Foundations In Digital Forensics

40 Hours / 5-Day

This is a 5-day certification course is designed for the investigator/examiner entering the field of digital forensics that provides the fundamental knowledge to comprehend and investigate incidents involving electronic devices.  The course begins with detailed discussions on digital forensic examination principles and first responder responsibilities.  Using industry core principles student will learn how to forensically collect and image evidence for examination and how digital fingerprints can be used to verify data integrity.

Attendees will gain insight into partitioning structures and disk layouts and the effects of formatting volumes that contain existing data.  The course covers in-depth analysis and functionality of the FAT File System and introduction into NTFS and its related metadata pertaining to stored objects within the volume.   File management and directory structure characteristics will be examined in detail as well as techniques for discovering potential evidence that maybe pivotal to a successful examination.  Midway within the course students will learn of core artifacts of interest in a Windows based examination, focusing on user interaction with files and applications through typical daily use and account ownership analysis.  This is a certification course where attendees can participate in the optional exam conducted at the conclusion of the course.

InquireRegister for an upcoming class

What is Digital Forensics

  • General overview of the world of digital forensic investigations.

Reasons for a Forensic Investigation

  • Discussions on the events that would lead to a request for a forensic examination

  • Define Locards Exchange Principles in relation to digital evidence

Discuss the Types of Forensic Analysis

  • Outline the different types of analysis the examiner will encounter

  • Discuss the challenges of each and questions that need to be asked before an examination begins

  • Describe the forensic and incident response process.

Incident Response Process

  • Discuss the role of the first responder

  • Outline the stages of the incident response

  • Review best practices in evidence collection

  • Concepts of a digital fingerprint, HASHing

  • Discussions in evidence recovery

  • Exercises in the collection and imaging of digital evidece

Partitioning and Format Review

  • Describe the differences between MBR and GPT partitioned disks

  • Examine the structure of an MBR and GPT partitioned disk

  • Learn of the effects of formatting a volume to FAT

  • Learn of the effects of formatting a volume to NTFS.

FAT File System

  • Describe the structure and functionality of the system area

  • Examine the concept of clusters and data area

  • Describe changes that occur when a file or folder is saved

  • Examine the effects of data when a file is deleted

  • Describe the process to recover deleted files on a FAT volume.

NTFS File System Introduction

  • List file system support for each NT operating system

  • Identify NTFS Metadata Files

  • List the function of each Metadata file

  • Describe a File Record Entry

Operating Systems Overview

  • Learn to identify the core features of each NT Operating System

  • List the key artifacts contained on modern systems

  • Identify and review common folders on a modern Windows Operating System.

Windows® System Artifacts

  • Describe the purpose of User Account Control

  • Discuss the forensic importance of Windows Prefetch and Superfetch

  • Learn how to examine ShadowCopies

  • Examine the function and forensic importance of the Recycle Bin.

Workflows in the Examaintion of User Interactions

  • Define the purpose of the Windows Registry

  • Discuss Forensic benefits of examining the Registry

  • Introduction into the recovering evidentially relevant data from the following registry files:
    SAM
    SYSTEM
    SOFTWARE
    NTUSER.DAT

Hardware Tracking and Analysis

  • Learn how Windows tracks hardware

  • Examination of data files containing details of hardware used in the system

  • Windows event log analysis.

Introduction into Windows® Shortcuts and Jumplists

  • Introduction to Windows Shortcuts
  • Examine Link File Anatomy
  • Introduction to Jump Lists and analysis.

Microsoft Browser Examinations

  • Examine Browser Characteristics 

  • Explore the Chromium Edge Browser
  • Exploit the databases containing History, downloads, keywords and much more using pre-built SQLite scripts.

Prerequisites

To get the most out of this class, you should:

  • Be familiar with Windows Operating systems.

Download the Syllabus

Download a printable copy of the course description and key learning points.

Hosting Courses

If you are interested in hosting this, or any of our courses at your facility, contact us.

Ready to get started?

CONTACT US