Course objectives
After completing this course, students will be able to:
- Preserve Evidence: Execute a collection plan that maintains the Chain of Custody and evidence integrity.
- Analyze Windows Artifacts: Identify evidence of execution, user activity, and system changes using the Registry, Prefetch, and ShellBags.
- Perform Network Forensics: Reconstruct network attacks by analyzing PCAP files and identifying suspicious C2 traffic or data exfiltration.
- Execute Data Acquisition: Master the "Order of Volatility" and create forensically sound images of physical and logical drives.
- Correlate Logs & Timelines: Synthesize data from various sources into a coherent chronological narrative.
- Utilize Industry Tools: Gain proficiency in tools like FTK Imager, Wireshark, Autopsy, HxD, and RegRipper.
Course outlines
- Phase 1: Introduction & Acquisition
  - Digital Forensics Fundamentals: The scientific method and the 5 W's (Who, What, When, Where, Why).
  - Data Acquisition: Live vs. Dead acquisition, write blockers, and hashing for data validation.
  - Evidence Life Cycle: Acquisition $\rightarrow$ Analysis $\rightarrow$ Presentation.
- Phase 2: File & Disk Analysis
  - Data Representation: Mastering Hexadecimal, Bits, Bytes, and ASCII.
  - Storage Fundamentals: MBR vs. GPT partitioning, Volumes, and Slack Space.
  - File Systems: In-depth analysis of FAT and NTFS structures.
- Phase 3: System & Network Forensics
  - Windows Forensics: Investigation of the Registry, LNK files, Jump Lists, and browser history.
  - Network Analysis: Protocol analysis (HTTP, DNS, SMTP) and flow analysis to detect malicious patterns.
  - Email Forensics: Analyzing headers and metadata to trace phishing or spoofing.
- Phase 4: Logs, Timelines & Reporting
  - Log Correlation: Using Linux tools to parse and filter massive log files.
  - Timeline Analysis: Identifying temporal proximity of events to prove intent or impact.
  - Forensic Reporting: Writing professional, clear, and legally defensible reports.
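The "hashing for data validation" item in Phase 1 and the "Preserve Evidence" objective describe the same practice: hash the image at acquisition, record the digest in the chain-of-custody log, and re-hash before analysis to prove nothing changed. The script below is an added illustration, not course material or a tool from the course; the 4 MiB "disk image", the examiner name and the source-device label are constructed placeholders, and the verification is what FTK Imager performs when it compares the stored digest against a re-computed one.

```python
import hashlib
import os
import random
import tempfile
from datetime import datetime, timezone


def make_sample_image(path: str, size: int = 4 * 1024 * 1024, seed: int = 7) -> None:
    """Write a constructed pseudo-random 'disk image' to path (stands in for a .dd/.E01 file)."""
    rng = random.Random(seed)
    with open(path, "wb") as f:
        remaining = size
        while remaining:
            chunk = min(remaining, 65536)
            f.write(rng.randbytes(chunk))
            remaining -= chunk


def hash_image(path: str, algorithms=("md5", "sha256"), chunk_size: int = 1 << 20) -> dict:
    """Hash a file in fixed-size chunks so multi-GB images never have to fit in RAM.
    Two algorithms are computed in one pass, matching the MD5+SHA-256 pair most imagers record."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_acquisition(path: str, examiner: str, source: str) -> dict:
    """Chain-of-custody entry produced at acquisition time: who, what, when, and the digests."""
    return {
        "evidence_file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "source_device": source,
        "acquired_by": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_image(path),
    }


def verify_integrity(path: str, record: dict) -> tuple[bool, dict]:
    """Re-hash the image and compare every recorded digest. Returns (all_match, per-algorithm result)."""
    current = hash_image(path, tuple(record["hashes"]))
    results = {alg: current[alg] == expected for alg, expected in record["hashes"].items()}
    return all(results.values()), results


def demo() -> tuple[bool, bool]:
    """Acquire and verify a constructed image, then flip one byte and verify again.
    Returns (verified_before_tamper, verified_after_tamper); expected (True, False)."""
    with tempfile.TemporaryDirectory() as workdir:
        img = os.path.join(workdir, "evidence_001.dd")
        make_sample_image(img)
        record = record_acquisition(
            img,
            examiner="J. Doe (hypothetical examiner)",
            source="constructed sample image, not a real device",
        )
        ok_before, _ = verify_integrity(img, record)

        # Simulate bit rot or an unwritten-protected edit: invert a single byte mid-image.
        with open(img, "r+b") as f:
            f.seek(os.path.getsize(img) // 2)
            original = f.read(1)
            f.seek(-1, os.SEEK_CUR)
            f.write(bytes([original[0] ^ 0xFF]))

        ok_after, per_algo = verify_integrity(img, record)
        return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo()
    print(f"verified at acquisition: {before}, verified after one-byte change: {after}")
```

A single inverted byte fails both digests, which is the point of the exercise: the custody record is only as strong as the re-verification step performed before any analysis tool touches the copy.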
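The "Correlate Logs & Timelines" objective and the Phase 4 items on log correlation and temporal proximity come down to one mechanical problem: every source stamps time in its own format and time zone, and the narrative only emerges once everything is normalised to UTC and sorted. The script below is an added example, not from the course; the three log lines (a web-server access log, a syslog-style firewall line, and a CSV export of a Windows event) are constructed, the workstation's UTC-5 offset and the syslog year are assumptions that a real investigation would have to establish from the systems themselves, and the IP addresses are documentation ranges.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(order=True)
class Event:
    ts: datetime      # always UTC after parsing
    source: str
    message: str


# Constructed sample lines. Note the three different timestamp conventions.
ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2024:14:03:07 +0000] "GET /admin/upload.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2024:14:02:58 +0000] "GET /login HTTP/1.1" 200 1024',
]
FIREWALL_LOG = [  # classic syslog: no year, no zone (assumed to be the firewall's clock, UTC here)
    "Mar 12 14:03:09 fw01 kernel: ACCEPT SRC=10.0.0.5 DST=203.0.113.10 DPT=443",
]
WINDOWS_CSV = [  # exported in the workstation's local time (assumed UTC-5)
    "2024-03-12 09:03:11,4688,WORKSTATION1,New process: powershell.exe",
]

APACHE_RE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "([^"]*)"')
SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_apache(line: str) -> Event:
    """Combined-log-format timestamps carry their own offset, so %z handles the conversion."""
    m = APACHE_RE.match(line)
    ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return Event(ts.astimezone(timezone.utc), "web", m.group(2))


def parse_syslog(line: str, year: int, tz: timezone) -> Event:
    """Syslog omits the year and zone; both must be supplied from case context."""
    m = SYSLOG_RE.match(line)
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return Event(ts.astimezone(timezone.utc), m.group(2), m.group(3))


def parse_windows_csv(line: str, tz: timezone) -> Event:
    """CSV export in the host's local time; the host's zone is applied before converting to UTC."""
    ts_str, event_id, host, msg = line.split(",", 3)
    ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return Event(ts.astimezone(timezone.utc), host, f"EID {event_id}: {msg}")


def build_timeline() -> list[Event]:
    """Normalise every source to UTC and return one chronologically sorted list."""
    events = [parse_apache(l) for l in ACCESS_LOG]
    events += [parse_syslog(l, 2024, timezone.utc) for l in FIREWALL_LOG]
    events += [parse_windows_csv(l, timezone(timedelta(hours=-5))) for l in WINDOWS_CSV]
    return sorted(events)


def clusters(events: list[Event], window_seconds: int = 5) -> list[list[Event]]:
    """Group consecutive events whose gap is within the window: the 'temporal proximity'
    that lets an analyst argue that a request, a connection and a process are one action."""
    groups: list[list[Event]] = []
    for e in events:
        if groups and (e.ts - groups[-1][-1].ts) <= timedelta(seconds=window_seconds):
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups


if __name__ == "__main__":
    for i, group in enumerate(clusters(build_timeline()), 1):
        print(f"--- cluster {i} ---")
        for e in group:
            print(e.ts.strftime("%Y-%m-%d %H:%M:%S UTC"), e.source, e.message)
```

Run as-is, the Windows event that reads 09:03 in its own export lands three seconds after the firewall line once converted, and the upload request, the outbound connection and the new process fall into one five-second cluster while the earlier login stands alone. Getting the zone assumption wrong would scatter the same four events across five hours, which is why establishing each system's clock and zone is part of acquisition, not analysis.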