• Classroom
Course Description

Students will learn basic forensic science along with the concepts of phone and computer forensics.

Learning Objectives

Forensic science (the scientific method, Locard's principle, how to write a report, etc.)
Legal Issues such as chain of custody and warrants
Basic computer science fundamentals (file systems, hard drives, etc.)
Mobile forensics
The various mobile operating systems
iOS
Android
Windows
Mobile networks
3G
4G
5G
Cell phone concepts
SIM
IMEI
PUK
General Overview of JTAG and Chip Off
Windows forensics (Registry, logs, how data is stored)
File issues
Properties
Deleted vs Orphaned Files
Moving vs Copying
Created, Modified, Accessed
Windows Registry
General overview
Keys of interest
Windows Prefetch
Windows Event Codes
MFT
Windows User Assist
Shadow Copy
ShimCache
Basic Linux operating system
Basic network forensics
Basic Networking Knowledge
IP Addresses
MAC Addresses
Devices
Packets
Protocols
Packet Structure
Packet Tracing
Packet Analysis
Virtual Systems
VMs
Cloud
Email Forensics
Servers
Header analysis
Memory Forensics
Types of Analysis
Swap space analysis
Memory Analysis
Data acquisition as per RFC 3227
In-memory data
Current processes
Memory mapped files
Caches
Open Ports
Memory Architectural Issues
Data structures
Windows Objects
Processes
Handles
Pool-tag scanning
%SystemDrive%/hiberfil.sys
Page/Swap File
Tools used
Using Volatility
DumpIt.exe
hibr2bin
Basic electronic discovery
Students will have hands-on labs where they will learn to:
Image a drive with FTK Imager and with OSForensics
Recover deleted files with OSForensics
Create an index and search an index with OSForensics
Recover data from Windows Registry with OSForensics
Prepare a forensics report
Recover data from a phone
Examine memory dumps with Volatility

Framework Connections