Skip to main content Skip to navigation


SarahM Operation Poppins: An immersive Interactive case study driven module approach.
Like a lot of recent teaching developments, the pandemic and lockdowns forced us to re-evaluate how to deliver engaging remote content. Together with limited staffing resources there was an urgent operational requirement for case study driven teaching which kept a high level of interactive student engagement in a remote setting. The success of the resources trialled during this period led to the development of an outreach course which successfully trialled a whodoneit style of immersive investigation throughout the entire module. The result included animated character videos, interactive online and in person exercises for each activity area, and a virtual crime scene for additional reflection and learning. By the end of the module the students had solved their first mini digital forensics case. The technique has proven so successful in outreach trials it has now been developed into a full module for postgraduate students. This talk will briefly describe the development journey, the resulting module, and look at results from trials to date.

Professor Sarah Morris is an academic and practitioner of digital forensics based at the University of Southampton. Sarah has been active in this field for over 14 years and has experience on working on a wide range of criminal, civil, corporate, and media based investigations. Sarah is involved with various national advisories, and is a member of the Biometrics and Forensics Ethics Group (BFEG). Before finding out about digital forensics Sarah spent some time as a high school teacher and has always had a love of outreach activities and education. Sarah previously ran the NCSC certified Digital Forensics MSc at Cranfield University, and taught across all modules. Having won multiple awards for her teaching across the years and having a track record of innovation she was appointed Deputy Assistant Director of Education for Teaching and Research at Cranfield Defence and Security. Having left Cranfield in September to join Southampton she is now setting up Digital Forensics activity there and driving the way in immersive gamified education.


Taking 3 Random Devices to create a Forensic Profile.

Within Crime & Policing, Cybercrime is the major growing area of reported crime. The estimated cost to the UK economy is estimated to be in the region of £27 billion per annum with computer enabled fraud and computer misuse accounting for the largest growths of reported crime in 2019/20.
To meet this challenge, there is an increasing need to be able to train more law enforcement professionals and cyber security industry specialists in digital evidence and cyber security techniques. One of the most critical training needs for First Responders and Digital Forensics Investigators is to be able to have digital evidence that is customized to their training needs and uniquely different to previous resources which can be forensically investigated, and evidence retrieved and analysed.
This requires the use of automation tools to take a wide range of base digital platforms Windows, Mac OSX and Linux and create digital evidence artefacts with different case scenario evidence. It is essential to have a wide base of material and many digital devices now are not just desktops or laptops but consumer devices or industrial IoT devices.

The challenge: Can we take 3 random digital evidence objects in a given abandoned residence or location crime scene and ask what does this evidence tell us about the owner or user these devices, develop a profile based on what the evidence reveals

This could be an abandoned caravan or a secret cannabis farm in an industrial unit with an unidentified corpse and no personal possessions other than a number of digital devices (NOT a phone)

Adrian Winckles is Director for the Cyber Security & Networking Research Group and Security Researcher at Anglia Ruskin University. He is OWASP Cambridge Chapter Leader, OWASP Europe Board Member, Chair of OWASP Education and Training Committee and is on the Board of the Cyber East Cluster. His security research programs include (in)security of software defined networks/everything (SDN/Sdx), novel network botnet detection techniques within cloud and virtual environments, distributed honeypots for threat intelligence, advanced educational techniques for teaching cybercrime investigation and virtual digital crimescene/incident simulation. He has successfully completed a contribution to the European FP7 English Centre of Excellence for Cybercrime training, research and education (ECENTRE). He is Chair of the BCS Cyber Forensics Special Interest Group. Adrian is also CTO for Xorb Security, an intelligent threat data capture startup.



CyberWomen@Warwick is a student-led initiative, created by a group of female students on the BSc Cyber Security course at Warwick. The women running CyberWomen@Warwick are passionate about inspiring more women into the industry, promoting inclusivity and positive change within STEM. Through regular social as well as formal events, CyberWomen@Warwick aims to empower the female voice in Cyber.

Within weeks of forming, CyberWomen@Warwick decided to run a national conference which gave voice to influential women in cyber. The entire conference was designed and delivered by BSc students and was part of the CyberKali project - an NCSC project held jointly by Warwick and Aston University.

This talk highlights the experiences of the students who led the initiative. From finding the speakers, finding rooms, organising bookings, ordering merchandise, this talk reflects on the experience of running a conference as a student.

Sophie Powell is a year three cyber security student. Sarah Tipper is a year two cyber security student.

