Foundations In Digital Forensics
4 Days – 32 Hrs
Cost: $2,595
Participants will receive
4-Days of Instruction
Course Manual
Practical Files
Attendance Certificate
Foundations In Digital Forensics 2024
Rob Attoe
Lead Developer
Rob is the CEO and Founder of Spyder Forensics. He has over two decades of experience developing and presenting training on Digital Forensics, Cyber Security, Mobile Forensics, and eDiscovery education programs for the global digital investigations community.
As a lifetime member of the International Association of Computer Investigative Specialists (IACIS), Rob instructs regularly at the association’s annual conferences and is a lead instructor for several advanced courses as well as regularly presenting at the premier international digital forensics conferences. Rob has contributed to digital forensic publications and is a subject matter expert in various courses for the ATA program managed by the State Department in the USA.
Course Objectives
This four-day course is designed for the investigator or examiner entering the field of digital forensics and provides the fundamental knowledge needed to comprehend and investigate incidents involving electronic devices. The course covers in depth the architecture and functionality of the FAT file system and the related metadata pertaining to objects stored on the physical media. Attendees will gain insight into partitioning structures and disk layouts, and into the effects of formatting volumes that contain existing data. File management and directory structure characteristics will be examined in detail, as well as techniques for discovering potential evidence that may be pivotal to a successful examination. This will be followed by topical areas of interest including file headers, file hashing, recovery of deleted files and basic analysis of a Windows-based system. The course incorporates an investigative scenario, providing hands-on experience with the examination of collected evidence.
Primary Learning Objectives
Foundations in Digital Forensics - Day 1
Day 1 of the Spyder Forensics Foundations in Digital Forensics course begins with an overview of the course along with an introduction to the Instructor.
Once the introductions are over we will look at the basics of forensic examination methodology, including a discussion of how to triage evidence, create workflow plans and use timeline analysis.
As a first responder your role is vital in the collection of data, and we will look at situations that allow you to transport devices securely to an established evidence storage location where forensic imaging can be completed.
This is not always advisable so we will also look at scenarios where a more experienced examiner may be called upon to conduct on-site imaging and acquisition of memory.
Instructor Led Lab
In this module, we will discuss the scientific method for approaching problems, specifically as it relates to digital forensics. Coupled with the scientific method, we will discuss forensic methodology regarding digital evidence examinations and the associated investigative techniques used when conducting forensic examinations. These techniques will include how to triage evidence, how examiners develop workflow plan and using timeline analysis to assist with examinations. We will also discuss what to do when additional evidence collections are needed.
- Outline the different types of analysis the examiner will encounter
- Discuss the challenges for the forensic examiner
- Describe the forensic and incident response process
- Examination considerations
This module will aid the first responder in all phases of the collection and storage of digital evidence. Many situations may necessitate calling a knowledgeable examiner to the scene to complete the imaging or more extensive triage procedures at the scene. This module is intended to address only those situations that do not require the immediate onsite imaging of media. Instead, we will discuss situations that allow for the collection of devices by a first responder for transport to an established evidence storage location where proper forensic imaging may be completed. It is also intended to train the first responder in identifying situations which may necessitate an on-scene response for imaging and the possible acquisition of memory.
- Identification of Potential Evidence
- Triage of evidence and encryption detection
- “Bag & Tag” of the Evidence processes
Instructor Led Lab
Foundations in Digital Forensics - Day 2
During Day 2 we will discuss why seizure and preservation of digital equipment and evidence is the most important aspect of a forensic investigation and take a look at the industry recognized practices involved in this.
We will then move on to an examination of the MBR (Master Boot Record) along with the other partitioning structures, and understand how putting these all together is essential if we want to build a strong foundation in computer forensics.
Instructor Led Lab
The most important stage in a digital forensic exam is seizure and preservation. The goal of any examiner should be to collect as much data as possible for examination, using the most forensically sound method available. During this module we will examine how data is collected using industry recognized practices in the preservation of digital data and verification processes.
- Best practices in evidence collection
- Concepts of a digital fingerprint, Hashing
- Examination considerations
The structures that dictate how data will be laid out on a physical piece of media at the highest level are contained within the Master Boot Record and are called the Partition Table. During this module we will examine the Master Boot Record, the Partition Table, Extended Partitions and another partitioning scheme known as GUID Partition Tables (GPT). Understanding how these structures are laid out and more importantly, how they work together, is essential for building a strong foundation in computer forensics.
- Define Physical devices vs. Logical storage areas
- Identify partitioning schemes
- Understand each partition scheme’s data structures
- Describe the differences between MBR and GPT partitioned disks
- Examine the structure of an MBR and GPT partitioned disk
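As an added illustration of the structures this module examines (not course material from Spyder Forensics), the following Python parser reads the four-slot partition table at byte offset 446 of an MBR, checks the 0x55AA boot signature, converts LBA start and sector count into byte offsets an examiner can carve from, and flags the 0xEE protective entry that signals a GPT-partitioned disk. The sample sector and its partition layout are constructed for the example.

```python
import struct

SIGNATURE = b"\x55\xaa"
# Common MBR partition type bytes (well-known values, not an exhaustive list)
PARTITION_TYPES = {0x05: "Extended", 0x06: "FAT16", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
                   0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective"}

def parse_mbr(sector, sector_size=512):
    """Return the non-empty entries of the partition table found at offset 446."""
    if len(sector) < 512 or sector[510:512] != SIGNATURE:
        raise ValueError("not an MBR: 0x55AA boot signature missing")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) CHS-start(3, ignored) type(1) CHS-end(3, ignored) LBA-start(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:                       # empty slot
            continue
        parts.append({
            "slot": i, "bootable": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "start_lba": lba, "sectors": count,
            "start_byte": lba * sector_size, "size_bytes": count * sector_size,
        })
    return parts

def is_gpt_protective(parts):
    """A 0xEE entry means the real layout lives in the GPT header, not in this table."""
    return any(p["type"] == 0xEE for p in parts)

def build_sample_mbr():
    """Constructed sector: a bootable 100 MiB FAT32 volume plus an extended container."""
    sector = bytearray(512)
    layout = [(0x80, 0x0C, 2048, 204800), (0x00, 0x05, 206848, 409600)]
    for i, (status, ptype, lba, count) in enumerate(layout):
        struct.pack_into("<B3sB3sII", sector, 446 + 16 * i,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)

if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(p)
```

On a real image, read the first 512 bytes of the physical device file and pass them to `parse_mbr`; the `start_byte` values give the offsets at which each volume's own boot sector begins.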
Instructor Led Lab
Foundations in Digital Forensics - Day 3
Day 3 of the Foundations in Digital Forensics course looks at what is considered the most simplistic of the file systems supported by Windows, FAT. Even though it is considered simplistic, it is also something that has to be considered during any digital forensic investigation, and we will look at formatting FAT volumes and saving and deleting files on them.
We will then look at the history of the Microsoft NT family of Operating Systems and investigate the various artifacts associated with each system.
Instructor Led Lab
FAT is by far the most simplistic of the file systems supported by the Windows family of operating systems. The FAT file system is characterized by the File Allocation Table (FAT), which is a flat table that tracks usage of the volume’s data area.
This module describes how the FAT File System organizes data. Understanding the rules of a FAT volume will aid the students with locating and recovering evidence that has otherwise been hidden to the casual user.
- Describe the Format process
- List the FAT file system components
- Explain the concept of clusters
- Compare the differences between FAT16 and FAT32 system areas
- Differentiate between Partitioning and Formatting
Instructor Led Lab
During this module we will describe the processes FAT undergoes when a file or folder is deleted.
- Describe the process of deleting files on a FAT partition
- Describe directory entry updates
- FAT updates
- Data area changes
- Describe the process to recover deleted files
- Discuss difficulties in recovering deleted fragmented files
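To make the three deletion effects listed above concrete (directory entry update, FAT update, data area unchanged) and to show why fragmented files resist recovery, here is a toy in-memory FAT16-style volume. It is example code added for this page, not course material, and the cluster layout and file names are constructed.

```python
import struct

CLUSTER = 512        # bytes per cluster in this toy volume
EOC = 0xFFFF         # FAT16 end-of-chain marker
DELETED = 0xE5       # first byte of a deleted 8.3 directory entry

class ToyFat16Volume:
    """In-memory model of the three FAT areas: root directory, FAT, data area."""
    def __init__(self, clusters=16):
        self.fat = [0] * clusters            # 0 = free cluster
        self.fat[0] = self.fat[1] = 0xFFF8   # reserved entries
        self.data = bytearray(clusters * CLUSTER)
        self.dir = []                        # 32-byte directory entries

    def write_file(self, name, payload, chain):
        """Store payload in the given cluster chain (caller picks it, so it may be fragmented)."""
        for n, c in enumerate(chain):
            chunk = payload[n * CLUSTER:(n + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.fat[c] = chain[n + 1] if n + 1 < len(chain) else EOC
        entry = bytearray(32)
        entry[0:11] = name.ljust(11, b" ")   # 8.3 name, space padded
        entry[11] = 0x20                     # ATTR_ARCHIVE
        # start cluster (low word, offset 26) and file size (offset 28), as in a real entry
        struct.pack_into("<HI", entry, 26, chain[0], len(payload))
        self.dir.append(entry)
        return len(self.dir) - 1

    def delete(self, idx):
        entry = self.dir[idx]
        (c,) = struct.unpack_from("<H", entry, 26)
        entry[0] = DELETED                   # 1. directory entry: only the first name byte changes
        while c not in (0, EOC):             # 2. FAT: every chain entry is released to 0
            nxt = self.fat[c]
            self.fat[c] = 0
            c = nxt
        # 3. data area: untouched; the bytes survive until the clusters are reused

    def recover(self, idx):
        """Carve a deleted file from start cluster + size, assuming contiguous clusters."""
        entry = self.dir[idx]
        if entry[0] != DELETED:
            raise ValueError("entry is not marked deleted")
        start, size = struct.unpack_from("<HI", entry, 26)
        n = -(-size // CLUSTER)              # ceil(size / CLUSTER)
        return bytes(self.data[start * CLUSTER:(start + n) * CLUSTER][:size])
```

Because the FAT chain is zeroed on deletion, `recover` can only assume the clusters were contiguous; for a file whose second cluster lay elsewhere, the carved result silently contains whatever neighbouring cluster held, which is the difficulty the last objective above refers to.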
During this module we will review the history of the Microsoft NT family of Operating Systems and review key forensic artifacts introduced at each version.
- Learn to identify the core features of each New Technology Operating System
- List the key artifacts contained on modern systems
- Identify and review common folders on a Modern Operating System
Instructor Led Lab
During this module we will explore various artifacts on a Windows 10 Operating System, focusing on common items found on all installations.
- Describe the function of the Windows recycle bin
- Learn of the forensic importance of Windows Thumbcache files
- Explore backup options on a Windows based system
Foundations in Digital Forensics - Day 4
The final day of the course sees us looking at the Windows Registry. We will define key navigation terms and also investigate why the Registry is of great benefit to the examiner in a digital forensic investigation.
Concluding the course will involve us delving into Windows Link Files and the many artifacts left behind by user interaction.
This module will introduce you to the Windows Registry, defining key navigation terms and exploring the SOFTWARE and SYSTEM registry files to report on Operating System settings.
- Define the Windows Registry
- Discuss Forensic benefits of examining the Registry
- Introduction to recovering evidentially relevant data from the following registry files:
  - SAM
  - SYSTEM
  - SOFTWARE
  - NTUSER.DAT
- Basic analysis of the SOFTWARE and SYSTEM registry files
Instructor Led Lab
This module continues the introduction to the Windows Registry, defining key navigation terms and exploring the SOFTWARE registry file to report on Operating System settings.
- Define the Security Accounts Manager (SAM)
- Operating System access management
- Describe a Security Identifier (SID)
- Describe a Relative Identifier (RID)
- Identify Microsoft ‘Live’ Accounts
- Examine User Profile data in NTUSER
- Examine the purpose of the SYSTEM registry file
- Review core items of forensic interest
- Learn how Windows tracks:
  - HDDs
  - USB devices
- Locate items of interest within NTUSER.DAT
During any forensic investigation, an examiner’s role is to locate items of evidential value that support the incident. This corroborating information can be the actual item or supporting artifacts that indicate the suspect was aware of the data and interacted with it. Most actions a user account performs on the host system leave traces within the Registry and the file system, as well as copies of actual file data located across the volume. Examiners must be familiar with typical Windows functions to determine how these items are created and where system artifacts are typically located.
During this module students will explore the function of Windows Link files and the many artifacts left behind through user interaction with the host system.
- Introduction to Windows Shortcuts
- Shell link functionality
- Link File Anatomy
- Introduction to Windows Jump Lists
- Perform Jump List Analysis
- Introduction to File System Integration with Link files
Instructor Led Lab