Introduction to digital forensics is designed to help commercial and government organizations collect, preserve and report on digital artefacts in a way which is suitable for use in investigations.
The course covers the broad topics essential to the digital forensics disciplines. It sets out a framework for investigations, covering the best practice as described by The National Police Chiefs' Council (NPCC) formally ACPO guidelines. Forensic fundamentals will be covered as well as the use of open source forensic tools. The data will be then analysed and an example report produced.
Participants to this course learn about the methods to identify, preserve, analysis and report on digital artefacts. Using a mixed approach of fundamentals and open source software, delegates will be able to select suitable tools and report on their findings in an evidential way.
The introduction to digital forensic course audience includes all teams across the IT, Security, Internal Audit, Law Enforcement and Government.
Continuous Professional Development (CPD)
CPD points can be claimed for GCT accredited courses at the rate of 1 point per hour of training for GCHQ accredited courses (up to a maximum of 15 points).
Delegates will learn how to
- The purpose, benefits, and key terms of digital forensics.
- Describe and adhere to the principles of the forensic framework
- Understand the importance of the chain of custody
- Demonstrate a basic knowledge of key locations in different operating systems
- Identify how different file systems represent files and how they deal with deletion etc.
- Understand where timestamps and other meta data comes from
- Have knowledge of the legal framework in which they operate, and the expected level of ethical behaviour expected.
- Reporting and 5x5x5 procedures.
Module 1: Intro to Digital forensic
- Describe what digital forensics is
- Identify which crimes use computer, cyber crime/ cyber enabled crime
- What skills should a computer forensic expert have?
- Introduce the forensic framework,
- Extended Framework: Collection authority and legislation for digital evidence
Module 2: Forensic fundamentals
- What is data and how is it represented in a computer?
- Create a .txt and examine in a hex editor
- Discuss number systems Binary and Hex
- Look at different files, compare a word document with the same text as the .txt file from a)
- What is a digital device and how do we collect its data?
- Memory capture -brief at this stage
- Look at Hard drives
- What does a hard drive look like? (inc flash)
- History CHS and LBA addressing
- Use of encryption on equipment and how that effects the investigation
Module 3: Famework: Collection
- Crime scene management
- Recording the scene and documenting your actions
- To switch off or not: discuss the issue and create a first responders flow chart
- Safe removal of hard drives
- Other media, 'pen' drives, optical media and other removables
- Cloud based data
- Mobile in brief on the air wiping
Module 4: Examination 1: Data acquisition and preserving evidence for court
- Write blocking and disk imaging
- Alternative methods of disk imaging
- Principles of hashing
Module 5: Examination 2: File system Analysis
- Demonstrate tools to mount the image
- Describe how to identify and examine the file system
- Look how different file system represent data on disk
- Overview of FAT and NTFS
- Look at the way deleted files are handled
- Describe how to identify Operating systems
- Look at default locations for user data
- Overview of the windows registry and useful locations for data
Module 6: Analysis
- Levels of persistence and what it means evidently e.g 'live'; 'deleted', 'over-written'
- Time lines
- Putting the suspect 'in front of the keyboard'
Module 7: Reporting forensic findings and digital intelligence
- Understanding the scope of the investigation
- Tone and style backing up the substance
- An understanding of 'true' and how information can be presented in a neutral way
- Overview of digital intelligence including open source
Module 8: Legal framework
- Identify what authority the investigation is being performed
Understand the bounds of the investigation as defined in the scope
Module 9: Mobile Forensics: introduction
- Handling of mobile devices to preserve data
- Physical and logical analysis of mobile devices
Module 10: E-discovery: introduction
What is E-discovery?
Review of E-discovery tools and techniques.
London - International House
1 St Katharines Way
International House is a premier training centre located close to Tower Bridge, between St Katharine Dock and the Tower of London.
The nearest car park is the NCP at Whitechapel High Street.
- London Fenchurch Street Rail – 12 minute walk
- London Cannon Rail – 20 minute walk
- London Bridge Rail – 25 minute walk
- Tower Gate Way - 8 minute walk
- Tower Hill – 10 minute walk
- Aldgate - 15 minutes walk
- Aldgate East – 17 minute walk
- Monument – 18 minute walk
- Bank - 22 minute walk
- London Bridge Underground – 25 Minute walk
Routes 42, 78 and RV1 use the Tower of London stop (TL) on St. Katharine’s Way, just outside International House.