
Foundations in Digital Forensics

This five-day course is designed for the investigator/examiner entering the
field of digital forensics and provides the fundamental knowledge to
comprehend and investigate incidents involving electronic devices. The
course covers in depth the architecture and functionality of the NTFS and FAT
file systems and their related metadata pertaining to stored objects on the
physical media. Attendees will gain insight into partitioning structures and
disk layouts and the effects of formatting volumes that contain existing data.
File management and directory structure characteristics will be examined in
detail, as well as techniques for discovering potential evidence that may be
pivotal to a successful examination. This will be followed by topical areas of
interest, including file headers, file hashing, recovery of deleted files,
and basic analysis of a Windows-based system. This course incorporates an
investigative scenario, providing hands-on experience with examination of
collected evidence.

What You Will Learn

What is Digital Forensics

  • General overview of the world of digital forensic investigations.

Reasons for a Forensic Investigation

  • Discussions on the events that would lead to a request for a forensic examination.

Discuss the types of forensic analysis

  • Outline the different types of analysis the examiner will encounter

  • Discuss the challenges of each and questions that need to be asked before an examination begins

  • Describe the forensic and incident response process.

Incident Response Process

  • Discuss the role of the first responder

  • Outline the stages of the incident response

  • Review best practices in evidence collection

  • Concepts of a digital fingerprint, hashing

  • Discussions in evidence recovery.

Partitioning and Format Review

  • Describe the differences between MBR and GPT partitioned disks

  • Examine the structure of an MBR and GPT partitioned disk

  • Learn of the effects of formatting a volume to FAT

  • Learn of the effects of formatting a volume to exFAT

  • Learn of the effects of formatting a volume to NTFS.

FAT File System

  • Describe the structure and functionality of the system area

  • Examine the concept of clusters and data area

  • Describe changes that occur when a file or folder is saved

  • Examine the effects on data when a file is deleted

  • Describe the process to recover deleted files on a FAT volume.

NTFS File System deep dive

  • List file system support for each NT operating system

  • Identify NTFS Metadata Files

  • List the function of each Metadata file

  • Describe a File Record Entry

  • List the components of an NTFS Attribute

  • Examine the B+ Tree structure of directories

  • Describe the effects on data when a file is deleted.

Operating Systems Overview

  • Learn to identify the core features of each NT Operating System

  • List the key artifacts contained on modern systems

  • Identify and review common folders on an NT Operating System.

Windows® System Artifacts

  • Describe the purpose of User Account Control

  • Discuss the forensic importance of Windows Prefetch and Superfetch

  • Learn how to examine ShadowCopies

  • Examine the function and forensic importance of the Recycle Bin.

Introduction to the Windows® Registry

  • Define the Windows Registry

  • Discuss the forensic benefits of examining the Registry

  • Introduction to recovering evidentially relevant data from the following registry files:
    SAM
    SYSTEM
    SOFTWARE
    NTUSER.DAT

Introduction to Windows® Shortcuts

  • Introduction to Windows Shortcuts

  • Examine Link File Anatomy

  • Introduction to Jump Lists and analysis.

Thumbnail Caching

  • Learn of the functions Windows uses to cache thumbnail images

  • Discuss user interaction characteristics

  • Examine the internal structure of each cached database.

Microsoft Browser Examinations

  • Gain an overview of Internet Explorer

  • Introduction to Microsoft Edge

  • Examine storage locations

  • Discuss implications of InPrivate browsing

  • Introduction to ESE Database analysis

Contact Fulcrum for more information and to schedule a course.

Details

Duration - 5 days

Dates & Locations

  • Available Virtual Class (Live Remote)
