Foundations In Digital Forensics

4 Days – 32Hrs

Cost: $2,595

Participants will receive

4-Days of Instruction
Course Manual
Practical Files
Attendance Certificate

Rob Attoe

Lead Developer

Rob is the CEO and Founder of Spyder Forensics. He has over two decades of experience developing and presenting training on Digital Forensics, Cyber Security, Mobile Forensics, and eDiscovery education programs for the global digital investigations community.

As a lifetime member of the International Association of Computer Investigative Specialists (IACIS), Rob instructs regularly at the association’s annual conferences and is a lead instructor for several advanced courses as well as regularly presenting at the premier international digital forensics conferences. Rob has contributed to digital forensic publications and is a subject matter expert in various courses for the ATA program managed by the State Department in the USA.

Course Objectives

This four-day course is tailored for investigators and examiners new to digital forensics, providing essential knowledge to effectively comprehend and investigate incidents involving electronic devices. Participants will delve into the architecture and functionality of the FAT File System, focusing on the associated metadata of stored objects on physical media. The program offers an in-depth exploration of partitioning structures, disk layouts, and the implications of formatting volumes that contain pre-existing data.

Additionally, the course thoroughly examines file management and directory structure characteristics, alongside techniques for uncovering potential evidence critical to successful examinations. Topics of interest will include file headers, file hashing, recovery of deleted files, and the basic analysis of Windows-based systems. To enhance learning, the course integrates an investigative scenario, allowing participants to gain hands-on experience in the examination of collected evidence. By the end of this program, attendees will be equipped with foundational skills and insights necessary for navigating the complexities of digital forensics, ensuring they are prepared to tackle real-world challenges in the field.

Primary Learning Objectives

    Foundations in Digital Forensics - Day 1

    Day 1 of the Spyder Forensics Foundations in Digital Forensics course begins with an overview of the course along with an introduction to the Instructor.

    Once the introductions are over we will look at the basics of forensic examination methodology, including how to triage evidence, how to create a workflow plan, and how timeline analysis supports an examination.

    As a first responder your role is vital in the collection of data and we will look at situations that allow you to transport devices securely to an established evidence storage location where forensic imaging can be completed.

    Off-site imaging is not always possible or advisable, so we will also look at scenarios where a more experienced examiner may be called to the scene to conduct on-site imaging and the acquisition of memory, which is lost once a running system is powered down.

    Instructor Led Lab

    In this lab, participants will explore the various analyses forensic examiners encounter, including digital, physical, and chemical analyses. The session will address challenges such as technological complexities and time constraints while outlining the forensic and incident response process. Emphasizing systematic evidence collection and analysis, the lab will also discuss examination considerations, including legal compliance, documentation, and maintaining evidence integrity, ensuring attendees gain a comprehensive understanding of forensic examination techniques.

    In this module, we will discuss the scientific method for approaching problems, specifically as it relates to digital forensics. Coupled with the scientific method, we will discuss forensic methodology regarding digital evidence examinations and the associated investigative techniques used when conducting forensic examinations. These techniques will include how to triage evidence, how examiners develop workflow plan and using timeline analysis to assist with examinations. We will also discuss what to do when additional evidence collections are needed.

    • Outline the different types of analysis the examiner will
      encounter
    • Discuss the challenges for the forensic examiner
    • Describe the forensic and incident response process
    • Examination considerations

    This module will aid the first responder in all phases of the collection and storage of digital evidence. Many situations may necessitate calling a knowledgeable examiner to the scene to complete the imaging or more extensive triage procedures at the scene. This module is intended to address only those situations that do not require the immediate onsite imaging of media. Instead, we will discuss situations that allow for the collection of devices by a first responder for transport to an established evidence storage location where proper forensic imaging may be completed. It is also intended to train the first responder in identifying situations which may necessitate an on-scene response for imaging and the possible acquisition of memory.

    • Identification of Potential Evidence
    • Triage of evidence and encryption detection
    • “Bag & Tag” of the Evidence processes

    Instructor Led Lab

    This lab focuses on best practices for evidence collection, emphasizing the importance of digital fingerprints and hashing techniques. Participants will learn how digital fingerprints act as unique identifiers for files, ensuring integrity in investigations. The session will also highlight critical examination considerations, including meticulous handling and documentation of evidence to maintain its validity in legal contexts. Understanding these concepts will equip attendees to conduct effective digital forensic examinations in compliance with established protocols.

      Foundations in Digital Forensics - Day 2

      During Day 2 we will discuss why seizure and preservation of digital equipment and evidence is the most important aspect of a forensic investigation and take a look at the industry recognized practices involved in this.

      We will then move on to an examination of the MBR (Master Boot Record), its partition table, extended partitions and the GUID Partition Table (GPT), and see how these structures fit together; understanding them is essential if we want to build a strong foundation in computer forensics.

      Instructor Led lab

      In this lab, participants will focus on critical processes for evidence identification in investigative contexts, emphasizing the triage of evidence to prioritize and assess its relevance. The session will also cover techniques for detecting encryption, essential for addressing data security challenges. Additionally, thorough training on “Bag & Tag” procedures will ensure proper collection, labeling, and documentation of evidence for integrity and chain of custody, crucial for legal proceedings.

      The most important stage in a digital forensic exam is seizure and preservation of evidence. This critical phase ensures that data is collected without alteration or corruption, maintaining its integrity for later analysis. The goal of any examiner should be to gather as much relevant data as possible using the most forensically sound methods to ensure admissibility in legal contexts. In this module, we will explore how data is collected using industry-recognized best practices, including proper handling techniques, digital preservation methods, and verification processes like hashing to authenticate the integrity of the collected data. Additionally, we will discuss how to minimize contamination risks and ensure compliance with legal and procedural standards throughout the process.

      • Best practices in evidence collection
      • Concepts of a digital fingerprint, Hashing
      • Examination considerations
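A worked illustration of the hashing step in the evidence-collection module above and the "digital fingerprint" lab that follows Day 1. This is an added example, not course material from Spyder Forensics or code from the page: it hashes a constructed in-memory stand-in for an acquired image with several algorithms in a single pass, records the digests as the acquisition fingerprint, then re-verifies a copy and shows that a single flipped bit is detected. The `hash_file` helper applies the same routine to an image file on disk. The sample bytes, chunk sizes and function names are assumptions made for the demo.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Tuple

# Constructed stand-in for an acquired image: 4 KiB of known bytes (not a real disk image).
SAMPLE_IMAGE = bytes(range(256)) * 16


def iter_chunks(data: bytes, chunk_size: int = 1024) -> Iterable[bytes]:
    """Yield fixed-size chunks so images larger than RAM can be hashed the same way."""
    for offset in range(0, len(data), chunk_size):
        yield data[offset:offset + chunk_size]


def fingerprint(chunks: Iterable[bytes],
                algorithms: Tuple[str, ...] = ("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Compute several digests in a single pass over the evidence."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash an on-disk raw image (e.g. a .dd file) without loading it whole."""
    with open(path, "rb") as f:
        return fingerprint(iter(lambda: f.read(chunk_size), b""))


def verify(chunks: Iterable[bytes], expected: Dict[str, str]) -> bool:
    """Re-hash and compare against the digests recorded at acquisition."""
    actual = fingerprint(chunks, tuple(expected))
    return all(hmac.compare_digest(actual[name], digest.lower())
               for name, digest in expected.items())


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`, simulating a single-byte alteration of the evidence."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    acquired = fingerprint(iter_chunks(SAMPLE_IMAGE))
    for name, digest in acquired.items():
        print(f"{name:7} {digest}")
    print("verification after copy:  ", verify(iter_chunks(SAMPLE_IMAGE), acquired))
    print("verification after tamper:", verify(iter_chunks(tamper(SAMPLE_IMAGE, 100)), acquired))
```

The digests do not depend on the chunk size, so the value computed over the source media through a write blocker can be compared with the value computed over the image file later. MD5 and SHA-1 are still widely recorded for matching against existing hash sets, but both have known collision attacks, so record a SHA-256 alongside them and compare with a constant-time comparison as above.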

      The structures that dictate how data will be laid out on a physical piece of media at the highest level are contained within the Master Boot Record and are called the Partition Table. During this module we will examine the Master Boot Record, the Partition Table, Extended Partitions and another partitioning scheme known as GUID Partition Tables (GPT). Understanding how these structures are laid out and more importantly, how they work together, is essential for building a strong foundation in computer forensics.

      • Define Physical devices vs. Logical storage areas
      • Identify partitioning schemes
      • Understand each partition scheme’s data structures
      • Describe the differences between MBR and GPT partitioned disks
      • Examine the structure of an MBR and GPT partitioned disk
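An added example (not from the course or Spyder Forensics) of reading the MBR partition table this module describes. The sector is constructed inside the block with two entries, a bootable NTFS partition at LBA 2048 and an extended partition after it, plus a second constructed sector holding the single 0xEE protective entry a GPT disk carries. The partition-type table, the 1,000,000-sector disk size used when listing unallocated space, and the function names are assumptions for the demo.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
MBR_TABLE_OFFSET = 446          # four 16-byte entries occupy bytes 446..509
MBR_SIGNATURE = b"\x55\xAA"     # bytes 510..511
ENTRY_FORMAT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
PARTITION_TYPES = {             # a few common type codes; the code is a hint, not proof of content
    0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "Extended (CHS)", 0x06: "FAT16",
    0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
    0x0F: "Extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
}


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sector_count - 1

    @property
    def byte_offset(self) -> int:
        """Where the volume (its boot sector) begins in the physical image."""
        return self.lba_start * SECTOR_SIZE

    @property
    def is_extended(self) -> bool:
        return self.type_id in (0x05, 0x0F)

    def describe(self) -> str:
        kind = PARTITION_TYPES.get(self.type_id, f"unknown 0x{self.type_id:02X}")
        flag = "*" if self.bootable else " "
        return f"{flag}{self.index} {kind:16} LBA {self.lba_start}-{self.lba_end} ({self.sector_count} sectors)"


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("0x55AA boot signature missing: not an MBR, or wiped")
    entries = []
    for i in range(4):
        raw = sector[MBR_TABLE_OFFSET + 16 * i: MBR_TABLE_OFFSET + 16 * (i + 1)]
        status, _chs_start, type_id, _chs_end, lba_start, count = struct.unpack(ENTRY_FORMAT, raw)
        if type_id == 0 and count == 0:
            continue                      # empty slot
        entries.append(PartitionEntry(i + 1, status == 0x80, type_id, lba_start, count))
    return entries


def is_protective_mbr(entries: List[PartitionEntry]) -> bool:
    """A GPT disk carries one 0xEE entry starting at LBA 1; the real table is in the GPT header."""
    return len(entries) == 1 and entries[0].type_id == 0xEE and entries[0].lba_start == 1


def unallocated_ranges(entries: List[PartitionEntry], total_sectors: int) -> List[Tuple[int, int]]:
    """Sector ranges no partition claims: the gap after the MBR, inter-partition gaps, the disk tail."""
    gaps, cursor = [], 1                   # sector 0 is the MBR itself
    for e in sorted(entries, key=lambda e: e.lba_start):
        if e.lba_start > cursor:
            gaps.append((cursor, e.lba_start - 1))
        cursor = max(cursor, e.lba_end + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_entry(status: int, type_id: int, lba_start: int, count: int) -> bytes:
    return struct.pack(ENTRY_FORMAT, status, b"\0\0\0", type_id, b"\0\0\0", lba_start, count)


# Constructed sample: bootable NTFS partition at LBA 2048 followed by an extended partition.
SAMPLE_MBR = (b"\x00" * MBR_TABLE_OFFSET
              + build_entry(0x80, 0x07, 2048, 204800)
              + build_entry(0x00, 0x0F, 206848, 409600)
              + b"\x00" * 32
              + MBR_SIGNATURE)
# Constructed protective MBR as found in sector 0 of a GPT disk.
SAMPLE_PROTECTIVE_MBR = (b"\x00" * MBR_TABLE_OFFSET
                         + build_entry(0x00, 0xEE, 1, 0xFFFFFFFF)
                         + b"\x00" * 48 + MBR_SIGNATURE)

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p.describe())
    print("unallocated:", unallocated_ranges(parts, 1_000_000))
    print("GPT disk?", is_protective_mbr(parse_mbr(SAMPLE_PROTECTIVE_MBR)))
```

The `byte_offset` of an entry is where to seek in a raw image to find that volume's boot sector, which is what a file-system parser is then pointed at. Extended partitions only point at a chain of further boot records, so the logical volumes inside them need a second pass, and a protective 0xEE entry means the partition table that matters is the GPT header at LBA 1. The gaps reported by `unallocated_ranges` (here sectors 1-2047 before the first partition and everything after the last one) are exactly the areas a partition table will never describe and are worth carving.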

      Instructor Led Lab

      In this lab, participants will explore the distinction between physical devices and logical storage areas to enhance their understanding of data organization. The session will cover various partitioning schemes, focusing on the unique data structures of MBR (Master Boot Record) and GPT (GUID Partition Table) disks. Through practical examination, learners will assess the structural characteristics of both MBR and GPT, gaining insight into where each volume begins on the physical media, where unallocated space lies between and beyond the partitions, and what damage to these structures means for the integrity of the data they describe.

      Foundations in Digital Forensics - Day 3

      Day 3 of the Foundations in Digital Forensics course looks at FAT, considered the simplest of the file systems supported by Windows. Simple as it is, FAT remains common on removable media and has to be considered during any digital forensic investigation, so we will look at formatting FAT volumes and at how files are saved to and deleted from them.

      We will then look at the history of the Microsoft NT family of operating systems and investigate the various artifacts associated with each system.

      Instructor Led Lab

      This lab covers essential aspects of the disk drive format process, focusing on the FAT file system components, including the File Allocation Table, root directory, and data area. It explains clusters as the smallest units of space the file system allocates to a file (each made up of one or more sectors) and discusses the differences between FAT16 and FAT32, particularly the limits each places on volume size, cluster count and root directory entries. Additionally, the lab differentiates between partitioning, which divides a disk into segments, and formatting, which prepares a partition for data storage by establishing a file system.

      FAT is by far the simplest of the file systems supported by the Windows family of operating systems. The FAT file system is characterized by the File Allocation Table (FAT), a flat table with one entry per cluster of the volume’s data area that records whether the cluster is free, bad, or in use and, for a cluster in use, which cluster comes next in that file’s chain.

      This module describes how the FAT File System organizes data. Understanding the rules of a FAT volume will aid the students with locating and recovering evidence that is otherwise hidden from the casual user.

      • Describe the Format process
      • List the FAT file system components
      • Explain the concept of clusters
      • Compare the differences between FAT16 and FAT32 system areas
      • Differentiate between Partitioning and Formatting

      Learn the process of saving files on a FAT (File Allocation Table) volume, including how files are allocated to clusters, the role of the File Allocation Table in tracking free and occupied space, and the implications for file retrieval and data integrity.

      • Learn how files are saved on a FAT volume by exploring the following:
        • Defining a directory entry
        • How FATs are updated
        • How data is written into the clusters
        • How file slack works

      Instructor Led Lab

      In this lab, participants will gain insights into file storage on a FAT volume. The session will cover the definition of a directory entry, which is essential for locating files, and how File Allocation Tables (FATs) are updated with changes in file storage. Additionally, attendees will learn about writing data into clusters and the organization of storage space. The lab will also address file slack, highlighting the unused space within clusters during file allocation, providing a comprehensive understanding of FAT file systems.

      Instructor Led Lab

      In this lab, participants will learn what happens when files are deleted on a FAT (File Allocation Table) partition, including the updates made to directory entries and FAT structures and what, if anything, changes in the data area. The session will cover file recovery procedures, detailing steps to retrieve deleted files and highlighting challenges with fragmented files, which complicate reconstruction because their clusters are scattered and the FAT no longer records their order. This comprehensive session aims to enhance understanding of file management and recovery methodologies within FAT systems.

      During this module, we will explore the processes that the FAT (File Allocation Table) file system undergoes when a file or folder is deleted. When a file is deleted, the operating system does not wipe its directory entry: it overwrites the first byte of the entry with 0xE5 to mark the slot as reusable, so the name loses its first character while the rest of the name, the timestamps, the starting cluster and the file size stay in place, and the file simply stops appearing in listings. The clusters the file occupied are marked free in the FAT, but the data itself stays intact in the data area until those clusters are reallocated and overwritten. Because the FAT entries are zeroed, the chain that linked the clusters is lost; a contiguous file can still be recovered from its starting cluster and size, whereas a fragmented one cannot be reassembled from the metadata alone. On FAT32 volumes Windows also zeroes the high 16 bits of the starting cluster on deletion, an added obstacle for files that began beyond cluster 65,535. The concept of file slack, the unused space at the end of a cluster that may contain remnants of earlier files, will also be covered. Finally, we will address the implications for digital forensics, emphasizing the importance of understanding FAT deletion mechanisms for recovering deleted files and the tools used to analyze the FAT for potential data recovery.

      • Describe the process of deleting files on a FAT partition
      • Describe directory entry updates
        • FAT updates
        • Data area changes
      • Describe the process to recover deleted files
      • Discuss difficulties in recovering deleted fragmented files
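The saving and deletion mechanics covered in the two FAT modules above, as one added example that is not part of the course or Spyder Forensics’ materials. It models a tiny FAT16-style volume in memory (512-byte clusters, 64 data clusters, a root directory of 32-byte entries, timestamps left at zero; all assumptions made to keep the demo short) and walks a constructed scenario: files are written by allocating free clusters and chaining them in the FAT, a deletion marks the directory entry with 0xE5 and frees the chain while leaving the data area alone, a new file that reuses those clusters leaves remnants of the old one in its slack, and naive contiguous recovery succeeds for an undisturbed file but silently pulls in the wrong cluster for a fragmented one.

```python
import math
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

CLUSTER_SIZE = 512      # assumed: one 512-byte sector per cluster
CLUSTER_COUNT = 64      # assumed tiny data area; usable clusters are numbered 2..65
FAT_FREE, FAT_EOC = 0x0000, 0xFFFF
DELETED_MARK = 0xE5     # first byte of a directory entry once its file is deleted
# 32-byte entry: name, ext, attr, NTRes, tenth, ctime, cdate, adate, clusHI, wtime, wdate, clusLO, size
ENTRY_FORMAT = "<8s3sBBBHHHHHHHI"


@dataclass
class Volume:
    fat: List[int] = field(default_factory=lambda: [0xFFF8, 0xFFFF] + [FAT_FREE] * CLUSTER_COUNT)
    data: bytearray = field(default_factory=lambda: bytearray(CLUSTER_SIZE * CLUSTER_COUNT))
    root: bytearray = field(default_factory=bytearray)   # root directory, 32 bytes per entry

    def cluster_bytes(self, cluster: int) -> bytes:
        off = (cluster - 2) * CLUSTER_SIZE                 # data area begins at cluster 2
        return bytes(self.data[off:off + CLUSTER_SIZE])


@dataclass
class DirEntry:
    name: str
    deleted: bool
    first_cluster: int
    size: int
    slot: int


def parse_entry(raw: bytes, slot: int) -> DirEntry:
    f = struct.unpack(ENTRY_FORMAT, raw)
    base, ext = f[0].decode("latin-1").rstrip(), f[1].decode("latin-1").rstrip()
    deleted = raw[0] == DELETED_MARK
    if deleted:
        base = "?" + base[1:]       # only the first character is lost; the rest of the entry survives
    return DirEntry(f"{base}.{ext}" if ext else base, deleted, (f[8] << 16) | f[11], f[12], slot)


def chain(vol: Volume, first: int) -> List[int]:
    """Follow the FAT from the first cluster to the end-of-chain marker."""
    out, c = [], first
    while 2 <= c < 0xFFF8 and len(out) <= len(vol.fat):
        out.append(c)
        c = vol.fat[c]
    return out


def write_file(vol: Volume, name: str, data: bytes) -> DirEntry:
    needed = max(1, math.ceil(len(data) / CLUSTER_SIZE))
    free = [c for c in range(2, len(vol.fat)) if vol.fat[c] == FAT_FREE][:needed]
    if len(free) < needed:
        raise OSError("volume full")
    for i, c in enumerate(free):
        vol.fat[c] = free[i + 1] if i + 1 < needed else FAT_EOC   # link this cluster to the next
        chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
        off = (c - 2) * CLUSTER_SIZE
        vol.data[off:off + len(chunk)] = chunk   # bytes after EOF in the last cluster stay as they were: slack
    base, _, ext = name.partition(".")
    vol.root += struct.pack(ENTRY_FORMAT, base.encode().ljust(8), ext.encode().ljust(3),
                            0x20, 0, 0, 0, 0, 0, 0, 0, 0, free[0], len(data))
    return parse_entry(bytes(vol.root[-32:]), len(vol.root) // 32 - 1)


def read_file(vol: Volume, entry: DirEntry) -> bytes:
    return b"".join(vol.cluster_bytes(c) for c in chain(vol, entry.first_cluster))[:entry.size]


def file_slack(vol: Volume, entry: DirEntry) -> bytes:
    """Bytes between end-of-file and the end of the last allocated cluster."""
    used = entry.size % CLUSTER_SIZE
    if entry.size == 0 or used == 0:
        return b""
    return vol.cluster_bytes(chain(vol, entry.first_cluster)[-1])[used:]


def delete_file(vol: Volume, entry: DirEntry) -> DirEntry:
    for c in chain(vol, entry.first_cluster):
        vol.fat[c] = FAT_FREE                  # chain released in the FAT; the data area is untouched
    vol.root[entry.slot * 32] = DELETED_MARK   # entry keeps its start cluster, size and timestamps
    return parse_entry(bytes(vol.root[entry.slot * 32:(entry.slot + 1) * 32]), entry.slot)


def recover_deleted(vol: Volume, entry: DirEntry) -> Tuple[bytes, List[int]]:
    """Naive recovery: assume the file was contiguous from its start cluster.
    Returns the reconstructed bytes and any clusters now owned by another file."""
    needed = max(1, math.ceil(entry.size / CLUSTER_SIZE))
    clusters = list(range(entry.first_cluster, entry.first_cluster + needed))
    reused = [c for c in clusters if vol.fat[c] != FAT_FREE]
    return b"".join(vol.cluster_bytes(c) for c in clusters)[:entry.size], reused


def demo() -> dict:
    """Constructed scenario on a fresh volume; the returned dict is what a test can check."""
    vol = Volume()
    report = write_file(vol, "REPORT.TXT", b"A" * 700)       # clusters 2,3; 188 bytes used in cluster 3
    notes = write_file(vol, "NOTES.TXT", b"B" * 100)         # cluster 4
    report_del = delete_file(vol, report)                    # ?EPORT.TXT, clusters 2,3 freed
    recovered_report, _ = recover_deleted(vol, report_del)   # still contiguous and free: full recovery
    draft = write_file(vol, "DRAFT.TXT", b"D" * 600)         # reuses clusters 2,3; 88 bytes in cluster 3
    slack = file_slack(vol, draft)                           # remnants of REPORT.TXT after DRAFT's EOF
    delete_file(vol, draft)
    evidence = write_file(vol, "EVIDENCE.DOC", b"C" * 1100)  # clusters 2,3 then 5: fragmented around NOTES
    evidence_chain = chain(vol, evidence.first_cluster)
    evidence_del = delete_file(vol, evidence)
    recovered_evidence, reused = recover_deleted(vol, evidence_del)
    return {"deleted_name": report_del.name, "recovered_report": recovered_report, "slack": slack,
            "notes": read_file(vol, notes), "evidence_chain": evidence_chain,
            "recovered_evidence": recovered_evidence, "reused": reused}
```

Running `demo()` shows the three points the modules make: the deleted entry still names the file (minus its first character) together with its start cluster and size, which is what makes recovery possible at all; the slack of DRAFT.TXT contains 100 bytes of the earlier REPORT.TXT; and recovering the fragmented EVIDENCE.DOC by assuming contiguity returns a file whose third cluster actually belongs to NOTES.TXT, which the `reused` list flags. On a real volume the same check (is the cluster still free, does the content look right) is what separates a recovered file from a plausible-looking forgery.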

      During this module, we will review the history of the Microsoft NT family of operating systems, tracing its evolution from NT 3.1 to the latest versions. We’ll highlight significant enhancements, such as security improvements and user interface changes, while focusing on key forensic artifacts and how they changed with each iteration. Notable examples include the Event Log, the Windows Registry and the NTFS file system, all present since the first NT releases and extended considerably in later versions. Understanding these artifacts is crucial for forensic investigations, providing insights into user activities and system configurations, and will equip participants with the knowledge to analyze forensic artifacts in contemporary Microsoft operating systems.

      • Learn to identify the core features of each New Technology
        Operating System
      • List the key artifacts contained on modern systems
      • Identify and review common folders on a Modern Operating System

      Instructor Led Lab

      In this lab, participants will focus on the fundamental features of the various NT operating systems. Through guided exploration, learners will compile a list of essential artifacts found on contemporary systems, enhancing their understanding of system architecture. The lab will also encourage participants to identify and examine common folders within a modern operating system, fostering familiarity with file organization. This hands-on experience aims to equip students with practical knowledge to navigate modern operating systems efficiently while gaining insight into their core functionalities.

      Instructor Led Lab

      This lab focuses on essential aspects of Windows operating systems. Participants will learn about the Windows Recycle Bin functionality and the forensic significance of Thumbcache files that retain thumbnail images useful in investigations. Lastly, attendees will explore backup options on Windows systems, emphasizing data preservation and recovery strategies. Overall, this lab aims to equip learners with crucial knowledge for effective Windows system management and forensic analysis.

      During this module, we will explore various artifacts present on a Windows 10 Operating System, focusing on common items found across installations. Participants will learn to identify essential components such as the Windows Registry, which stores configuration settings, and the NTFS file system, which manages file storage and retrieval. We will delve into user profile artifacts, including the AppData folder, which contains application-specific data, and the Event Viewer logs that provide accounts of system events. Additionally, we will examine prefetch files that offer insights into application usage. By understanding these artifacts, participants will gain valuable skills in forensic analysis, enabling them to investigate and interpret data on Windows 10 systems effectively.

      • Describe the function of the Windows recycle bin
      • Learn of the forensic importance of Windows Thumbcache files
      • Explore backup options on a Windows based system

      Foundations in Digital Forensics - Day 4

      The final day of the course sees us looking at the Windows Registry; we will define key navigation terms and also investigate why the Registry is of great benefit to the examiner in a digital forensic investigation.

      Concluding the course will involve us delving into Windows Link Files and the many artifacts left behind by user interaction.

      This module will introduce participants to the Windows Registry, providing a foundational understanding of key navigation terms used within it. Attendees will explore the SOFTWARE and SYSTEM registry files, which are crucial for reporting on operating system settings. By examining these components, participants will gain insights into how the registry stores configuration information, enabling them to effectively navigate and analyze the Windows Registry in the context of system management and forensic investigations.

      • Define the Windows Registry
      • Discuss Forensic benefits of examining the Registry
      • Introduction to recovering evidentially relevant data from
        the following registry files:
        • SAM
        • SYSTEM
        • SOFTWARE
        • NTUSER.DAT
      • Basic analysis of the SOFTWARE and SYSTEM registry files

      Instructor Led Lab

      This lab focuses on the Windows Registry and its significance in digital forensics. Participants will explore the forensic advantages of analyzing the Registry, particularly in recovering relevant data from registry files such as SAM, SYSTEM, SOFTWARE, and NTUSER.DAT. The lab introduces basic analysis of the SOFTWARE and SYSTEM files, emphasizing their role in understanding system configurations and user activities. 

      Instructor Led Lab

      This lab focuses on essential concepts in operating system access management, beginning with the Security Accounts Manager (SAM) and its role in user authentication. Participants will explore Security Identifiers (SIDs) and Relative Identifiers (RIDs), along with identifying Microsoft ‘Live’ Accounts. A key component will involve examining user profile data in the NTUSER.DAT file and understanding the significance of the SYSTEM registry file. The lab will also review core forensic elements and teach how Windows tracks hard drives and USB devices, enabling students to effectively locate pertinent items within NTUSER.DAT.

      This module continues the exploration of the Windows Registry by defining key navigation terms and focusing on the SOFTWARE registry file. Participants will learn to navigate the registry effectively and understand the significance of the SOFTWARE file in reporting on operating system settings. The module will cover how the SOFTWARE registry file stores critical configuration information about installed applications and system components, enabling attendees to analyze system behavior comprehensively. Through practical examples and guided exercises, learners will gain essential skills for utilizing the SOFTWARE registry file in system management and forensic investigations, enhancing their ability to interpret Windows Registry data accurately.

      • Define the Security Accounts Manager (SAM)
      • Operating System access management
      • Describe a Security Identifier (SID)
      • Describe a Relative Identifier (RID)
      • Identify Microsoft ‘Live’ Accounts
      • Examine User Profile data in NTUSER
      • Examine the purpose of the SYSTEM registry file
      • Review core items of forensic interest
      • Learn how Windows tracks
        • Hard disk drives (HDDs)
        • USB devices
      • Locate items of interest within NTUSER.DAT
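An added example, not from the course or Spyder Forensics, of the SID and RID concepts in the access-management module above. It decodes the binary SID layout found in the registry and in security descriptors (revision, sub-authority count, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities), splits off the RID, and derives the name of the user’s subkey under SAM\Domains\Account\Users, which is the RID written as eight uppercase hex digits. The sample SID, the short well-known tables and the function names are assumptions for the demo.

```python
import struct
from typing import Tuple

# Well-known RIDs issued inside a machine or domain SID (S-1-5-21-...).
WELL_KNOWN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)",
                   503: "DefaultAccount", 512: "Domain Admins", 513: "Domain Users"}
# A few complete well-known SIDs seen in ACLs and the registry.
WELL_KNOWN_SIDS = {"S-1-5-18": "Local System", "S-1-5-19": "Local Service",
                   "S-1-5-20": "Network Service", "S-1-5-32-544": "BUILTIN\\Administrators",
                   "S-1-5-32-545": "BUILTIN\\Users"}


def sid_to_string(blob: bytes) -> str:
    """Decode a binary SID: revision, sub-authority count, 6-byte big-endian authority,
    then `count` little-endian uint32 sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) < 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def string_to_sid(text: str) -> bytes:
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def split_sid(text: str) -> Tuple[str, int]:
    """Return (issuing machine/domain SID, RID): the RID is the last sub-authority."""
    issuer, _, rid = text.rpartition("-")
    return issuer, int(rid)


def sam_user_key(rid: int) -> str:
    """Subkey name for the account under SAM\\Domains\\Account\\Users (RID in 8-digit uppercase hex)."""
    return f"{rid:08X}"


def describe(text: str) -> str:
    if text in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[text]
    issuer, rid = split_sid(text)
    if issuer.startswith("S-1-5-21-"):
        label = WELL_KNOWN_RIDS.get(rid, "account created after installation (RID >= 1000)"
                                    if rid >= 1000 else "reserved RID")
        return f"{label}; issuer {issuer}; SAM key Users\\{sam_user_key(rid)}"
    return "unrecognised SID"


# Constructed sample: a local user on a machine whose SID is made up for the demo.
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"

if __name__ == "__main__":
    blob = string_to_sid(SAMPLE_SID)
    print(blob.hex())
    print(sid_to_string(blob))
    print(describe(SAMPLE_SID))
    print(describe("S-1-5-32-544"))
```

The same string form keys the ProfileList entries in SOFTWARE, where each user’s SID maps to the profile folder that holds their NTUSER.DAT, so converting between the two forms is what lets the SAM, SOFTWARE and NTUSER.DAT findings be tied to one account. The SAM also keeps a Names subkey under Users whose per-username value has the RID stored in its value type, which is the quick way to go from a name to the hex-named key above.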

      During any forensic investigation, an examiner’s role is to locate items of evidential value that relate to the incident. This corroborating information may be the actual item or supporting artifacts that indicate the suspect was aware of the data and interacted with it. Most actions a user account performs on the host system leave traces within the Registry and the file system, and copies of the actual file data may be located across the volume. Examiners must be familiar with typical Windows functions to determine how these items are created and the typical locations of system artifacts.

      During this module students will explore the function of Windows Link files and the many artifacts left behind through user interaction with the host system.

      • Introduction to Windows Shortcuts
      • Shell link functionality
      • Link File Anatomy
      • Introduction to Windows Jump Lists
      • Perform Jump List Analysis
      • Introduction to File System Integration with Link files
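An added example (not course material from Spyder Forensics) of the link file anatomy this module covers. It parses the 76-byte ShellLinkHeader of a .lnk file (the 0x4C size field and the fixed LinkCLSID that identify the format, the LinkFlags, the target’s attributes, the three FILETIME stamps and size copied from the target, and the show command) and then reads the optional StringData items that follow. The sample link is constructed inside the block with only a relative path and working directory; the target file size, timestamp and paths are made up for the demo, and the LinkTargetIDList and LinkInfo blocks are skipped over rather than decoded.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Tuple

# ShellLinkHeader (76 bytes): HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime,
# AccessTime, WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
HEADER_FORMAT = "<I16sIIQQQIIIHHII"
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName", 0x08: "HasRelativePath",
              0x10: "HasWorkingDir", 0x20: "HasArguments", 0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRIBUTES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))   # fixed order in the file
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10   # integer maths, no float rounding


def _read_string(buf: bytes, pos: int, unicode: bool) -> Tuple[str, int]:
    """StringData item: CountCharacters (uint16) then that many characters, no terminator."""
    count = struct.unpack_from("<H", buf, pos)[0]
    pos += 2
    if unicode:
        return buf[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return buf[pos:pos + count].decode("cp1252"), pos + count


def is_shell_link(buf: bytes) -> bool:
    return len(buf) >= HEADER_SIZE and buf[:4] == b"\x4c\x00\x00\x00" and buf[4:20] == LINK_CLSID


def parse_lnk(buf: bytes) -> Dict[str, Any]:
    if not is_shell_link(buf):
        raise ValueError("HeaderSize/LinkCLSID mismatch: not a shell link")
    (_, _, flags, attrs, ctime, atime, wtime, fsize,
     icon, show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FORMAT, buf, 0)
    info: Dict[str, Any] = {
        "flags": [n for bit, n in LINK_FLAGS.items() if flags & bit],
        "attributes": [n for bit, n in FILE_ATTRIBUTES.items() if attrs & bit],
        "creation_time": filetime_to_datetime(ctime),   # the target's stamps when the link was made/updated
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": fsize, "icon_index": icon, "show_command": show,
    }
    pos = HEADER_SIZE
    if flags & 0x01:    # LinkTargetIDList: uint16 IDListSize followed by the item IDs (skipped here)
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & 0x02:    # LinkInfo: uint32 LinkInfoSize covering the whole structure (skipped here)
        pos += struct.unpack_from("<I", buf, pos)[0]
    unicode = bool(flags & 0x80)
    for bit, key in STRING_DATA:
        if flags & bit:
            info[key], pos = _read_string(buf, pos, unicode)
    return info


def build_lnk(target_size: int, target_mtime: datetime, relative_path: str, working_dir: str) -> bytes:
    """Constructed minimal .lnk: header plus RELATIVE_PATH and WORKING_DIR strings, nothing else."""
    flags = 0x08 | 0x10 | 0x80
    ft = datetime_to_filetime(target_mtime)
    header = struct.pack(HEADER_FORMAT, HEADER_SIZE, LINK_CLSID, flags, 0x20,
                         ft, ft, ft, target_size, 0, 1, 0, 0, 0, 0)

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s(working_dir)


# Constructed sample values (not from a real system).
SAMPLE_TIME = datetime(2024, 3, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_LNK = build_lnk(48213, SAMPLE_TIME, r".\Evidence\report.docx", r"C:\Users\rob\Documents")

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:14} {value}")
```

The header’s timestamps and size describe the target as it was when the shortcut was created or last updated, not the .lnk file itself; compared with the link file’s own file-system timestamps they show when a user opened the item and what it looked like at that moment, and they survive even after the target is deleted. Jump List entries embed the same shell link structure, so this header parser is the first step of the Jump List analysis listed above as well.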

      Instructor Led Lab

      This lab offers an in-depth exploration of Windows shortcuts and their functionalities. Participants will learn about shell link functionality and the anatomy of link files, gaining an understanding of how these elements operate within Windows. The session will also cover Windows Jump Lists, enabling effective analysis. Additionally, the lab introduces how link files integrate with the file system, helping participants understand shortcuts’ interaction with broader system operations. By the end, attendees will have a solid foundation in managing and utilizing Windows shortcuts efficiently.