Along with Ana Vijay, Elise Ghent, Jenny McCullagh, and Rosie Marlton - also on the CyberWomen@Warwick exec - Sophie and Sarah are deeply passionate about empowering the female voice in cyber.



Is the Digital Forensic Tool User Interface Broken? "Is the Digital Forensic Tool User Interface Broken?

The NPCC (2020, p.5) states that: Digital forensic (DF) science - examining digital evidence to support investigations and prosecutions - was once niche but is now very much mainstream. Over 90% of all crime is recognised as having a digital element, and society's accelerating use of technology means the critical role DF science plays will only grow. They identify three core challenges:
1. the sheer volume of data and devices leading to backlogs and delays in investigations;
2. the complexity of digital examinations including the variety of devices available, use of encryption, the number of data formats used, and the increasing use of cloud storage; and
3. the need to maintain the legitimacy of the police in the digital landscape given 1 and 2 and law enforcement's need to work in new ways to deal with these issues. (ibid.)
Given the volume of data and complexity of the examinations this research interviewed 12 DF practitioners in an attempt to understand how the user interface of DF tools may exacerbate these issues, and what their suggestions may be to mitigate these. This work explores the responses, provides an initial analysis, and provides suggestions for how these findings may feed into the next generation of DF tools.

This workshop then asks participants to consider the user interface design considerations of DF tools and asks the questions:
What do you think is wrong with the user interface of DF tools that you use in your teaching?
How might these issues be alleviated?
Do you ask students to consider user interface design considerations when DF tool testing?
Do you have any students working on any DF user interface design assessments or projects.

Dr Paul Stephens is Director of Academic Studies in Law, Policing & Social Sciences, and a Principal Lecturer in Cybercrime & Digital Policing at Canterbury Christ Church University. He is Co-Vice Chair of the IFIP 11.12 Working Group on Human Aspects of Information Security and Assurance and is a founding committee member of the BCS Cybercrime Forensics Specialist Group . He works with, and teaches, representatives of law enforcement organisations from across Europe on digital crime related matters. He has worked in collaboration with the College of Policing and the Justice Institute of British Columbia to develop and deliver academic Masters courses. He has led European Commission funded training development and delivery in digital forensics for EU members states and law enforcement agencies including Europol, CEPOL, Interpol, and UNODC. His co-authored books include Policing Digital Crime (published by Routledge) and Investigating Digital Crime (published by Wiley). He has also contributed to Blackstone's Handbook for Policing Students (published by Oxford University Press).

Danny Werb is a Lecturer and PhD candidate in Computing and Digital Forensics at Canterbury Christ Church University. His research is focused on the user experience aspect of digital forensics tools and those who use them, with a particular lens on the feasibility of Virtual Reality to augment and enhance the practitioner's experience. Danny has taught on several modules including Cybersecurity, Digital Forensics, Advanced Computer Networks, and Operating Systems, and currently leads on Data Recovery and Analysis.


Are we preparing our students for real world digital forensics?

The teaching of digital forensics must be restricted, by its very nature, as we can’t teach students everything. There is a new threat to best practice that we have encountered in our research, which could lead to a miscarriage of justice, where an innocent person is falsely accused of a crime. In our research we have found that hardware devices, such as the Rubber Ducky, Bash Bunny and the O.MG cable can be used to commit or facilitate a crime. These devices leave very little forensics evidence on the target device, other than showing that a file was accessed or that an illegal picture was downloaded and viewed. The user of the victim machine could easily be wrongly accused of a crime that they know nothing about, and they will not easily be able to prove their innocence. Forensics investigators might look no further than the access times of the file that was altered or the picture that was downloaded and viewed and would not even look for clues that might point to a hardware attack. This paper highlights the difficulties of proving that a hardware attack even took place and shows the lack of awareness amongst digital forensics investigators to this possibility.

This talk introduces this problem and reflects on our experiences of teaching this to students. This has been taught as a workshop to students, with a short lecture on the background to hardware attacks, followed by a practical interactive demonstration of the dangers of these devices. The response was very positive, and we currently have two masters students and an undergraduate student working on furthering this research as part of their project dissertation.

Damola Lawal. is a Ph.D. student at the University of Greenwich, working with Dr. David Gresty and Dr. Diane Gan on research into hardware attacks to prevent miscarriages of justice. He runs seminars for a wide range of undergraduate and postgraduate students within the digital forensics portfolio on this topic. He is also active in consultancy and training within the wider community. Damola holds a Masters in Computer Forensics and Cybersecurity, and different industry certifications such as the Cisco CCNA Security, EC-Council CEH, CISSP (Associate), and BCS CISMP. He is also a member of the (ISC)2.


