Digital Forensics CFIS Forensic Investigation Specialist (CFIS)

Provided by

About the course

Digital Forensics
Certified Forensic Investigation Specialist (CFIS)

Specialist - level course
This specialist-level course is for professionals whose role requires them to capture and analyse data from ‘live’ systems. It introduces the latest guidelines and artefacts on current Windows operating systems, and teaches essential skills for conducting an efficient and comprehensive investigation.

How will I benefit?
This course will enable you to:

  • Develop your forensic investigation skills to an advanced level
  • Practise new techniques suitable for evidence identification, capture and analysis in a ‘live’ environment
  • Acquire an industry-recognised qualification to support your career progress

“The course was brilliant. I really enjoyed it. It helped me to improve and develop my knowledge. I look forward to using the skills I have gained at work.”

CFIS Delegate

Computer Sciences Corporation

"The course was really useful, after a number of years in forensics I thought I knew a fair amount but I really learnt a lot more about the artefacts and file systems that I did not know."

Digital Forensic Analyst
​Law Enforcement

What will I learn?

  • You will learn to capture volatile and stored data from a system in a ‘live’ and ‘booted’ state and from remote and virtualised systems, and to capture mailboxes from a Microsoft Exchange Server and webmail accounts.


  • You will practice your new skills using a realistic data/IP theft scenario employing a range of forensic tools, scripts and techniques. You will identify data from the Windows domain controller, network file shares and FTP logs before moving to more conventional analysis of a forensic image of a workstation

Who should attend?
Experienced forensic investigators and digital security practitioners who have computer forensic experience who want to dig deeper and develop their skills. This course is a natural progression from the 7Safe CFIP course.

For more information on this course, please email the Education team or contact us on +44(0)1763 285285.


Investigators need to be capable of collecting and analysing data from
a constantly evolving range of disk technologies, file and operating systems. The course is continually updated,  based on our experiences, knowledge and client requirements to provide delegates with answers to the ‘How can I collect that data or find evidence of that activity?’

This five-day course provides theory and scenario-based practical exercises and expanding data collection to include ‘live’ and volatile data.
Delegates will investigate artefacts buried in common file systems and
‘recorded’ by Windows of both system and user activity.

Using practical scenarios based primarily on Windows environments and artefacts, you will:

  • Understand the digital investigation process and best practice
  • Build a bootable USB data collection device
  • Collect data from Live, Remote and Virtual systems
  • Understand the underlying structures associated with NTFS, FAT32 and ExFAT file systems
  • Collect and process volatile data
  • Capture a mailbox from a live
  • Microsoft exchange server
  • Investigate a Windows domain controller to identify systems and users
  • Understand RAID storage and rebuild data
  • Test data ‘wiping’ software
  • Understand types of ‘User’ account
  • Investigate Windows Event Logs and USB device activity
  • Examine user activity for program execution, file activity and system navigation
  • Investigate log files
  • Query Chrome web-browser SQLite databases and extract stored passwords
  • Explore and extract data from Volume Shadow Copies
  • Parse and interpret the USN/ Change Log

This course will enable you to:

  • Develop your forensic investigation skills to an advanced level
  • Practice new techniques suitable for evidence identification, capture and analysis in a ‘live’ environment
  • Acquire an industry-recognised qualification to support your career progress

Primarily aimed at practising digital forensic investigators and cyber security practitioners who have computer forensic experience and wish to dig deeper and broaden their skills.

A natural progression from the 7Safe CFIP course.


  • Principles and general guidelines surrounding forensic investigations
  • Experience of carrying out forensic investigations
  • A basic computer forensic course, e.g. 7Safe’s CFIP course

Those delegates successfully passing the exam at the end
of the course will be awarded 7Safe’s Certified Forensic
Investigation Specialist (CFIS) qualification.

1.Digital Forensic InvestigationsA review of the investigation process, best practice and equipment

 2. Data Theft
• How can data be stolen, investigated and possibly mitigated?

3. Data Acquisition
• Images and Clones; Static, Booted and Live; Physical and selective
• Solid State devices
• Considerations and associated problems

4. Windows Domains
• Gathering information from
Domain Controllers
• Capturing File Shares and
inaccessible systems

5. RAID’s and Virtualisation
• Identifying and rebuilding RAID’s
• Capturing and examining
virtualised systems

6. Volatile Data
• Memory capture and volatile data
collection from ‘live’ systems
• Investigating memory using volatility

7. Data Collection – Other Sources
• Exchange servers and web-mail
• Facebook, Websites, Linux and Macs

8. File Systems Revisited
• Understanding FAT32, NTFS and ExFAT data structures from a
forensic perspective

9. Data Deletion and Wiping
• Windows Recycle Bins
• Testing wiping software

10. Tracing System Activity
• Investigating the Windows
Registry, User Accounts, Event
Logs and USB connected devices

11. Tracing User Activity
• Identifying Program execution,
Files opened and Folder
• Windows Object ID’s and file

12. Log File Analysis
• Web and FTP logs
• Examination using Cygwin

13. Databases
• SQLite and Chrome browser artefacts
14. Volume Shadow Copies
and File History
• Approaches to extracting data
from VSC’s
• Windows File History

15. NTFS Journals
• Understand the value of the
NTFS journal in investigations

Related article

It’s safe to say that CAPSLOCK is making waves in the cyber security industry with their reskilling bootcamps: