Lesson 1
Email and messaging sources: mailbox exports, SMTP/IMAP logs, message headers, retention policies, and eDiscovery considerations
This section covers evidentiary artefacts from email and messaging platforms, including mailbox exports, protocol logs, message headers, retention rules, and eDiscovery workflows, emphasising authenticity, completeness, and defensible collection methods for Nigerian businesses.
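The message header and routing analysis covered in this lesson rests on one procedure: read the Received headers bottom-up, confirm that each hop's "by" host is the next hop's "from" host and that timestamps move forward, then read the receiving server's Authentication-Results. The script below is an added example, not course material; the message, hostnames, addresses and queue IDs in it are constructed.

```python
"""Reconstruct a message's relay path from its Received headers.

Added example for the header-analysis topic; not part of the course
material. The message, hosts, addresses and IDs below are constructed.
"""
import email
import re
from email.utils import parsedate_to_datetime

# "from <host> (<reverse-DNS info>) by <host>" as written by most MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<from_info>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

SAMPLE_MESSAGE = """\
Received: from mx2.example.ng (mx2.example.ng [203.0.113.20])
 by mail.example.ng (Postfix) with ESMTPS id 7F3A2C1
 for <ade@example.ng>; Tue, 04 Jun 2024 10:15:42 +0100
Received: from smtp.partner.example (smtp.partner.example [198.51.100.7])
 by mx2.example.ng with ESMTPS id 4B19E7
 for <ade@example.ng>; Tue, 04 Jun 2024 10:15:40 +0100
Received: from laptop-01 (unknown [192.0.2.55])
 by smtp.partner.example with ESMTPA id 1A2B3C;
 Tue, 04 Jun 2024 10:15:38 +0100
Authentication-Results: mail.example.ng; spf=pass smtp.mailfrom=partner.example;
 dkim=pass header.d=partner.example; dmarc=pass
From: Bola <bola@partner.example>
To: ade@example.ng
Subject: Invoice
Message-ID: <abc123@smtp.partner.example>

Please see attached.
"""


def parse_received(value):
    """Split one Received header into from/by hosts and its timestamp."""
    text = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    m = RECEIVED_RE.search(text)
    timestamp = None
    if ";" in text:  # the date-time follows the last ';'
        try:
            timestamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            timestamp = None
    return {
        "from": m.group("from") if m else None,
        "from_info": m.group("from_info") if m else None,
        "by": m.group("by") if m else None,
        "timestamp": timestamp,
    }


def relay_path(raw_message):
    """Return hops in delivery order (originating host first)."""
    msg = email.message_from_string(raw_message)
    # Each MTA prepends its own Received header, so the top one is the last hop.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def check_chain(hops):
    """Flag breaks in the chain: the 'by' host of one hop should be the 'from'
    host of the next, and timestamps should not go backwards. Gaps suggest
    forged or stripped headers; reversals suggest clock skew or forgery."""
    findings = []
    for i, (prev, cur) in enumerate(zip(hops, hops[1:]), start=1):
        if prev["by"] and cur["from"] and prev["by"].lower() != cur["from"].lower():
            findings.append(f"hop {i} handed off by {prev['by']} but hop {i + 1} claims from {cur['from']}")
        if prev["timestamp"] and cur["timestamp"] and cur["timestamp"] < prev["timestamp"]:
            findings.append(f"hop {i + 1} is timestamped earlier than hop {i}")
    return findings


def auth_results(raw_message):
    """Extract SPF/DKIM/DMARC verdicts from Authentication-Results headers."""
    msg = email.message_from_string(raw_message)
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value, re.IGNORECASE):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


if __name__ == "__main__":
    path = relay_path(SAMPLE_MESSAGE)
    for hop in path:
        print(hop["from"], "->", hop["by"], hop["timestamp"])
    print("chain findings:", check_chain(path) or "none")
    print("auth:", auth_results(SAMPLE_MESSAGE))
```

Only the Received header written by your own mail server (the topmost one) is trustworthy; everything below it was supplied by the sender's infrastructure and can be forged, which is why the chain and timestamp checks are cross-checked against the SMTP logs of the receiving server rather than taken at face value.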
- Mailbox export formats and tools
- SMTP, IMAP, and POP server logs
- Message headers and routing analysis
- Retention and legal hold policies
- Chat and collaboration message exports

Lesson 2
Overview of corporate evidence sources: endpoints, servers, cloud services, email, collaboration platforms, VPN, DLP, MDM, SaaS audit logs
This section provides a structured overview of common company evidence sources, including endpoints, servers, cloud services, email, collaboration platforms, VPN, DLP, MDM, and SaaS audit logs, highlighting typical artefacts and access considerations relevant to Nigerian firms.
- Endpoint and workstation artefacts
- Server and database log sources
- Email and collaboration platforms
- Network, VPN, and remote access logs
- DLP, MDM, and SaaS audit telemetry

Lesson 3
Data Loss Prevention and SIEM sources: DLP alerts, content inspection logs, SIEM event correlation and alert ingestion patterns
This section explores Data Loss Prevention and SIEM platforms as rich evidence sources, explaining DLP alert artefacts, content inspection logs, SIEM normalisation, correlation rules, alert triage, and ingestion patterns that affect completeness and investigative value in local settings.
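Normalisation and correlation are easiest to see on two alert feeds that describe the same file in different formats. The script below is an added example, not course material: it takes constructed JSON alerts from a hypothetical endpoint DLP agent and constructed syslog-style key=value lines from a hypothetical network DLP gateway, maps both onto one schema, and applies a single constructed correlation rule (a copy to USB followed by an upload of the same file hash by the same user within 15 minutes). Users, hosts, hashes and the rule itself are assumptions for illustration.

```python
"""Normalise endpoint and network DLP alerts into one schema, then correlate.

Added example for the DLP/SIEM topic; not part of the course material.
Alert formats, users, hosts, hashes and the rule are all constructed.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed JSON alerts from a hypothetical endpoint DLP agent.
ENDPOINT_ALERTS = [
    '{"ts": "2024-06-04T10:02:11Z", "user": "ade", "host": "LAGOS-WS07", '
    '"action": "copy_to_usb", "file": "Q2_payroll.xlsx", "sha256": "aa11", "policy": "PII"}',
    '{"ts": "2024-06-04T13:20:00Z", "user": "ngozi", "host": "ABUJA-WS02", '
    '"action": "copy_to_usb", "file": "slides.pptx", "sha256": "cc33", "policy": "NONE"}',
]

# Constructed syslog-style key=value lines from a hypothetical network DLP gateway.
NETWORK_ALERTS = [
    '<134>Jun  4 10:09:30 dlp-gw dlp: user=ade src=10.20.5.17 action=upload '
    'dst=drive.example.com file="Q2_payroll.xlsx" sha256=aa11 policy=PII',
    '<134>Jun  4 11:30:00 dlp-gw dlp: user=chidi src=10.20.5.31 action=upload '
    'dst=mail.example.net file="notes.txt" sha256=bb22 policy=NONE',
]

SYSLOG_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def normalise_endpoint(line):
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "source": "endpoint", "sensor": rec["host"], "user": rec["user"],
            "action": rec["action"], "file": rec["file"], "sha256": rec["sha256"],
            "policy": rec["policy"], "dst": None}


def normalise_network(line, year=2024):
    # RFC 3164 syslog carries neither year nor timezone. Both are assumed here
    # (year 2024, UTC) and that assumption must be documented with the evidence.
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    ts_text = re.sub(r"\s+", " ", m.group("ts"))
    ts = datetime.strptime(f"{ts_text} {year}", "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    kv = {}
    for key, value, quoted in KV_RE.findall(m.group("msg")):
        kv[key] = quoted if value.startswith('"') else value
    return {"ts": ts, "source": "network", "sensor": m.group("host"), "user": kv.get("user"),
            "action": kv.get("action"), "file": kv.get("file"), "sha256": kv.get("sha256"),
            "policy": kv.get("policy"), "dst": kv.get("dst")}


def normalise_all(endpoint_lines=ENDPOINT_ALERTS, network_lines=NETWORK_ALERTS):
    events = [normalise_endpoint(l) for l in endpoint_lines]
    events += [normalise_network(l) for l in network_lines]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window_minutes=15):
    """Rule: copy_to_usb on the endpoint followed, within the window, by an
    upload of the same file hash by the same user seen on the network."""
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=lambda e: e["ts"])
    incidents = []
    for i, first in enumerate(events):
        if first["source"] != "endpoint" or first["action"] != "copy_to_usb":
            continue
        for later in events[i + 1:]:
            if later["ts"] - first["ts"] > window:
                break  # sorted input, so nothing further can match
            if (later["source"] == "network" and later["action"] == "upload"
                    and later["user"] == first["user"] and later["sha256"] == first["sha256"]):
                incidents.append({"user": first["user"], "file": first["file"],
                                  "sha256": first["sha256"], "policy": first["policy"],
                                  "dst": later["dst"], "evidence": [first, later]})
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalise_all()):
        print(inc["user"], inc["file"], "->", inc["dst"], "policy", inc["policy"])
```

The year and timezone assumed for the syslog feed are exactly the kind of ingestion detail that decides whether two alerts fall inside a correlation window; when the SIEM's parser assumed them silently, the investigator must find out what it assumed and record it.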
- DLP alert metadata and context
- Content inspection and fingerprint logs
- Endpoint versus network DLP signals
- SIEM parsing and normalisation rules
- Correlation rules and use case tuning

Lesson 4
Application and collaboration platform evidence: audit logs, file version history, sharing links, access control lists, and collaboration metadata
This section focuses on application and collaboration platforms, examining audit logs, file version histories, sharing links, access control lists, and collaboration metadata, and explains how to reconstruct user actions and document access during investigations in Nigerian companies.
- Application audit and activity logs
- File version history and recovery
- Sharing links and external access
- Access control lists and permissions
- Collaboration comments and reactions
- Exporting workspace audit trails

Lesson 5
Prioritisation and legal holds: determining scope for quick preservation and issuing legal hold notices to custodians and systems
This section explains how to prioritise evidence and implement legal holds, defining scope, identifying custodians and systems, issuing hold notices, coordinating with legal and HR, and monitoring compliance to prevent spoliation or premature deletion in compliance with Nigerian laws.
- Scoping custodians and data sources
- Risk-based evidence prioritisation
- Drafting and issuing legal holds
- Coordinating with legal and HR teams
- Monitoring hold compliance and release

Lesson 6
Network and perimeter evidence: VPN logs, proxy and firewall logs, NetFlow, packet captures (PCAP) collection and retention best practices
This section details network and perimeter evidence, including VPN, proxy, and firewall logs, NetFlow and IPFIX records, and packet captures, with guidance on time synchronisation, storage, filtering, and defensible retention strategies for investigations in Nigerian networks.
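Time synchronisation is the usual failure point when VPN and proxy logs are combined: the concentrator logs local time, the proxy logs UTC, and the same pool address is handed to a second user an hour later. The script below is an added example, not course material. Both logs are constructed, the VPN log in UTC+1 (West Africa Time) and the proxy log in UTC; it normalises both to UTC, rebuilds VPN sessions, and attributes each proxy request to whoever held the source address at that instant, leaving requests that fall between sessions unattributed rather than guessing.

```python
"""Attribute proxy requests to VPN users after normalising timestamps to UTC.

Added example for the network-evidence topic; not part of the course
material. Both logs are constructed; 10.8.0.5 is reused by a second user.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed VPN concentrator log, written in local time (UTC+1).
VPN_LOG = """\
2024-06-04T09:00:12+01:00 event=connect user=ade assigned_ip=10.8.0.5
2024-06-04T09:40:00+01:00 event=disconnect user=ade assigned_ip=10.8.0.5
2024-06-04T09:50:00+01:00 event=connect user=chidi assigned_ip=10.8.0.5
2024-06-04T11:05:00+01:00 event=disconnect user=chidi assigned_ip=10.8.0.5
"""

# Constructed proxy log, written in UTC: time, client IP, method, URL, status, bytes.
PROXY_LOG = """\
2024-06-04T08:10:00+00:00 10.8.0.5 CONNECT files.example.org:443 200 5242880
2024-06-04T08:45:00+00:00 10.8.0.5 GET http://intranet.example.ng/ 200 1024
2024-06-04T09:00:00+00:00 10.8.0.5 CONNECT drive.example.com:443 200 104857600
"""


@dataclass
class Session:
    user: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None while the session is still open


def to_utc(stamp):
    """Parse an ISO 8601 stamp; refuse naive values, which cannot be ordered safely."""
    ts = datetime.fromisoformat(stamp)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {stamp}")
    return ts.astimezone(timezone.utc)


def parse_vpn_sessions(text):
    """Pair connect/disconnect events into sessions keyed by (user, assigned IP)."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        key = (kv["user"], kv["assigned_ip"])
        if kv["event"] == "connect":
            open_sessions[key] = Session(kv["user"], kv["assigned_ip"], to_utc(stamp), None)
        elif kv["event"] == "disconnect" and key in open_sessions:
            s = open_sessions.pop(key)
            s.end = to_utc(stamp)
            sessions.append(s)
    sessions.extend(open_sessions.values())  # sessions with no disconnect yet
    return sorted(sessions, key=lambda s: s.start)


def parse_proxy(text):
    rows = []
    for line in text.splitlines():
        stamp, ip, method, url, status, nbytes = line.split()
        rows.append({"ts": to_utc(stamp), "ip": ip, "method": method, "url": url,
                     "status": int(status), "bytes": int(nbytes)})
    return rows


def attribute(requests, sessions):
    """Map each request to the user holding its source IP at that instant,
    or None when no session covers it."""
    out = []
    for r in requests:
        user = None
        for s in sessions:
            if s.ip == r["ip"] and s.start <= r["ts"] and (s.end is None or r["ts"] <= s.end):
                user = s.user
                break
        out.append((r, user))
    return out


if __name__ == "__main__":
    sessions = parse_vpn_sessions(VPN_LOG)
    for req, user in attribute(parse_proxy(PROXY_LOG), sessions):
        print(req["ts"].isoformat(), req["ip"], req["url"], "->", user or "UNATTRIBUTED")
```

Had the VPN timestamps been read as UTC, the 08:45Z request would have been attributed to ade and the 09:00Z request would have fallen outside any session; the unattributed request is a prompt to check whether the concentrator's clock was synchronised, not a gap to be filled by inference.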
- VPN authentication and session logs
- Proxy and web gateway activity logs
- Firewall rule hits and deny events
- NetFlow and IPFIX flow records
- Packet capture collection strategies
- Network log retention and rotation

Lesson 7
Mobile and removable media: mobile device backups, MDM logs, USB device histories and Windows device installation logs
This section examines mobile devices and removable media as evidence sources, focusing on backup artefacts, MDM telemetry, USB usage traces, and Windows device installation logs, with attention to preservation, validation, and chain of custody in Nigerian mobile environments.
- iOS and Android backup artefacts
- MDM inventory and compliance logs
- USB connection and usage histories
- Windows device installation records
- Preserving mobile and USB evidence

Lesson 8
Server and cloud data acquisition: API-based exports, storage snapshots, object storage metadata, cloud provider audit logs (AWS CloudTrail, Azure AD logs, Google Workspace audit)
This section addresses server and cloud data acquisition, including API-based exports, storage snapshots, object storage metadata, and cloud provider audit logs, with emphasis on scoping, throttling, integrity validation, and cross-region evidence preservation for Nigerian users.
- Agent-based versus agentless collection
- Hypervisor and VM snapshot workflows
- Object storage metadata and versions
- AWS CloudTrail and CloudWatch logs
- Azure AD and Microsoft 365 audits
- Google Workspace and GCP audit logs

Lesson 9
Endpoint data acquisition: live response, volatile data capture, full disk imaging, filesystem snapshots
This section covers endpoint data acquisition techniques, including live response, volatile memory capture, full disk imaging, and filesystem snapshots, with attention to tool selection, minimising impact, and maintaining evidentiary integrity and documentation in local setups.
- Live response triage procedures
- RAM and volatile data collection
- Full disk and partition imaging
- Filesystem and volume snapshots
- Validating hashes and chain of custody
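Hash validation and the chain of custody are one workflow: hash the image once at acquisition, record who held it and when, and re-hash at every verification so that a later mismatch is both detected and logged. The script below is an added example, not course material. The evidence file is constructed in a temporary directory and the case number, examiner names and bag number are placeholders; it hashes in a single pass with MD5 and SHA-256 (the pair most imaging tools still report side by side), records custody events, and shows that a single altered byte is caught on re-verification.

```python
"""Hash an acquired image and keep a chain-of-custody record for it.

Added example for the hash-validation topic; not part of the course material.
The evidence file is constructed; case ID, names and bag number are placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in chunks so multi-GB images need not fit in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}, all computed in one pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_sample(data, algorithms=("md5", "sha256")):
    """Hash in-memory bytes through hash_file, for checking against known vectors."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(data)
        path = fh.name
    try:
        return hash_file(path, algorithms)
    finally:
        os.unlink(path)


def _now():
    return datetime.now(timezone.utc).isoformat()


def acquire(path, case_id, examiner):
    """Record acquisition hashes as the first custody event."""
    return {
        "case_id": case_id,
        "evidence": os.path.basename(path),
        "size": os.path.getsize(path),
        "hashes": hash_file(path),
        "custody": [{"event": "acquired", "by": examiner, "at": _now()}],
    }


def transfer(record, from_person, to_person, note=""):
    record["custody"].append({"event": "transferred", "from": from_person,
                              "to": to_person, "note": note, "at": _now()})
    return record


def verify(path, record, examiner):
    """Recompute every recorded hash and log the outcome; True only on full match."""
    current = hash_file(path, tuple(record["hashes"]))
    ok = all(current[a] == record["hashes"][a] for a in record["hashes"])
    record["custody"].append({"event": "verified", "by": examiner,
                              "result": "match" if ok else "MISMATCH", "at": _now()})
    return ok


def demo():
    """Acquire a constructed image, verify it, flip one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "LAGOS-WS07.dd")  # name only; contents are synthetic
        with open(image, "wb") as fh:
            fh.write(b"constructed evidence " * 100000)
        record = acquire(image, "CASE-2024-017", "A. Okafor")
        transfer(record, "A. Okafor", "Evidence locker", "sealed bag #41")
        before = verify(image, record, "B. Eze")
        with open(image, "r+b") as fh:
            fh.seek(1000)
            fh.write(b"X")
        after = verify(image, record, "B. Eze")
        with open(os.path.join(tmp, "custody.json"), "w") as fh:
            json.dump(record, fh, indent=2)
        return before, after, [e["event"] for e in record["custody"]]


if __name__ == "__main__":
    print(demo())
```

The custody record is kept separate from the image and should itself be write-protected or signed; a hash that lives only next to the file it protects can be regenerated by whoever altered the file.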