This 3-day Digital Forensics Fundamentals course is designed to provide a solid and practical coverage of the principles of identifying, preserving and analysing digital evidence, such as computers, mobile phones, and online sources.
The course is presented by Dr Bradley Schatz, one of Australia’s leading authorities on Digital Forensics. Dr Schatz is the Director of the independent digital forensics consultancy Schatz Forensic, and an Adjunct Associate Professor at the Queensland University of Technology. Since the completion of a PhD in Digital Forensics in 2007, his principal role has been as a practitioner of digital forensics in private practice, where he has served primarily legal clients in both civil and criminal matters. His evidence has been accepted as expert opinion in a range of courts within Australia.
Bradley is regularly invited to present and deliver training internationally on the subject, and has remained an active researcher advancing the field. He has published 15 peer reviewed academic papers and two book chapters, all in the area of digital forensics.
Learning outcomes
By the end of the course, participants will understand:
- Industry best practice when conducting forensic analysis of electronic devices
- End-to-end process and legal requirements for chain of evidence and chain of custody
- How to recognise potential sources of digital evidence
- The requirements for identifying evidence
- Introductory techniques for examining evidence
- How to correctly handle and preserve evidence in a forensically sound manner
- Commonly relied-on evidence artefacts
- How to use several tools for forensic analysis, through hands-on experience
- Report structure and format on the analysis of evidence
Who should attend
The course is targeted at:
- Investigators
- Would-be digital evidence examiners
- Law-enforcement personnel
- Information security professionals
- Anyone wanting to get started with handling and investigating digital evidence
Course contents
Day 1: Digital Forensics Introduction
- Digital forensic process
- Identification of evidence
- Evidence handling principles
- Order of volatility
- Evidence preservation
- Imaging basics
- Analysis basics with Autopsy and X-Ways
Exercises:
- Imaging using a write blocker, live CD, forensic duplicator
- Mounting disk images
- Examination with Autopsy
Day 2: Windows Disk Analysis
- Introduction to file system forensics
- Techniques for filtering and searching
- Mapping of investigative questions to artefacts
- Carving deleted content
- Email activity
- Web browsing history
- Chat rooms and activity
- Evidence of access and execution
- Tracking USB storage and file movement
Exercises:
- Carving of deleted content
- Tracking web browser history
- Identifying files accessed
Day 3: Mobile Devices and Advanced Preservation
- Volatile memory acquisition
- Gleaning evidence from pagefiles and Random Access Memory (RAM)
- Identifying and dealing with encryption
- Identifying and preserving cloud services
- Managing the case lifecycle
Exercises:
- Acquisition and analysis of a phone
- Acquisition and analysis of volatile memory
- Extraction of chat and other artefacts from volatile memory