Part 6 of 6

Practical Lab

🕑 180-240 minutes 📖 Advanced Level 📋 Module 7

Practical Lab Overview

This practical lab integrates all the skills you've learned in Module 7. You will work through a realistic case scenario, creating documentation, drafting a Section 63 BSA certificate, writing a forensic report, and preparing for a mock court presentation.

📚 Learning Objectives

By completing this lab, you will demonstrate mastery of forensic documentation, Section 63 BSA certification, report writing, and court presentation preparation through practical application.

Instructions
  • Work through each exercise sequentially
  • Use the templates and formats covered in Parts 1-5
  • For self-study, complete exercises and compare with provided guidelines
  • For instructor-led training, submit deliverables for evaluation
  • Estimated total time: 3-4 hours

Case Scenario

Case: Corporate Data Theft Investigation

FIR No. 247/2025, PS Cyber Crime, Bengaluru

Background

TechSolutions Pvt. Ltd., an IT services company in Bengaluru, discovered that a former employee, Rajesh Kumar, allegedly stole proprietary client data and trade secrets before resigning. The company suspects he transferred data to a competitor, DataServe Technologies.

Allegation

Mr. Kumar is alleged to have copied confidential client databases, source code, and business proposals to an external USB drive and personal cloud storage during his notice period. An FIR has been filed under:

  • Section 318 BNS (Cheating)
  • Section 316(2) BNS (Criminal Breach of Trust by employee)
  • Section 43 IT Act (Unauthorized access and data theft)
  • Section 66 IT Act (Computer-related offences)

Evidence Seized

The following digital evidence was seized from Mr. Kumar's residence under a valid search warrant:

| Evidence ID | Description | Details |
|---|---|---|
| DE-2025-00247-001 | HP ProBook Laptop | Model: 450 G8, S/N: 5CG1234567, 512GB SSD, Windows 11 Pro |
| DE-2025-00247-002 | SanDisk USB Drive | 64GB, S/N: 4C530001234567 |
| DE-2025-00247-003 | Samsung Galaxy S23 | IMEI: 351234567890123, 256GB Storage |

Examination Findings Summary

You have completed the forensic examination and found the following (use these findings for your exercises):

Laptop Findings (DE-2025-00247-001)

  • User account "rajesh.kumar" with login history from 01/01/2025 to 15/03/2025
  • Last login: 14/03/2025 at 22:47 IST (one day before resignation)
  • USB device (matching DE-002) connected 47 times between 01/02/2025 and 14/03/2025
  • File copy operations totaling 4.7GB detected in Windows Event Logs
  • Browser history shows Google Drive access with file uploads on 10/03/2025, 12/03/2025, 14/03/2025
  • Deleted folder recovered: C:\Users\rajesh.kumar\Documents\TechSolutions_Backup\ containing 234 files (client databases, source code)
  • Email client shows communications with contact@dataserve.in discussing "new opportunity" and "bringing valuable experience"

USB Drive Findings (DE-2025-00247-002)

  • Contains folder structure matching TechSolutions internal file server
  • 156 files totaling 3.2GB: Client_Database.xlsx, Project_Proposals/, Source_Code/
  • File metadata shows copy dates: 10/03/2025, 12/03/2025, 14/03/2025
  • Several files still have TechSolutions document headers and confidentiality notices

Mobile Phone Findings (DE-2025-00247-003)

  • WhatsApp chat with "Vikram - DataServe" discussing job offer and "useful data"
  • Google Drive app showing 4.7GB cloud storage used, synced with laptop
  • Photos of whiteboard with TechSolutions client information taken on 05/03/2025
  • Call logs showing 23 calls to DataServe Technologies number between February and March 2025

Hash Values

| Evidence | MD5 | SHA-256 |
|---|---|---|
| DE-2025-00247-001 | a8f5c2d1e9b4f7c3a2d6e8b1 | 7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069 |
| DE-2025-00247-002 | b9e6d3c2f0a5e8d4b3c7f9a2 | 9d8c7b6a5e4f3d2c1b0a9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2e1d0c9b8 |
| DE-2025-00247-003 | c0f7e4d3a1b6f9e5c4d8a0b3 | 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2 |

Exercise 1: Evidence Documentation

Create Evidence Log and Chain of Custody

45-60 minutes

Using the templates from Part 2, create comprehensive documentation for all three evidence items.

Tasks:
  1. Complete evidence log entries for all three items (use format from Part 2)
  2. Create chain of custody records documenting transfer from seizing officer to examiner
  3. Document the acquisition process including tools used and hash verification

Deliverables
  • Three completed evidence log forms
  • Three chain of custody forms
  • Acquisition log with hash values

💡 Guidance

Remember to include: unique evidence IDs, complete physical descriptions with serial numbers, acquisition dates and methods (assume FTK Imager for laptop/USB, Cellebrite for mobile), calculated hash values, and storage location information.
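
The hash verification step from task 3, as an added example that is not part of the course material: it recomputes MD5 and SHA-256 over an image in one pass, checks that the recorded digests are full-length hex, and returns an acquisition-log entry with a verification status. The function names, status labels, examiner placeholder and sample bytes are assumptions made for illustration.

```python
import hashlib
import io
from datetime import datetime, timezone

HEX_LEN = {"md5": 32, "sha256": 64}  # digest lengths in hex characters


def hash_stream(stream, chunk_size=1 << 20):
    """Read the image once, in chunks, and feed both algorithms."""
    digests = {"md5": hashlib.md5(usedforsecurity=False), "sha256": hashlib.sha256()}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def well_formed(recorded):
    """A recorded digest must be hex-only and of the full length for its algorithm."""
    def ok(name):
        value = recorded.get(name, "").strip().lower()
        return len(value) == HEX_LEN[name] and all(c in "0123456789abcdef" for c in value)
    return all(ok(name) for name in HEX_LEN)


def verification_entry(evidence_id, stream, recorded, tool, examiner):
    """Return one acquisition-log entry comparing recorded and recomputed hashes."""
    computed = hash_stream(stream)
    if not well_formed(recorded):
        status = "RECORD_MALFORMED"  # truncated or mistyped digest in the paperwork
    elif all(recorded[n].strip().lower() == computed[n] for n in HEX_LEN):
        status = "MATCH"
    else:
        status = "MISMATCH"  # this copy differs from the image hashed at acquisition
    return {
        "evidence_id": evidence_id, "tool": tool, "examiner": examiner,
        "verified_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "recorded": recorded, "computed": computed, "status": status,
    }


if __name__ == "__main__":
    image = b"constructed sample image bytes, not real evidence"
    at_acquisition = hash_stream(io.BytesIO(image))
    for label, data in (("working copy", image), ("altered copy", image + b"\x00")):
        entry = verification_entry("DE-2025-00247-002", io.BytesIO(data),
                                   at_acquisition, "FTK Imager", "EXAMINER-PLACEHOLDER")
        print(label, entry["status"], entry["computed"]["sha256"])
```

For a real image, pass `open(path, "rb")` as the stream and copy the returned entry into the acquisition log alongside the chain of custody record.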

Exercise 2: Section 63 BSA Certificate

Draft Section 63 BSA Certificate

45-60 minutes

Using the comprehensive template from Part 3, draft a Section 63 BSA certificate for the laptop evidence (DE-2025-00247-001).

Tasks:
  1. Address all four mandatory conditions under Section 63(2)
  2. Include specific device identification details
  3. Include hash values for integrity verification
  4. Ensure the certificate is signed by an appropriate certifier

Assumptions for Certification:
  • Certifier: You as the forensic examiner who acquired and analyzed the evidence
  • The laptop was seized in working condition
  • Forensic acquisition was performed using standard methods
  • The working copy was used for analysis

Deliverables
  • Complete Section 63 BSA certificate for DE-2025-00247-001
  • Certificate should be ready for court submission

Exercise 3: Forensic Report Writing

Write Executive Summary and Findings Section

60-90 minutes

Using the report structure from Part 4, write an executive summary and key findings section for this case.

Tasks:
  1. Write a 1-2 page executive summary suitable for non-technical readers
  2. Document at least 5 key findings with specific details
  3. Include your expert conclusions on the investigative questions
  4. Reference supporting evidence with exhibit numbers

Questions to Address:
  • Did Mr. Kumar copy confidential data from TechSolutions?
  • When did the alleged data theft occur?
  • What evidence connects Mr. Kumar to DataServe Technologies?
  • What was the volume and nature of data allegedly stolen?

Deliverables
  • Executive summary (1-2 pages)
  • Findings section with at least 5 detailed findings
  • Conclusions section with expert opinion

📋 Evaluation Criteria

| Criterion | Points |
|---|---|
| Clear, non-technical language in executive summary | 20 points |
| Specific details (dates, quantities, file names) | 20 points |
| Logical organization of findings | 15 points |
| Evidence references (hash values, exhibit numbers) | 15 points |
| Appropriate expert conclusions (within scope) | 15 points |
| Professional formatting and presentation | 15 points |

Exercise 4: Court Preparation

Prepare for Cross-Examination

30-45 minutes

Anticipate and prepare responses to likely cross-examination questions from defence counsel.

Tasks:
  1. Identify at least 5 potential weaknesses or challenges in your findings
  2. Write prepared responses to anticipated cross-examination questions
  3. Note any limitations you would acknowledge

Potential Challenge Areas:
  • Could someone else have used Mr. Kumar's devices?
  • How do you know the files were confidential?
  • What if Mr. Kumar was authorized to copy these files?
  • Could the data have been planted after seizure?
  • How reliable are your forensic tools?

Deliverables
  • List of 5+ anticipated challenges
  • Prepared responses for each challenge
  • Acknowledged limitations

Exercise 5: Mock Testimony

Practice Examination-in-Chief

30-45 minutes

Prepare and practice your examination-in-chief testimony for this case.

Tasks:
  1. Write an opening statement establishing your qualifications
  2. Prepare a narrative explanation of your examination methodology
  3. Write clear explanations of your key findings for a non-technical audience
  4. Practice delivering your testimony aloud (or with a partner)

Key Elements to Include:
  • Your qualifications and experience
  • How you received and verified the evidence
  • What tools and methods you used
  • What you found (in plain language)
  • Your expert opinion on what the evidence shows

Deliverables
  • Written testimony outline/script
  • Practice presentation (self-recorded or with partner)

💡 Practice Tips
  • Record yourself and review for filler words ("um," "uh")
  • Time yourself - aim for clear, measured delivery
  • Practice explaining technical terms simply
  • Have someone play "defence counsel" to challenge you

Submission Guidelines

📦 For Instructor-Led Training
  • Compile all deliverables into a single PDF or document package
  • Include your name and CDFP enrollment number
  • Submit via the designated submission portal
  • Deadline: As specified by your instructor

📚 For Self-Study
  • Complete all exercises using the case scenario provided
  • Compare your work against the templates and examples in Parts 1-5
  • Review the evaluation criteria to self-assess
  • Consider having a colleague review your work

📚 Lab Completion Summary
  • Exercise 1: Created evidence documentation (logs and chain of custody)
  • Exercise 2: Drafted Section 63 BSA certificate with all four conditions
  • Exercise 3: Wrote executive summary and findings for forensic report
  • Exercise 4: Prepared cross-examination responses
  • Exercise 5: Practiced examination-in-chief testimony
  • These skills integrate everything from Module 7 for real-world application