Foundations In Digital Forensics

40 Hours / 5-Day

This 5-day certification course is designed for the investigator/examiner entering the field of digital forensics and provides the fundamental knowledge to comprehend and investigate incidents involving electronic devices. The course begins with detailed discussions on digital forensic examination principles and first responder responsibilities. Using industry core principles, students will learn how to forensically collect and image evidence for examination and how digital fingerprints can be used to verify data integrity.

Attendees will gain insight into partitioning structures and disk layouts and the effects of formatting volumes that contain existing data. The course covers in-depth analysis and functionality of the FAT File System and its related metadata pertaining to stored objects within the volume. File management and directory structure characteristics will be examined in detail, as well as techniques for discovering potential evidence that may be pivotal to a successful examination. Midway through the course, students will learn about core artifacts of interest in a Windows-based examination, focusing on user interaction with files and applications through typical daily use and account ownership analysis. This is a certification course where attendees can participate in the optional exam conducted at the conclusion of the course.


What is Digital Forensics

  • Outline the different types of analysis the examiner will encounter
  • Discuss the challenges for the forensic examiner
  • Describe the forensic and incident response process
  • Examination considerations

Reasons for a Forensic Investigation

  • Discussions on the events that would lead to a request for a forensic examination

  • Define Locard's Exchange Principle in relation to digital evidence

Discuss the Types of Forensic Analysis

  • Outline the different types of analysis the examiner will encounter

  • Discuss the challenges of each and questions that need to be asked before an examination begins

  • Describe the forensic and incident response process.

Incident Response Process

  • Discuss the role of the first responder
  • Outline the stages of the incident response
  • Review best practices in evidence collection
  • Discussions in evidence preservation

Evidence Collections (imaging digital data)

  • Digital Evidence collection principles
  • Discussion on the need for Write-Blockers
  • Imaging formats
  • Physical vs. Logical collection options
  • Learn of the importance of imaging RAM
  • Hashing fundamentals

Storage Media Partition Schemas

  • Define Physical devices vs. Logical storage areas
  • Identify partitioning schemes
  • Understand each partition scheme’s data structures
  • Describe the differences between MBR and GPT partitioned disks
  • Examine the structure of an MBR and GPT partitioned disk

FAT File System

  • Learn of the effects of formatting a volume to FAT
  • Describe the structure and functionality of the system area
  • Examine the concept of clusters and data area
  • Describe changes that occur when a file or folder is saved
  • Examine the effects on data when a file is deleted
  • Describe the process to recover deleted files on a FAT volume.

Operating Systems Overview

  • Learn to identify the core features of each New Technology Operating System
  • List the key artifacts contained on modern systems
  • Identify and review common folders on a Modern Operating System

Core System Artifacts

  • Describe the function of the Windows recycle bin
  • Learn of the forensic importance of Windows Thumbcache files
  • Explore backup options on a Windows-based system and how to recover data in the ShadowCopy BLOBs

Introduction to the Windows® Registry

  • Define the Windows Registry
  • Discuss Forensic benefits of examining the Registry
  • Introduction to recovering evidentially relevant data from the following registry files:
    • SAM
    • SYSTEM

Introduction to Windows® Shortcuts and Jump Lists

  • Introduction to Windows Shortcuts
  • Shell link functionality
  • Link File Anatomy
  • Examine registry data relating to recent file activity
  • Introduction to Windows Jump Lists
  • Perform Jump List Analysis
  • Introduction to File System Integration with Link files

Microsoft Browser Examinations

  • Review Chromium-based browsers
  • Locate key folders of interest within the user profile
  • Learn of the new data storage files and their interpretation


To get the most out of this class, you should:

  • Be familiar with Windows operating systems.

Request the Syllabus

Contact Spyder Forensics for more details of the course.

Hosting Courses

If you are interested in hosting this, or any of our courses at your facility, contact us.
