About the course
Introduction to Digital Forensics
*Terms and conditions apply. Only valid for those attending certain events across the above courses in March and April 2019, for new bookings confirmed and attended before the 30th April 2019. Pricing has been amended to reflect this discount and courses included in the offer. Not applicable with any other offer, discount structure or bundle purchase. Offer can only be used once. Existing bookings cannot be cancelled and re-booked using the offer. Bookings transferred to dates outside the promotional terms will be charged at RRP. QA's General Terms & Conditions of Business apply.
Updated for 2018, the Introduction to Digital Forensics course (QAIDIGFOR) is designed to help commercial and government organizations collect, preserve and report on digital artefacts in a way which is suitable for use in investigations.
The course covers the broad topics essential to the digital forensics disciplines. It sets out a framework for investigations, covering the best practice as described by The National Police Chiefs' Council (NPCC) formally ACPO guidelines. Forensic fundamentals will be covered as well as the use of open source forensic tools. The data will be then analysed and an example report produced.
Participants to this course learn about the methods to identify, preserve, analysis and report on digital artefacts. Using a mixed approach of fundamentals and open source software, delegates will be able to select suitable tools and report on their findings in an evidential way.
The introduction to digital forensic course audience includes all teams across the IT, Security, Internal Audit, Law Enforcement and Government.
IISP Skills Alignment
This course is aligned to the following Institute of Information Security Professionals (IISP) Skills. More details on the IISP skills framework can be found here.
Continuous Professional Development (CPD)
CPD points can be claimed for GCT accredited courses at the rate of 1 point per hour of training for GCHQ accredited courses (up to a maximum of 15 points).
Delegates will learn how to
- The purpose, benefits, and key terms of digital forensics.
- Describe and adhere to the principles of the forensic framework
- Understand the importance of the chain of custody
- Demonstrate a basic knowledge of key locations in different operating systems
- Identify how different file systems represent files and how they deal with deletion etc.
- Understand where timestamps and other meta data comes from
- Have knowledge of the legal framework in which they operate, and the expected level of ethical behaviour expected.
- Reporting and 5x5x5 procedures.
Module 1: Intro to Digital forensic
- What digital forensics is
- What is digital evidence?
- When and Why is digital forensics used?
- Different Types of Digital Forensics – Standalone and e-discovery
- What skills should a computer forensic expert have?
- Introduction to the forensic framework
Module 2: The Legal Framework
- What legislation applies to investigations?
- ISO/IEC standards what does it cover?
- What does the legislation cover?
- What do authorising officers have to consider
- What does the legislation mean for investigators?
- The consequence of failing to adhere to the legislation which applies
Module 3: Collecting Digital Evidence
- The NPCC guidelines and how they apply to the collection of digital evidence
- The role of a First Responder
- Triaging – the new digital forensics approach
- What is ‘chain of custody’ concept and how critical it is to maintain
- What is the order of volatility
Module 4: Imaging Digital Evidence
- What imaging is and why we work on imaged data
- Write blocking hardware and software
- How do we forensically image a live device?
- How do we forensically image a switched off device?
- Physical and Logical Imaging
- Understand Hashing Algorithms and collisions and how it is used to verify acquisitions
- Creating Forensic Image using FTK Imager
Module 5: Hardware
Why do we need to know about hardware?
Live RAM capture and analysis
Data storage – magnetic hard disks
Understand how solid state drives differ
What is the BIOS and UEFI and what settings they hold
Analysing the boot process
Partitioning Disk analysis
Volume and Master Boot Record
Module 6: Information Representation and File Systems
How number systems work and how data is represented in binary and hexadecimal
Difference between Big and Little Endian
Character Encoding ASCII and Unicode
Different File systems NTFS, FAT
Analysis what happens when file is saved, deleted
What is Slack Space and the different types of slack
What is the Master File Table used for?
Recovering Data from Recycle bin
Viewing Deleted data
Module 7: File Signatures & File Carving
File Signatures Analysis
Manual File carving
File Carving Using Kali Linux
Module 8: Windows Artefacts, Metadata and Hash Libraries
What is Metadata?
EXIF Data and analysis
Windows User Profile
Identifying different Windows Artefacts and what information can be found
Analysing Thumbnail Cache
Viewing the Windows Registry and locating information
Analysing Email Headers
Forensic Analysis of HTTP data using Wireshark
Purpose of Hash Libraries
Module 9: Mobile Phone Forensics
Mobile Forensics Require a Different Approach
What information a mobile device can provide
Different methods for conducting mobile device examinations
Module 10: Digital Evidence Process Model
The difference between notes, examination logs and witness statements
Module 11: Forensic Tools
Open Forensic Tools
|Start date||Location / delivery|
|22 Jul 2019||Leeds||Book now|
|19 Aug 2019||London||Book now|
|19 Aug 2019||Online||Book now|
|21 Oct 2019||Leeds||Book now|
|18 Nov 2019||Manchester||Book now|
|18 Nov 2019||Online||Book now|
|16 Dec 2019||London||Book now|
|16 Dec 2019||Online||Book now|
|02 Mar 2020||London||Book now|
|02 Mar 2020||Online||Book now|
|13 Apr 2020||London||Book now|
|13 Apr 2020||Online||Book now|