Introduction to Digital Forensics

Provided by

About the course

Introduction to digital forensics is designed to help commercial and government organizations collect, preserve and report on digital artefacts in a way which is suitable for use in investigations.
The course covers the broad topics essential to the digital forensics disciplines. It sets out a framework for investigations, covering the best practice as described by The National Police Chiefs' Council (NPCC) formally ACPO guidelines. Forensic fundamentals will be covered as well as the use of open source forensic tools. The data will be then analysed and an example report produced.

Participants to this course learn about the methods to identify, preserve, analysis and report on digital artefacts. Using a mixed approach of fundamentals and open source software, delegates will be able to select suitable tools and report on their findings in an evidential way.

The introduction to digital forensic course audience includes all teams across the IT, Security, Internal Audit, Law Enforcement and Government.

IISP Skills Alignment

This course is aligned to the following Institute of Information Security Professionals (IISP) Skills. More details on the IISP skills framework can be found here.

·         F3

Continuous Professional Development (CPD)

CPD points can be claimed for GCT accredited courses at the rate of 1 point per hour of training for GCHQ accredited courses (up to a maximum of 15 points).

Show less 

Delegates will learn how to

·         The purpose, benefits, and key terms of digital forensics.

·         Describe and adhere to the principles of the forensic framework

·         Understand the importance of the chain of custody

·         Demonstrate a basic knowledge of key locations in different operating systems

·         Identify how different file systems represent files and how they deal with deletion etc.

·         Understand where timestamps and other meta data comes from

·         Have knowledge of the legal framework in which they operate, and the expected level of ethical behaviour expected.

·         Reporting and 5x5x5 procedures.

Outline

Module 1: Intro to Digital forensic

·         Describe what digital forensics is

·         Identify which crimes use computer, cyber crime/ cyber enabled crime

·         What skills should a computer forensic expert have?

·         Introduce the forensic framework,

·         Collection

·         Examination

·         Analysis

·         Reporting

·         Extended Framework: Collection authority and legislation for digital evidence

Module 2: Forensic fundamentals

·         What is data and how is it represented in a computer?

·         Create a .txt and examine in a hex editor

·         Discuss number systems Binary and Hex

·         Look at different files, compare a word document with the same text as the .txt file from a)

·         What is a digital device and how do we collect its data?

·         Memory capture -brief at this stage

·         Look at Hard drives

·         What does a hard drive look like? (inc flash)

·         History CHS and LBA addressing

·         Use of encryption on equipment and how that effects the investigation

Module 3: Famework: Collection

·         Crime scene management

·         Recording the scene and documenting your actions

·         To switch off or not: discuss the issue and create a first responders flow chart

·         Safe removal of hard drives

·         Other media, 'pen' drives, optical media and other removables

·         Cloud based data

·         Mobile in brief on the air wiping

Module 4: Examination 1: Data acquisition and preserving evidence for court

·         Write blocking and disk imaging

·         Alternative methods of disk imaging

·         Principles of hashing

Module 5: Examination 2: File system Analysis

·         Demonstrate tools to mount the image

·         Describe how to identify and examine the file system

·         Look how different file system represent data on disk

·         Overview of FAT and NTFS

·         Look at the way deleted files are handled

·         Describe how to identify Operating systems

·         Look at default locations for user data

·         Overview of the windows registry and useful locations for data

Module 6: Analysis

·         Levels of persistence and what it means evidently e.g 'live'; 'deleted', 'over-written'

·         Time lines

·         Putting the suspect 'in front of the keyboard'

Module 7: Reporting forensic findings and digital intelligence

·         Understanding the scope of the investigation

·         Tone and style backing up the substance

·         An understanding of 'true' and how information can be presented in a neutral way

·         Overview of digital intelligence including open source

Module 8: Legal framework

·         Identify what authority the investigation is being performed

Understand the bounds of the investigation as defined in the scope

Module 9: Mobile Forensics: introduction

·         Handling of mobile devices to preserve data

·         Physical and logical analysis of mobile devices

Module 10: E-discovery: introduction

What is E-discovery?

Review of E-discovery tools and techniques.

Related article

The Cyber Pulse is QA's new portal to free Cyber content, including on-demand webinars, articles written by leading experts,