Foundations In Digital Forensics
32 Hours / 4-Day

This four-day course is designed for the investigator or examiner entering the field of digital forensics and provides the fundamental knowledge needed to understand and investigate incidents involving electronic devices. The course covers in depth the architecture and functionality of the FAT file system and the metadata it keeps about objects stored on the physical media. Attendees will gain insight into partitioning structures and disk layouts, and into the effects of formatting a volume that already contains data. File management and directory structure characteristics are examined in detail, along with techniques for discovering potential evidence that may be pivotal to a successful examination. This is followed by file headers, file hashing, recovery of deleted files, and basic analysis of a Windows-based system. The course incorporates an investigative scenario, providing hands-on experience with the examination of collected evidence.
What is Digital Forensics?
- Outline the different types of analysis the examiner will encounter
- Discuss the challenges for the forensic examiner
- Describe the forensic and incident response process
- Examination considerations
Reasons for a Forensic Investigation
- Discuss the events that would lead to a request for a forensic examination
- Define Locard's Exchange Principle in relation to digital evidence
Discuss the Types of Forensic Analysis
- Outline the different types of analysis the examiner will encounter
- Discuss the challenges of each and the questions that need to be asked before an examination begins
- Describe the forensic and incident response process
Incident Response Process
- Discuss the role of the first responder
- Outline the stages of the incident response
- Review best practices in evidence collection
- Discussions in evidence preservation
Evidence Collections (imaging digital data)
- Digital Evidence collection principles
- Discussion on the need for Write-Blockers
- Imaging formats
- Physical Vs. Logical collection options
- Learn the importance of imaging RAM (volatile memory) before powering a system down
- Hashing fundamentals
Storage Media Partition Schemas
- Define Physical devices vs. Logical storage areas
- Identify partitioning schemes
- Understand each partition scheme’s data structures
- Describe the differences between MBR and GPT partitioned disks
- Examine the structure of an MBR and GPT partitioned disk
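Added example, not part of the Spyder Forensics course material: a parser for the 512-byte Master Boot Record that walks the four 16-byte partition table entries at offset 446, checks the 0x55AA signature at offset 510, and converts each entry's starting LBA into a byte offset an examiner can seek to. A GPT disk presents a "protective MBR" with a single entry of type 0xEE, so the parser reports that case as the cue to read the GPT header in LBA 1 instead. The two disk images are constructed in memory; the partition-type table is deliberately limited to the types used here.

```python
"""Parse an MBR partition table and tell an MBR disk from a GPT protective MBR."""
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446           # boot code occupies bytes 0..445
SIGNATURE = b"\x55\xaa"           # bytes 510..511

# Subset of partition-type bytes; the real list is far longer.
PARTITION_TYPES = {
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0xEE: "GPT protective",
}


def parse_mbr(sector: bytes) -> dict:
    """Return the partition scheme and the non-empty partition table entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # boot flag, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        boot, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue  # unused slot
        entries.append({
            "index": i,
            "bootable": boot == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": count,
            "byte_offset": lba_start * SECTOR,  # where the volume begins on the image
        })
    # A lone 0xEE entry is the protective MBR a GPT disk shows to legacy tools.
    scheme = "GPT (protective MBR)" if any(e["type"] == 0xEE for e in entries) else "MBR"
    return {"scheme": scheme, "partitions": entries}


def _entry(boot: int, ptype: int, lba_start: int, count: int) -> bytes:
    """Build one 16-byte partition table entry (CHS fields zeroed; constructed data)."""
    return struct.pack("<B3sB3sII", boot, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, count)


# Constructed sample sectors: a classic two-partition MBR disk and a GPT disk.
MBR_DISK = (b"\x00" * PART_TABLE_OFFSET
            + _entry(0x80, 0x07, 2048, 204800)     # bootable NTFS at LBA 2048
            + _entry(0x00, 0x0C, 206848, 102400)   # FAT32 data volume
            + b"\x00" * 32 + SIGNATURE)
GPT_DISK = (b"\x00" * PART_TABLE_OFFSET
            + _entry(0x00, 0xEE, 1, 0xFFFFFFFF)    # protective entry covering the disk
            + b"\x00" * 48 + SIGNATURE)

if __name__ == "__main__":
    for label, disk in (("mbr", MBR_DISK), ("gpt", GPT_DISK)):
        print(label, parse_mbr(disk))
```

On a real image, read the first 512 bytes of the physical device image and pass them in; the `byte_offset` of each entry is where the file system's own boot sector (FAT or NTFS) starts.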
FAT File System
- Learn the effects of formatting a volume as FAT
- Describe the structure and functionality of the system area
- Examine the concept of clusters and data area
- Describe changes that occur when a file or folder is saved
- Examine what happens to a file's directory entry, FAT chain and data clusters when it is deleted
- Describe the process to recover deleted files on a FAT volume.
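Added example, not part of the course material: a decoder for FAT 8.3 directory entries run over a tiny FAT-style volume constructed in memory (a four-entry root directory followed by the data area, with an assumed 512-byte cluster). It shows what deletion actually changes, namely the first byte of the 32-byte entry is overwritten with 0xE5 and the file's FAT chain is released, while the starting cluster, size, timestamps and data clusters remain until reused. Recovery therefore reads `ceil(size / cluster_size)` contiguous clusters from the start cluster, which is the standard assumption because the chain itself is gone. The volume layout and all file contents are constructed for the example.

```python
"""Decode FAT directory entries and carve a deleted file from a constructed volume."""
import struct
from datetime import datetime

DIR_ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")  # 32-byte short-name entry
DELETED = 0xE5                                 # first name byte after deletion
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F                                # long-file-name slices carry this value

CLUSTER_SIZE = 512                 # assumed for the constructed volume
ROOT_DIR_OFFSET = 0
ROOT_DIR_ENTRIES = 4
DATA_AREA_OFFSET = ROOT_DIR_ENTRIES * DIR_ENTRY.size   # data area follows the root dir


def fat_date(y: int, m: int, d: int) -> int:   # 7-bit year since 1980, 4-bit month, 5-bit day
    return ((y - 1980) << 9) | (m << 5) | d


def fat_time(h: int, m: int, s: int) -> int:   # 5-bit hour, 6-bit minute, 5-bit seconds/2
    return (h << 11) | (m << 5) | (s // 2)


def fat_datetime(date: int, time: int) -> datetime:
    """Decode FAT's packed date/time words (2-second resolution, no time zone)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_directory(blob: bytes, offset: int, count: int) -> list:
    """Return live and deleted short-name entries; stop at the 0x00 end marker."""
    entries = []
    for i in range(count):
        raw = blob[offset + DIR_ENTRY.size * i: offset + DIR_ENTRY.size * (i + 1)]
        (name, ext, attr, _nt, _ctenth, _ctime, _cdate, _adate,
         hi, wtime, wdate, lo, size) = DIR_ENTRY.unpack(raw)
        if name[0] == 0x00:
            break                      # no entries follow
        if attr == ATTR_LFN:
            continue                   # long-name slice, not a file record
        deleted = name[0] == DELETED
        base = (b"?" + name[1:] if deleted else name).decode("ascii", "replace").rstrip()
        ext_s = ext.decode("ascii", "replace").rstrip()
        entries.append({
            "name": base + ("." + ext_s if ext_s else ""),
            "deleted": deleted,
            "directory": bool(attr & ATTR_DIRECTORY),
            # On FAT32, Windows zeroes the high word on delete, so this can be
            # wrong for deleted files that started beyond cluster 65535.
            "first_cluster": (hi << 16) | lo,
            "size": size,
            "modified": fat_datetime(wdate, wtime),
        })
    return entries


def recover_file(blob: bytes, entry: dict) -> bytes:
    """Carve a file assuming its clusters are contiguous from the start cluster."""
    # Cluster numbering starts at 2: cluster N sits at DATA_AREA_OFFSET + (N-2)*CLUSTER_SIZE.
    start = DATA_AREA_OFFSET + (entry["first_cluster"] - 2) * CLUSTER_SIZE
    nclusters = -(-entry["size"] // CLUSTER_SIZE)   # ceiling division
    return blob[start:start + nclusters * CLUSTER_SIZE][:entry["size"]]


def make_entry(name8: bytes, ext3: bytes, attr: int, cluster: int, size: int,
               wdate: int, wtime: int) -> bytes:
    """Build a live directory entry (constructed test data)."""
    return DIR_ENTRY.pack(name8, ext3, attr, 0, 0, wtime, wdate, wdate,
                          cluster >> 16, wtime, wdate, cluster & 0xFFFF, size)


def delete_entry(raw: bytes) -> bytes:
    """What the file system does on delete: only byte 0 of the entry changes."""
    return bytes([DELETED]) + raw[1:]


# Constructed volume: NOTES.TXT live in clusters 2-3, SECRET.DOC deleted in cluster 4.
NOTES_DATA = b"meeting notes " * 50          # 700 bytes -> two clusters
SECRET_DATA = b"budget-Q3-2023 " * 20        # 300 bytes -> one cluster
_D, _T = fat_date(2023, 9, 14), fat_time(10, 30, 0)
ROOT_DIR = (make_entry(b"NOTES   ", b"TXT", 0x20, 2, len(NOTES_DATA), _D, _T)
            + delete_entry(make_entry(b"SECRET  ", b"DOC", 0x20, 4, len(SECRET_DATA), _D, _T))
            + b"\x00" * DIR_ENTRY.size * 2)
VOLUME = (ROOT_DIR
          + NOTES_DATA.ljust(2 * CLUSTER_SIZE, b"\x00")
          + SECRET_DATA.ljust(CLUSTER_SIZE, b"\x00"))

if __name__ == "__main__":
    for e in parse_directory(VOLUME, ROOT_DIR_OFFSET, ROOT_DIR_ENTRIES):
        print(e, recover_file(VOLUME, e)[:20])
```

The deleted entry reads back as `?ECRET.DOC`, the examiner's usual rendering of the lost first character. Contiguity is the caveat to keep in mind: if the file was fragmented, or its clusters were reused after deletion, the carved bytes past the first cluster belong to something else, which is why recovered content should always be validated against the file header.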
Operating Systems Overview
- Learn to identify the core features of each Windows NT-based operating system
- List the key artifacts contained on modern systems
- Identify and review common folders on a modern Windows operating system
Core System Artifacts
- Describe the function of the Windows recycle bin
- Learn the forensic importance of Windows thumbcache files
- Explore core system folders
Introduction to the Windows® Registry
- Define the Windows Registry
- Discuss Forensic benefits of examining the Registry
- Introduction to recovering evidentially relevant data from the following registry hive files:
  - SAM
  - SYSTEM
  - SOFTWARE
  - NTUSER.DAT
Introduction to Windows® Shortcuts and Jump Lists
- Introduction to Windows Shortcuts
- Shell link functionality
- Link File Anatomy
- Examine registry data relating to recent file activity
- Introduction to Windows Jump Lists
- Perform Jump List Analysis
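Added example, not part of the course material: a parser for the fixed 76-byte ShellLinkHeader that opens every .lnk file (and every embedded link inside a Jump List). The layout follows the public MS-SHLLINK specification: HeaderSize (0x4C), the LinkCLSID, LinkFlags, FileAttributes, three FILETIMEs for the target's creation, access and write times, FileSize, IconIndex, ShowCommand, HotKey and reserved bytes. Those timestamps and size describe the target as it was when the link was last written, which is why a shortcut can preserve metadata for a file that has since been deleted. The sample header is constructed with the block's own builder; the flag and attribute tables are limited to the bits decoded here.

```python
"""Parse the ShellLinkHeader of a Windows .lnk file and decode its FILETIMEs."""
import struct
from datetime import datetime, timedelta

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}, little-endian
HEADER = struct.Struct("<I16sIIQQQIIIHHII")                    # 76 bytes
FILETIME_EPOCH = datetime(1601, 1, 1)                         # FILETIME counts 100 ns units

LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
              0x10: "DIRECTORY", 0x20: "ARCHIVE"}


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (UTC) to a naive UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build constructed sample data."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_lnk_header(data: bytes) -> dict:
    """Validate the header magic and return the examiner-relevant fields."""
    if len(data) < HEADER.size:
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     icon, show, hotkey, _r1, _r2, _r3) = HEADER.unpack_from(data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    return {
        "flags": [n for b, n in LINK_FLAGS.items() if flags & b],
        "attributes": [n for b, n in FILE_ATTRS.items() if attrs & b],
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": fsize,          # size of the target when the link was written
        "icon_index": icon,
        "show_command": show,          # 1 = SW_SHOWNORMAL
        "hotkey": hotkey,
        # The structures that follow the header (IDList, LinkInfo, StringData)
        # are present only when the corresponding flag bits are set.
        "has_idlist": bool(flags & 0x01),
        "has_linkinfo": bool(flags & 0x02),
    }


def build_sample_header(created: datetime, accessed: datetime,
                        written: datetime, size: int) -> bytes:
    """Constructed header for a Unicode link with an IDList and LinkInfo."""
    flags = 0x01 | 0x02 | 0x80
    return HEADER.pack(0x4C, LNK_CLSID, flags, 0x20,
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)


if __name__ == "__main__":
    sample = build_sample_header(datetime(2023, 9, 14, 10, 30), datetime(2023, 9, 15, 8, 0),
                                 datetime(2023, 9, 14, 11, 0), 4096)
    print(parse_lnk_header(sample))
```

To use it on evidence, read the first 76 bytes of a .lnk file, or of each embedded link inside an AutomaticDestinations Jump List once the OLE compound file has been unpacked, and pass them in; the flag list then tells you which of the variable-length structures (IDList, LinkInfo, string data) follow and carry the target path.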
Course Information
- 32 hours of instruction
- Course manual
- Practical files
- Certificate of attendance
- Optional practical assessment
Prerequisites
To get the most out of this class, you should:
- Be familiar with Windows operating systems.
Request the Syllabus
Contact Spyder Forensics for more details of the course.
Hosting Courses
If you are interested in hosting this or any of our courses at your facility, contact us.