Summaries Digital Forensics A Guide To Theory

it lectures

Uploaded by maamebeduwa.esq

Rounding Up

SUMMARIES

Process You Would Follow To Acquire, Preserve And Analyze Digital Evidence For Signs Of Manipulation
1 - Preparation and Legal Authorization

- Obtain legal authorization (e.g., a search warrant, consent form, or court order) to access and examine the suspect's device(s) and/or document.
- Review the case background and the scope of the investigation to tailor the acquisition and analysis goals.
- Determine the source of the document (e.g., local storage, email, USB drive, cloud storage).
2 - Acquisition of the Document

The aim is to collect the document without altering it, along with its metadata and context. This involves:

- Identify Source Devices and Media
  - Locate where the document was created, stored, or transferred: computer hard drives, flash drives, email servers, cloud platforms (e.g., OneDrive), or backups.
- Forensic Imaging
  - Create a bit-by-bit forensic image of the device containing the document using tools such as FTK Imager, EnCase or X-Ways. (The image includes all files, deleted files and unallocated space, and preserves timestamps and hidden/embedded data.)
- Hashing for Data Integrity
  - Generate cryptographic hash values (MD5, SHA-1, or SHA-256) of the original media and of the image.
  - Original Media Hash = Forensic Image Hash (any mismatch implies tampering).
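The acquire-then-hash check described above, as an added example that is not part of the original lecture notes and does not use FTK Imager, EnCase or X-Ways: a small file stands in for the original media (constructed sample data), it is copied bit-for-bit to an image file, both are hashed with MD5 and SHA-256, and the comparison is repeated after a single byte of the image is altered. The file names and `run_demo` helper are this example's own.

```python
import hashlib
import os
import tempfile

# Constructed sample standing in for the original media; not real evidence.
SAMPLE_MEDIA = b"CASE-0001 sample document bytes\n" * 2048


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Stream a file through a hash so a multi-GB image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, chunk_size=1 << 20):
    """Bit-for-bit copy of the source into an image file. The source is opened
    read-only here; in a real acquisition a write blocker enforces that in hardware."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            dst.write(chunk)


def verify_image(source, image, algorithms=("md5", "sha256")):
    """Hash both files with every algorithm and report whether each pair matches.
    Returns {algorithm: {"source": hex, "image": hex, "match": bool}} for the report."""
    report = {}
    for alg in algorithms:
        s, i = hash_file(source, alg), hash_file(image, alg)
        report[alg] = {"source": s, "image": i, "match": s == i}
    return report


def all_match(report):
    """True only if every algorithm agrees that source and image are identical."""
    return all(entry["match"] for entry in report.values())


def run_demo():
    """Acquire the constructed sample, verify it, then flip one bit in the image and
    verify again. Returns (verified_before_tamper, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "original.bin")
        image = os.path.join(tmp, "image.dd")
        with open(source, "wb") as f:
            f.write(SAMPLE_MEDIA)
        acquire_image(source, image)
        before = all_match(verify_image(source, image))
        # Simulate a single-byte alteration of the image (e.g. a stray write).
        with open(image, "r+b") as f:
            f.seek(100)
            byte = f.read(1)
            f.seek(100)
            f.write(bytes([byte[0] ^ 0x01]))
        after = all_match(verify_image(source, image))
    return before, after


if __name__ == "__main__":
    print(run_demo())
```

Both hash values should be recorded in the acquisition notes at the time of imaging; re-running `verify_image` later against the stored image is how another examiner confirms the copy is still faithful.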
3 - Preservation of the Evidence

Ensure that the original evidence is not altered or tampered with:

- Use Write Blockers
  - For physical drives, use hardware write blockers during acquisition to prevent any writing to the original.
- Secure Storage
  - Store original media in a sealed, labeled evidence bag in a locked evidence room or digital evidence vault.
- Chain of Custody Documentation (use a chain of custody form or a digital evidence management system). Record:
  - Who collected the evidence
  - When and where it was collected
  - How it was transported and stored
  - Each person who accessed it, and for what purpose
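A chain of custody record with the four fields listed above, as an added example that is not from the lecture notes and is not any particular evidence management product: each entry stores who, when, where, the action and its purpose, plus the SHA-256 hash of the previous entry, so a later edit to an earlier entry breaks every link after it. The evidence id `EV-0001`, the names and the timestamps are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone


def _entry_hash(entry):
    """Hash the canonical JSON form of an entry (sorted keys, fixed separators)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def add_entry(log, evidence_id, who, action, where, purpose, when=None):
    """Append one custody event. Each entry carries the hash of the previous entry,
    so the log is tamper-evident: altering entry k invalidates entries k, k+1, ..."""
    prev_hash = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "seq": len(log) + 1,
        "evidence_id": evidence_id,
        "who": who,
        "action": action,  # collected / transported / stored / accessed / released
        "where": where,
        "purpose": purpose,
        "when": when or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "prev_hash": prev_hash,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log):
    """Recompute every link. Returns (ok, first_bad_seq); first_bad_seq is None when ok."""
    expected_prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != expected_prev or _entry_hash(body) != entry["entry_hash"]:
            return False, entry["seq"]
        expected_prev = entry["entry_hash"]
    return True, None


def build_sample_log():
    """Constructed custody history for a hypothetical item EV-0001 (not a real case)."""
    log = []
    add_entry(log, "EV-0001", "A. Examiner", "collected", "Lab 2, Social Sciences Block",
              "seized USB drive", "2025-07-29T09:10:00Z")
    add_entry(log, "EV-0001", "A. Examiner", "transported", "Evidence room",
              "transfer to secure storage", "2025-07-29T10:05:00Z")
    add_entry(log, "EV-0001", "B. Analyst", "accessed", "Forensic lab",
              "imaging with write blocker", "2025-07-30T08:30:00Z")
    return log


if __name__ == "__main__":
    custody = build_sample_log()
    print(json.dumps(custody, indent=2))
    print(verify_chain(custody))
```

Re-hashing a single altered entry does not repair the chain, because the next entry still carries the old hash in its `prev_hash` field; that is what makes an append-only log more defensible than a form that can be silently retyped.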
4 - Analysis of the Word Document

The analysis is aimed at detecting manipulations, authorship, timestamp inconsistencies, and metadata anomalies.

- Metadata Analysis, using tools such as the Microsoft Office internal properties viewer, ExifTool, Autopsy or EnCase, checking for:
  - Document creation and modification dates
  - Author name and last modified by
  - Revision number
  - Time spent editing
  - Embedded content (e.g., images, hyperlinks)
  - Hidden text or comments
  - Software and version used
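Most of the fields in the list above live in two XML parts inside a .docx (which is a zip archive): `docProps/core.xml` (creator, last modified by, revision, created and modified dates) and `docProps/app.xml` (application, version, total editing time), while hidden text is marked with `w:vanish` in `word/document.xml` and comments sit in `word/comments.xml`. The following is an added example, not code from the lecture or from any of the tools named above; it builds a constructed .docx in memory whose values were chosen to trigger the anomalies an examiner would flag, then reads the fields back and lists them.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCT = "http://purl.org/dc/terms/"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed sample parts of a .docx. The values are made up so that the document shows
# a modified date earlier than its created date, a different last editor, zero editing
# time despite several revisions, and one hidden text run.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCT}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>A. Author</dc:creator>
  <cp:lastModifiedBy>B. Editor</cp:lastModifiedBy>
  <cp:revision>3</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2025-07-30T09:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2025-07-29T08:00:00Z</dcterms:modified>
</cp:coreProperties>"""
APP_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{EP}"><Application>Microsoft Office Word</Application>
<AppVersion>16.0000</AppVersion><TotalTime>0</TotalTime></Properties>"""
DOC_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body><w:p>
<w:r><w:t>Visible paragraph text.</w:t></w:r>
<w:r><w:rPr><w:vanish/></w:rPr><w:t>hidden note</w:t></w:r>
</w:p></w:body></w:document>"""


def build_sample_docx():
    """Return an in-memory .docx assembled from the constructed parts above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
        zf.writestr("word/document.xml", DOC_XML)
    buf.seek(0)
    return buf


def _text(root, tag):
    el = root.find(tag) if root is not None else None
    return el.text.strip() if el is not None and el.text else None


def _w3cdtf(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ") if value else None


def analyze_docx(docx):
    """docx: a path or file-like object. Returns the metadata fields of interest
    plus a list of anomalies worth an examiner's attention (never a verdict)."""
    with zipfile.ZipFile(docx) as zf:
        names = set(zf.namelist())
        core = ET.fromstring(zf.read("docProps/core.xml"))
        app = ET.fromstring(zf.read("docProps/app.xml")) if "docProps/app.xml" in names else None
        doc = ET.fromstring(zf.read("word/document.xml"))
    info = {
        "creator": _text(core, f"{{{DC}}}creator"),
        "last_modified_by": _text(core, f"{{{CP}}}lastModifiedBy"),
        "revision": int(_text(core, f"{{{CP}}}revision") or 0),
        "created": _w3cdtf(_text(core, f"{{{DCT}}}created")),
        "modified": _w3cdtf(_text(core, f"{{{DCT}}}modified")),
        "application": _text(app, f"{{{EP}}}Application"),
        "app_version": _text(app, f"{{{EP}}}AppVersion"),
        "total_time_min": int(_text(app, f"{{{EP}}}TotalTime") or 0),
        "has_comments": "word/comments.xml" in names,
        "hidden_runs": [],
        "anomalies": [],
    }
    # Runs whose properties carry <w:vanish/> are hidden text in Word's UI.
    for run in doc.iter(f"{{{W}}}r"):
        if run.find(f"{{{W}}}rPr/{{{W}}}vanish") is not None:
            info["hidden_runs"].append("".join(t.text or "" for t in run.iter(f"{{{W}}}t")))
    a = info["anomalies"]
    if info["created"] and info["modified"] and info["modified"] < info["created"]:
        a.append("modified timestamp precedes created timestamp")
    if info["last_modified_by"] and info["last_modified_by"] != info["creator"]:
        a.append("last modifier differs from creator")
    if info["revision"] > 1 and info["total_time_min"] == 0:
        a.append("several revisions but zero recorded editing time")
    if info["hidden_runs"]:
        a.append("hidden text present")
    if info["has_comments"]:
        a.append("comments part present")
    return info


if __name__ == "__main__":
    for key, value in analyze_docx(build_sample_docx()).items():
        print(f"{key}: {value}")
```

Each anomaly is a lead, not proof: clock skew, a template reused across authors, or a legitimate copy-and-save can produce the same values, which is why the report should record the raw fields alongside the interpretation.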
5 - Reporting and Documentation

Prepare a comprehensive forensic report, detailing:

- Acquisition and hashing process
- Chain of custody logs
- Tools and methods used
- Metadata findings
- Identified manipulations or anomalies
- Expert interpretation of inconsistencies

(Ensure that all analysis is repeatable and that another forensic expert can independently verify your results.)
6 - Maintaining Forensic Soundness

Throughout the process:

- Use verified forensic tools and document their version and configuration
- Work only on forensic copies of the evidence, never the original
- Maintain detailed notes of all actions performed
- Avoid introducing bias; stick to evidence-based conclusions
7 - Presentation in Court (If Required)

- Be prepared to defend your methods and findings in court
- Demonstrate chain of custody and forensic soundness
- Present findings in a clear, non-technical manner
An Outline Of A Digital Forensic Report

Title Page

Case Title: Investigation into Suspicious Login Activity on University of Cape Coast Network
Date of Report: July 29, 2025
Investigator: [Your Name], Digital Forensics Analyst
Affiliation: [Your Department or Consultancy]

Executive Summary

- On July 29, 2025, the University of Cape Coast ICT Directorate reported multiple suspicious login attempts to the student and staff portal between 2:00 AM and 4:30 AM. These logins originated from an internal IP address range, raising concerns of potential unauthorized access or a compromised account.
- Following this alert, I was assigned to conduct a forensic investigation to determine the source, scope, and nature of the activity and whether university systems or accounts were compromised.
Scope of Investigation

The scope of this investigation included:

- Reviewing server and authentication logs
- Identifying the user accounts involved
- Tracing the IP addresses and timestamps
- Examining endpoint devices (where possible)
- Preserving and analyzing relevant digital evidence
Methodology

The investigation followed standard digital forensic procedures, ensuring data integrity and admissibility:

- Log data from the central authentication server and firewall were forensically acquired using read-only access.
- System snapshots were taken of suspect machines in the university's computer lab.
- Tools used included Wireshark and Autopsy, among others, for log analysis.
- All data was hashed using SHA-256 to maintain forensic soundness.
Findings

- Between 2:00 AM and 4:30 AM, 64 login attempts were made from IP address 192.168.42.17, linked to a computer in the Social Science Faculty's lab in the Social Sciences Block.
- The attempts involved 9 different student accounts and 2 administrative accounts.
- One account successfully logged in using valid credentials at 2:47 AM.
- Further analysis revealed the use of a brute-force attack script, likely deployed via a USB drive on the lab machine.
- Evidence of unauthorized access was confirmed; logs showed subsequent download of a staff timetable file and a student grade summary.
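The kind of log review that produces findings like those above, as an added example that is not part of the sample report: a short constructed authentication-log excerpt (the IP address is the one named in the findings; the account names, timestamps and line format are made up for the example) is parsed, failed logins are grouped per source IP inside a sliding time window, an IP is flagged when it exceeds an attempt and distinct-account threshold, and the first successful login from that IP after the burst is recorded. Thresholds are assumptions to be tuned to the real portal's traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication-log excerpt, one event per line (syslog-like format
# invented for this example). The last line is deliberately malformed.
SAMPLE_LOG = """\
2025-07-29T02:01:10Z portal: FAILED login user=stu0412 src=192.168.42.17
2025-07-29T02:01:12Z portal: FAILED login user=stu0413 src=192.168.42.17
2025-07-29T02:01:15Z portal: FAILED login user=stu0414 src=192.168.42.17
2025-07-29T02:01:17Z portal: FAILED login user=admin02 src=192.168.42.17
2025-07-29T02:01:19Z portal: FAILED login user=stu0412 src=192.168.42.17
2025-07-29T02:47:03Z portal: SUCCESS login user=stu0413 src=192.168.42.17
2025-07-29T08:15:00Z portal: FAILED login user=staff17 src=192.168.10.5
2025-07-29T08:15:20Z portal: SUCCESS login user=staff17 src=192.168.10.5
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) portal: "
    r"(?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return an event dict, or None for lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce(lines, window=timedelta(minutes=10), min_attempts=5, min_accounts=3):
    """Flag source IPs with >= min_attempts failed logins across >= min_accounts distinct
    accounts inside one sliding window, and note the first success from that IP afterwards.
    Returns {ip: finding} with only the flagged IPs."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        fails = [e for e in events if e["result"] == "FAILED"]
        best = None
        # Slide a window over the failures, keeping the largest qualifying burst.
        for i, start in enumerate(fails):
            burst = [e for e in fails[i:] if e["time"] - start["time"] <= window]
            if len(burst) >= min_attempts and len({e["user"] for e in burst}) >= min_accounts:
                if best is None or len(burst) > len(best):
                    best = burst
        if best is None:
            continue
        success = next((e for e in events
                        if e["result"] == "SUCCESS" and e["time"] >= best[0]["time"]), None)
        findings[ip] = {
            "window_start": best[0]["ts"],
            "failed_attempts": len(best),
            "distinct_accounts": len({e["user"] for e in best}),
            "accounts": sorted({e["user"] for e in best}),
            "success_after": (success["ts"], success["user"]) if success else None,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

The single mistyped password from 192.168.10.5 is correctly left alone; the distinct-account condition is what separates password spraying from one user fumbling a login. The flagged window and the subsequent success are exactly the two facts a report should cite with their raw log lines attached.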
Preservation of Evidence

- The hard drive of the compromised system was imaged using FTK Imager, and the original disk was sealed and stored securely.
- Chain of custody was documented for all devices and data handled.
- Screenshots and log excerpts were preserved for reporting.
Conclusion

The investigation confirms that unauthorized access occurred via a compromised endpoint within the university's internal network. At least one student account was used to access sensitive academic resources. The attack was targeted and likely involved someone familiar with campus infrastructure.
Recommendations

- Immediate password reset for all affected accounts
- Mandatory 2FA implementation for staff logins
- Restricted access to lab computers during off-hours
- Improved intrusion detection systems on internal subnets
- Continued monitoring for further anomalous behavior
Attachments

- Hash Verification Summary
- Log Extracts (Firewall, Server Authentication)
- Screenshots of Brute-force Script
- Chain of Custody Form
- Network Topology Diagram
Legal and procedural considerations you would take into account before presenting digital evidence in court with respect to the Cybersecurity Act, 2020 (Act 1038)

Legal and Procedural Considerations for Presenting Digital Evidence

Before this digital evidence can be presented in court, several legal and procedural considerations must be taken into account, particularly in alignment with Ghana's Cybersecurity Act, 2020 (Act 1038).

First of all, the admissibility of digital evidence in court requires assurance of its integrity and authenticity. To achieve this, it is critical that the digital logs and IP tracking data collected from the university servers and Facebook's login history are forensically preserved, ensuring they remain unaltered. This includes computing cryptographic hash values for any extracted evidence and documenting each stage of acquisition, analysis, and handling through a well-maintained chain of custody. Any evidence collected without these safeguards may be deemed inadmissible or challenged for tampering.

Secondly, under Section 58 of the Cybersecurity Act, only authorized cybersecurity professionals or certified forensic investigators are permitted to handle, analyze or present such evidence in legal proceedings. As such, all findings and digital extractions must be conducted by certified personnel, and their tools and procedures must meet recognized forensic standards.

Thirdly, respecting data protection and privacy rights is critical. Section 45 of the Act emphasizes the lawful interception of and access to personal data. Before accessing logs or correlating the IP address with individuals, proper judicial authorization or a warrant must be sought. Any evidence obtained unlawfully or without respecting these procedures may violate the suspect's rights and risk being excluded from court proceedings.

Furthermore, presenting findings must include both technical and contextual clarity, outlining not only how the incident occurred but also the limitations of the evidence.

Finally, all digital evidence must be clearly documented and reported in a form that is understandable to both legal authorities and laypersons. This includes maintaining a formal digital forensic report, mapping login times, and IP address geolocation.

In summary, the investigation and handling of this case must align with the Cybersecurity Act 2020, uphold data privacy laws, and follow forensic best practices to ensure the evidence is admissible, credible, and legally defensible when presented in court.
Wishing You Well