and involves the
systematic gathering of digital evidence from the identified sources.

 The following are the key aspects of the collection phase:

1. Evidence Preservation
2. Forensically Sound Methods
3. Data Imaging
4. Chain of Custody
5. Logs and Documentation

Collection Phase
1. Evidence Preservation

 Before collecting any data, investigators take measures to ensure the preservation of evidence. This includes
securing the physical integrity of devices and data to prevent any alteration, damage, or loss.

2. Forensically Sound Methods

 Collection is performed using forensically sound techniques and tools that maintain the integrity of the
evidence. This ensures that the collected data will be admissible in court and stands up to legal scrutiny.

3. Data Imaging

 Investigators create exact, bit-for-bit copies (forensic images) of storage media, such as hard drives, USB drives,
or mobile phones, and record a cryptographic hash of each image so that its integrity can be verified later. All
analysis is performed on the image, leaving the original data untouched.

Collection Phase
4. Chain of Custody

 Maintaining a secure chain of custody is essential. This involves documenting who handled the evidence, when,
and for what purpose, ensuring that it can be traced and verified throughout the investigation.

5. Logs and Documentation

 Detailed records are kept of the collection process, including the date, time, location, and individuals involved.
Any challenges or issues encountered during collection are documented.
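The imaging, verification and chain-of-custody steps above, as an added example written for this page (it is not code from the course or from any forensic tool). It reads a constructed byte string standing in for a raw block device, copies it block by block while hashing, re-hashes the copy independently, and records each handling step in a custody log; the examiner name and the note text are assumptions.

```python
"""Added example: forensically sound acquisition of a constructed 'device'
with acquisition/verification hashing and a chain-of-custody log."""
import hashlib
from datetime import datetime, timezone

# Constructed sample device contents standing in for a raw disk (not real data).
SAMPLE_DEVICE = (b"MBR\x00" * 128 + b"\x00" * 512
                 + b"evidence: invoice_2023.pdf\n" + b"\xff" * 256)
BLOCK_SIZE = 512


def acquire_image(device: bytes, block_size: int = BLOCK_SIZE):
    """Copy the source block by block (as dd/dc3dd would) and hash every byte
    as it is read. Returns (image_bytes, acquisition_sha256)."""
    h = hashlib.sha256()
    out = bytearray()
    for off in range(0, len(device), block_size):
        block = device[off:off + block_size]  # last block may be partial
        h.update(block)
        out.extend(block)
    return bytes(out), h.hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Independently re-hash the image. A mismatch means the copy is not an
    exact duplicate of the source and must not be used for analysis."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def custody_entry(action: str, handler: str, sha256: str, note: str = "") -> dict:
    """One chain-of-custody record: who did what, when, and the hash at that time."""
    return {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "handler": handler,
        "sha256": sha256,
        "note": note,
    }


def acquire_with_custody(device: bytes, examiner: str = "J. Doe (badge 0417)"):
    """Acquire, verify, and log. The examiner identity is an assumed placeholder."""
    image, acq_hash = acquire_image(device)
    log = [custody_entry("acquired", examiner, acq_hash,
                         "hardware write blocker in place; source mounted read-only")]
    ok = verify_image(image, acq_hash)
    log.append(custody_entry("verified", examiner, hashlib.sha256(image).hexdigest(),
                             "verification hash matches acquisition hash" if ok
                             else "HASH MISMATCH - image rejected"))
    return image, acq_hash, ok, log


if __name__ == "__main__":
    _, digest, verified, entries = acquire_with_custody(SAMPLE_DEVICE)
    print("sha256:", digest, "verified:", verified)
    for e in entries:
        print(e)
```

The verification hash is computed by a separate call rather than reused from acquisition so that a silent copy error would surface as a mismatch; in practice the same principle applies when the verification is run with a different tool from the one that imaged the device.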

Examination Phase
 The examination phase in digital forensics is a crucial step in the investigative process where forensic experts
analyse the collected digital evidence in detail.

 The examination phase involves several key activities:

1. Data Recovery
2. Keyword and Pattern Search
3. Timeline Analysis
4. File Carving
5. Artefact Examination
6. Hash Analysis

Examination Phase
1. Data Recovery

 Forensic tools and techniques are used to extract and recover hidden, deleted, or encrypted data from the
acquired forensic images. This may include text documents, images, videos, emails, chat logs, and other digital
artifacts.

2. Keyword and Pattern Search

 Investigators employ search algorithms to identify specific keywords, phrases, or patterns that are relevant to
the case. This helps in locating critical information quickly.

3. Timeline Analysis

 Investigators construct a chronological timeline of events by analysing timestamps, file access logs, and other
metadata associated with digital evidence. This can provide insights into the sequence of actions taken by a
suspect.

Examination Phase
4. File Carving

 File carving recovers files from raw data by their content signatures (for example, known header and footer byte
sequences) rather than from file system metadata. It is used for deleted files, file fragments, and damaged storage
media where the file system structures are missing or unreliable.

5. Artifact Examination

 Investigators focus on specific digital artifacts, such as internet browsing history, registry entries, and chat logs,
to uncover evidence related to the case.

6. Hash Analysis

 Cryptographic hash values (for example, MD5 or SHA-256) of files are computed and compared against reference hash
sets of files with known provenance. Matches identify known files (known-good system files can be excluded from
review, known-bad files flagged), while a mismatch against a previously recorded hash shows that a file or image has
been altered.
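File carving and hash analysis together, as an added example written for this page (not course code or a real carver). The JPEG and PNG header/footer signatures are the real byte sequences that tools such as foremost and scalpel use; the raw image buffer and the "known-bad" hash set are constructed for the demonstration, and the carve is bounded so a missing footer cannot swallow the rest of the image.

```python
"""Added example: signature-based file carving over a constructed raw image,
followed by matching the carved files against a hash set."""
import hashlib

# Real header/footer signatures for two common file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed "files" and a constructed raw image with no file system metadata:
# two files separated by slack/unallocated space.
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"JFIF-body-" * 3 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR-body-" * 3 + b"IEND\xaeB`\x82"
RAW_IMAGE = b"\x00" * 64 + FAKE_JPG + b"\x00" * 37 + FAKE_PNG + b"\x00" * 20


def carve(image: bytes, signatures=SIGNATURES, max_size: int = 10_000_000):
    """Find every header, then carve up to and including the first footer that
    follows it within max_size bytes. A header with no footer in range is
    skipped rather than carved to end-of-image."""
    found = []
    for kind, (hdr, ftr) in signatures.items():
        pos = image.find(hdr)
        while pos != -1:
            end = image.find(ftr, pos + len(hdr), pos + max_size)
            if end == -1:
                break  # truncated or fragmented: no usable footer
            data = image[pos:end + len(ftr)]
            found.append({
                "type": kind,
                "offset": pos,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            pos = image.find(hdr, end + len(ftr))
    return sorted(found, key=lambda f: f["offset"])


# Constructed hash set. In practice this would be a known-good set such as the
# NSRL (to exclude files) or a known-bad/IOC set (to flag files).
KNOWN_BAD = {hashlib.sha256(FAKE_PNG).hexdigest(): "exfil-tool.png (constructed)"}


def match_hashes(carved, hashset):
    """Return (offset, type, label) for every carved file whose hash is in the set."""
    return [(f["offset"], f["type"], hashset[f["sha256"]])
            for f in carved if f["sha256"] in hashset]


if __name__ == "__main__":
    files = carve(RAW_IMAGE)
    for f in files:
        print(f)
    print("hash-set hits:", match_hashes(files, KNOWN_BAD))
```

Header/footer carving is the simplest form; real carvers also validate internal structure (for example PNG chunk lengths and CRCs) to reject false positives, which this example does not do.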

Analysis Phase
 The analysis phase in digital forensics is a pivotal step that follows the examination of collected digital evidence.
During this phase, forensic experts delve deeper into the data to draw meaningful conclusions and insights.

 The following are the key components of the analysis phase:

Data Correlation Pattern Recognition Anomaly Detection

Contextualisation Hypothesis Testing

Analysis Phase
1. Data Correlation

 Investigators continue to correlate and link data points, establishing connections and relationships between
different pieces of digital evidence. This helps in building a comprehensive understanding of the case.

2. Pattern Recognition

 Analysts look for recurring patterns or trends within the data that may reveal important information, such as
suspect behavior or timelines of events.

3. Anomaly Detection

 Unusual or suspicious activities are identified by comparing the data to baseline or normal behavior. Anomalies
can point to areas of interest or potential evidence.

Analysis Phase
4. Contextualisation

 Investigators place the evidence within the context of the case, considering the broader circumstances, motives,
and intentions of the involved parties.

5. Hypothesis Testing

 Analysts formulate hypotheses and test them against the available evidence. This iterative process helps in
validating or refuting investigative theories.
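Timeline construction, data correlation and anomaly detection run over sample log lines, as an added example written for this page (not from the course). The two log sources, their line format, the business-hours baseline and the known source network are all constructed assumptions; the logic merges the sources into one timeline, attributes file activity to the login session it occurred in, and flags sessions that deviate from the baseline.

```python
"""Added example: unified timeline, session correlation and baseline-based
anomaly detection over constructed authentication and file-access logs."""
import ipaddress
from datetime import datetime, time

# Constructed logs. Assumed line format: "<ISO time> <user> <event> <detail>".
AUTH_LOG = """\
2023-10-02T08:55:12 alice login src=10.0.0.12
2023-10-02T17:41:03 alice logout src=10.0.0.12
2023-10-03T02:14:40 alice login src=203.0.113.7
2023-10-03T02:31:55 alice logout src=203.0.113.7
"""
FILE_LOG = """\
2023-10-02T10:02:11 alice read fs01/finance/q3.xlsx
2023-10-03T02:16:02 alice read fs01/finance/payroll.xlsx
2023-10-03T02:22:48 alice copy fs01/finance/payroll.xlsx -> E:/
"""

# Baseline (assumed to come from prior observation of normal behaviour).
BUSINESS_HOURS = (time(7, 0), time(20, 0))
KNOWN_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def parse(log: str, source: str):
    """Turn one log source into event dicts with real datetime objects."""
    events = []
    for line in log.splitlines():
        ts, user, event, detail = line.split(" ", 3)
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "event": event, "detail": detail, "source": source})
    return events


def build_timeline(*logs):
    """Merge all sources into one chronologically ordered timeline."""
    return sorted((e for log in logs for e in log), key=lambda e: e["time"])


def sessions(timeline):
    """Correlate: attach each non-auth event to the open login session of its user."""
    closed, open_ = [], {}
    for e in timeline:
        if e["event"] == "login":
            open_[e["user"]] = {"login": e, "activity": []}
        elif e["event"] == "logout" and e["user"] in open_:
            closed.append(open_.pop(e["user"]))
        elif e["user"] in open_:
            open_[e["user"]]["activity"].append(e)
    closed.extend(open_.values())  # sessions with no logout seen
    return closed


def anomalies(sessions_):
    """Compare each session against the baseline and return the deviations."""
    flags = []
    for s in sessions_:
        login = s["login"]
        t = login["time"].time()
        src = ipaddress.ip_address(login["detail"].split("src=", 1)[1])
        reasons = []
        if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
            reasons.append("login outside business hours")
        if not any(src in net for net in KNOWN_NETS):
            reasons.append(f"login from unrecognised source {src}")
        if any(a["event"] == "copy" for a in s["activity"]):
            reasons.append("file copied to external path during session")
        if reasons:
            flags.append({"login_time": login["time"].isoformat(),
                          "user": login["user"], "reasons": reasons})
    return flags


def investigate():
    tl = build_timeline(parse(AUTH_LOG, "auth"), parse(FILE_LOG, "file"))
    return anomalies(sessions(tl))


if __name__ == "__main__":
    for flag in investigate():
        print(flag)
```

The value of the session step is that the file copy is not suspicious on its own; it becomes evidence once it is tied to a login at 02:14 from outside the known network, which is the kind of correlated finding an analyst would then test as a hypothesis against further sources.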

Presentation Phase
 The presentation phase in digital forensics is the final step in the investigative process, where the findings and
results of the analysis and examination phases are organised and presented to legal authorities, stakeholders, or
in a court of law. This phase is essential for conveying the evidence in a clear and compelling manner.

 The following are the essential elements of the presentation phase:

1. Report Generation
2. Visual Aids
3. Expert Testimony
4. Chain of Custody Documentation
5. Relevance and Admissibility

Presentation Phase
1. Report Generation

 Forensic experts prepare comprehensive reports that document all relevant findings, including the
methodology used, evidence collected, analysis process, and conclusions drawn. These reports serve as a
crucial reference for legal proceedings.

2. Visual Aids

 Visual aids, such as charts, graphs, timelines, and diagrams, are often used to help illustrate complex technical
information and make it more accessible to the audience.

3. Expert Testimony

 In legal proceedings, forensic experts may be called upon to provide expert testimony to explain their findings,
methodologies, and the significance of the evidence.

Presentation Phase
4. Chain of Custody Documentation

 The presentation phase includes documentation of the chain of custody, ensuring that the evidence's handling and
integrity are clearly established and verifiable.

5. Relevance and Admissibility

 Forensic experts must address any challenges to the relevance or admissibility of the evidence raised by opposing
parties. They may be required to justify their methods and procedures.

Module 3: Cybercrime Law
 Introduction
 International Legal Framework of Cybercrime Law
 Digital Crime – Substantive Criminal Law
 Investigation Methods for Collecting Digital Evidence
 International Cooperation to Collect Digital Evidence

Introduction
 Cybercrime law is a body of law that deals with crimes committed using computers or the internet. It is a
relatively new field of law, as cybercrime has only become a major problem in recent decades.

 Cybercrime laws vary from country to country, but they typically address a wide range of offenses, including:

1. Hacking and Computer Intrusion
2. Malware Attacks
3. Data Breaches
4. Online Fraud
5. Cyberbullying and Harassment

Introduction
1. Hacking and Computer Intrusion: Gaining unauthorised access to a computer system or network.

2. Malware Attacks: Deploying malware, such as viruses, Trojans, and ransomware, to damage or disable computers
and networks.

3. Data Breaches: Stealing or compromising sensitive data, such as personal information, financial data, or
intellectual property.

4. Online Fraud: Using computers or the internet to commit fraud, such as phishing scams, identity theft, and credit
card fraud.

5. Cyberbullying and Harassment: Using computers or the internet to bully, harass, or intimidate others.

International Legal Framework of Cybercrime Law
 The international legal framework for addressing cybercrime is primarily built upon a combination of treaties,
conventions, and agreements that facilitate cooperation among countries to combat cybercrimes that cross
national borders.

 Below are some key elements of the international legal framework for cybercrime:

 Interpol
 European Union (EU) Legislation
 Mutual Legal Assistance Treaties
 Law Enforcement Cooperation
 Cybersecurity Initiatives

Digital Crime – Substantive Criminal Law
 Digital crime, often referred to as cybercrime or computer crime, encompasses a wide range of illegal activities that
involve the use of computers, computer networks, or digital technologies as tools or targets of criminal conduct.

 Substantive criminal law refers to the body of laws that define specific criminal offenses and prescribe the
punishments for those offenses.

 Substantive criminal law addresses various offenses related to computer systems, networks, and digital data.

Digital Crime – Substantive Criminal Law
(Continued)

 Below are some common categories of digital crimes under substantive criminal law:

1. Unauthorised Access and Hacking
2. Malware and Computer Virus Distribution
3. Identity Theft and Fraud
4. Data Breaches and Unauthorised Data Access
5. Online Harassment and Cyberbullying
6. Online Child Exploitation

Digital Crime – Substantive Criminal Law
1. Unauthorised Access and Hacking

 Unauthorised access to computer systems or networks, often referred to as hacking, is a significant digital crime.

 This includes activities such as breaking into computer systems, stealing login credentials, or exploiting
vulnerabilities to gain unauthorised access. Laws related to hacking vary from jurisdiction to jurisdiction.

2. Malware and Computer Virus Distribution

 Creating, distributing, or deploying malware, viruses, ransomware, or other malicious software with the intent
to damage or compromise computer systems or data is a criminal offense in many jurisdictions.

 These actions can lead to charges of computer intrusion, data theft, or computer sabotage.

Digital Crime – Substantive Criminal Law
3. Identity Theft and Fraud

 Digital criminals may engage in identity theft or online fraud to steal personal information, financial data, or
credit card details for illicit purposes.

 Laws related to identity theft and fraud cover activities like phishing, credit card fraud, and identity fraud.

4. Data Breaches and Unauthorised Data Access

 Breaching the security of databases or systems to steal sensitive data, such as personal information, trade
secrets, or classified government information, is a common digital crime.

 Laws related to data breaches often impose strict penalties.

Digital Crime – Substantive Criminal Law
5. Online Harassment and Cyberbullying

 Cyberbullying and online harassment involve using digital platforms to intimidate, threaten, or harm individuals
or groups.

 These actions may lead to charges of cyberstalking, online harassment, or online defamation, depending on the
jurisdiction.

6. Online Child Exploitation

 The dissemination, possession, or creation of explicit materials involving minors is a grave offense. Laws
governing child exploitation are designed to protect minors from digital predators.

Investigation Methods for Collecting Digital Evidence
 Investigation methods for collecting digital evidence vary depending on the type of device or system being
investigated and the specific evidence being sought.

 There are some general principles that should be followed when collecting digital evidence, including:

1. Chain of Custody
2. Preservation of Evidence
3. Collection of all Relevant Evidence

International Cooperation to Collect Digital Evidence
 International cooperation to collect digital evidence is essential for combating cybercrime, which is increasingly
borderless in nature.

 When a cybercrime is committed, the perpetrators and the evidence may be located in different countries. This
can make it difficult for law enforcement agencies to investigate and prosecute cybercrimes on their own.

 There are a number of ways that countries can cooperate to collect digital evidence, including:

1. Mutual Legal Assistance Treaties
2. Executive Agreements
3. International Organisations

International Cooperation to Collect Digital Evidence
1. Mutual Legal Assistance Treaties (MLATs)

 MLATs are treaties between two countries that allow them to cooperate on legal matters, including the
collection of digital evidence. MLATs typically establish a procedure for one country to request assistance from
another country in collecting digital evidence.

2. Executive Agreements

 Executive agreements are agreements between two countries that are negotiated and signed by the heads of
state or government. Executive agreements can be used to establish cooperation on a wide range of issues,
including the collection of digital evidence.

3. International Organisations

 International organisations like UNODC and the Council of Europe are vital for global cooperation on cybercrime.
They offer training and support to law enforcement worldwide and establish international standards for fighting
cybercrime.

Module 4: Digital Forensic Readiness
 Definition
 Law Enforcement Vs Enterprise Digital Forensic Readiness
 Why a Rationale for Digital Forensic Readiness?
 Frameworks, Standards, and Methodologies
 Becoming Digital Forensic Ready
 Enterprise Digital Forensic Readiness
 Consideration for Law Enforcement

Definition
 Digital Forensic Readiness is a strategic approach that organisations adopt to prepare for cyber incidents and
security breaches.

 It involves the development of policies, procedures, and technical capabilities to effectively collect, preserve, and
analyse digital evidence in a legally compliant manner.

 By establishing robust incident response plans, personnel training, and the necessary technology infrastructure,
Digital Forensic Readiness enables organisations to minimise the impact of cyberattacks and enhance their ability to
investigate and prosecute cybercriminals.

 This proactive readiness is crucial in today's digital landscape, helping organisations safeguard their data and
maintain the integrity of digital evidence in legal proceedings.

Law Enforcement Vs Enterprise Digital Forensic Readiness
Law Enforcement Digital Forensic Readiness

1. Objective: The primary goal of law enforcement digital forensic readiness is to prepare and equip law
enforcement agencies with the necessary tools and processes to investigate and gather digital evidence in
criminal cases. This includes activities such as cybercrime investigations, counter-terrorism efforts, and forensic
analysis in criminal proceedings.

2. Focus: Law enforcement digital forensic readiness centers on the legal aspects of evidence collection, adherence
to chain of custody, and maintaining the integrity of digital evidence for court purposes.

3. Challenges: Challenges in this context often revolve around strict legal requirements, preserving evidence for
prosecution, and maintaining the confidentiality and security of sensitive information.

Law Enforcement Vs Enterprise Digital Forensic Readiness
Enterprise Digital Forensic Readiness

1. Objective: Enterprise digital forensic readiness aims to prepare organisations, businesses, and enterprises to
effectively respond to and recover from digital incidents and breaches. This is critical for safeguarding sensitive
data, maintaining business continuity, and mitigating the impact of cybersecurity threats.

2. Focus: The focus of enterprise digital forensic readiness is on protecting corporate assets, intellectual property,
and customer data. It involves implementing incident response plans, monitoring systems for anomalies, and
gathering evidence for internal investigations or legal actions, such as lawsuits or regulatory compliance.

3. Challenges: Challenges often involve balancing the need for security with business operations, complying with
data privacy regulations, and ensuring that incident response procedures are well-defined and efficient.

Why a Rationale for Digital Forensic Readiness?
 The rationale for digital forensic readiness is grounded in the growing importance of digital evidence and the
need for organisations and law enforcement agencies to effectively respond to digital incidents and cybercrimes.

 Below are several key reasons why digital forensic readiness is crucial:

1. Digital Transformation
2. Increasing Cyber Threats
3. Legal and Regulatory Compliance
4. Preserving Evidence
5. Effective Incident Response

Why a Rationale for Digital Forensic Readiness?
1. Digital Transformation

 In today's digital age, organisations and individuals rely heavily on digital technology. Business operations,
personal communications, financial transactions, and critical infrastructure are all digitised.

 This makes digital evidence a valuable resource in investigations, legal proceedings, and incident response.

2. Increasing Cyber Threats

 The prevalence and sophistication of cyber threats, including cyberattacks, data breaches, and online fraud, have
been steadily rising.

 These incidents can result in significant financial losses, reputation damage, and legal consequences. Digital
forensic readiness helps organisations and law enforcement agencies investigate and mitigate these threats
effectively.

Why a Rationale for Digital Forensic Readiness?
3. Legal and Regulatory Compliance

 Many industries and jurisdictions have enacted regulations and laws that require organisations to protect
sensitive data, report data breaches, and cooperate with law enforcement in investigations. Digital forensic
readiness ensures compliance with these legal requirements.

4. Preserving Evidence

 Digital evidence is highly volatile and can be easily tampered with or lost if not properly preserved. Digital
forensic readiness involves establishing procedures and tools for the proper preservation of evidence, ensuring
its admissibility in court.

5. Effective Incident Response

 Rapid response to security incidents is critical to minimise damage and prevent further compromise. Digital
forensic readiness includes having an incident response plan in place, which enables organisations to contain,
investigate, and recover from security incidents efficiently.

Frameworks, Standards, and Methodologies
Frameworks

 A framework is a high-level, conceptual structure that provides a foundation for developing specific strategies,
processes, or systems.

 Frameworks are often broad and flexible, offering a set of guidelines, principles, and best practices to guide
decision-making and problem-solving.

 They do not prescribe specific steps but serve as a scaffolding upon which organisations or individuals can build
tailored solutions.

 Frameworks are adaptable and can be applied to various situations and industries.

Frameworks, Standards, and Methodologies
Standards

 Standards are specific, well-defined guidelines, specifications, or criteria established to ensure consistency,
quality, and interoperability in various processes, products, or services.

 They are often developed and maintained by standard-setting organisations, industry groups, or government
agencies.

 Standards can be mandatory or voluntary, depending on their purpose and adoption.

 Compliance with standards may be required by law or contract, or it can be a choice to enhance quality and
marketability.

Frameworks, Standards, and Methodologies
Methodologies

 Methodologies are systematic, step-by-step approaches or sets of practices used to solve specific problems,
achieve goals, or complete tasks efficiently and effectively.

 They are more prescriptive and detailed than frameworks and standards, providing specific instructions and
processes to follow.

 Methodologies are often tailored to a particular domain, industry, or project type.

 They are particularly valuable in project management, research, software development, and other fields where a
structured approach is crucial.

Becoming Digital Forensic Ready
 To become digital forensic ready, organisations should take the following steps:

1. Identify their Digital Assets: This includes identifying all of the devices and systems that contain digital data, as
well as the types of data that are stored on those devices and systems.

2. Assess their Digital Forensic Capabilities: This includes identifying the skills, knowledge, and tools that the
organisation has in place to collect, preserve, and analyse digital evidence.

3. Develop a Digital Forensic Readiness Plan: This plan should document the organisation's digital assets, digital
forensic capabilities, and procedures for responding to digital forensic incidents.

4. Implement the Digital Forensic Readiness Plan: This includes training employees on the plan and testing the
plan on a regular basis.

Enterprise Digital Forensic Readiness
 Enterprise digital forensic readiness (DFR) is the ability of an organisation to collect, preserve, and analyse digital
evidence in a forensically sound manner whenever an incident occurs. This includes having the necessary
policies, procedures, tools, and training in place.

 Enterprise DFR programs typically focus on the following areas:

• Identifying Digital Evidence
• Collecting Digital Evidence
• Preserving Digital Evidence
• Analysing Digital Evidence

Enterprise Digital Forensic Readiness (Continued)

• Identifying Digital Evidence: Organisations must be able to identify all of the potential sources of digital
evidence within their organisation. This includes devices such as computers, smartphones, tablets, and servers,
as well as cloud storage services and social media platforms.

• Collecting Digital Evidence: Organisations must be able to collect digital evidence from a variety of sources in a
forensically sound manner. This means that the evidence must be collected in a way that preserves its integrity
and admissibility in court.

• Preserving Digital Evidence: Organisations must be able to preserve digital evidence in a forensically sound
manner until it is needed for an investigation or trial. This means that the evidence must be stored in a secure
and reliable manner.

• Analysing Digital Evidence: Organisations must be able to analyse digital evidence to extract relevant
information, such as the source of a security incident, the identity of a perpetrator, or evidence of employee
misconduct.

Consideration for Law Enforcement
 Consideration for law enforcement refers to the respect, empathy, and understanding that individuals,
communities, and institutions should show towards police officers and the challenges they face in their line of
duty.

 It involves recognising the importance of law enforcement in maintaining public safety, upholding the rule of
law, and protecting communities from crime and harm.

 This consideration includes fostering positive interactions with law enforcement, following legal guidelines, and
cooperating with officers during investigations.

 At the same time, it also means holding law enforcement agencies accountable for any misconduct and
advocating for fair and just policing practices that prioritise community safety and individual rights.

 Balancing the need for effective law enforcement with respect for civil liberties is a key aspect of consideration
for law enforcement.

Module 5: Computer Forensics

 Introduction
 Evidence Collection
 Examination
 Analysis

Introduction
 Computer forensics is a specialised field within digital
investigation that focuses on the collection, preservation,
analysis, and presentation of electronic evidence from
computers and digital devices.

 It plays a crucial role in uncovering and understanding cybercrimes, data breaches, and unauthorised digital activities.

 Computer forensic experts use advanced techniques and tools to examine hard drives, memory, network traffic, and software
applications to trace digital footprints and recover deleted data.

 This discipline is vital in legal proceedings, cybersecurity, and incident response.

Evidence Collection
 Evidence collection is a critical phase in computer forensics, ensuring the preservation of digital evidence for
analysis and legal proceedings.

 The following are the considerations in evidence collection:

01 Identification
02 Preservation
03 Chain of Custody
04 Documentation
05 Handling
06 Authentication

Evidence Collection
1. Identification

 Identify the scope of the investigation and the specific evidence needed. This involves understanding the nature
of the case and the relevant digital assets, such as computers, servers, and storage devices.

2. Preservation

 Ensure the integrity and original state of the evidence by taking steps to prevent any alteration or damage. This
includes creating a forensic image or clone of the storage media using specialised tools to maintain a bit-for-bit
copy.

3. Chain of Custody

 Maintain a meticulous record of who had custody of the evidence at all times. This establishes a clear and
unbroken chain of custody, which is essential for legal admissibility.

Evidence Collection
4. Documentation

 Document the physical state of the device, including labels, serial numbers, and any physical damage. Record
the date, time, and location of evidence collection. Keep detailed notes throughout the process.

5. Handling

 Use appropriate precautions when handling evidence to prevent contamination or tampering. Use static-free
bags and anti-static precautions for storage media. Maintain evidence in a secure and controlled environment.

6. Authentication

 Ensure that the evidence collected can be authenticated in court. This involves demonstrating that the evidence
has not been tampered with and that it is relevant to the case.
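The preservation, chain-of-custody and authentication steps above come together in a small acquisition script. The following is an added example, not code from the training pack or from any forensic product: it makes a bit-for-bit copy of a constructed "media" file, hashes source and image with SHA-256 before and after copying, keeps an append-only custody log, and then shows the re-verification failing once a single byte of the image is altered. The case identifier, item number, examiner name and file names are all constructed for the demonstration.

```python
"""Added example: imaging, hash verification and a chain-of-custody log.
All identifiers (case, item, custodians) and the media content are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read media in 1 MiB chunks so large images never sit in RAM


def sha256_of(path):
    """Stream the file through SHA-256; used at acquisition and at every re-verification."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Create a bit-for-bit copy of `source` at `image` and return an acquisition record.
    The source is hashed first, then the image; they must match for the image to count
    as a faithful copy."""
    src_hash = sha256_of(source)
    with open(source, "rb") as s, open(image, "wb") as d:
        shutil.copyfileobj(s, d, CHUNK)
    img_hash = sha256_of(image)
    return {
        "source": source, "image": image,
        "source_sha256": src_hash, "image_sha256": img_hash,
        "size_bytes": os.path.getsize(image),
        "verified": src_hash == img_hash,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


class ChainOfCustody:
    """Append-only custody log: every handling step records who, what, when and why."""

    def __init__(self, item_id, sha256):
        self.item_id = item_id
        self.sha256 = sha256          # acquisition hash the item is always checked against
        self.entries = []

    def record(self, action, custodian, note=""):
        self.entries.append({
            "item": self.item_id, "action": action, "custodian": custodian,
            "note": note, "at": datetime.now(timezone.utc).isoformat(),
        })

    def verify(self, image_path):
        """Re-hash the image, compare with the acquisition hash and log the outcome."""
        ok = sha256_of(image_path) == self.sha256
        self.record("verify", "system", "hash match" if ok else "HASH MISMATCH")
        return ok

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def demo():
    """Run the full flow on constructed media.
    Returns (acquisition verified, verify before tamper, verify after tamper, log entries)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "usb-stick.bin")            # constructed media
    image = os.path.join(workdir, "CASE-0001-item-01.dd")       # constructed item name
    with open(source, "wb") as f:                               # 3 MiB of repeating bytes
        f.write(bytes(range(256)) * (3 * 4096))
    rec = acquire_image(source, image)
    coc = ChainOfCustody("CASE-0001/item-01", rec["image_sha256"])
    coc.record("acquire", "examiner A", f"imaged from {os.path.basename(source)}")
    coc.record("transfer", "evidence locker", "sealed in anti-static bag")
    intact = coc.verify(image)
    with open(image, "r+b") as f:                               # simulate one altered byte
        f.seek(100)
        f.write(b"\x00")
    after_tamper = coc.verify(image)
    shutil.rmtree(workdir)
    return rec["verified"], intact, after_tamper, len(coc.entries)


if __name__ == "__main__":
    print(demo())
```

The custody log is deliberately write-only from the examiner's point of view: nothing in the class edits or deletes an entry, and every verification, successful or not, is itself logged, which is what a court will want to see alongside the matching hashes.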

Examination
 The examination phase in computer forensics is a critical step where investigators analyse the digital evidence
collected during the evidence collection phase.

 The following is an overview of the examination phase in computer forensics:

01 Data Recovery
02 Data Analysis
03 Keyword and Pattern Searches
04 Timeline Reconstruction

Examination
1. Data Recovery

 Forensic experts work to recover deleted, hidden, or encrypted data from the acquired digital evidence.

 Specialised tools and techniques are employed to extract information that may not be readily visible.

2. Data Analysis

 Investigators examine the recovered data, paying attention to file attributes, timestamps, and metadata.

 They analyse file structures and relationships to understand how data is stored and organised.

Examination
3. Keyword and Pattern Searches

 Investigators perform keyword searches to identify relevant documents or communication.

 This can involve searching for specific terms, phrases, or patterns that may be of interest to the investigation.

4. Timeline Reconstruction

 A critical aspect of examination is creating a timeline of events.

 This involves using timestamps from files, logs, and system records to piece together the sequence of actions taken on
the system or network.
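Keyword searches and timeline reconstruction are usually done over the same artefacts, so one script can illustrate both. The following is an added example, not code from the training pack: it takes three constructed sources whose timestamps are all recorded differently (file modification times as Unix epoch seconds, syslog lines carrying an explicit UTC offset, and Windows-style event log lines in local time with no offset), normalises every timestamp to UTC, sorts them into one timeline, and runs regular-expression searches across the merged events. The hostnames, usernames, IP addresses and the assumed workstation timezone (UTC+01:00) are constructed for the demonstration.

```python
"""Added example: unified timeline from heterogeneous timestamps plus keyword search.
Every artefact below is constructed; the workstation timezone is an assumption."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

# Constructed file metadata: (path, modification time as Unix epoch seconds, UTC)
FILE_RECORDS = [
    ("C:/Users/jdoe/Documents/q3-forecast.xlsx", 1717243260),
    ("C:/Users/jdoe/AppData/Local/Temp/7z-archive.7z", 1717243500),
]
# Constructed syslog lines: ISO 8601 with an explicit +01:00 offset
SYSLOG_LINES = [
    "2024-06-01T13:00:10+01:00 fw01 conn: src=10.0.5.23 dst=203.0.113.9 dport=443 bytes_out=48211",
    "2024-06-01T13:05:42+01:00 fw01 conn: src=10.0.5.23 dst=203.0.113.9 dport=443 bytes_out=9200113",
]
# Constructed Windows-style event log lines: local time, no offset in the record
EVENT_LOG = [
    "01/06/2024 12:59:55 Security 4624 Logon user=jdoe type=2",
    "01/06/2024 13:06:30 Security 4634 Logoff user=jdoe",
]
LOCAL_TZ = timezone(timedelta(hours=1))  # assumed timezone of the imaged workstation


@dataclass(order=True)
class Event:
    when: datetime     # always timezone-aware UTC after parsing
    source: str
    detail: str


def parse_sources():
    """Normalise all three sources to aware UTC datetimes and return them sorted."""
    events = []
    for path, epoch in FILE_RECORDS:
        events.append(Event(datetime.fromtimestamp(epoch, timezone.utc), "filesystem", f"modified {path}"))
    for line in SYSLOG_LINES:
        stamp, rest = line.split(" ", 1)
        events.append(Event(datetime.fromisoformat(stamp).astimezone(timezone.utc), "syslog", rest.strip()))
    for line in EVENT_LOG:
        stamp, rest = line[:19], line[20:]
        local = datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S").replace(tzinfo=LOCAL_TZ)
        events.append(Event(local.astimezone(timezone.utc), "eventlog", rest))
    return sorted(events)


def keyword_search(events, patterns):
    """Return (pattern, event) pairs for every event whose detail matches a pattern."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    hits = []
    for ev in events:
        for rx in compiled:
            if rx.search(ev.detail):
                hits.append((rx.pattern, ev))
    return hits


def timeline_text(events):
    """Render the timeline one line per event, timestamps in UTC."""
    return [f"{e.when.isoformat()} [{e.source}] {e.detail}" for e in events]


if __name__ == "__main__":
    timeline = parse_sources()
    print("\n".join(timeline_text(timeline)))
    for pattern, ev in keyword_search(timeline, [r"\.7z\b", r"bytes_out=\d{7,}"]):
        print("HIT", pattern, "->", ev.when.isoformat(), ev.detail)
```

Once everything is in UTC the sequence reads naturally: logon, a first small connection, the spreadsheet touched, an archive written, a much larger transfer to the same destination, logoff. Left in their native formats the same six records would have sorted in a misleading order, which is why normalising the clock is the first step of any timeline.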

Analysis
 The analysis process involves a comprehensive and systematic review of data, files, and system artefacts to
uncover insights, establish a timeline of events, and build a comprehensive understanding of what transpired.

 The following is an overview of the analysis phase:

01 Malware Analysis
02 User Activity Analysis
03 Registry Analysis
04 Network Traffic Analysis

Analysis
1. Malware Analysis

 If malware is suspected or detected, experts analyse its code and behaviour to determine its purpose, origin, and potential
impact on the compromised system.

2. User Activity Analysis

 Investigators examine user account activity, including login/logout times, application usage, and internet history.
This helps establish the actions of individuals in the system.

Analysis
3. Registry Analysis

 In cases involving Windows systems, the Windows Registry is thoroughly analysed to identify changes made by users or
malicious software. This can reveal information about installed software, user profiles, and system settings.

4. Network Traffic Analysis

 Network traffic captures are analysed to identify suspicious or unauthorised activities, such as data exfiltration or lateral
movement by attackers.

Module 6: Challenges in Digital Forensics

 Computational Forensics
 Automation and Standardisation
Computational Forensics
 Computational forensics plays a significant role in addressing the evolving challenges in digital forensics. This
specialised field leverages advanced computational techniques and tools to tackle complex issues.

 Computational forensics addresses the following challenges:

01 Volume of Data
02 Data Heterogeneity
03 Encryption and Obfuscation
04 Anti-Forensics Techniques

Computational Forensics
1. Volume of Data

 The sheer volume of digital data generated daily presents a major challenge.

 Computational forensics employs data mining, machine learning, and data reduction techniques to efficiently sift
through vast datasets.

2. Data Heterogeneity

 Digital evidence comes in various formats, from text and images to databases and network traffic.

 Computational forensics focuses on developing methods to handle diverse data sources.
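The most common data reduction technique on a seized disk is known-file filtering: anything whose hash appears in a reference set of operating system and vendor binaries is set aside unexamined, and identical copies of the remaining files are collapsed to one. The following is an added example, not code from the training pack: it works over a constructed in-memory file set and a constructed known-good hash set built from three of those files, so the hashes are computed here and are not taken from any published reference library.

```python
"""Added example: data reduction by known-file filtering and duplicate collapsing.
File contents and the known-good set are constructed for the demonstration."""
import hashlib
from collections import defaultdict

# Constructed 'acquired' files: path -> content bytes
FILES = {
    "Windows/System32/kernel32.dll": b"KNOWN-OS-BINARY-A",
    "Windows/System32/ntdll.dll": b"KNOWN-OS-BINARY-B",
    "Program Files/App/app.exe": b"KNOWN-APP-BINARY",
    "Users/jdoe/Documents/notes.txt": b"meeting notes 2024",
    "Users/jdoe/Desktop/notes (copy).txt": b"meeting notes 2024",   # byte-identical duplicate
    "Users/jdoe/Downloads/tool.exe": b"UNKNOWN-BINARY",
}

# Constructed known-good reference set: SHA-256 of the three vendor binaries above
KNOWN_GOOD = {
    hashlib.sha256(content).hexdigest()
    for content in (b"KNOWN-OS-BINARY-A", b"KNOWN-OS-BINARY-B", b"KNOWN-APP-BINARY")
}


def reduce_files(files, known_hashes):
    """Group files by content hash, drop groups in the known-good set, and keep one
    representative per remaining group while recording its duplicates."""
    by_hash = defaultdict(list)
    for path, content in files.items():
        by_hash[hashlib.sha256(content).hexdigest()].append(path)

    report = {"filtered_known": [], "unique_to_review": [], "duplicates": {}}
    for digest, paths in by_hash.items():
        if digest in known_hashes:
            report["filtered_known"].extend(paths)
            continue
        report["unique_to_review"].append(paths[0])
        if len(paths) > 1:
            report["duplicates"][paths[0]] = paths[1:]
    return report


if __name__ == "__main__":
    result = reduce_files(FILES, KNOWN_GOOD)
    print(f"{len(FILES)} files acquired, {len(result['unique_to_review'])} left to review")
    for path in result["unique_to_review"]:
        print("review:", path, "(duplicates: %s)" % result["duplicates"].get(path, []))
```

Six files go in and two come out for review, with the duplicate path kept in the report so the examiner still knows the copy existed. On a real image the same logic applies to hundreds of thousands of files, which is the point: the reviewer's time goes to the files no reference set can vouch for.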

Computational Forensics
3. Encryption and Obfuscation

 Encryption and data obfuscation techniques employed by criminals make it difficult to access and interpret digital
evidence.

 Computational forensics includes cryptographic analysis and decryption tools to recover encrypted data.

4. Anti-Forensics Techniques

 Attackers use anti-forensics techniques to cover their tracks.

 Computational forensics experts develop countermeasures and techniques to detect and counter anti-forensics efforts.

Automation and Standardisation
Automation in Digital Forensics

 Automation refers to the use of software, scripts, and tools to perform tasks and processes in digital forensics
without manual intervention.

 Automation supports digital forensics in the following ways:

• Volume Handling
• Timely Response
• Consistency

Automation and Standardisation (Continued)

• Volume Handling

 The sheer volume of digital data is a major challenge. Automation assists in efficiently processing large
datasets by automating repetitive tasks like data extraction, indexing, and keyword searching.

• Timely Response

 Cyber threats require rapid responses. Automated incident response systems can detect and respond to
security incidents in real time, minimising potential damage.

• Consistency

 Automation ensures consistency in evidence handling and processing, reducing the risk of errors and
ensuring that all relevant information is captured.

Automation and Standardisation
Standardisation in Digital Forensics

 Standardisation in digital forensics involves the establishment and adherence to predefined protocols,
procedures, and best practices across the field. These standards ensure consistency and reliability in digital
investigations.

 Standardisation contributes in the following areas:

• Evidence Handling
• Tools and Protocols
• Data Formats

Automation and Standardisation (Continued)

• Evidence Handling

 Standardised procedures for evidence collection, preservation, and documentation ensure that evidence is
admissible in court and maintains its integrity throughout the chain of custody.

• Tools and Protocols

 Standardised tools and protocols facilitate interoperability and consistency across different digital forensic
laboratories and organisations. Investigators can rely on established methodologies.

• Data Formats

 Standardised data formats and storage methods enable easy data sharing and collaboration between
investigators, forensic tools, and agencies.
