Digital Forensics

This course currently has no scheduled dates. To express interest in this course or to discuss bespoke options for yourself or your organisation, please submit an expression of interest or contact the Professional Education Team on +61 2 5114 5573 or profedcourses@adfa.edu.au

Duration

5 days

Delivery mode

Face-to-face

Location

Canberra

Standard price

$4,750.00

Defence price

$4,250.00

  • Accelerate your career, learn new skills, and expand your knowledge.

  • First in Australia for research excellence and impact.

  • Top 50 in the world. 2020 QS World University Rankings.

Overview

This course introduces participants to digital forensic analysis, investigation first principles and theoretical concepts including the digital forensic method, intent and its application. The course also covers introductory Microsoft Windows-centric technical topics such as file system, memory and operating system artefact analysis using contemporary open source tools, techniques and procedures. Students are expected to demonstrate their theoretical and technical understanding through the completion of practical exercises in a simulated operational environment.

Course content

Day 1: Disk Forensics

This session gives an overview of the history of disk forensics. Basics such as file structures, metadata, file system concepts, Windows file systems and disk partitioning are covered, leading to a practical investigative scenario.

Topics

File system features, FAT, exFAT, NTFS, File slack, Volume shadow copies, Master boot record partition table, GUID partition table, Partition slack.

Day 2: Registry Forensics

This session focuses on the analysis of low-level configuration settings located within the Microsoft Windows registry. You'll gain an understanding of the Windows registry as a hierarchical database, culminating in a practical exercise in detecting malware within the registry using Python.

Topics

Configuration analysis, Registry keys and values, Registry root keys, Hives, Deleted registry keys.

Day 3: Network Forensics

This session looks at how network investigations deal with volatile and dynamic information, focusing on the analysis and monitoring of computer network traffic for the purposes of information gathering, legal evidence and intrusion detection.

Topics

The internet protocol, Packet structures, Addressing methods, Application layer protocols, Netflow.

Day 4: Memory Forensics

This session covers the history of memory forensics and modern computer architecture. We'll then cover several memory management techniques and look at how these can be leveraged in forensic processes.

Topics

Process concept, Memory layout, Process management, Windows environment block, Thread concept, Thread management, Virtual memory, Page concept, Memory protections, Virtual Address Descriptor (VAD), Kernel interface, Hibernation.

Day 5: The Forensic Method

This session covers various digital forensic analysis techniques from multiple viewpoints in order to derive meaning and intelligence from gathered evidence. We'll look at what it's like to be in an offensive position and how this can provide analysts with a significant tactical advantage.

Topics

Locard’s Exchange Principle, Offensive Operations, Forensic Investigation Requirements, Digital Forensic Life Cycle.

Learning outcomes

Skills/competencies/knowledge that would be gained through this course:
  • understand basic digital forensic theory, including purpose and intent
  • understand how to professionally approach a digital forensic investigation, determining its scope and duration
  • demonstrate they can utilise contemporary open source tools, techniques and procedures to conduct analysis
  • demonstrate they can achieve an acceptable level of intelligence outcomes within a defined period of time
  • perform a basic forensic examination, producing an actionable intelligence product.

Who should attend

This course is for students who have no previous experience or exposure to the field of digital forensics. As a result, students should expect the course material to be introductory and all-inclusive, with no digital forensic pre-reading required.

Cancellation policy

Courses will be held subject to sufficient registrations. UNSW Canberra reserves the right to cancel a course up to five working days prior to commencement of the course. If a course is cancelled, you will have the opportunity to transfer your registration or be issued a full refund. If a registrant cancels within 10 days of course commencement, a 50% registration fee will apply. UNSW Canberra is a registered ACT provider under ESOS Act 2000. CRICOS Provider Code 00098G.