Course Summary
Credit Type:
Course
ACE ID:
DDCI-0024
Organization's ID:
WFE
Location:
Classroom-based
Length:
10 days (80 hours)
Dates Offered:
Credit Recommendation & Competencies
Level                          | Credits (SH) | Subject
Lower-Division Baccalaureate   | 3            | Digital Forensics
Upper-Division Baccalaureate   | 3            | Advanced Digital Forensics
Description

Objective:

The course objective is for students to conduct a forensic examination of an image of the Windows operating system in a forensically sound (repeatable, documented, and non-destructive) manner; choose the basic functions, configurations, outputs, tools, and settings that need to be adjusted when conducting a forensic examination of a Windows operating system; examine a forensic image from a Windows computer using basic forensic processes and automated tools; use tools and a repeatable, documented process to gain access to protected files; and produce documentation that completely and accurately summarizes all forensic actions taken on the machine.

Learning Outcomes:

  • Validate whether an air gap has been properly emplaced on the forensic workstation.
  • Configure the global settings on your forensic software to reflect the appropriate time setting.
  • Define the function of a partition in relation to forensic investigations.
  • Explain the importance of a clean partition to forensic investigations.
  • List the recommended configurations for a forensic workstation.
  • Recall the standards for best practices in forensic documentation.
  • Prepare documentation that outlines repeatable forensic actions and results in adherence to the Daubert Standard.
  • Recall the steps for preparing a forensic workstation.
  • Define the purpose of an air gap.
  • Explain the importance of time setting on a forensic machine.
  • Set up a clean partition on a forensic workstation.
  • Demonstrate the procedure for copying and validating evidence files to a forensic workstation.
  • Summarize the investigative implications of hardware, operating systems, and network technologies in a Windows system.
  • Define a Master Boot Record and identify its relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze the GPT artifacts in a forensically sound manner.
  • Outline standards relating to data carving tools and techniques.
  • Demonstrate how to navigate to and analyze file signature artifacts in a forensically sound manner.
  • Identify the default Windows directories and their standard contents and format.
  • Demonstrate how to navigate to and analyze artifacts from a default Windows directory in a forensically sound manner.
  • Identify whether a program was executed, when it ran, and what it may have done.
  • Demonstrate how to navigate to and analyze program execution artifacts in a forensically sound manner.
  • Define event logs and identify their relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze artifacts from event logs in a forensically sound manner.
  • Define pagefile and identify its relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze pagefile artifacts in a forensically sound manner.
  • Define hiberfil and identify its relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze hiberfil artifacts in a forensically sound manner.
  • Define alternate data streams and identify their relevance to cyber investigations.
  • Demonstrate how to identify and view alternate data streams in a forensically sound manner.
  • Define ActivityCache.db and identify its relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze ActivityCache.db artifacts in a forensically sound manner.
  • Demonstrate how to navigate to and analyze lnk artifacts in a forensically sound manner.
  • Demonstrate how to navigate to and analyze compound file artifacts in a forensically sound manner.
  • Demonstrate how to navigate to and analyze Windows’ sticky notes artifacts in a forensically sound manner.
  • Identify Microsoft Office applications and identify their relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze artifacts from Microsoft Office files in a forensically sound manner.
  • Identify the functions of chat applications and identify their relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze chat application artifacts in a forensically sound manner.
  • Label the different parts of an email and identify their relevance to cyber investigations.
  • Demonstrate how to recover and analyze internet history in a forensically sound manner on Microsoft Edge, Google Chrome, and Mozilla Firefox.
  • Demonstrate how to view and analyze EXIF data in a forensically sound manner.
  • Demonstrate how to navigate to and analyze thumbcache artifacts in a forensically sound manner.
  • Identify types of encryption and identify their relevance to cyber investigations.
  • Identify the function of OneDrive and identify its relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze OneDrive artifacts in a forensically sound manner.
  • Define the term: forensic workstation.
  • Explain the importance of scanning the forensic workstation and acquired media for malicious code.
  • Recognize the value of a new installation of Windows prior to beginning an investigation.
  • Summarize the necessity of copying evidence files for a forensic investigation.
  • Demonstrate skill in using a forensic tool suite (Magnet AXIOM) for case creation.
  • Identify the features of the New Technology File System (NTFS) pertinent to a cyber investigation on a Windows system.
  • Demonstrate how to navigate to and analyze the MBR artifacts in a forensically sound manner.
  • Define a GPT and identify its relevance to cyber investigations.
  • Define a Volume Boot Record and identify its relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze VBR artifacts in a forensically sound manner.
  • Define a Master File Table and identify its relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze MFT artifacts in a forensically sound manner.
  • Conduct data carving in a forensically sound manner.
  • Define hashes and identify their relevance to cyber investigations.
  • Demonstrate how to create and use hash sets in a forensically sound manner to assist in your investigation.
  • Demonstrate how to navigate to and analyze artifacts from a Windows registry in a forensically sound manner.
  • Define swapfile and identify its relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze swapfile artifacts in a forensically sound manner.
  • Define Recycle Bin and identify its relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze Recycle Bin artifacts in a forensically sound manner.
  • Define lnk files and identify their relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze jumplist artifacts in a forensically sound manner.
  • Define compound files and identify their relevance to cyber investigations.
  • Define Windows’ sticky notes and identify their relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze email artifacts in a forensically sound manner.
  • Find internet history and identify its relevance to cyber investigations.
  • Demonstrate how to navigate to and analyze multimedia artifacts in a forensically sound manner.
  • Define thumbcache and identify its relevance to cyber investigations.
  • Outline relevant cybersecurity considerations when setting up a forensic workstation.
  • Conduct a scan for any malicious code on the forensic workstation and software.
  • Define file signatures and identify their relevance to cyber investigations.
  • Define jumplists and identify their relevance to cyber investigations.
  • Define EXIF data and identify its relevance to cyber investigations.
  • Identify pictures and videos on a Windows system and identify their relevance to cyber investigations.
  • Demonstrate how to defeat encryption in a forensically sound manner.
  • Identify the Windows registries and their standard contents and format.

General Topics:

  • Getting Started
  • Windows Boot
  • Windows Artifacts
  • Windows User Artifacts
  • CTF Mini Scenarios
  • Practical Exam

Instruction & Assessment

Instructional Strategies:

  • Case Studies
  • Classroom Exercise
  • Computer Based Training
  • Discussion
  • Laboratory
  • Lectures
  • Practical Exercises
  • Work-based Learning

Methods of Assessment:

  • Examinations

Minimum Passing Score:

70%
Supplemental Materials