Digital Forensics

The Digital Forensics training course provides a strong foundational introduction to Digital Forensics on Microsoft Windows-based systems. You work in both a Windows and Linux environment for your investigative workstations and are exposed to theory and practical skills for an entry-level forensic examiner (acquisition, analysis and reporting), with exposure to advanced topics (live system and mobile forensics).

Objectives:

• Perform the essential duties of a Forensic Examiner
• Prepare for and execute digital forensic investigations on Windows-based systems
• Apply forensic methodologies to preserve, acquire, extract and analyze information of investigative importance
• Identify and analyze key Windows artifacts of investigative importance

Course Agenda:

• Defining digital forensics
• Articulating the importance of Locard's Principle
• Contextualizing digital forensics within incident response
• Explaining the role of digital forensics in investigations
• Criminal, civil and intelligence/anti-terrorism investigations
• Applying the scientific method to investigations
• Articulating the role of a digital forensic examiner
• Maintaining objectivity within investigations
• Ensuring confidentiality and integrity
• Exploring legal considerations of digital forensics
• Respecting privacy rights and expectations
• Addressing and reporting illegal information
• Defining and applying privacy principles
• Outlining the twelve privacy principles
• Addressing the duty to preserve in eDiscovery
• Examining the core operational principles of a computer
• Inspecting hard drive storage and architecture
• Reviewing the operations of computer memory
• Identifying multiple locations of digital evidence within a computer system
• Investigating alternate data streams
• Uncovering hidden data with Steganography
• Determining lab requirements
• Key components of a digital forensics lab
• Conducting tool validation
• Preparing and configuring a forensic workstation
• Demonstrating appropriate use of a hardware write-blocker
• Exploring key features of commercial and open source forensic software (e.g., EnCase, FTK, DD)
• Image acquisition
• Creating bit-for-bit copies of digital evidence
• Mounting and searching images
• Documenting the physical and digital crime scene
• Conducting crime scene photography
• Executing triage techniques and methodologies
• Managing the chain of custody
• Bagging and tagging physical evidence
• Documenting and demonstrating evidence continuity
• Identifying key Windows artifacts
• Recovering and searching the Windows registry
• Hibernation files, event logs, prefetch, shellbag and lnk files
• Password hash extraction and cracking
• Performing keyword searching, bookmarking and timeline analysis
• Developing strategies for effective keyword searching
• Reconstructing the order of events with timeline analysis
• Conducting e-mail, web browser and USB investigations
• Extracting and recovering deleted data from slack space
• Tracking user activity and addressing Trojan Defense
• Performing Mobile Forensics
• Safely handling mobile devices during investigations
• Examining the use of Faraday bags
• Demonstrating the use of mobile cables and write-blockers
• Preserving and acquiring evidence from mobile devices
• Investigating evidence located within the address book, calendar, mail, apps and SMS
• Recovering data from SIM cards
• Performing live memory acquisitions