The Digital Forensics Project Day

The digital forensics project day is a day long group project, worth 20% of the module grade, which runs on the fourth day of the week long digital forensics module at Warwick. PG students are put into groups, deliberately mixed by nationality and gender, and given a substantive task which takes a day to solve. The task is assessed by presentation the following day.

In this talk, student tuned lecturer Sarah Aktaa (class of 2022) is joined by two current students to disseminate her experiences of the module from both sides of the student-lecturer fence. As a student, what were the experiences of this project day, and now one year on as a lecturer, what reflections does Sarah have?

Sarah Akhtaa is a teaching fellow at the University of Warwick. Sarah has completed the MSc Cyber Security Management degree and is involved with teaching digital forensics, cyber fundamentals, and the cyber context of software engineering.


D2WFP: Novel Protocol for forensically identifying, extracting, and analyzing deep and dark web artifacts

Criminal activities committed or facilitated using the deep and dark web facilities have considerably increased during the last decade. In essence, the use of private and anonymous browsing through TOR or other browsers brought a positive contribution to individuals' online security and privacy. Nevertheless, this technology enabled the creation of new segments of the web which aren't searchable via Google or accessible via standard browsers. Despite the advances in cyber forensics techniques, tools, and methods, few research works tackled the deep and dark web investigation. This research proposes a novel and comprehensive protocol aiming to guide and assist digital forensics professional in performing forensic investigations of crimes committed on or via the deep and dark web. The proposed protocol D2WFP includes new and deepen existing methods notably by establishing an order of performing tasks and sub-tasks to increase current tools and frameworks output accuracy and increase effectiveness. After a critical analysis of existing methods and guidelines employed by professional, we developed the new protocol built following a scientific and experimental approach. The protocol was then tested following a comprehensive and rigorous approach using several cases both computed and mobile-based crafted within our laboratory. The investigated were carried out using full version of OpenText FTK, Magnet AXIOM and Cellebrite UFED. The obtained results validate D2WFP efficiency in term of recovering forensics artifacts and facilitating findings interpretation, correlation, and presentation. In addition, D2WFP provide an educational impact allowing the integration of dark web forensics within DFIR curriculum for both under and post-graduate students.

Mohamed Chahine Ghanem (Chahine) is principal lecturer in cyber security and digital forensics. He is the deputy-director of the Cyber Security Research Centre and the Chair of Subject Standard Board for Computer Science and Applied Computing. He is also the course leader for Digital Forensics and Cyber Security BSc (Hons).
Chahine received a BEng in Computing in 2007 and an Engineering degree in System and Security in 2010. He also obtained his Digital Forensics MSc with distinction in 2015 and is currently finishing his PhD in Offensive Cyber Security. He is also a Fellow of HEA and holds a PGC in Academic Practice from City, University of London. He has over 10 years of experience in the field of digital forensics and incident investigation at law enforcement and at a corporate level.
Chahine is currently teaching several modules including Digital Forensics, Digital Crime Investigation and Ethical Hacking. Alongside this, he's researching within the University’s Cyber Security Research Centre on topics related to digital forensics and applied offensive cyber security, while seeking to take advantage of existing national and international funding opportunities.


Understanding Digital Forensic degree offerings in the context of UK Academia

Digital forensics degrees became very popular in the mid-late 2000s, and along with games design/programming, are often attributed as having turned the tide of decreasing computer science applications to HEIs. Student interest in computing was dwindling, and forensics became a very popular degree.

However, delivering these degrees, and especially - managing the student experience and expectations - was a huge challenge.

The number of digital forensics degrees being offered in the UK has decreased since then. This talk looks at the status quo, and by drawing on data relating to forensics and cyber security degrees at both UG and PG, we attempt to reason with where the discipline is headed, and provides specific focus on what the author believes to be the main challenges facing tutors within the domain.

Dr. Harjinder Singh Lallie is the director of the Academic Centre of Excellence in Cyber Security Education, and Discipline Group Leader for Cyber Security. Harjinder is a university reader at the University of Warwick and a visiting supervisor at the University of Oxford. Harjinder leads the education provision at the University of Warwick. Harjinder has more than twenty years of teaching experience and currently leads the MSc Cyber Security and Management degree, teaches three modules on the programme degree at Warwick and has taught the Digital Forensics module at the University of Oxford.
Harjinder’s research focuses on the area of complex attack modelling and the use of AI in digital forensics. He has published numerous research papers in the world’s top cyber security journals.