Digital Forensics Training

OVERVIEW

Digital forensics is not a single skill — it is a family of specialist disciplines, each requiring its own tools, methodologies, and depth of technical knowledge. The investigator who excels at extracting evidence from a Windows workstation operates in an entirely different environment from the one responding to a cloud breach, investigating a SCADA incident, or analysing IoT sensor data from a connected facility.

Our digital forensics training portfolio covers the full investigative spectrum — from the fundamentals of computer and mobile forensics through to specialist disciplines in network, cloud, IoT, and SCADA/ICS environments, anchored by a dedicated module on forensic report writing that ensures technical findings translate into legally defensible, court-ready documentation.

All programmes are delivered by our certified examiners, led by Dr. R. Tombari Sibe (FNSE, CCISO) — practitioners with active investigative experience and an unmatched track record of training forensic professionals across Nigeria's law enforcement, financial, and corporate sectors.

Modules can be taken individually or combined into a tailored learning pathway — and our team can advise on the right combination for your organisation's specific environment, risk profile, and professional development objectives.

TRAINING MODULES

MODULE 1: COMPUTER FORENSICS

The foundational discipline of the field. This module provides comprehensive, hands-on training in identifying, acquiring, preserving, and analysing digital evidence from computers and storage media in a legally defensible, forensically sound manner.

Delivered by certified examiners with real-world investigative experience, the programme takes participants from foundational concepts through advanced forensic analysis — equipping them to conduct computer forensic examinations in both professional and law enforcement contexts.

What you will learn:

• Foundations of Digital Forensics: Principles of digital evidence, legal frameworks including the Evidence Act and Cybercrimes Act, ethical obligations, and international standards (ISO/IEC 27037).
• Forensic Evidence Acquisition: Write blocking, forensic imaging, hash verification, and chain-of-custody procedures — the foundational skills that determine whether evidence will be admissible.
• File System Analysis: Understanding NTFS, FAT, ext2/3/4, and other file systems — and what each reveals about file activity, deletion, and modification history.
• Deleted File Recovery: Techniques for recovering deleted files, fragments, and metadata from hard drives and SSDs using industry-standard forensic tools.
• Registry and Log Analysis: Windows registry forensics, event log analysis, and the investigative intelligence embedded in system artefacts.
• Email and Browser Forensics: Analysing email archives, browser histories, cached web content, and download records.
• Timeline Analysis: Reconstructing user activity and event sequences using timestamps across multiple evidence sources.
• Forensic Reporting: Writing clear, technically accurate, legally appropriate forensic reports for court, disciplinary proceedings, and regulatory matters.

Best suited for: Law enforcement, corporate security and fraud teams, legal practitioners handling digital evidence, IT professionals transitioning into forensics, compliance officers, and students entering the field.

MODULE 2: MOBILE FORENSICS

Mobile devices are now the primary evidence source in the majority of criminal and civil investigations in Nigeria. WhatsApp messages, call records, GPS histories, social media activity, banking app logs, and deleted communications all tell stories that trained examiners know how to read — and those stories frequently determine outcomes in court.

This module provides comprehensive, hands-on training in the forensic examination of smartphones, tablets, and SIM cards, covering both Android and iOS platforms and using the industry-standard tools that qualified examiners use in professional practice.

What you will learn:

• Mobile Device Architecture: Hardware, software, and storage architecture of Android and iOS devices — the foundation for forensic analysis.
• Forensic Extraction Methods: Physical, logical, file system, and advanced extraction techniques — including chip-off and JTAG methods for locked or damaged devices.
• Data Acquisition With Industry Tools: Hands-on use of Cellebrite UFED and other industry-standard tools for mobile data extraction.
• Application Data Analysis: Decoding and analysing data from WhatsApp, Facebook Messenger, Instagram, banking apps, email clients, and hundreds of other applications.
• SIM Card Forensics: Extracting and analysing SIM card data including contact lists, SMS records, and network identifiers.
• Deleted Data Recovery: Techniques for recovering deleted messages, photos, app data, and call logs from mobile device storage.
• Location and GPS Analysis: Reconstructing movement patterns from GPS data, cell tower records, Wi-Fi connection histories, and geolocation metadata embedded in media files.
• Reporting: Documenting mobile forensics findings in court-admissible reports.

Best suited for: Law enforcement investigators, corporate security and HR professionals, fraud investigators, lawyers handling digital evidence, and anyone building a career in digital forensics.

