Description
ATTENTION!!! This course is reserved EXCLUSIVELY for law enforcement agencies.
NOTE: If there are sufficient requests, the course may also be held on SATURDAY 11 and SUNDAY 12 July 2026. For information, please email: info@hackinbo.training
Introduction to Digital Forensics
Overview of Digital Forensics: This introductory section explores the history and evolution of digital forensics, highlighting its growing importance in the context of modern digital crimes. Different types of digital crimes will be discussed,
providing students with a solid foundation for understanding the scope and complexity of the field. Historical and contemporary case studies will be analysed to illustrate the impact of digital forensics on investigations and the legal system. The aim is to provide a clear understanding of how digital forensics fits into the landscape of cybersecurity and criminal investigations
Role of First Responders: This section focuses on the specific responsibilities and duties of first responders at a digital crime scene. It will outline the crucial role these professionals play in ensuring the integrity of
digital evidence from the earliest stages of the investigation. Protocols and guidelines for scene management, preliminary device identification, and documentation of activities will be covered. The importance of
effective communication with other members of the investigative team and compliance with legal procedures will be emphasised.
Basic principles of digital evidence collection: This introductory section establishes the fundamental principles that guide the collection of digital evidence, with a particular focus on the importance of the chain of custody and techniques for
preserving evidence. The chain of custody will be defined as the process of chronological documentation showing the sequence of custody, control, transfer, analysis, and disposal of digital evidence. Best practices will be presented to ensure that evidence is collected, stored, and presented in a manner that maintains its integrity and admissibility in court.
Evidence collection techniques: This section will cover the various types of digital evidence that can be collected, including computer files, email messages, web pages, and social media posts.
Operating procedures
Identification of digital evidence: this sheet focuses on recognising various forms of digital data and locating them within a system or device. Students will learn to identify different types of storage media,
file formats, and common locations where evidence can be found. Techniques for recognising hidden or encrypted data and for assessing the potential relevance of digital information will be provided. The goal is to
develop students’ ability to conduct an effective preliminary analysis to identify the most promising sources of evidence.
Collection and preservation of digital evidence: This section outlines specific methods for collecting data from various digital devices and techniques for preserving evidence to ensure its integrity. Protocols for
forensic imaging of hard drives, USB drives, mobile phones, and other devices using specialised software and hardware will be covered. Procedures for detailed documentation of the collection process, including
device metadata and case-relevant information, will be discussed. Long-term preservation techniques, such as creating backup copies and using secure storage media, will also be examined.
Collection and preservation of digital evidence in the cloud: This module extends the principles of digital evidence collection and preservation to the cloud environment, focusing on methods for acquiring data from major cloud services such as
Google, Apple, and Microsoft. Specific challenges posed by cloud computing, such as the distributed nature of data, jurisdictional issues, and service providers’ data retention policies, will be examined. We will discuss procedures for legally requesting data from cloud service providers, techniques for acquiring data via APIs or export tools, and strategies for preserving and analysing cloud data.
Tools and techniques
Overview of digital forensics tools: This section introduces students to a variety of software and hardware tools used in the field of digital forensics. Tools for forensic image acquisition,
disk analysis, data recovery, memory analysis, and log file examination will be presented. An overview of the capabilities of each tool and their specific applications in a forensic investigation will be provided. The goal is to familiarise students
with the landscape of available tools and prepare them for hands-on demonstrations.
Practical demonstration of the use of tools: This section describes live demonstrations on the use of various digital forensics tools. We will show how to use Linux distributions such as Caine, Tsurugi, software such as Axiom, UFED,
FTK Imager, Autopsy and other tools to perform specific tasks, such as acquiring disk images, analysing file systems and recovering deleted data. Students will observe step-by-step procedures and have the opportunity to ask questions to clarify concepts. These practical demonstrations will reinforce the theoretical understanding of the tools and prepare students for the practical exercises.
Practical exercises: This section provides students with the opportunity to use digital forensics tools on simulated case studies. Students will work individually or in groups to apply the knowledge and
skills acquired in previous lessons to realistic scenarios. Case studies simulating forensic investigations will be provided, allowing students to practise data acquisition, analysis and interpretation of results. Instructors
will provide feedback and support during the exercises to guide learning and ensure that students develop operational skills.
Elements of digital evidence analysis
Introduction to digital evidence analysis: This sheet introduces forensic analysis techniques and the interpretation of results obtained from the examination of digital evidence. The principles of data analysis, methods for identifying
patterns and anomalies, and strategies for reconstructing digital events and activities will be presented. The importance of critical thinking and logical reasoning in forensic analysis will be discussed, and guidelines will be provided for documenting and presenting results in a
clear and concise manner.
Data recovery techniques: This section focuses on techniques for recovering deleted, damaged, or encrypted data from digital storage devices. Various data recovery methods will be presented, including the recovery of deleted files,
carving data from unallocated space, recovery from damaged partitions, and the use of specialised data recovery software. The challenges posed by encryption and techniques for recovering encrypted data,
where possible, will be discussed. The goal is to provide students with the skills to recover important information that could be crucial to an investigation.
Log File and System Data Analysis: This card explores the interpretation of operating system log files and the analysis of file metadata to gain insight into user activities and system events.
Common log file formats, techniques for analysing logs to identify significant events, and strategies for extracting metadata from various file types will be presented. The importance of timestamps, user information, and
other metadata for reconstructing events and creating a timeline of activities will be discussed.
Reporting
Creating a digital forensics report: This section is dedicated to the structure and techniques for writing an effective forensic report. The essential components of a forensic report will be presented, including the introduction,
methodology, results, conclusions, and recommendations. Guidelines for clear, concise, and objective writing will be discussed, avoiding ambiguity and misinterpretation. Examples of forensic reports will be provided, and best practices for presenting technical information in a way that is understandable to a non-technical audience will be analysed.
Practical exercises and assessment
Practical exercises on real-world case scenarios: This final section of the course involves students working on real-world case scenarios to apply the skills learned during the course. Students will be divided into groups and assigned complex case studies that simulate complete forensic investigations. They will be required to use the tools and techniques they have learned to collect, analyse and interpret digital evidence, and then present their findings in a forensic report. Instructors will supervise the exercises and provide
detailed feedback on participants’ performance.
Assessment of acquired skills: Students will be assessed on the basis of the skills acquired during the course. Assessment may include a combination of written examinations, practical assessments of exercises, case study presentations and the quality of forensic reports produced. The assessment criteria will be clearly defined and communicated to students at the beginning of the course. The aim is to ensure that students have achieved an adequate level of competence in key areas of digital forensics.
Feedback and course closure: This final session gives students the opportunity to provide feedback on the course and participate in a closing session. Students will be encouraged to share their opinions on the effectiveness of the course, its strengths and areas for improvement. Instructors will provide a summary of the main topics covered and answer any final questions.
REQUIRED SKILLS: Basic computer skills, basics of networks and the Internet.
REQUIRED MATERIALS: Laptop, smartphone, USB stick.
SOFTWARE: Caine, Autopsy, FTK, Photorec.
NOTE:
Lunches, coffee breaks and admission tickets to HackInBo® WINTER Edition 2026 events included!