What are the 8 main steps in the digital forensics process (plus Step 0)?
0: Secure Scene & Preparation
1: Identification
2: Preservation
3: Collection
4: Examination
5: Analysis
6: Interpretation
7: Documentation
8: Presentation
What are the three key roles at a crime scene?
Investigator in Charge: Coordinates and controls contamination.
Evidence Custodian: Handles seized items.
Log Officer: Maintains the entry log.
How to prepare before attending a crime scene?
Computer tool kit ready
Forensic paraphernalia (e.g. for live acquisition of RAM and for triage, i.e., evidence collection)
What does step 0 consist of? (secure the scene and prep)
Secure the whole scene
Minimise people (only authorised)
Use protection e.g. gloves, foot protection
Purpose of Step 1 (Identification)
Recognise and pinpoint potential digital evidence
What does step 1 consist of?
Initial briefing - understand nature of crime
Scope definition
Device and media recognition
Prioritisation
What is meant by scope definition in step 1?
It establishes legal boundaries (e.g., RIPA 2000, CMA 1990) to ensure the search is authorized and targeted.
Purpose of Step 2 (preservation)
protect integrity, prevent alteration (isolate first, analyse later)
Tasks done in step 2
Imaging - capture volatile data (RAM)
Environmental logging - document scene (photos, cables, serial numbers)
Isolation techniques used
Faraday bag - blocks wireless signals (Wi-Fi, Bluetooth, Cellular) to prevent a mobile device from being remotely wiped
Remove SIM card
Disconnect physical network connections
Disable wireless communications - airplane mode
Network isolation tools - firewalls, VPNs
Avoid user interaction
Power off policy
Keep it on - active encryption, volatile data needed, malware active
Keep it off - no encryption, volatile not required, risk of wipe/alteration
What is the first priority when handling Volatile Data?
Capture a RAM dump using trusted acquisition tools before the data is lost when power is removed. Save to external media.
Purpose of step 3 (collection)
Gather evidence in a forensically sound manner
Difference between physical and logical collection?
Physical: Seizing the hardware (PC, phone).
Logical: Collecting specific files, logs, or cloud data with legal permission.
What is the Chain of Custody?
A chronological paper trail that tracks the handling, transfer, and storage of evidence to ensure it hasn’t been tampered with.
What must be documented in a Chain of Custody log?
Case/offence details
Victim/suspect
Date/time/location
Item description
Signatures of everyone who handled it.
Purpose of step 4 (examination)
Methodically review/extract data
Tasks carried out in step 4
Imaging - bit for bit copies (use write blocker)
Data recovery - deleted/hidden files, file carving
Keyword searches
Purpose of Step 5 (Analysis)
derive context/meaning
Tasks carried out in step 5
Timeline construction
Data correlation across sources
Pattern recognition
Purpose of Step 6 (Interpretation)
Understand significance in case context
Tasks carried out in step 6
Scenario formulation
Evidence relevance
Legal implications
Purpose of Step 7 (documentation)
clear unambiguous records/reports
Tasks carried out in step 7
Evidence logs
Activity reports
Findings summary