MODULE 3: NETWORK FORENSICS

When a network is compromised, the evidence of the attack flows through the same infrastructure that carried the attack itself. Network forensics is the discipline of capturing, preserving, and analysing that evidence — reconstructing what happened, determining how the attacker moved, and establishing what was accessed or taken.

This module provides both the conceptual understanding of network-based evidence and the practical skills to work with packet captures, network logs, flow data, and security appliance records.

What you will learn:

• Network Fundamentals for Forensics: TCP/IP, common protocols, and the forensic significance of each layer — the foundational knowledge that network analysis requires.
• Packet Capture and Analysis: Using Wireshark and other tools to capture, filter, and decode network traffic — extracting communications, files, and behavioural patterns from packet data.
• Log Analysis: Working with firewall, router, proxy, IDS/IPS, and server logs — correlating events across sources to reconstruct incident timelines.
• Intrusion Detection Evidence: Understanding IDS/IPS alert data, identifying false positives, and extracting meaningful investigative intelligence from detection system output.
• Network-Based Malware Identification: Recognising command-and-control traffic, data exfiltration patterns, and other network indicators of malicious activity.
• Wireless Network Forensics: Investigating incidents involving Wi-Fi networks, rogue access points, and wireless attack techniques.
• Evidence Preservation and Chain of Custody: Capturing and preserving network evidence in a manner appropriate for legal proceedings.
• Reporting: Documenting network forensics findings clearly and accurately for both technical and non-technical audiences.

Best suited for: Network administrators and engineers, SOC analysts, cybersecurity professionals, law enforcement investigators, IT auditors, and anyone involved in cybercrime investigation or security operations.

MODULE 4: CLOUD FORENSICS

As organisations migrate to cloud platforms, investigators without cloud forensics skills face an evidence landscape they cannot navigate. Evidence that once resided on physical servers within an organisation's premises now lives in distributed cloud environments — across multiple regions, behind API access controls, and subject to log retention policies that can erase critical evidence within days if it is not captured promptly.

This module equips investigators and security professionals with the forensic techniques, tools, and platform-specific knowledge needed to acquire, preserve, and analyse evidence from cloud environments.

What you will learn:

• Cloud Forensics Fundamentals: Shared responsibility models, cloud architecture concepts, and the forensic implications of distributed cloud environments.
• Evidence Acquisition in the Cloud: Legal and technical approaches to acquiring cloud evidence — API-based collection, log export, snapshot forensics, and regulatory request processes.
• Platform-Specific Forensics: AWS (CloudTrail, S3, VPC Flow Logs), Microsoft Azure (Activity Log, Defender for Cloud), Google Cloud (Cloud Audit Logs), and Microsoft 365 (Unified Audit Log, eDiscovery tools).
• Identity and Access Investigation: Investigating IAM events, privilege escalation, and credential compromise — the primary attack vectors in cloud environments.
• SaaS Forensics: Extracting forensic data from Microsoft 365, Google Workspace, and other SaaS platforms — including email metadata, document version histories, and collaboration records.
• Cloud Incident Investigation: Structured approaches to investigating cloud security incidents from initial detection through to root cause analysis and evidence documentation.
• Legal and Jurisdictional Considerations: Understanding the cross-border legal complexity of cloud evidence and the frameworks for obtaining it lawfully.

Best suited for: Digital forensics practitioners expanding into cloud environments, cybersecurity professionals in cloud-heavy organisations, law enforcement officers investigating cloud-related offences, IT professionals managing cloud infrastructure, and incident responders.

MODULE 5: IoT FORENSICS

The Internet of Things is rewriting the forensics playbook. Smart TVs, fitness trackers, connected vehicles, building access systems, industrial sensors, and home assistants all generate, store, and transmit data that can be forensically significant — and investigators who do not know how to access and interpret it are leaving compelling evidence behind.

This module provides a structured introduction to forensic investigation of IoT devices — covering the diverse architecture of connected devices, the forensic techniques appropriate to each category, and the evidentiary standards required to present IoT-derived evidence in court.

