Foundations In Digital Forensics

40 Hours / 5-Day

This five-day course is designed for the investigator/examiner entering the field of digital forensics and provides the fundamental knowledge to comprehend and investigate incidents involving electronic devices.


What is Digital Forensics

  • General overview of the world of digital forensic investigations.

Reasons for a Forensic Investigation

  • Discussions on the events that would lead to a request for a forensic examination.

Discuss the types of forensic analysis

  • Outline the different types of analysis the examiner will encounter

  • Discuss the challenges of each and questions that need to be asked before an examination begins

  • Describe the forensic and incident response process.

Incident Response Process

  • Discuss the role of the first responder

  • Outline the stages of the incident response

  • Review best practices in evidence collection

  • Concepts of a digital fingerprint, hashing

  • Discussions in evidence recovery.

Partitioning and Format Review

  • Describe the differences between MBR and GPT partitioned disks

  • Examine the structure of an MBR and GPT partitioned disk

  • Learn of the effects of formatting a volume to FAT

  • Learn of the effects of formatting a volume to exFAT

  • Learn of the effects of formatting a volume to NTFS.

FAT File System

  • Describe the structure and functionality of the system area

  • Examine the concept of clusters and data area

  • Describe changes that occur when a file or folder is saved

  • Examine the effects on data when a file is deleted

  • Describe the process to recover deleted files on a FAT volume.

NTFS File System deep dive

  • List file system support for each NT operating system

  • Identify NTFS Metadata Files

  • List the function of each Metadata file

  • Describe a File Record Entry

  • List the components of an NTFS Attribute

  • Examine the B+ Tree structure of directories

  • Describe the effects on data when a file is deleted.

Operating Systems Overview

  • Learn to identify the core features of each NT Operating System

  • List the key artifacts contained on modern systems

  • Identify and review common folders on an NT Operating System.

Windows® System Artifacts

  • Describe the purpose of User Account Control

  • Discuss the forensic importance of Windows Prefetch and Superfetch

  • Learn how to examine Shadow Copies

  • Examine the function and forensic importance of the Recycle Bin.

Introduction to the Windows® Registry

  • Define the Windows Registry

  • Discuss forensic benefits of examining the Registry

  • Introduction to recovering evidentially relevant data from the following registry files:
    SAM
    SYSTEM
    SOFTWARE
    NTUSER.DAT

Introduction to Windows® Shortcuts

  • Introduction to Windows Shortcuts

  • Examine Link File Anatomy

  • Introduction to Jump Lists and analysis.

Thumbnail Caching

  • Learn of the functions Windows uses to cache thumbnail images

  • Discuss user interaction characteristics

  • Examine the internal structure of each cached database.

Microsoft Browser Examinations

  • Gain an overview of Internet Explorer

  • Introduction to Microsoft Edge

  • Examine storage locations

  • Discuss implications of InPrivate browsing

  • Introduction to ESE Database analysis

Prerequisites

To get the most out of this class, you should:

  • Be familiar with Windows Operating systems.


Hosting Courses

If you are interested in hosting this, or any of our courses at your facility, contact us.
