RGI Cyber Security Institute

Forensic Computing Foundations

This module is designed as an introductory course in computer forensics. The module aims to provide the student with a basic understanding for the need for computer forensics. Thereafter the student will be demonstrated the various tools and techniques available to perform a full computer forensic investigation.

Outcomes

On successful completion of this module a student should be able to:

  • Construct an overall digital forensic workflow that satisfies the requirements of evidential admissibility
  • Construct, justify, and carry out a forensically sound process for disk imaging
  • Conduct detailed manual forensic reconstruction of stored data (e.g. disk partition, file system, operating system, and application structures) including artefacts that may be unreadable by standard forensic tools.
  • Demonstrate by given a set of instructions for a case, construct an examination strategy to recover admissible digital evidence, and given a disk image, carry out that strategy to locate and extract digital evidence.
  • Produce appropriate documentation to accompany a digital forensic examination, including notes, statements and reports.
  • Syllabus

  • Digital data storage, formats, structures, and interpretation
  • Computer architecture and boot process, including BIOS and UEFI
  • Hard disk structures and data retrieval process
  • Disk partitioning
  • File system analysis, FAT, NTFS and exFAT
  • Microsoft Windows forensic artefacts, e.g. Windows Registry, Link Files, Prefetch Files, Recycle Bin etc.
  • An introduction to Mac OS X and Linux operating systems
  • Digital investigation strategies and processes, e.g. keyword searching, file carving etc.
  • Writing notes and reports.
  • Copyright © RGI Cyber Security Institute