Established in 1998, the Digital Investigation Unit aims to investigate digital devices and their associated data to provide intelligence, information, or evidence relating to system or user activity. This is achieved by a variety of casework, research, and education.
The Digital Investigation Unit (DIU), previously known as the Digital Forensics Unit and originally the Centre for Forensic Computing, is widely recognised as the United Kingdom’s unit of excellence for digital investigation education, research and consultancy. It was founded in 1998 by Professor Tony Sammes to meet a growing industry requirement for digital investigation education. The unit’s remit has always been to be active in casework, research, and education to ensure practitioner requirements stay at the heart of its outputs. The education offerings led to the development of the MSc in Forensic Computing, which later developed into the MSc in Digital Forensics.
In December 2015, Dr Sarah Morris took over as Head of the Unit; she obtained the first NCSC (GCHQ) certification for a Digital Forensics master's programme. Since then, with the assistance of a growing team of internal academic staff, PhD students and external practitioners as visiting lecturers, the unit has continued to develop its facilities, offerings and casework remit. From early 2021 the team is redeveloping its facilities, consultancy, and education to reflect its digital investigation expertise.
Our courses are developed to follow a variety of investigations from criminal to covert, encompassing all aspects of digital investigation. Each of our courses follow the DIU’s core principles:
- A maximum of half a session is taught and directly followed by practical exercises for the remainder of the session;
- Scenario-based learning, with each course following a novel, fun investigation throughout;
- Content and exercises are low level and, where possible, at the binary level;
- Content is driven by casework and research;
- Classroom management software is utilised throughout the DIU, providing an enhanced learning environment.
These core principles ensure the DIU offers exceptional education for our range of students, allowing them to gain vital skills and experience to directly feed into the workplace.
Supporting your business
Alongside our education and research offerings, the DIU actively fulfils digital investigation consultancy work. The unit operates in all areas of digital investigation, ranging in complexity, including:
- Encrypted or obscured data;
- Deleted and fragmented files;
- Internal workings of operating systems;
- Destructive and non-destructive acquisition techniques.
Our previous work has included:
- The investigation of a smart washing machine;
- Working with celebrity clients;
- Manually recovering data from a partially damaged RAID device;
- Document analysis to ensure authenticity;
- Using the DIU’s chip off acquisition method to a mobile device for data analysis.
We are interested and perform scholarship in all aspects of digital investigation, particularly those involving technical solutions. The DIU’s current scholarship work includes:
- Sneaky-Peaky: an onsite automated investigation robot assistant;
- Documenting and standardising non-trivial acquisition approaches;
- Game console investigation;
- Document investigation;
- Smart home investigation;
- Identification of digital devices using crime scene dogs;
- Volume shadow copy investigation;
- APFS file system investigation;
- IOT investigations;
- Developing an AI/machine learning based approach to identify malware attack vectors on Android devices;
- SMURF: Social Media User Relationship Framework.
The Teaching Lab is the predominant space for digital investigation teaching. Using a custom-built laboratory enables us to ensure each session has a suitable practical exercise to reinforce the theoretical material. Currently, the laboratory can seat up to 25 students. For each module, the relevant bespoke machines are added to the laboratory; a custom-built OS image with relevant software and data is created for each course. Alongside this, interactive whiteboards, machine learning and a variety of digital devices are used to enhance the student experience.
Scene Investigation Laboratory
The Scene Investigation Lab provides a practical environment for simulated investigation scenes. The laboratory is on the DIU private secured network enabling us to simulate a variety of data activity. A range of cameras and microphones are in the room to enable the room to be recorded for student reflection and review. 360-degree virtual views of the room are also available remotely. The laboratory is regularly adapted to allow users to experience a range of different investigations. The scene investigation laboratory is regarded as a great experience and opportunity to build new skills by our students.
Adaptable Research Environment
The Adaptable Research Environment (ARE) hosts a flexible research space to conduct an extensive suite of research. The ARE accommodates a practical area to perform a range of research, including virtual reality, gaming experimentation, network simulations and invasive acquisition approaches. The environment also includes a variety of bespoke machines, with access to an assortment of digital investigations tools, from open source to industry standard. Users have access to a comprehensive selection of equipment, from legacy data storage to current smart home devices for research needs.
Since the DIU’s inception in 1998, over 800 casework jobs have been performed by the team. The Casework Laboratory holds a selection of secure and sandboxed equipment to facilitate a range of consultancy work. The DIU works with clients across various sectors, including intelligence/information gathering, incident response, civil and criminal investigations.
The Evidence Store comprises secure storage facilities and acquisition stations. Physical and data storage is available, with each case being individually stored in line with the customers' requirements. The acquisition stations have a collection of open source and industry standard tools to perform a combination of acquisition techniques, including chip off and JTAG.