Digital Forensics

It is a scientifically derived and proven method towards the presentation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal: or helping to anticipate unauthorised actions shown to be disruptive to planned operations.


Contact Us:
Digital Forensics Services
Training and Certification




Uncovering the truth beyond digital imagination


In 1998, the Digital Forensics Laboratory (DFL) was established under National ICT Security & Emergency Response Centre (NISER). The four years of intensive research in Computer Forensics resulted in DFL officially announcing digital forensics services in 2002. In the year 2007, NISER underwent a transformation and was renamed CyberSecurity Malaysia. In the same year, DFL developed into Digital Forensics Department (DFD).


Since then, we have strengthened our technology and resources while offering full-fledged digital forensics investigations and examinations in the areas of audio and video forensics. With the aim of providing a clear understanding of the kind of services we offer, the trademark "CyberCSI" was introduced to the stakeholders and to the public.


Our clients are from Law Enforcement Agencies (LEA's), Government-Linked Companies (GLC) and private agencies. Some of our distinguished clients include the Royal Malaysia Police (RMP), Malaysia Anti Corruption Commission (MACC), Royal Malaysia Customs (RMC), Malaysian Communication & Multimedia Commission (MCMC), Ministry of Domestic Trade, Co-operatives & Consumerism (MDTCC), Central Bank of Malaysia, Security Commissions and many more including from defense council in civil cases.

To date, we have contributed in solving numerous forensics cases; including high profile cases such as the Altantuya Shaariibuu murder case, the V.K. Lingam Video Clip, DSAI China Doll video clip case, insult Sultan Perak case, insult Sultan Johor case, illegal online soccer gambling during World Cup 2010, illegal Ponzi scheme Danafutures, Maldives credit card fraud case and many more including cases in Intellectual Property Court.

Among notable achievements include our analysts being gazetted under the Criminal Procedure Code 399 on February 23rd, 2009. This is the same gazette that was awarded to Malaysia Chemistry Department on August 3rd, 2004. All reports and testimonials from our analysts are acceptable by the Malaysia Court of Law.







a. Digital Forensic

  • Computer Forensics

    "What one can hide, another can discover."

    Computer Forensics is the application of scientific examination and data analysis performed on computer storage media to discover potential digital evidence for the purpose of presentation in a court of law.


  • Mobile Phone Forensics

    "Every action leaves trail of evidence."

    The application of scientific examination and data extraction performed on mobile phone devices for the purpose of presentation in a court of law.


  • Audio Forensics

    "It is more than just a sound that you are hearing."

    The application of digital audio science and technology performed on digital audio files or media to discover potential digital evidence for the purpose of presentation in a court of law.


  • Video Forensics

    "Evidence does not lie."

    The application of digital video science and technology performed on digital video file or media to discover potential digital evidence for the purpose of presentation in a court of law.


  • First Responder

    "Securing the digital evidence."

    The task of assisting Malaysia's Law Enforcement Agencies (LEA'S) in joint-raid activities related to digital crimes.



b. Data Recovery

"Digging in deep to recover loss data."

The process of salvaging data from damaged, failed, corrupted or inaccessible digital storage media and making it readable using computer applications. Noted examples are hard disks, thumb drives, memory cards and servers.



c. Data Sanitisation

"Erasing all valuable data trails."

The process of erasing all important data trails from an unused data storage. Files are not completely deleted when using an operating system's default delete function. The data sanitisation process is to ensure that all data can never be recovered. Any highly sensitive data will be unrecoverable or inaccessible if it falls into the wrong hands once it has been sanitised.



d. Expert Witness

"The truth and nothing but the truth."

The litigation process is critical and complicated. It is the outcome of the process that matters in these types of situations. With the records of success rates in state and federal courts, our analysts are committed to providing objectives with clarity. This service is matched with vast knowledge and expertise in the field of digital forensics to conclude complex matters in a court of law. Testimonials given by analysts are recorded from beginning to end, including early case assessments to findings reports.

Our credible, reputable and experienced analysts have undergone comprehensive training programmes, are experienced and exposed to digital forensics-related legal proceedings. From fraudulent schemes to harassment and seditious charges, they are well-versed and are prepared to give their testimonials when required.


