The Magical World of Digital Forensics: From Crime Scenes to Cloud Evidence with Jason Jordaan

Jason Jordaan, Principal Forensic Analyst and hands-on leader in digital forensics, brings over two decades of experience investigating cybercrime. As someone who recently submitted his PhD thesis on the core skills and knowledge areas for digital forensics, Jason offers both academic rigor and practical wisdom.

In this episode, Jason shares the evolution of digital forensics from computers to cloud and IoT, the critical importance of documentation and discipline, and how AI is creating new challenges for investigators. His passion for the field shines through as he explains why digital forensics is both incredibly demanding and deeply rewarding.

You can read the complete transcript of the episode here >

How has digital forensics evolved over the past two decades?

Jason’s career spans the entire evolution of digital forensics, from traditional computers to today’s cloud-native, IoT-connected world.

The Early Days: Computers and Servers

Twenty years ago, digital forensics focused primarily on desktop computers and servers. The devices were relatively straightforward, and the evidence was contained on physical hard drives.

The Mobile Revolution

As mobile phones became ubiquitous, the balance shifted to nearly 50-50 between computers and mobile devices. Today, mobile devices dominate—and as Jason notes, a 512GB iPhone is essentially the same as an SSD hard drive in most laptops.

The Cloud Era

Now, evidence is increasingly cloud-based:

• Virtual machines in cloud service providers
• Cloud services and SaaS applications
• Distributed data across multiple jurisdictions

The IoT Expansion

Digital forensics now extends to “less typical” devices:

• Drones: Extracting data from drones used in crimes
• Motor vehicles: Digital systems in cars
• IoT devices: Smart home devices, security cameras
• Smartwatches: Apple Watch, Fitbit, and similar wearables

Looking Forward

Jason is waiting for the day he has to do forensics on robots and AI systems. As he puts it: “Digital forensics has always got to evolve with those changes.”

What impact does this evolution have on the field?

The constant evolution of technology creates significant challenges for digital forensics practitioners:

The Challenge of Staying Current

The biggest impact: Practitioners must constantly keep themselves up to date. This is particularly challenging for those without formal qualifications in computer science or computer engineering.

Jason emphasizes that those with formal CS/CE qualifications are “taught the way of the computer”—they understand the fundamental principles that allow them to adapt to new technologies.

The Six-Month Rule

Jason’s stark warning: “I can’t sit on my butt for six months and say, I’m just going to not learn anything because I’m tired of learning. In six months time, my knowledge may be obsolete.”

Multi-Jurisdictional Complexity

It’s not just technology—laws are constantly adapting too. Because of the borderless nature of digital technologies, practitioners must understand:

• Changes in legislation across multiple countries
• Different legal systems (common law, civil law, Sharia law)
• Varying evidence standards and procedures

Jason works worldwide from South Africa, recently presenting on Qatari and Saudi Arabian cybercrime legislation. The scope of required knowledge is vast.

What are the core skills needed for digital forensics?

Jason’s PhD thesis focused on identifying the core knowledge areas for digital forensics. He breaks them down into six essential domains:

1. Computer Science and Computer Engineering

This is non-negotiable. Without this foundation, you’ll struggle in digital forensics. Understanding how computers work at a fundamental level allows you to adapt to new technologies.

2. Applied Law

You don’t need to be a lawyer, but you must understand:

• How to apply the law in different contexts
• How to testify in court
• Evidential issues and standards
• Legal procedures across jurisdictions

3. Forensic Science

Digital forensics is a subset of forensic science. You must understand:

• Scientific principles
• What makes good scientific evidence
• Forensic methodology and standards

4. Searches and Seizures

The practical ability to:

• Enter a scene (building, company, crime scene)
• Identify and collect digital evidence
• Follow proper procedures for evidence handling

5. Forensic Acquisitions

How to secure and collect evidence in a forensically sound manner:

• Extract data from laptops with NVMe drives
• Collect evidence from mobile devices
• Acquire data from drones, vehicles, and IoT devices

6. Forensic Examination and Analysis

• Examination: Identifying potentially relevant digital evidence
• Analysis: Reconstructing events, rolling back evidence to see what happened in the past

These core knowledge areas evolve over time, but you need competency in each to succeed.

