Foundations In Digital Forensics
40 Hours / 5-DayThis is a 5-day certification course is designed for the investigator/examiner entering the field of digital forensics that provides the fundamental knowledge to comprehend and investigate incidents involving electronic devices. The course begins with detailed discussions on digital forensic examination principles and first responder responsibilities. Using industry core principles students will learn how to forensically collect and image evidence for examination and how digital fingerprints can be used to verify data integrity.
Attendees will gain insight into partitioning structures and disk layouts and the effects of formatting volumes that contain existing data. The course covers in-depth analysis and functionality of the FAT File System and its related metadata pertaining to stored objects within the volume. File management and directory structure characteristics will be examined in detail as well as techniques for discovering potential evidence that may be pivotal to a successful examination. Midway within the course students will learn of core artifacts of interest in a Windows-based examination, focusing on user interaction with files and applications through typical daily use and account ownership analysis. This is a certification course where attendees can participate in the optional exam conducted at the conclusion of the course.
What is Digital Forensics
- Outline the different types of analysis the examiner will encounter
- Discuss the challenges for the forensic examiner
- Describe the forensic and incident response process
- Examination considerations
Reasons for a Forensic Investigation
-
Discussions on the events that would lead to a request for a forensic examination
- Define Locards Exchange Principles in relation to digital evidence
Discuss the Types of Forensic Analysis
-
Outline the different types of analysis the examiner will encounter
-
Discuss the challenges of each and questions that need to be asked before an examination begins
-
Describe the forensic and incident response process.
Incident Response Process
- Discuss the role of the first responder
- Outline the stages of the incident response
- Review best practices in evidence collection
- Discussions in evidence preservation
Evidence Collections (imaging digital data)
- Digital Evidence collection principles
- Discussion on the need for Write-Blockers
- Imaging formats
- Physical Vs. Logical collection options
- Learn of the importance of imaging RAM
- Hashing fundamentals
Storage Media Partition Schemas
- Define Physical devices vs. Logical storage areas
- Identify partitioning schemes
- Understand each partition scheme’s data structures
- Describe the differences between MBR and GPT partitioned disks
- Examine the structure of an MBR and GPT partitioned disk
FAT File System
- Learn of the effects of formatting a volume to FAT
- Describe the structure and functionality of the system area
- Examine the concept of clusters and data area
- Describe changes that occur when a file or folder is saved
- Examine the effects of data when a file is deleted
- Describe the process to recover deleted files on a FAT volume.
Operating Systems Overview
- Learn to identify the core features of each New Technology Operating System
- List the key artifacts contained on modern systems
- Identify and review common folders on a Modern Operating System
Core System Artifacts
- Describe the function of the Windows recycle bin
- Learn of the forensic importance of Windows Thumbcache files
- Explore backup options on a Windows based system and how to recover data in the ShadowCopy BLOBs
Introduction to the Windows® Registry
- Define the Windows Registry
- Discuss Forensic benefits of examining the Registry
- Introduction into the recovering evidentially relevant data from the following registry files:
- SAM
- SYSTEM
- SOFTWARE
- NTUSER.DAT
Introduction into Windows® Shortcuts and Jumplists
- Introduction to Windows Shortcuts
- Shell link functionality
- Link File Anatomy
- Examine registry data relating the recent file activity
- Introduction to Windows Jump Lists
- Perform Jump List Analysis
- Introduction to File System Integration with Link files
Microsoft Browser Examinations
- Review Chromium-based browsers
- Locate key folders of interest within the user profile
- Learn of the new data storage files and their interpretation
Course Information
- 40hrs of Instruction
- Course Manual
- Practical Files
- Attendance Certificate
- Practical Assesment
Prerequisites
To get the most out of this class, you should:
- Be familiar with Windows Operating systems.
Request the Syllabus
Contact Spyder Forensics for more details of the course.
Hosting Courses
If you are interested in hosting this, or any of our courses at your facility, contact us.