What you will learn:

• IoT Device Architecture: Hardware, firmware, operating systems, and communication protocols of the major IoT device categories — the foundational knowledge that forensic analysis requires.
• Evidence Identification: Recognising which IoT devices in an environment may hold forensically relevant data and understanding what types of data each device class typically stores.
• Data Extraction Techniques: Extracting data from IoT devices through logical interfaces, firmware extraction, cloud account access, and manufacturer subpoena processes.
• CCTV and DVR Forensics: Recovering, authenticating, and analysing footage from security cameras and digital video recorders — including from overwritten, damaged, or corrupted systems.
• Connected Vehicle Forensics: Accessing and interpreting location history, driver behaviour data, infotainment records, and communication logs from modern connected vehicles.
• Cloud-Connected IoT: Understanding how IoT devices interact with cloud backend services — and how to obtain forensically relevant data from the cloud components of IoT ecosystems.
• Evidence Admissibility: Documenting IoT forensics findings in a manner appropriate for court presentation, addressing the authenticity and reliability challenges that novel evidence types face.

Best suited for: Digital forensics practitioners, law enforcement investigators, cybersecurity professionals in IoT-heavy environments, IT security teams for smart building and industrial operations, and anyone building specialist forensics capability.

MODULE 6: SCADA / ICS FORENSICS

SCADA and Industrial Control Systems present forensic challenges that bear little resemblance to conventional IT environments. These systems are often decades old, run proprietary protocols, and are designed for reliability rather than security. Evidence artefacts are embedded in historian databases, controller event logs, and network traffic that require specialist knowledge to recognise and interpret. And the consequences of getting the forensic response wrong — disrupting live industrial operations — can be catastrophic.

This module provides a specialised, rigorous introduction to forensic investigation in OT environments — one of the rarest and most sought-after skills in the global security community.

What you will learn:

• ICS/OT Architecture: Understanding SCADA systems, PLCs, RTUs, HMIs, historian databases, and the network architectures of industrial environments — the essential foundation for forensic work in these settings.
• OT Threat Landscape: The specific threat actors, attack techniques, and malware families that target industrial control systems — including Stuxnet, Triton/TRISIS, and Industroyer — and what they leave behind forensically.
• Evidence Sources in OT Environments: Historian databases, controller event logs, engineering workstation artefacts, and network traffic — and how to identify and collect forensic evidence from each without disrupting operations.
• OT Network Analysis: Analysing industrial protocols including Modbus, DNP3, and OPC for anomalous traffic patterns indicative of attack or unauthorised activity.
• Safe Evidence Collection Procedures: Techniques for collecting evidence from live OT environments in ways that preserve operational integrity — the defining challenge of SCADA forensics.
• Malware Analysis in OT Contexts: Identifying, isolating, and analysing malicious code in industrial environments where safe execution and isolation are particularly complex.
• IT/OT Boundary Investigation: Investigating the increasingly common attack path from corporate IT networks into OT environments — and the forensic artefacts the traversal leaves.
• Reporting and Regulatory Documentation: Structuring forensic findings for operational teams, executive leadership, regulators, and legal proceedings.

Best suited for: Security professionals in energy, oil and gas, manufacturing, and utilities; forensic practitioners extending into OT environments; incident responders at organisations with OT infrastructure; and regulators overseeing critical infrastructure security.

MODULE 7: FORENSIC REPORT WRITING

The forensic report is the primary output of a digital investigation. It is the document that will be scrutinised by lawyers, challenged by opposing experts, evaluated by judges, and — in many cases — will determine whether the investigation achieves its purpose. A technically excellent investigation communicated through a poor report is an investigation that fails.

This module provides a systematic, practical approach to writing forensic reports that are clear, technically accurate, legally defensible, and genuinely useful to the legal teams and decision-makers who rely on them. It is a recommended complement to every other module in this portfolio.

What you will learn:

• Report Structure and Components: The anatomy of a forensic report — executive summary, scope and methodology, findings, analysis, conclusions, and appendices — and the purpose and requirements of each component.
• Writing for Non-Technical Audiences: Communicating technical findings clearly and accurately without oversimplifying — the core skill of forensic report writing that most practitioners underestimate.
• Facts, Inferences, and Opinions: The critical distinction between what the evidence shows, what can be reasonably inferred from it, and what constitutes expert opinion — and how to make these distinctions explicit and defensible in a report.
• Methodology Documentation: Writing methodology sections that are sufficiently detailed to be reproducible, defensible under challenge, and clear to non-forensic readers.
• Chain-of-Custody Documentation: Integrating chain-of-custody records into forensic reports in a format that satisfies legal requirements.
• Writing Precisely About Technical Findings: Avoiding ambiguity, passive constructions, and imprecise language that creates loopholes for adversarial challenge.
• Practical Report Review and Critique: Participants analyse and critique sample forensic reports — identifying weaknesses, improving structure, and revising language through structured exercises.
• Affidavit and Court-Specific Formats: Adapting forensic findings for affidavits, court-specific report formats, and summary documents for non-expert decision-makers.