How do you tackle the challenges of new technologies and encryption?

Jason’s practice has built a culture of continuous learning and knowledge sharing:

Research as KPIs

Team members have research projects as part of their key performance indicators. The organization supports and encourages research that will ultimately be shared with the community.

Bi-Weekly Learning Sessions

At least once every two weeks, the team has online learning engagements where one member shares something new they’ve encountered. This creates internal knowledge management and levels up everyone’s skills.

Formal Education

Most team members have at least master’s degrees in forensic science, engineering, or computer science. The organization encourages continuous education.

Culture of Sharing

The team doesn’t just share internally—they share with the broader community through presentations at B-sides, ethical hacker initiatives, and security awareness programs.

Jason’s philosophy: “When you learn yourself, you kind of give.” He uses a Buddhist monk story about emptying your cup—by giving knowledge to others, you free yourself to learn more.

From a competitive perspective, building the community forces everyone to innovate and constantly improve. When everyone rises, the quality of digital forensics improves, leading to more justice.

How do you ensure chain of custody and evidence authenticity?

Jason’s answer is emphatic: Document, document, document. And when you think you’ve documented enough, you haven’t—document some more.

The Golden Rule

“If you don’t write it down, it didn’t happen.”

From the time you acquire a device to the time you present evidence in court, you must have the entire process fully documented with no gaps. Even a millisecond gap allows someone to argue reasonable doubt.

Documentation Methods

• Written documentation
• Video recordings
• Digital camera photos (even with mobile phones)
• Processes and procedures

The Consequences of Poor Documentation

Jason shares a cautionary tale: Called in to assist law enforcement with a high-profile case, he asked to see the evidence. They brought out a plastic bag full of phones and hard drives and dumped it on the table.

His questions: Where did this phone come from? Which building? Whose desk? Who had it?

Their answer: “We didn’t document any of that.”

Jason’s response: “I can’t touch any of this evidence. All of this evidence is tainted.”

The case that might have taken months ended up taking years because the evidence couldn’t be used.

What is hashing and why is it critical?

Beyond documentary chain of custody, there’s scientific evidence preservation through hashing.

What is Hashing?

Creating a one-way mathematical hash (MD5, SHA-1, SHA-256, SHA-512) generates a digital fingerprint of the evidence.

How It Works

1. Seize a piece of digital evidence
2. Calculate the mathematical hash
3. Store the hash value
4. Later, recalculate the hash
5. If the values match, the evidence hasn’t been altered

Courtroom Demonstrations

Jason has demonstrated this in court:

• Create a text file with “hello world”
• Calculate the hash value
• Change a single character
• Recalculate—completely different hash
• Change it back—same hash as original

Judges’ eyes light up: “This is some kind of magic!”

By understanding the mathematics, you can prove the integrity of digital evidence scientifically.

How do you avoid getting overwhelmed by data?

Jason’s answer: Discipline.

The Challenge

The sheer amount of information on modern systems is astronomical. It’s easy to get lost in the data and distracted by “shiny objects.”

The Solution

Focus on exactly what you’re trying to prove. Don’t get distracted.

Documentation as a Tool

Contemporaneous notes help manage the overwhelming data:

• Flag interesting items to come back to later
• Don’t get distracted now
• Follow your current thought process
• Document linkages between artifacts
• Build timelines chronologically

The danger: Inexperienced analysts do all documentation after completing the analysis. By then, they’ve started forgetting things.

The solution: Document as you go—your findings, your thoughts, your investigative decision steps.

How does digital forensics intersect with incident response?

Jason uses a powerful analogy:

Incident response: The building is on fire, call the firefighter to put it out

Digital forensics: The fire investigator who comes after to figure out what caused the fire

Different Purposes

Incident response: Resolve the incident NOW. Priority is business continuity. Organizations want the business running again—they don’t necessarily care about finding out what happened.

Digital forensics: Taking things to court. Holding someone liable or accountable. The focus is on evidence that can be used in legal proceedings.

Different Documentation Standards

In incident response, you might not document at the same level of detail because:

• It’s fast-paced
• The building is burning
• You don’t have time to write everything down while ransomware is encrypting systems

How They Work Together

They’re related by investigative techniques, but the outcomes are very different.