CyberSecurity Malaysia’s analysts perform extensive research and analysis for better understanding of the case objectives and analysis results. By implementing this approach, critical and complex issues will be clearly clarified and understood by judges presiding over these proceedings.







a. Computer Forensics

  • Case Review 1 – Intellectual Property Theft

    An engineer from a large firm secretly emailed all tenders and documentation for a mega project to a rival company. The suspect was caught by his manager, and he tried to dispose all tracing evidence leading to the unscrupulous activity. Subsequently, his manager reported the case to the top management. In proving his guilt beyond a reasonable doubt, a computer forensic specialist was hired. The specialist conducted a forensic examination and analysis on the engineer's computer. All findings were put into a report. The result of the findings showed proof that the engineer had performed unauthorised actions of transferring the documents via email to a rival company.


  • Case Review – Illegal Investment Scheme Fund

    Bank Negara Malaysia received complaints from members of an investment scheme that they did not receive their monies that they were entitled to. Initial investigations found that the investment scheme they were in was actually illegal. Together with the forensics team, the location of the investment scheme was located and raided. All computers were seized. From the forensic examination and analysis conducted, the company's profile, investment scheme documents, revenue generation and list of customers was extracted. The findings showed that the business was indeed fraudulent and illegal. The case was later brought before the courts.



b. Video Forensics

  • Case Review - CCTV

    A robbery had occurred in one of the large banks in the country. The robbers managed to escape with a large amount of cash. However the Close-Circuit Camera Television (CCTV) of the bank had recorded the unfortunate event. A video forensics specialist was engaged to get the images of the robbers. The digital forensics team went to the crime scene, collected and acquired digital evidence from the DVR, and brought it back to their laboratory for further analysis.


    Frames that contained faces of the culprits were then extracted and enhanced to identify the suspects. The specialist then passed all details of the investigation to the police for further action.


  • Case Review – Image Impression

    An immigration officer managed to arrest a person at the airport. This happened when the suspect handed over his passport for clearance to travel overseas. The officer noticed that the picture used by suspect in his international passport was not the same as his appearance and suspected that he used a forged passport. A copy of a photo of the suspect's face and the passport was then handed over to a digital forensics specialist for a facial comparison. The findings and comparison result was then sent back to the immigration officer for further action.


    Frames that contained faces of the culprits were then extracted and enhanced to identify the suspects. The specialist then passed all details of the investigation to the police for further action.


  • Case Review – Video Authentication

    A video of an animal abuse was uploaded over the Internet. This video showed suspects were abusing an animal to death. An investigating officer and a video forensics specialist were put in charge to investigate this case. The case objective was to proof the authenticity of the video, as well as to prove that the individuals in the video were the suspects that they had arrested. All frames from the video were extracted, enhanced and analysed to determine whether the video has been edited and to confirm that the arrested suspects matched the individuals in the video. All findings and results based on the analysis were then used to prosecute the suspects in court.



c. Audio Forensics

  • Case Review – Sexual Harassment

    A company secretary lodged a police report stating that she encountered sexual harassment from her superior. She also surrendered her mobile phone to the police. The mobile phone contained an audio file which she recorded during the incident. The investigative officer then passed the mobile phone to the audio forensics specialist to process the audio file. The audio file was then extracted from the mobile device and the voice in the audio recording was compared to the suspect's voice sample. All findings were then presented to the investigative officer.


  • Case Review - Bribery

    A director of a corporation lodged a police report that he was being blackmailed by his own secretary. His secretary claimed that she had important information of him and wanted to upload them over the Internet. The secretary demanded money from the director in order for her not to expose the information. The director, however, managed to record their conversation using a voice recorder hidden in his jacket. The voice recorder was handed over to the police for further action. The police then brought the voice recorder to an audio forensics expert for voice comparison. The audio file was extracted and compared with the voice sample of the suspect. The findings were reported back to the investigation officer for further action.


  • Case Review - Threat

    A police commissioner received a death threat through a phone conversation from an unknown suspect. He managed to record this conversation using a voice recorder. With the assistance from a telecommunication service provider, the police located and identified the owner of the phone number. The suspect was then arrested by the police. The audio recording was passed to an audio forensics specialist for voice comparison. After examining the audio file, it was found that the voice in the recording was not clear due to noise disturbances in an outdoor environment. The specialist then cleaned out the noise in the audio file and compared the cleaned voice recording with the suspect's voice sample. All findings together with the report regarding this case was then submitted to the police for further investigation.



d. Mobile Phone Forensics

  • Case Review – Harassment on Short Messaging Service

    A newly-hired girl at a firm had received inappropriate text messages from her employer several times. She felt that her employer was harassing her. A domestic inquiry was set-up to investigate her case by the top management. A digital forensics specialist was hired to examine and analyse the content of her mobile device, as well as the content of her employer's mobile device. The report from the forensics specialist showed that the employer had indeed been sending obscene and harassing text messages to the victim. The employer was then sentenced in a disciplinary proceeding.


