Introductory Digital Forensics Course (October 2025)

Course Aim

The course is targeted at technical IT staff who work in roles such as administrator or auditor and whose normal duties do not include forensic analysis. Experienced digital forensic staff who do forensics on a regular basis are not the target group and will receive only limited benefit from attending.

The course is also open to forensics trainers such as lecturers and tutors whose duties include forensics training.

Non-technical personnel are also welcome to the course; however, the pace of the course might be too fast without prior preparation.

In any case, please refer to the course prerequisites.

Learning Objectives

  • Provide an introduction to digital forensics investigation, explain related terminology, methodology, principles, and steps to conduct digital forensic investigation,
  • Provide an overview of prospective digital evidence (assuming exclusively Windows hosts),
  • Understand technical and procedural limitations while conducting digital forensic investigation,
  • Learn and practice digital forensic investigation techniques, focusing primarily on open source/free forensic software (a few commercial solutions are mentioned as well),
  • Conduct forensic investigation through several hands-on sessions,
  • Prepare course students for more in-depth forensics/reverse engineering training.

Target Audience

  • The course is targeted at technical IT staff who work in roles such as administrator or auditor and whose normal duties do not include forensic analysis. It is an introductory training solution. The course is also open to forensics trainers such as lecturers and tutors whose duties include forensics training.

Outline

  • Introduction to Digital Forensics.
  • Forensic process and workflow (theory):
    • Terminology, Methodology, Principles, Chain of Custody.
  • Evidence Acquisition (theory and hands-on):
    • System description and verification.
    • Different types of evidence and locations.
    • Forensic software/hardware for evidence acquisition.
    • Acquisition process.
    • Evidence handling.
  • Evidence Analysis (theory and hands-on):
    • File system analysis.
    • Media analysis.
    • Windows OS analysis:
      • Registries,
      • Event logs,
      • Prefetch,
      • Other Windows OS artifacts.
  • Data carving and application fingerprinting (theory and hands-on).
  • Internet activities focus (theory and hands-on):
    • Browser, Email, Instant Messaging Forensics.
  • Memory analysis (theory and hands-on):
    • Terminology, tools, acquisition, analysis.
  • Timeline analysis (theory and hands-on):
    • Timeline creation, filtering, analysis.
  • Network analysis (theory and hands-on):
    • Capturing network traffic, tools, analysis.

Prerequisites

  • Good work/administration experience in the Linux and Windows environments, especially command line,
  • Comfortable using virtual machines as a training environment (VirtualBox and VMware); the SIFT workstation is one of the primary investigation tools used,
  • English language skill comparable to STANAG 6001, 2.2.2.2.
  • For non-technical personnel (but others are welcome as well), we strongly advise to get familiar with:
  • The course has a mandatory e-learning module (ADL 344 “Digital Forensics and Digital Evidence”, see the details in the “e-Learning courses” chapter) that can be accessed through the NATO e-Learning Joint Advanced Distributed Learning portal and will be available to all users of the portal. Once registered, users may access the course by navigating to the ‘Centres of Excellence’ -> ‘COE Cyber Defence’ -> ADL 344 “Digital Forensics and Digital Evidence” course listing.

NB! This course will provide an overview and is not meant to provide an in-depth introduction to forensic methods or tools.

Registration

Please register for the course by visiting the NATO CCDCOE website and completing the provided registration form before the deadline. Applicants from CCDCOE member nations should use the registration code provided by their national Point of Contact. Should you have any questions, please contact: [email protected]

ADL 344 module certificate: the certificate is required when applying for the residential part of the course. You can download it once you successfully finish the final test of the e-Learning module. When you register for the residential part of the course, please email it to: [email protected]