Jason’s perspective: “I don’t want to be putting out the fire. I want to become a police officer, not a firefighter.”

The Paramedic Principle

If someone is bleeding and in pain, the paramedic’s priority is life-saving attention—even if it means destroying evidence. Jason is okay with that.

The key: Find the happy medium. Sometimes you won’t get evidence, and that’s acceptable if people acted with best intentions and best interests at heart.

How can organizations prepare for digital forensics?

Jason introduces the concept of forensic readiness—preparing an environment to optimize evidence collection.

1. Optimize Logging

Many organizations have no logging whatsoever. Proper logging helps:

• Incident responders
• Forensic investigators
• Security teams

The question: How do you architect your environment to optimize the data you may need?

2. Train Your Team

Not every organization can afford full-time digital forensics people. But you can:

• Ensure incident responders have basic training in preserving evidence
• Have “first aid qualified” people for digital evidence
• Train people not to mess up the evidence

3. Build Partnerships Before You Need Them

Don’t wait for something bad to happen to build relationships with digital forensics partners.

The problem: Procurement processes can take weeks or months. By then, it’s too late.

The solution: Identify partners in advance. This might include:

• Private digital forensics firms
• Local law enforcement with good capacity
• Regional specialists

Jason’s friend from Scotland Yard: “Investigations are contacts.” You better have the contacts beforehand, not after something bad happens.

How is AI impacting digital forensics investigations?

AI introduces new attack vectors and new investigation challenges.

AI-Powered Attacks

Phishing and vishing: Instead of manually reading emails and crafting messages, attackers can:

• Feed emails into large language models
• Generate messages that write exactly like the CEO
• Use voice samples to train models that speak like the CEO
• Combine LLMs with voice generation for convincing impersonation

The Detection Challenge

It’s becoming very difficult to detect AI-generated content. But there’s hope:

The Locard Principle: Everything leaves a trace.

When you generate a fake video using an algorithm, there will be a trace—whether it’s:

• A fingerprint from the algorithm
• Mathematical artifacts
• Model-specific patterns

The Solution

Organizations like MedEx Forensics (recently acquired by Magnet) are developing research to:

• Identify different software models used to generate deepfakes
• Look for algorithmic indicators in generated videos
• Create fingerprints showing “this was created with this application”

The Requirement

You must understand how the AI technology works. This comes back to computer engineering and computer science—if you understand the technology, you can look for distinctive fingerprints.

Using AI to Fight AI

We may use AI models to help identify AI-generated content. It’s an arms race, but the fundamental principle remains: understand the technology, and you can find the traces.

What advice would you give to someone entering digital forensics?

The Right Attitude

You must have:

• Love for technology: Genuine passion for how things work
• Real curiosity: Desire to dig and figure out what happened
• Self-directed learning: Don’t wait for someone to train you
• Mental fortitude: Ability to handle the impact of your work

For Students

Don’t waste time on two-day or three-day digital forensics courses. Instead:

1. Get a degree in computer science or computer engineering
2. Understand the technology deeply
3. This gives your career longevity
4. You can grow as technology grows

For Career Changers

If you’re later in your career (e.g., a police investigator with a knack for computers):

• Self-study is viable
• YouTube videos, GitHub repos, online courseware
• Major universities make courseware freely available
• There’s no excuse not to learn

The Reality Check

Jason tries to discourage people initially because:

• Digital forensics is hard
• Your work impacts human lives
• If you do your job well, someone might go to prison for 30 years
• You’ll encounter threats
• You’ll see nasty things you don’t want to see

The pressure: “I am only as good as my last case. If I mess up in court, my career is done.”

The Reward

Despite the challenges, it’s one of the most rewarding professions. Jason could never imagine doing anything else.

The spark: If you love solving problems, love technology, and love to dig and figure out what happened, there’s a natural home for you in digital forensics.

People Also Read

• What is Incident Response?
• Understanding Emotional Intelligence in Security Leadership
• Continuous Security and Incident Response
• The Human Firewall: Designing for Behavior
• AI, Deepfakes, and the Evolving Threat Landscape