DFI - Digital Forensics Intermediate

This intermediate-level three (3) day course gives students an understanding of the many artifacts left behind on Windows-based systems and digital media. Operating systems analyzed include Windows XP, Windows Vista, and Windows 7 / 8 / 10.

This course focuses on forensically interesting artifacts associated with normal operating system functions and user interactions.


This course is designed to advance the skills of forensic examiners by improving their understanding and examination of Windows-based artifacts.

Completing this course will enable forensic examiners to:

  • Find and analyze OS and user interaction artifacts
  • Understand Master Boot Record and GUID Partitioning
  • Gain a solid understanding of the FAT and NTFS file systems
  • Explore and understand recycle bin function across various Windows operating systems
  • Gain an understanding of the forensic relevance of the Windows Registry
  • Gain an understanding of email containers and recovery of deleted emails
  • Form a foundation for internet artifact investigation


This course is structured for beginning-level digital forensic investigators and eDiscovery examiners with a basic understanding of how Microsoft Windows operating systems function.

Students should meet or exceed the following:

  • Read and understand the English language
  • Have previously attended basic digital forensic training
  • Have familiarity with the Microsoft Windows environment and data recovery concepts


Course Outline

The course will follow adult learning principles through training aids such as presentations, diagrams, and instructor-led practical examples. Each topic covered will be presented in one or two 50-minute sessions followed by review questions. Students have the opportunity throughout the course to ask questions and discuss the topics covered. Ample time will be allotted for hands-on exercises to reinforce those topics.

The course will be structured as follows:

Introduction and Forensic Tool Overview

  • Introductions by students and the course instructor
  • An overview of commercial products, such as EnCase and Forensic Toolkit (FTK), as well as free and public-domain tools

MBR Partitioning

  • Explanation of the Master Boot Record (MBR) and its function
  • Explanation of the master partition table and its function
  • Primary and Extended partition structuring
  • Identification of deleted and hidden partitions
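
The partition-table walk and the search for deleted or hidden partitions listed above, as an added example that is not part of the course material. The parser decodes the four 16-byte slots at offset 446 of a 512-byte MBR, then reports every sector range the table does not account for; a gap whose first sector still holds a volume boot record is the usual sign of a deleted partition. The sample MBR is constructed in the code (two primaries, two unused slots) and the function names and the 2,097,152-sector disk size are assumptions made for the example.

```python
import struct
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

# Common type codes; an unlisted code is reported as hex rather than guessed.
PARTITION_TYPES = {
    0x05: "Extended (CHS)",
    0x07: "NTFS / exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0xEE: "GPT protective MBR",
}


def parse_mbr(sector: bytes) -> List[Dict]:
    """Return the partition-table slots of an MBR sector, all-zero slots omitted."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("MBR must be at least one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * slot
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, sector[off:off + 16])
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused (or wiped) slot
        entries.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "lba_start": lba_start,
            "sectors": sectors,
            "lba_end": lba_start + sectors - 1,
        })
    return entries


def find_unallocated(entries: List[Dict], total_sectors: int) -> List[Tuple[int, int]]:
    """Sector ranges (start, length) covered by no table entry.

    Sector 0 is the MBR itself, so the scan starts at sector 1. A large gap,
    especially one whose first sector still carries a volume boot record, is
    where a deleted or hidden partition is most likely to be found.
    """
    gaps = []
    cursor = 1
    for e in sorted(entries, key=lambda e: e["lba_start"]):
        if e["lba_start"] > cursor:
            gaps.append((cursor, e["lba_start"] - cursor))
        cursor = max(cursor, e["lba_end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed MBR for the example: NTFS at LBA 2048, FAT32 after it, slots 2-3 unused."""
    mbr = bytearray(SECTOR_SIZE)
    chs = b"\x00\x00\x00"   # CHS fields left zero; modern tools rely on the LBA fields
    mbr[446:462] = struct.pack(ENTRY_FORMAT, 0x80, chs, 0x07, chs, 2048, 1_048_576)
    mbr[462:478] = struct.pack(ENTRY_FORMAT, 0x00, chs, 0x0B, chs, 2048 + 1_048_576, 204_800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    for e in table:
        print(f"slot {e['slot']}: {e['type_name']:<20} LBA {e['lba_start']}-{e['lba_end']}"
              f" ({e['sectors']} sectors){' boot' if e['bootable'] else ''}")
    for start, length in find_unallocated(table, total_sectors=2_097_152):
        print(f"unallocated: LBA {start}, {length} sectors")
```

On a real image the gap list is the starting point, not the answer: read the first sector of each gap and look for a FAT or NTFS boot sector (an NTFS volume announces itself with "NTFS    " at offset 3) before concluding a partition was removed. The example reads only the primary table; an extended partition (types 0x05 / 0x0F) holds its own chain of EBRs that would need to be followed the same way.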

GUID Partitioning

  • Explanation of the protective MBR
  • Explanation of the GUID partition table structure

FAT File System

  • Describe the components of the FAT file system
  • Explanation of the format command and the results of its use
  • Identify the system and data areas on a formatted logical volume
  • Explanation of the changes to digital media when a file is created using the FAT file system
  • Explanation of RAM slack and residual file slack
  • Explanation of the changes to digital media when a file is deleted using the FAT file system
  • Understand the process for manual review and recovery of deleted files
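
The deletion behaviour and manual recovery steps in this section, as an added example that is not part of the course material. It walks a FAT directory cluster entry by entry: a live 8.3 entry, one marked deleted (first name byte overwritten with 0xE5), and the end-of-directory marker, and shows what a deleted entry still offers for recovery: the start cluster and the file size, from which the clusters to read back can be listed if the file was not fragmented. The directory cluster is constructed in the code; the function names, the 4 KiB cluster size and the file names are assumptions for the example.

```python
import struct
from datetime import datetime
from typing import Dict, List, Optional

DIR_ENTRY = "<11sBBBHHHHHHHI"   # 32-byte FAT short (8.3) directory entry
DELETED_MARKER = 0xE5            # first name byte after deletion
END_OF_DIRECTORY = 0x00          # first name byte: no entries beyond here
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F            # long-file-name fragment (low attribute bits)


def decode_dos_datetime(date: int, time: int) -> Optional[datetime]:
    """FAT packed date/time (local time, 2-second resolution) to a datetime."""
    if date == 0:
        return None
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute, second = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:            # corrupt or wiped timestamp fields
        return None


def short_name(raw: bytes, deleted: bool) -> str:
    """Rebuild NAME.EXT; a deleted entry has lost its first character."""
    base = raw[:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    if deleted:
        base = "?" + raw[1:8].decode("ascii", "replace").rstrip()
    return f"{base}.{ext}" if ext else base


def parse_directory(data: bytes) -> List[Dict]:
    """Walk a directory cluster and return every short entry, deleted ones included."""
    entries = []
    for off in range(0, len(data) - 31, 32):
        raw = data[off:off + 32]
        if raw[0] == END_OF_DIRECTORY:
            break
        (name, attr, _nt, _tenth, _ctime, _cdate, _adate,
         hi, wtime, wdate, lo, size) = struct.unpack(DIR_ENTRY, raw)
        if attr & 0x3F == ATTR_LONG_NAME:
            continue                   # LFN pieces precede their short entry
        deleted = raw[0] == DELETED_MARKER
        entries.append({
            "name": short_name(name, deleted),
            "deleted": deleted,
            "is_dir": bool(attr & ATTR_DIRECTORY),
            "is_label": bool(attr & ATTR_VOLUME_ID),
            # On FAT32 Windows zeroes the high word of the start cluster when it
            # deletes a file, so for clusters >= 65536 this value is unreliable.
            "first_cluster": (hi << 16) | lo,
            "size": size,
            "modified": decode_dos_datetime(wdate, wtime),
        })
    return entries


def contiguous_clusters(entry: Dict, bytes_per_cluster: int) -> List[int]:
    """Clusters to read back for a deleted file, assuming it was not fragmented.

    Deletion clears the file's FAT chain but leaves the data clusters in place;
    the start cluster and size in the directory entry are what recovery has left.
    """
    needed = max(1, -(-entry["size"] // bytes_per_cluster))   # ceiling division
    return list(range(entry["first_cluster"], entry["first_cluster"] + needed))


def build_sample_directory() -> bytes:
    """Constructed root-directory cluster: a label, a live file, a deleted file, end marker."""
    def entry(name: bytes, attr: int, cluster: int, size: int, wdate: int, wtime: int) -> bytes:
        return struct.pack(DIR_ENTRY, name.ljust(11), attr, 0, 0, 0, 0, 0,
                           cluster >> 16, wtime, wdate, cluster & 0xFFFF, size)
    return b"".join([
        entry(b"DFIDISK", ATTR_VOLUME_ID, 0, 0, 0, 0),
        entry(b"REPORT  DOC", 0x20, 3, 12288, 20079, 29632),    # 2019-03-15 14:30:00
        entry(b"\xE5UDGET  XLS", 0x20, 7, 4500, 20080, 18597),  # BUDGET.XLS, deleted
        bytes(32),
    ])


if __name__ == "__main__":
    for e in parse_directory(build_sample_directory()):
        flag = "DELETED " if e["deleted"] else ("LABEL   " if e["is_label"] else "        ")
        print(f"{flag}{e['name']:<14} cluster={e['first_cluster']:<6} "
              f"size={e['size']:<7} modified={e['modified']}")
        if e["deleted"]:
            print("   clusters to recover (assuming contiguous):", contiguous_clusters(e, 4096))
```

The contiguity assumption is the caveat to keep in mind: once the FAT chain is cleared nothing on disk says where a fragmented file continued, so a recovered file whose tail does not match its header (or that fails to open) is the normal sign of fragmentation or of clusters already reused by a newer file.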

NTFS File System

  • Describe the components of the NTFS file system
  • Describe the function of the $Metadata files
  • Describe the MFT entry attributes for files and folders
  • Explanation of the changes to digital media when a file is created using the NTFS file system
  • Explanation of orphan or lost files
  • Understand the process for manual review and recovery of deleted files

Recycle Bin Function Across Windows Systems

  • Examine Windows XP recycle bin function and structure of the recycle folder
  • Examine the Windows Vista / 7 / 8 / 10 recycle bin implementation and the $I / $R file pairs
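
The $I / $R pairing named above, as an added example that is not part of the course material. Under Vista and later each deleted item becomes two files in $Recycle.Bin\<SID>: $R<suffix> holds the content and $I<suffix> holds a small record with the original size, the deletion time as a FILETIME, and the original path. The parser handles both header versions (1 on Vista / 7 / 8 with a fixed 520-byte path field, 2 on later Windows 10 builds with a length-prefixed path) and the pairing routine matches records to content by the shared suffix and reports orphans. Both $I records and the folder listing are constructed in the code; the path, the suffixes and the function names are assumptions for the example.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520          # Vista / 7 / 8: fixed 260 UTF-16 characters


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data: bytes) -> Dict:
    """Decode a $I record: header version, original size, deletion time, original path."""
    if len(data) < 24:
        raise ValueError("$I record shorter than its 24-byte header")
    version, original_size, deleted_ft = struct.unpack("<QQQ", data[:24])
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
        if len(raw) < V1_PATH_BYTES:
            raise ValueError("truncated version 1 $I record")
    elif version == 2:                   # Windows 10: length-prefixed path
        (nchars,) = struct.unpack("<I", data[24:28])
        raw = data[28:28 + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("truncated version 2 $I record")
    else:
        raise ValueError(f"unknown $I header version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]   # stop at the terminating null
    return {
        "version": version,
        "original_size": original_size,
        "deleted_at": filetime_to_datetime(deleted_ft),
        "original_path": path,
    }


def pair_recycle_bin(filenames: List[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Match $I metadata files to their $R content files by the shared suffix.

    Returns (pairs, orphans). An orphan $R means the metadata record is gone
    (original name and deletion time must come from elsewhere); an orphan $I
    means the content was already purged but the record of the deletion survives.
    """
    i_files = {n[2:]: n for n in filenames if n.startswith("$I")}
    r_files = {n[2:]: n for n in filenames if n.startswith("$R")}
    pairs = [(i_files[k], r_files[k]) for k in sorted(i_files) if k in r_files]
    orphans = ([r_files[k] for k in sorted(r_files) if k not in i_files]
               + [i_files[k] for k in sorted(i_files) if k not in r_files])
    return pairs, orphans


def build_sample_dollar_i(version: int) -> bytes:
    """Constructed $I record for the example (not captured from a real system)."""
    path = r"C:\Users\analyst\Documents\budget.xlsx"
    deleted_ft = 131_972_007_100_000_000        # 2019-03-16 09:05:10 UTC
    header = struct.pack("<QQQ", version, 4500, deleted_ft)
    if version == 1:
        return header + path.encode("utf-16-le").ljust(V1_PATH_BYTES, b"\x00")
    encoded = (path + "\x00").encode("utf-16-le")
    return header + struct.pack("<I", len(path) + 1) + encoded


if __name__ == "__main__":
    for v in (1, 2):
        rec = parse_dollar_i(build_sample_dollar_i(v))
        print(f"v{rec['version']}: {rec['original_path']} ({rec['original_size']} bytes) "
              f"deleted {rec['deleted_at']:%Y-%m-%d %H:%M:%S} UTC")
    # Constructed listing of one $Recycle.Bin\<SID> folder.
    pairs, orphans = pair_recycle_bin(
        ["$IABC123.xlsx", "$RABC123.xlsx", "$RZZZ999.docx", "desktop.ini"])
    print("pairs:", pairs, "orphans:", orphans)
```

Two points worth checking on a real bin: the $I record gives the deletion time in UTC and the examiner converts it to the machine's local time, and emptying the bin removes both files, so anything found afterwards comes from unallocated space or the $MFT rather than from these records.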

File Extensions and Headers

  • Explanation of the purpose of file extensions
  • Explanation of the purpose of file headers
  • Explore the forensic concept of data carving

Thumbnail Caches

  • Identify the locations and purpose of Thumbs.db files
  • Identify the locations and purpose of the various Thumbcache files

Windows Registry

  • Explore the function of the Windows Registry
  • Identify the Windows system files in the Registry
  • Identify key structures and locations within Registry hives
  • Identify key investigative artifacts within the Registry

Link Files

  • Explanation of Windows shortcuts
  • Identify data of interest contained in a link file

Email Artifacts

  • Describe the use of container files by email applications
  • Describe the use of individual message files by email applications
  • Discuss the potential for deleted email file recovery
  • Explanation of a basic email header

Internet Artifacts

  • Describe the basic artifacts left behind by internet browsers
  • Discuss form data and password recovery from internet browser artifacts
  • Describe the basic artifacts left behind by instant messenger applications
  • Explore chat log and password recovery from instant messenger applications



No classes scheduled at this time.