Course Outline

The course will follow adult learning principles through training aids, presentations, diagrams, and instructor led practical exercises.  Each topic covered will be presented in either one or two 50 minute sessions followed by review questions.  Students will be given the opportunity throughout the course to ask questions and discuss objectives covered in more detail.  Ample time will be allotted for hands on exercises to reinforce the topics covered.

The course is structured as follows:

Introductions and Digital Forensics / eDiscovery / Digital Archive Overview

• Introductions by the students and course instructor
• Identify the typical components of a digital forensic investigation
  
• Identify the typical components of an eDiscovery examination
• Foundation of digital duplication/archiving
  

Hardware Recognition

• Identify common digital hardware components
• Discuss digital forensic items of interest in a typical forensic examination

Seizure and Transportation

• Identify proper methods for dealing with live (running) computer systems at crime scenes
• Discuss RAM capture from a live machine
• Discuss proper packaging techniques for transporting digital media

Drive Interfaces

• Identify drive interfaces / technology likely to be found
• Explain the purpose and use of drive jumpers
• Explain the purchase and use of drive adapters

BIOS and CMOS

• Explain the purpose / use / forensic relevance of system BIOS
• Explain the purpose / use / forensic relevance of system CMOS
• Discuss methods to circumvent / disable passwords associated with the CMOS

Physical and Logical Characteristics

• Explain physical components of digital media
• Define the terms sector, track, cylinder, page, block and LBA
• Explain logical structures of digital media
• Differentiate physical media with sold state drive media
  

Computer Data

• Explain how data storage on various digital media
• Discuss the components of the ASCII / ANSI chart and define Unicode
• Explain the binary, decimal, and hexadecimal numbering schemes
• Identify various locations of interest where data will be found in various formats

Operating and File Systems

• Provide a detailed overview of Operating System function and purpose
• Identify the most common Operating Systems
• Provide a detailed overview of a File System
• Identify the most common File Systems

Partitioning

• Discuss the MBR partitioning scheme
  
• Discuss the GPT partitioning scheme
  
• Identify deleted partitions and recovery methods
  

FAT & NTFS File Systems

• Describe the components of the FAT file system
• Explain the "format" command and results of its use
• Discuss how file creation and deletion effects digital data
  

Forensic Triage and Duplication

• Describe the processes used to triage electronic data
  
• Create physical/logical duplicates using various forensic tools
  
• Create custom content forensic images with various forensic tools
• Discuss typical challenges facing forensic duplication such as encryption, integrated storage and RAID data