4-week module: forensic science

In this 4-week module, the aim is to introduce you to some key concepts and techniques which you can use to develop your own knowledge and procedures for forensic analysis. Because we’re dealing with cyber security incidents, we’ll concentrate on responding to incidents and the use of “dead box” forensic techniques (i.e. those where we can seize a device and take an image of its secondary storage devices in particular).

There will be a lot of hands-on exercises which will run on cloud-based Virtual machines, but if you want the software for yourself, we’ll be using the CAINE 11 forensic toolkit with the addition of the older Win-UFO toolkit. (Note – the Windows tools require admin. privileges and WILL trigger malware warnings or be blocked by most Windows malware protection systems. The Linux live distribution is equally dangerous…)

It would also be beneficial if you could spend a bit of time revising the following key concepts:

  • CPU architecture, including data representation (bit patterns and their interpretations) and Direct Memory Access. (Tarnoff Chapters 2,3 and 15)
  • Operating system functions – resource management, scheduling, memory management (Dusseau & Dusseau Chapters on Virtualization)
  • Discs and file systems – sectors, partitions, clusters/minimum allocation units. (Dusseau and Dusseau chapters 35 to 40).

The free online books below may help:

Computer Architecture and O/S revision

Tarnoff: Computer Organization and Design Fundamentals

Dusseau and Dusseau: Operating Systems, 3 easy pieces

Learning materials and schedule

As always, the learning materials, lab and exercises will be released in advance, and the plan is to have video walk-throughs of each lab exercise, which you can use if you get stuck (and to prove that the exercises have been tested). The week numbers are suggestions – feel free to work faster if you want to, but you should aim to complete each block of material by the end of the week that contains it.

Task

The task will be in two parts

  • Part 1: the investigation of an incident and the potential digital evidence associated with it. (You will be provided with an image file to analyse). You will be required to produce a forensic analyst’s report for this.
  • Part 2: preparation of a detailed plan, containing recommended actions to take to carry out a proper investigation of related or similar incidents occurring in the organisation described in the scenario for part 1.

It will be possible to complete Part 1 using only the tools provided to you in the virtual machines. Part 2 will require some further reading.

This folder

The folder containing this message will be where any extra reference material or links to interesting/useful things (not used elsewhere in the module) will appear.

ISO/IEC standards

ISO/IEC 27037, 27041, 27042 and 27043 are particularly useful for this module – the model they present is used as the basis for the recommended structure of a digital investigation. You can obtain copies via the University Library’s subscription to BSI Online.

27040, on storage security, also has some relevance to preservation, redaction and destruction considerations.

Selected Reference material

This is a slightly random selection, and their inclusion here is not necessarily an indication of their relative importance, or of the scope of the module. They may be harder to locate than some of the other references, or a better reference for the topic than you might find via a simple Google search.

  • The PDF files are in the directory
  • ACPO Good Practice Guide Version 5
  • ASCII Code Table
  • ATA-6 Attachment Specification
  • File Signatures (see below)
  • Forensically Interesting Spots in the Windows 7 File System and Registry
  • Guidance for Experts
  • How Unique Is Your Web Browser
  • Into the boxes Jan 2010 (User assist Keys)
  • Private browsing A window of forensic opportunity
  • The joys of complexity and the deleted file
  • The Meaning of LIFE (Linkfiles)
  • Time and date issues in forensic computing – a case study
  • US Department of Justice – Forensic Examination of Digital Evidence
  • Use the links below to access these two:
  • Don’t trust spell cheques
  • The Forensics Wiki

File Signatures Table

(Thanks to Gary Kessler for making this available to the community – the most up to date copy of this information can be found at his website: https://www.garykessler.net/library/file_sigs.html).

This table of file signatures (aka “magic numbers”) is a continuing work-in-progress. I have found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner’s Guide by T. Sammes & B. Jenkinson (Springer, 2000); that was my inspiration to start this list in 2002. See also Wikipedia’s List of file signatures. Comments, additions, and queries can be sent to Gary Kessler at gck@garykessler.net.

This list is not exhaustive. Interpret the table as the magic number generally indicating the file type rather than the file type always having the given magic number. If you want to know to what a particular file extension refers, check out some of these sites:

Some other useful information:

If you are using a Linux/Unix system, you can use the file command to determine the file type based upon the file signature, per the system’s magic file.

And, one last and final item — if you are searching for network traffic in raw binary files (e.g., RAM or unallocated space), see Hints About Looking for Network Packet Fragments.
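As an added illustration (not part of Gary Kessler’s page or of this module’s materials), the Python script below does in miniature what the file command does: it matches the leading bytes of a file against a small signature table (well-known published values, including one at a non-zero offset) and then compares the result with the file’s claimed extension, treating shared-container cases (zip/docx/jar, exe/dll) the way the caveat above describes. The signature table, alias sets and sample headers are constructed for this example.

```python
import os

# Constructed mini signature table: (magic bytes, offset, label). These are
# well-known published values; Kessler's full table lists hundreds more.
SIGNATURES = [
    (b"%PDF", 0x0, "pdf"),
    (b"\x89PNG\r\n\x1a\n", 0x0, "png"),
    (b"\xff\xd8\xff", 0x0, "jpg"),
    (b"PK\x03\x04", 0x0, "zip"),   # same container as docx/xlsx/jar
    (b"MZ", 0x0, "exe"),           # DOS/PE stub, also dll/sys
    (b"\x7fELF", 0x0, "elf"),
    (b"CD001", 0x8001, "iso"),     # ISO 9660 primary volume descriptor
]
# Extensions that legitimately share a signature (the caveat quoted above).
ALIASES = {
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "jpg": {"jpg", "jpeg"},
    "exe": {"exe", "dll", "sys"},
}

def identify(data):
    """Label of the first signature matching at its offset, else None."""
    for magic, offset, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return None

def check_extension(name, data):
    """Return (label, verdict): 'match', 'mismatch' or 'unknown' (a lead, not proof)."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    label = identify(data)
    if label is None:
        return (None, "unknown")
    if ext == label or ext in ALIASES.get(label, set()):
        return (label, "match")
    return (label, "mismatch")

def triage(samples):
    """Run check_extension over {name: bytes}; return everything not a 'match'."""
    results = {n: check_extension(n, d) for n, d in samples.items()}
    return {n: r for n, r in results.items() if r[1] != "match"}

if __name__ == "__main__":
    samples = {  # constructed sample headers; a few leading bytes suffice
        "report.pdf": b"%PDF-1.7\n",
        "notes.txt": b"MZ\x90\x00\x03\x00",          # executable named as text
        "backup.iso": b"\x00" * 0x8001 + b"CD001\x01",
        "scratch.dat": b"hello",
    }
    for name, result in triage(samples).items():
        print(name, result)
```

On a real image you would feed it the first few kilobytes of each file (or of each carved block in unallocated space) rather than whole files, and treat every mismatch as a lead for the analyst to examine rather than as a finding in itself.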

ACKNOWLEDGEMENTS

The following individuals have given me updates or suggestions for this list over the years: Devon Ackerman, Nazim Aliyev, Vladimir Benko, Arvin Bhatnagar, Sam Brothers, David Burton, Alex Caithness, Björn Carlin, Per Christensson, Oscar Choi, JMJ.Conseil, Cornelis de Groot, Jeffrey Duggan, Jean-Pierre Fiset, Peter Almer Frederiksen, Tim Gardner, Chris Griffith, Linda Grody, Andis Grosšteins, Paulo Guzmán, Rich Hanes, George Harpur, Brian High, Eric Huber, Broadus Jones, Axel Kesseler, Nick Khor, Art Kocsis, Bill Kuhns, Andreas Kyrmegalos, Anand Mani, Kevin Mansell, Davyd McColl, Michal, David Millard, Bruce Modick, Lee Nelson, Dan P., Jorge Paulhiac, Carlo Politi, Stanley Rainey, Cory Redfern, Bruce Robertson, Thomas Rösner, Anli Shundi, Erik Siers, Mike Sutton, Matthias Sweertvaegher, Erik van de Burgwal, Øyvind Walding, Jason Wallace, Daniel Walton, Franklin Webber, Mike Wilkinson, Gavin Williams, and David Wright. I thank them and apologize if I have missed anyone.

I would like to give particular thanks to Danny Mares of Mares and Company, author of the MaresWare Suite (primarily for the “subheaders” for many of the file types here), and the people at X-Ways Forensics for their permission to incorporate their lists of file signatures.

Finally, Dr. Nicole Beebe from The University of Texas at San Antonio posted samples of more than 32 file types at the Digital Corpora, which I used for verification and additional signatures. These files were used to develop the Sceadan File Type Classifier. The file samples can be downloaded from the Digital Corpora website.

COPYRIGHT NOTICE

All information on this page © 2002-2015, Gary C. Kessler. Permission to use the material here is extended to any of this page’s visitors, as long as appropriate attribution is provided and the information is not altered in any way without express written permission of the author.

Additional Resources

A collection of useful and/or interesting material

Quality standards, procedures and laws.

Forensic Science Regulator’s Codes

Angus’ paper on the development of the ISO/IEC 270xx standards

Ministry of Justice Procedure rules

Scottish Courts & Tribunals Procedure rules

Parliamentary Legislation Database

Expert Witnesses from the lawyers’ perspective

“Qualifying and tendering”: https://www.youtube.com/watch?v=AZ1cyFy7hJQ

A law school mock trial: https://www.youtube.com/watch?v=jweJYTCe4a8

How to build a cross-exam: https://www.youtube.com/watch?v=-Kha__fMWIg

“Neutralising (aka tricky questions)”: https://www.youtube.com/watch?v=Ws5P2avXIQA

MITEC – provider of some nice free tools, one of which is used on a couple of slides.

General marking criteria

1. There are two questions. Answer both questions. Note that the two questions are related and both deal with the scenario given below.

2. In all questions, the marks are awarded for addressing the problems set, the quality of your discussion and justification of your assumptions/choices/conclusions etc.

3. You are expected to research your answers and to cite appropriate academic and/or other sources in an appropriate format for the type of report you have been asked to write. It is probably not sufficient to use only the module notes.

4. You may need to make assumptions about the systems involved in order to propose solutions; this is acceptable provided any such assumptions are realistic, clearly stated and do not conflict with any information provided to you.

5. Present your answers on A4 pages, with a minimum 11pt font, minimum 120% line spacing (what Word calls “Multiple 1.08”), and minimum 2cm margins either side.

Each question has an indicated number of pages in which to answer it. Cover page and reference lists or bibliographies do not count towards these limits. Excess pages will not be marked.

 

Scenario

During the pandemic, the offices of the University of Grand Fenwick’s Computer Science dept. had been largely unoccupied, with only essential admin. and support staff on duty. Academic staff have been permitted to access their offices occasionally, in order to pick up essential books, papers and equipment, or between face to face teaching sessions.

Because of this, the IT manager has taken the opportunity to conduct an audit and maintenance exercise to identify all equipment present in the dept. and perform essential updates.

During this process, a device was found plugged into a USB docking station in one of the staff offices. The member of staff whose office it is denies all knowledge of this device and reports that they do not believe it was present when they last checked their office on 4th November 2020. The device was found on 25th January 2021.

The IT manager is concerned that this device may be evidence of a breach, or attempted breach, of security and has requested that you carry out an examination of it and provide further advice (see below).

A suitably qualified technician has imaged the device and will provide you with the image and a record of the examination of the physical device, which includes photographs, any serial numbers etc.

Background – the department runs a mixture of Debian Linux and Windows desktop machines in staff offices, with some staff also using Macintosh, Chrome, Android and iOS devices on the wireless network. It has its own Windows servers for data storage (accessible from Windows and Linux desktops) and a contract with Google for email, cloud data storage and other services (accessible by anyone with a departmental user account). Access to central University services is available via the dept. network, which is connected to the main University network through a managed switch.

 

Task

1. [40 marks] Examine the device image, and related information, and produce your report, for senior management (some of whom are not IT specialists), giving as much information as possible about the device’s involvement, or potential to be involved, in a security breach. Your report is not intended to be used for court proceedings at this stage, but should highlight anything which may be significant should a prosecution be required. Maximum length: 5 pages.

2. [60 marks] Produce a plan for how you would conduct an investigation to determine which systems had been affected by an incident involving a device of this type, including details of the nature of any evidence you would hope to recover from affected systems, how/where you would find this evidence, and what it would mean. Your plan should include consideration of any legal as well as technical issues which affect the ability to present any of the relevant evidence in court in this case.

NOTE: This should be a plan which will work for FUTURE investigations, and should not necessarily be specific to this incident. It should be possible for a competent IT technician to follow the plan and recover evidence without having to further interpret the plan. The plan must include sufficient information for the IT team to prepare, in advance, for an investigation to be carried out as soon as an incident has been detected. Maximum length: 10 pages.

 

Mark allocation – for guidance only.

In Question 1, marks will be allocated for clarity & usability of your report (10), application of sound forensic methods (10) and use of appropriate analytical & interpretive methods (20).

In Question 2, marks will be given for identification of potential evidence sources (25), consideration of evidential issues (10), evidence of structured planning (15) and overall usability & clarity of the plan (10).

 
