Introductory File System Forensics
Every device has a type of file system to store its data, so the vast majority of forensically relevant information about a cybercrime comes from device collection and analysis. This course introduces the process of imaging and forensically analyzing disks, including finding artifacts such as deleted files. While these techniques traditionally apply to law enforcement forensics cases, they are equally useful for the discovery of potential wrongdoing, internal enterprise compliance checks, recovery of accidentally deleted data, and digital archive preservation. The key is preserving the integrity of the evidence so the artifact can be submitted. By the end of the course, you will possess a deeper understanding of how to extract evidence from a hard drive.
- Lab 1: Create a Forensic Disk Image
- Lab 2: Perform Basic Analysis Using the Sleuth Kit
- Lab 3: Explore a Forensics Image with Autopsy
- Lab 4: Recover Deleted Images and Videos
- Lab 5: Generate an Autopsy Report
Who Should Take This Course:
Experienced cyber, information, software and infrastructure security professionals who want to better understand the process of imaging and forensically analyzing disks, including finding artifacts such as deleted files.
About This Course:
This course works with what is considered to be a more traditional "dead-box" type of forensics. The course content takes place within a Windows 10 64-bit virtual machine with a Virtual Machine installed. Before each lab topic, watch the instructional video to guide you through the content, and review background information to complete the lab assignment. There is no time restriction, but this lab will take approximately two hours to complete. At the end of the course, you will be asked to take a final assessment and must score 70% or higher prior to receiving a certificate of completion and earning continuing professional education (CPE) credits.