Best suited for: Digital forensics examiners at all experience levels, law enforcement investigators producing digital evidence reports, IT security professionals writing incident reports for legal or regulatory use, and anyone whose forensic findings may be used in legal or disciplinary proceedings.

SELECTING THE RIGHT MODULE FOR YOUR SECTOR

Not every organisation needs all seven disciplines — but most need more than one. The table below provides a starting point for organisations looking to identify the modules most relevant to their environment, risk profile, and investigative mandate.

Banking and Financial Services
Primary relevance: Computer Forensics, Mobile Forensics, Cloud Forensics, Forensic Report Writing Financial fraud, employee misconduct, and payment system incidents leave evidence across workstations, mobile devices, and cloud-hosted banking platforms. Mobile forensics is particularly critical given the dominance of WhatsApp and mobile banking apps in financial fraud cases. Cloud forensics addresses the growing proportion of banking infrastructure operating in cloud environments. Report Writing is essential for producing documentation that meets CBN evidentiary and regulatory standards.

Law Enforcement and Government
Primary relevance: Computer Forensics, Mobile Forensics, Network Forensics, IoT Forensics, Forensic Report Writing Law enforcement agencies require broad forensic competence across all endpoint types. Mobile forensics is the highest-priority discipline given the role of mobile devices in virtually every criminal investigation in Nigeria. Network forensics supports cybercrime investigation and surveillance evidence analysis. IoT forensics is increasingly relevant as connected devices appear at more crime scenes. Forensic Report Writing is foundational for all officers preparing evidence for prosecution.

Oil, Gas, and Energy
Primary relevance: SCADA/ICS Forensics, Network Forensics, Computer Forensics Nigeria's energy sector is a high-priority target for both state-sponsored and criminal threat actors. SCADA forensics is uniquely relevant to this sector — attacks on operational technology infrastructure require examiners with OT-specific knowledge. Network forensics supports incident investigation across complex industrial networks. Computer forensics addresses the IT-side of hybrid IT/OT incidents.

Legal and Professional Services
Primary relevance: Computer Forensics, Mobile Forensics, Forensic Report Writing Law firms, courts, and dispute resolution practitioners need forensic evidence they can use — and the forensic report writing module is as important as any technical discipline for professionals whose primary engagement with forensic work is through the reports produced. Computer and mobile forensics support evidence review, discovery, and expert witness preparation.

Telecommunications
Primary relevance: Network Forensics, Cloud Forensics, Computer Forensics Telecoms organisations face both external threats and complex internal incident investigation requirements. Network forensics is central to this sector — both for investigating breaches and for interfacing with law enforcement on lawful intercept and call record requests. Cloud forensics supports investigation of incidents in cloud-hosted telecoms infrastructure.

Manufacturing and Industrial Operations
Primary relevance: SCADA/ICS Forensics, IoT Forensics, Network Forensics Manufacturing environments increasingly blend traditional OT with IoT sensors, connected equipment, and IP-networked plant systems. SCADA forensics addresses incidents in control system environments. IoT forensics covers the rapidly expanding population of connected devices on the factory floor. Network forensics supports investigation of intrusions that traverse industrial networks.

Corporate Enterprise (Cross-Sector)
Primary relevance: Computer Forensics, Mobile Forensics, Cloud Forensics, Forensic Report Writing Most corporate organisations require a core capability across the three dominant evidence environments — endpoint, mobile, and cloud — backed by the report writing skills needed to translate findings into actionable documentation for HR, legal, and executive audiences.

DELIVERY FORMAT

All modules are available as instructor-led classroom training, on-site delivery at client premises, or as bespoke organisational programmes combining multiple disciplines into a structured learning pathway. Practical lab sessions form a core component of every module — participants work directly with forensic tools on realistic case scenarios drawn from the Nigerian context.

Organisations seeking to build comprehensive internal forensic capability can work with us to design a multi-module training pathway tailored to their team composition, existing skill levels, and investigative environment.