Introduction to Digital Forensics

This introductory course on Digital Forensics addresses technical IT staff who mostly work as administrators and auditors without routine duties related to forensic analysis. The course is also open to forensics trainers such as lecturers and tutors whose duties include forensics training. Experienced digital forensic staff may benefit from a more advanced course.

Learning Objectives

  • Provide an  introduction  into  the  field  of  digital  forensics,  touching  upon  terminology, methodology, chain of custody and authority of investigation
  • Introduce the  main  sources  to  search  for  evidence  (assuming  exclusively  Windows hosts)
  • Introduce and use primarily open source/free software (No Encase, limited FTK) Linux‐ and Windows‐based tools to show the students an example tool‐set for conducting digital investigations
  • Provide exemplary experience in conducting forensic investigation through a number of hands‐on sessions using a limited number of tools
  • Provide introduction to incident response
  • Prepare participants for more in‐depth forensics/reverse engineering training

Target Audience

  • Technical IT staff, working in roles like administrator or auditor whose normal duties do not include forensic analysis, but who might be asked to support a forensic investigation. This is an introductory course. Experienced digital forensic staff doing forensics on regular basis are not the target group and will receive only limited benefit from attending.
  • Administrators or IT security staff who might be first responders to security incidents and want to secure evidence for later analysis, when no forensic staff is available.
  • IT staff who need to acquire basic skills to conduct forensic investigation.


  • Introduction to Digital Forensics
  • Forensic process and workflow (theory):
    • Terminology, methodology, mindset, note taking, authority
  • Evidence acquisition (theory and hands-on):
    • System description and verification
    • Different types of evidence and locations
    • Forensic software/hardware for evidence acquisition
    • Evidence handling
    • Acquisition process
  • Analysis and legal issues (theory and hands-on):
    • Media analysis (file systems, listing, string/byte search, timeline, data recovery, carving, hashing, etc.)
  • Windows registry and other artefacts (theory and hands-on)
  • Data carving and application fingerprinting (theory and hands-on)
  • Internet activities focus (theory and hands-on):
    • Browser, email, instant messaging forensics
  • Real-Case Study presentation by external DF Expert (working at Estonian Forensic Science Institute, EFSI).

Added Value

  • Familiarizing IT staff without forensic knowledge with digital forensics, raising awareness and generating possible future support
  • Basic knowledge to ensure that evidence is not spoiled by the acquisition process and all available evidence is collected
  • Security awareness training for staff to understand the traces left behind on a system which can lead to intelligence gathered by others
  • Practising forensic methods on the basis of real-life model exercises

Forensics Challenge

Course participants will have an opportunity to verify their knowledge and practice their recently acquired skills and techniques to tackle technical challenges. The last day will be fully devoted to Forensics Challenge, either under instructors’ guidance or working independently. The Forensics Challenge will require putting into practice the digital forensics techniques learned during the course with possible additional advanced techniques which are out of the scope of this course. Forensic Challenge´s shorter version may be scheduled for the 5th day, or if agreed by participants, for additional 6th day of the course.


  • Good work/administration experience in the Linux and Windows environments, especially command line
  • Comfortable with using virtual machines for training environment (Virtual Box or similar)
  • English language skill comparable to STANAG 6001,

NB! This course will provide an overview and is not meant to provide an in-depth study of forensic methods or tools. One of the aims of this course is to help to prepare students for the more challenging reverse engineering training offered by the NATO CCD COE, the Botnet Mitigation Training.

Pre-study e-Learning material

ADL 344 Digital Forensics and Digital Evidence (Pre-study material for Introductory Digital Forensics Course) on the NATO e-Learning website


Registration opens on 1 April 2019. Applicants from CCDCOE member nations should use the registration code provided by their national Point of Contact. An email confirming the participation will be sent only after the registration has closed.

If you have any questions or issues with registration, please contact [email protected]