Overview
The ability to navigate the world of digital forensics is in high demand. With a swarm of resources available at the click of a button, how does one pick where to start? Here is a suggestion: Cybrary has released a new course titled "Everyday Digital Forensics."
Courses in digital forensics usually start with file systems and their implications for an investigation, because that is what teaches a student "how to think" from a forensics perspective. To perform file system forensics, a person must first understand how the file system lays data out on disk; only then can they recognize suspicious artifacts and recover data that the operating system no longer shows. The details are intricate, and mastering them is a real intellectual challenge.
The course "Everyday Digital Forensics" does an excellent job of introducing students to file system forensics, all in a matter of four hours. Along with introducing file system forensics, the course also gets a student acquainted with mobile device forensics, particularly Android devices. The course has five modules. Here is a brief outline of each module.
Outline of the course
The first module introduces the main principles of digital forensics, such as:
- The Investigative Process
- Order of Volatility
- Acquisition of Forensic Images
- Forensic Image Formats
The second module introduces file systems, the logical organization of the physical storage area on a drive. Two major types of file system are discussed. One is the File Allocation Table (FAT) family, commonly found on USB drives and memory cards. The other is the New Technology File System (NTFS), found on drives with the Windows operating system installed. The course also points to an excellent reading resource, titled "A Forensic Comparison of NTFS and FAT32 File Systems".
The third module elaborates on forensic image acquisition. A forensic image is a bit-by-bit copy of a storage medium that lets the investigative team examine every sector, allocated or not, for clues relevant to the case at hand. The open-source command-line tool "dd" and the commercial tool "FTK Imager" are demonstrated. Knowing how multiple tools operate is a required skill for a forensic investigator, since one tool can corroborate the results obtained with another, and a cryptographic hash of the source and of the image is what proves the copy is faithful. The acquisition of volatile memory is also discussed here: volatile data is data that disappears when a system is powered down, which is why the order of volatility from the first module dictates that it be collected first.
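To make the dd acquisition and the "one tool corroborates another" idea concrete, here is an added example (not part of the course or of Cybrary's material). It constructs a 1 MiB file of random bytes to stand in for the evidence drive, so it runs offline; on a real case the `if=` argument would be a block device such as `/dev/sdb` attached through a write blocker. The file names and the `WORK` directory are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: bit-by-bit acquisition with dd, verified two independent ways.
# The "evidence drive" is a constructed file; substitute a block device in practice.

WORK="${TMPDIR:-/tmp}/dd-acq-demo.$$"

# make_evidence: build a 1 MiB stand-in for the source drive and print its path.
make_evidence() {
    mkdir -p "$WORK"
    dd if=/dev/urandom of="$WORK/evidence.bin" bs=4096 count=256 2>/dev/null
    printf '%s\n' "$WORK/evidence.bin"
}

# acquire_image: copy $1 into $2 block for block. conv=noerror keeps dd going
# past unreadable sectors and conv=sync pads them with zeros, so every byte in
# the image sits at the same offset as on the source.
acquire_image() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# hash_file: SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image: succeed only if source and image hash identically AND a second,
# independent tool (cmp) finds no differing byte. Two tools, one conclusion.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ] || return 1
    cmp -s "$1" "$2" || return 1
    return 0
}

# run_acquisition: end-to-end demo. Prints both hashes (these belong in the
# case notes) and returns the verification status.
run_acquisition() {
    src="$(make_evidence)"
    img="$WORK/evidence.dd"
    acquire_image "$src" "$img"
    if verify_image "$src" "$img"; then rc=0; else rc=1; fi
    printf 'source  %s\nimage   %s\nverified %s\n' \
        "$(hash_file "$src")" "$(hash_file "$img")" "$rc"
    return "$rc"
}

# tamper_check: zero one 512-byte sector of a copy of the image and confirm the
# verification now fails. Same size, same everything except one sector.
tamper_check() {
    bad="$WORK/evidence-tampered.dd"
    cp "$WORK/evidence.bin" "$bad"
    dd if=/dev/zero of="$bad" bs=512 seek=1 count=1 conv=notrunc 2>/dev/null
    if verify_image "$WORK/evidence.bin" "$bad"; then return 1; else return 0; fi
}
```

Record the two hashes at acquisition time and again before analysis; if the image hash ever changes, the evidence chain is broken. The `conv=noerror,sync` choice is what makes the copy usable on a failing drive, but it also means a zero-filled sector in the image can be either real zeros or a read error, so keep dd's error count from stderr alongside the hashes.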
In the fourth module, the student is introduced to mobile forensics. With the proliferation of mobile devices, investigators often find that a phone is one of the richest sources of evidence at a crime scene. Acquiring a forensic image of an Android device is demonstrated, and that image is analyzed using the Santoku Linux distribution.
In the fifth and final module, the student is tasked with analyzing an acquired forensic image. The free tool Autopsy is demonstrated, and data is recovered from an image in EnCase Image File Format (.E01). Autopsy has numerous features for organizing the data obtained from a forensic image. Steganography is also introduced, and the course concludes with the analysis of a malicious file.
Who is this course for?
This course is well-suited for people entering into the world of digital forensics. If someone is curious about this field and simply wants to find out what it is all about, then this course is a good place to start.
What are the requirements?
A Windows 7 machine, either physical or virtual, should work well. The student is expected to be comfortable working with hexadecimal and binary numbers, and familiarity with basic network and security concepts is expected. Basic programming experience is preferred. A positive attitude and a passion for learning will equip a prospective student with the right mindset.
After completing the course, the student can rightly claim to possess the basic skills required to venture further into the world of Digital Forensics.