Week 1 - Intro

Question 1

What is the core idea of Locard’s Exchange Principle?

Answer 1

“Every contact leaves a trace.” Evidence is transferred in a two-way exchange between the perpetrator, the victim, and the scene.

Question 2

In the physical world, what are the two types of trace evidence according to Locard?

Answer 2

Physical - hair, fibres, glass
Biology - blood, saliva, skin cells

Question 3

How does Locard’s principle apply to the digital world?

Answer 3

A trace is “any modification, subsequently observable, resulting from an event.”
A digital trace is “a change to the state of a computer system resulting from user actions.”

Question 4

Two-way exchange (digital)

Answer 4

Data left behind
Data taken

Question 5

Give examples of data taken vs. data left in digital forensics

Answer 5

Left: Logs, metadata, browser history.

Taken: Exfiltrated files, cloud sync data, downloads.

Question 6

List types of digital evidence with examples (5)

Answer 6

Files/data residues - temp files, cahce, browsing history
Logs - audit logs, systems
Metadata - GPS, device info, timestamps
Network traffic - data packets, IP addresses
Device forensics - call logs, drives

Question 7

Define Digital Forensics

Answer 7

The process of determining past actions on a computer system using preservation, collection, validation, and analysis to reconstruct events.

Question 8

What are the key processes involved in a DF investigation?

Answer 8

Preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation

Question 9

List technological challenges for digital forensics (3)

Answer 9

Speed of technology changes
Criminal/public awareness
Communications ….

Question 10

Why is encryption a challenge for digital forensics?

Answer 10

It makes data unreadable without the specific key, hindering the analysis and interpretation stages

Question 11

What are the main forensic requirements for evidence in court?

Answer 11

Documentation of process & ownership
Who did what to collect & analyse
Reliable & repeatable analysis
Open to challenge & criticism

Question 12

Name common ways digital forensic investigations can go wrong. (5)

Answer 12

Crime scene mishandling
Not safeguarding evidence
Allowing systems to change/overwrite data
Inappropriate tools
Assumptions/cognitive bias

Question 13

What is Cognitive Bias in forensics

Answer 13

A pitfall where an investigator makes assumptions or interprets data to fit a preconceived theory rather than following the evidence.

Question 14

What do the ACPO principles govern?

Answer 14

Good practice guide for computer-based electronic evidence – ensure integrity of digital evidence for court

Question 15

State ACPO Principle 1

Answer 15

No action by law enforcement/agencies should change data on computer or storage media that may be relied upon in court

Question 16

State ACPO Principle 2

Answer 16

If accessing original data is necessary that person must be competent and explain relevance/implications in evidence

Question 17

State ACPO Principle 3

Answer 17

An audit trail/record of all processes must be created and preserved. An independent third party should be able to examine those processes and achieve the same result

Question 18

State ACPO Principle 4

Answer 18

The person in charge of the investigation (the case officer) has overall responsibility for law adherence and these principles

Question 19

What are the four main ways digital forensics helps?

Answer 19

Attribution (who did what, where, when, how, why?)
Reconstruction (understanding crime)
Prevention (pre-emptive)
Prosecution (reporting results)

Question 20

List the four core processes in digital forensics

Answer 20

Collection: identify, secure, store evidence
Examination: obtain & explain info from devices/data
Analysis: significance & probative value
Reporting: process, record, testify

Question 21

In what types of cases/applications is digital forensics used?

Answer 21

Digital-enabled crimes (devices help commit crime)
Digital crimes (only exist digitally)
E-discovery (civil disputes, forensic readiness)
Intrusion investigation (digital security)

Question 22

Magistrates’ court

Answer 22

Start of most criminal cases

Question 23

Crown Court

Answer 23

Serious offences, appeals/sentencing from magistrates

Question 24

County Court

Answer 24

Civil matters (e.g. debt recovery, compensation, trespass orders)

Question 25

Court of Protection

Answer 25

Mental Capacity Act decisions

Question 26

Family Court

Answer 26

Family disputes

Question 27

Coroners Court

Answer 27

violent/unknown/unnatural deaths or state detention (person died in prison, police custody, or was involuntarily detained)

Question 28

Employment Court

Answer 28

workplace disputes

Question 29

Technology and construction court

Answer 29

tech-related crimes (e.g. computer/software, digital disputes like smart contracts, crypto, NFTs, IP in digital assets, algorithms, insolvency of crypto exchanges)

Question 30

Name the main difference between criminal and civil law (purpose, parties, proof standard)

Answer 30

Criminal: Punish wrongdoing/protect society; State vs Defendant; Beyond reasonable doubt. Civil: Resolve disputes/remedies; Claimant vs Defendant; Balance of probabilities.

Question 31

Who can instruct a digital forensic expert?

Answer 31

Claimant/Witness (build case - supports victim) Defence (challenge evidence) Prosecution (build case - support society) Court (as Single Joint Expert – impartial)

Question 32

What is the primary duty of a DF expert witness?

Answer 32

Impartial and objective – duty is ALWAYS to the COURT, not the paying client.

Question 33

Name the two key Civil Procedure Rules (CPR) parts for expert evidence

Answer 33

CPR Part 33 (Criminal) – service of expert evidence, hearsay. CPR Part 35 (Civil) – necessity, impartiality, reports, Single Joint Expert possible

Question 34

Key Requirements of DF Experts

Answer 34

Impartiality: objective/unbiased reports Methodology: validated/reliable Clear communication and plain English for judges/jury

Question 35

Expert witness, report, conclusion meanings

Answer 35

Expert witness: impartial qualified professional Expert report: details evidence/analysis/findings clearly Expert conclusion: professional opinion from report