  • Case Review – Death Threat

    Police officers seized a mobile device that was allegedly used by a suspect to send death threats via text messages to a victim. The mobile device was sent to a mobile phone forensics analyst for further examination and analysis. All related text messages was extracted and analysed. From the analysis, the related text messages were found and it matched the text messages that the victim had received. The text messages were then used as evidence in a court of law.


  • Case Review – Explicit Video Retrieval

    A mobile phone forensics specialist was assigned by the police to analyse a mobile device that was seized from a suspect. It was stated that the mobile phone contains an explicit video that the suspect recorded of his former lover. The suspect denied that he had such video on his mobile phone. The specialist analysed the mobile phone and all deleted content were extracted, including the explicit video. All the findings from the mobile phone were then used to charge the suspect.



e. First Responder

  • Case Review – Money Laundering

    A director of an international corporation was accused of money laundering. All transactions of the illegal business were saved in the company's server. A computer forensics specialist was engaged to obtain potential evidence from the server. Upon arrival at the crime scene, the specialist was told by the Head of Information Security that the server could not be shut down because it would cause massive losses to the business. The specialist then performed a live acquisition on the server in order to get the data. The image copy of the server was then used for the analysis. All the findings were then reported to the corporation for further action.


  • Case Review - Fraud

    A computer forensics specialist was engaged by a raiding officer to assist a raid on a company. The company was reported to be conducting an illegal business that involved fraudulent transactions. All the files and paperwork related to the case objectives was confiscated. There were also hundreds of computers found at the premise. To determine which computer might contain potential evidence, the specialist performed live analysis on the computers at the crime scene using the write blocker tool (a software-based write blocker that facilitates the quick and safe acquisition and/or analysis of any disk or flash storage media). All information that was extracted was analysed by the specialist and findings were reported to the investigation officer.


  • Case Review – Seditious Comments

    A famous celebrity lodged a report claiming that a website posted an article that defamed him. Initial investigations revealed the location of the server that hosted the website. With the help of a computer forensics specialist, the web-hosting company was raided. Upon arrival at the crime scene, the computer forensics specialist secured the crime scene, and forensically acquired the data related to the website from the server.







Training Programmes

Our trainers are dedicated and motivated personnel, dealing with real day-to-day cases.

  • CSMDF- Essentials

    This course was designed for personnel who have no IT background, but are directly involved with digital and cybercrime related cases.


  • CSMDF01 - First Responder

    This course was designed for officers who are involved in identifying, seizing and preserving digital evidence at the crime scene.


  • CSMDF02 - Investigation & Analysis

    This course was designed for analysts who are directly involved in digital forensics by examining and analysing digital evidence.


  • CSMDF03 - Data Recovery (Advanced)

    This course was designed for analysts who conduct forensics examination and analysis at forensics laboratories.


  • CSMDF04 - Forensics on Internet Applications (Advanced)

    This course was designed for Information Security/forensics practitioners who intend to equip themselves with advanced forensics knowledge specifically concerning Internet Applications. Participants will be trained in a hands-on environment using the latest techniques and tools available.


For more information, please visit: CyberGuru.




Facts & Data


Digital Forensics Department Annual Report


Digital Forensics Department

CyberCSI 2nd Half Year 2012, Summary Report


CyberSecurity Malaysia

(PDF 1.2Mb)

Digital Forensics Department

CyberCSI Report for 2011


CyberSecurity Malaysia

(PDF 1.2Mb)

Digital Forensics Department

CyberCSI Report for 2010


CyberSecurity Malaysia

(PDF 344Kb)

Digital Forensics Department

CyberCSI Report for 2009


CyberSecurity Malaysia

(PDF 253Kb)

Digital Forensics Department

CyberCSI Report for 2008


CyberSecurity Malaysia

(PDF 132Kb)

Digital Forensics Department

CyberCSI Report for 2007


CyberSecurity Malaysia

(PDF 79.6Kb)