Foundations In Digital Forensics
40 Hours / 5-DayThis is a five-day course is designed for the investigator/examiner entering the field of digital forensics and provides the fundamental knowledge to comprehend and investigate incidents involving electronic devices.

What is Digital Forensics
-
General overview of the world of digital forensic investigations.

Reasons for a Forensic Investigation
-
Discussions on the events that would lead to a request for a forensic examination.

Discuss the types of forensic analysis
-
Outline the different types of analysis the examiner will encounter
-
Discuss the challenges of each and questions that need to be asked before an examination begins
-
Describe the forensic and incident response process.

Incident Response Process
-
Discuss the role of the first responder
-
Outline the stages of the incident response
-
Review best practices in evidence collection
-
Concepts of a digital fingerprint, HASHing
-
Discussions in evidence recovery.

Partitioning and Format Review
-
Describe the differences between MBR and GPT partitioned disks
-
Examine the structure of an MBR and GPT partitioned disk
-
Learn of the effects of formatting a volume to FAT
-
Learn of the effects of formatting a volume to exFAT
-
Learn of the effects of formatting a volume to NTFS.

FAT File System
-
Describe the structure and functionality of the system area
-
Examine the concept of clusters and data area
-
Describe changes that occur when a file or folder is saved
-
Examine the effects of data when a file is deleted
-
Describe the process to recover deleted files on a FAT volume.

NTFS File System deep dive
-
List file system support for each NT operating system
-
Identify NTFS Metadata Files
-
List the function of each Metadata file
-
Describe a File Record Entry
-
List the components of an NTFS Attribute
-
Examine the B+ Tree structure of directories
-
Describe the effects of data when a file is deleted.

Operating Systems Overview
-
Learn to identify the core features of each NT Operating System
-
List the key artifacts contained on modern systems
-
Identify and review common folders on a NT Operating System.

Windows® System Artifacts
-
Describe the purpose of User Account Control
-
Discuss the forensic importance of Windows Prefetch and Superfetch
-
Learn how to examine ShadowCopies
-
Examine the function and forensic importance of the Recycle Bin.

Introduction to the Windows® Registry
-
Define the Windows Registry
-
Discuss Forensic benefits of examining the Registry
-
Introduction into the recovering evidentially relevant data from the following registry files:
SAM
SYSTEM
SOFTWARE
NTUSER.DAT

Introduction into Windows® Shortcuts
-
Introduction to Windows Shortcuts
-
Examine Link File Anatomy
-
Introduction to Jump Lists and analysis.

Thumbnail Caching
-
Learn of the functions Windows uses to cache thumbnail images
-
Discuss user interaction characteristics
-
Examine the internal structure of each cached database.

Microsoft Browser Examinations
-
Gain an overview of Internet Explorer
-
Introduction to Microsoft Edge
-
Examine storage locations
-
Discuss implications of InPrivate browsing
-
Introduction to ESE Database analysis
Course Information
- 40hrs of Instruction
- Course Manual
- Practical Files
- Attendance Certificate
Prerequisites
To get the most out of this class, you should:
- Be familiar with Windows Operating systems.

Download the Syllabus
Download a printable copy of the course description and key learning points.

Hosting Courses
If you are interested in hosting this, or any of our courses at your facility, contact us.