Introductory Digital Forensics Course

The course is targeted at technical IT staff who are used to working with IT in roles such as administrator, auditor and whose normal duties do not include forensic analysis. Experienced digital forensic staff doing forensics on a regular basis are not the target group and will receive only limited benefit from attending.

The course is also open to forensics trainers such as lecturers and tutors whose duties include forensics training.

Learning Objectives

  • Provide an  introduction  to  digital  forensics investigation, explain related terminology, methodology, principles and steps to conduct digital forensic investigation,
  • Provide an overview about prospective digital evidence (assuming exclusively  Windows hosts),
  • Understand technical and procedural limitations while conducting digital forensic investigation,
  • Learn and practice digital forensic investigation techniques, focusing primarily on open source/free forensic software (no commercial solutions),
  • Conducting forensic investigation through a number of hands‐on sessions,
  • Prepare course students for more in‐depth forensics/reverse engineering training.

Target Audience

  • Technical IT Staff, working in the IT area in roles like administrator, auditor, etc., whose normal duties do NOT include forensic analysis, but who might be asked to support a forensic investigation. This course is introductory. Experienced digital forensic staff doing forensics on regular basis are not the target group and will receive only limited benefit from attending.
  • Administrators or IT Security staff who might be first responders to security incidents and want to secure evidence for later analysis, when no forensic staff is available.
  • IT staff who will acquire an initial skill set of how to conduct forensic investigation.

 Outline

  • Introduction to Digital Forensics.
  • Forensic process and workflow (theory):
    • Terminology, Methodology, Principles, Chain of Custody.
  • Evidence Acquisition block (theory and hands-on):
    • System description and verification.
    • Different types of evidence and locations.
    • Forensic software/hardware for evidence acquisition.
    • Acquisition process.
    • Evidence handling.
  • Analysis (theory and hands-on):
    • File system analysis,
    • Media analysis,
    • Windows OS analysis
    • Timeline analysis,
  • Data carving and application fingerprinting (theory and hands-on).
  • Internet activities focus (theory and hands-on):
    • Browser, Email, Instant Messaging Forensics.

 Added Value

  • IT staff without forensic knowledge will ‘understand’ digital forensic capabilities, raising awareness and improving possible future support.
  • Basic knowledge to ensure that evidence is not spoiled by the acquisition process and all available evidence is collected.
  • Security awareness training for staff to understand the traces left behind on a system which can lead to intelligence gathered by others.
  • Practising forensic methods on the basis of prepared, exemplary exercises.

Forensics Challenge

Course participants will have an opportunity to verify their knowledge and practice their “recently acquired” skills and techniques while solving technical challenges. For that reason, the portion of the last course day will be allocated only for the Forensics Challenge, either under instructors’ guidance or their individual work. The Forensics Challenge will require to implement vast majority of digital forensics techniques presented during the class and some additional advanced techniques which are out of the scope of the course.

Prerequisites

  • Good work/administration experience in the Linux and Windows environments, especially command line,
  • Comfortable with using virtual machines for training environment,
  • English language skill comparable to STANAG 6001, 2.2.2.2.

NB! This course will provide an overview and is not meant to provide an in-depth introduction of forensic methods or tools. One of the aims of this course is to help to prepare students for the more challenging reverse engineering training offered by the NATO CCD COE, the Botnet Mitigation Training.

 Pre-study e-Learning material

ADL 344 Digital Forensics and Digital Evidence (Pre-study material for Introductory Digital Forensics Course) on the NATO e-Learning website (JADL – https://jadl.act.nato.int/)

 Registration

Registration opens on 9th of March, 2020. Applicants from CCDCOE member nations should use the registration code provided by their national Point of Contact. An email confirming the participation will be sent only after the registration has closed.

If you have any questions or issues with registration, please contact [email protected]