This course is ideal for those who are just entering the digital forensics field — whether you are brand new to the team or just new to the role. Forensic Fundamentals (AX100) will utilize Magnet Forensics tools to demonstrate the basics of forensics: how to preserve and collect evidence, as well as details around the types of technology — including smartphones and computers — you'll encounter in your investigations.
Forensic Fundamentals (AX100) is a beginner-level course, designed for participants who are unfamiliar with the principles of digital forensics. In this course, we will be using Magnet AXIOM to demonstrate the core concepts of processing and examining evidence. After completing the four-day training event, participants will have general knowledge and skills that will prepare them for our intermediate-level AXIOM Examinations (AX200) course and subsequent certification. Each module of instruction employs extensive instructor-led scenario-based exercises to reinforce the learning objectives and further enhance the participant's understanding of the forensic workflow.
Objectives of Forensic Fundamentals
- Gain an understanding of responsibilities and best practices when on a scene, including:
  - Safety considerations
  - Preservation of evidence
  - How to properly take down a suspect computer, acquire a forensic image, obtain the date and time, and check the boot sequence
- Learn hard drive geometry and the difference between CHS and LBA
- Study the way data is stored and interpreted by computers, in the form of binary, hexadecimal, and ASCII
- Understand what happens when a computer is turned on and the boot process begins
- Learn how drive letter assignments are handled in computers running the Windows Operating System and how to track them to ensure the investigative process can link them back to the original drive
- Master the principles of data storage to know when there are changes in the Operating System, File System, and on a hard drive when a file is written and when a file is deleted from the hard drive
- Learn about the compound files that make up the registry of a Windows Operating System as well as the Global and User registry hives
- Introduce mobile phone forensics concentrating on iOS and Android devices — including concepts like acquisition, rooting, and jailbreaking.
Training Class Schedule
|Course|Location|Dates|
|---|---|---|
|Virtual Instructor-Led|Online|Jan 8-11|
|Classroom Instructor-Led|Herndon, VA|March 19-22|
Forensic Fundamentals Module Descriptions
Module 1: Course Introduction
In this introductory module, participants will be presented with the learning objectives and expected outcomes for the four-day training event, and all related course materials. The module will conclude with an overview of Magnet AXIOM, its associated programmatic components, AXIOM Process and AXIOM Examine.
Module 2: Preservation and Collection of Digital Evidence
This module covers the fundamentals of on-scene responsibilities, including considerations prior to arrival and while on scene, safety considerations, equipment concerns, and the types of media participants may encounter on scene. Students will also take part in a discussion of what to do on scene before pulling the plug or shutting down the computer. This discussion will include encryption and standard considerations for preserving evidence which may not have been written to the hard disk drive.
Module 3: Drive Geometry
Learn how to define and articulate the terms sector, track, cylinder, and head as they pertain to hard drives and similar media. Students will also be able to articulate the basic components of a modern hard drive, explain the differences between the CHS and LBA sector numbering schemes, and calculate the capacity of a drive given CHS or LBA information.
Module 4: Data Storage Concepts (Bits, Bytes, and Hex)
Understand the differences in the binary, decimal and hexadecimal numbering systems, and convert a hexadecimal number to its binary equivalent, as well as the reverse. Students will also be able to use an ASCII chart to convert numerical values to alphabetic characters and will be able to explain the basic process of what happens to information from keystroke to saving on a disk.
Module 5: Partitioning, Formatting and File Systems
In this module, learn the major differences between the Master Boot Record (MBR) and GUID Partition Table (GPT) partitioning schemes as well as the associated structures created by the two partitioning processes. Locate the Master Boot Record and the signature for a GPT-partitioned drive, learn the major differences between the File Allocation Table (FAT)-based file system and the New Technology File System (NTFS), and locate the main structures in a FAT-based file system such as the Boot Record, FAT table, directory and data areas. List and locate the main structures in an NTFS file system, such as the Master File Table and major metadata files, and recognize other file systems encountered, such as exFAT and HFS+, by the system files which are created.
Module 6: Boot Process and Drive Letter Assignments
Understand what happens when power is applied to a computer, including the Boot Process and the Power-On Self-Test (POST). Gain an understanding of the Boot Configuration Data file and how the boot process works on computers running the Windows Operating System. Learn how drive letters are assigned to volumes and how an examiner can associate a drive letter assignment with a specific drive based on artifacts found within the image file.
Module 7: Principles of Data Storage
Learn what areas of the file systems are affected by operating system activities such as saving and deleting files in the FAT and NTFS-based file systems. Identify the affected areas when a file is moved into and removed from the Recycle Bin and learn how to view affected areas at the hex level as well as with forensic software and disk-viewing software. Areas to be identified include the File Allocation Table, directory entries, $LogFile, $MFT, $Bitmap and the directory index.
Module 8: The Windows Registry
The Windows registry can give detailed information about software installations, network connections, file access, USB connections, changes to user accounts, and system settings. In this module, learn how to identify the location of some of the more commonly encountered artifacts from the Windows registry, and explain their importance to the overall digital forensics investigation.
Module 9: Imaging Computer Media and Mobile Devices
In this module, students will learn about imaging computer hard drives and removable media, including the difference between hardware and software write-blockers and how each one is effective. We will use case scenarios to understand when to use each of the diverse types of write-blockers and the types of images supported by Magnet AXIOM.
Module 10: Mobile Devices
Gain an understanding of the iPhone and Android Operating Systems. Learn different acquisition methods and when to apply each one based on the circumstances. Become familiar with rooting and jailbreaking and their possible uses in gaining access to suspect mobile devices.