FOR308: Digital Forensics Essentials Course

What You Will Learn

More than half of jobs in the modern world use a computer. The vast majority of people aged 18-30 are 'digitally fluent'; accustomed to using smartphones, smart TVs, tablets and home assistants, in addition to laptops and computers, simply as part of everyday life. Yet, how many of these users actually understand what's going on under the hood? Do you know what your computer or smartphone can tell someone about you? Do you know how easy it might be for someone to access and exploit that data? Are you fed up with not understanding what technical people are talking about when it comes to computers and files, data and metadata? Do you know what actually happens when a file is deleted? Do you want to know more about Digital Forensics and Incident Response? If you answered 'yes' to any of the above, this course is for you. This is an introductory course aimed at people from non-technical backgrounds, to give an understanding, in layman's terms, of how files are stored on a computer or smartphone. It explains what Digital Forensics and Incident Response are and the art of the possible when professionals in these fields are given possession of a device.

This course is intended to be a starting point in the SANS catalogue and provide a grounding in knowledge, from which other, more in-depth, courses will expand.

IT'S NOT JUST ABOUT USING TOOLS AND PUSHING BUTTONS

FOR308: Digital Forensics Essentials Course will help you understand:

What digital forensics is
What digital evidence is and where to find it
How digital forensics can assist your organization or investigation
Digital forensics principles and processes
Incident response processes and procedures
How to build and maintain a digital forensics capacity
Some of the key challenges in digital forensics and incident response
Some of the core legal issues impacting on digital evidence

Digital forensics has evolved from methods and techniques that were used by detectives in the 1990's to get digital evidence from computers, into a complex and comprehensive discipline. The sheer volume of digital devices and data that we could use in investigative ways meant that digital forensics was no longer just being used by police detectives. It was now being used as a full forensic science. It was being used in civil legal processes. It was being used in the military and intelligence services to gather intelligence and actionable data. It was being used to identify how people use and mis-use devices. It was being used to identify how information systems and networks were being compromised and how to better protect them. And that is just some of the current uses of digital forensics.

However digital forensics and incident response are still largely misunderstood outside of a very small and niche community, despite their uses in the much broader commercial, information security, legal, military, intelligence and law enforcement communities.

Many digital forensics and incident response courses focus on the techniques and methods used in these fields, which often do not address the core principles: what digital forensics and incident response are and how to actually make use of digital investigations and digital evidence. This course provides that. It serves to educate the users and potential users of digital forensics and incident response teams, so that they better understand what these teams do and how their services can be better leveraged. Such users include executives, managers, regulators, legal practitioners, military and intelligence operators and investigators. In addition, not only does this course serve as a foundation for prospective digital forensics practitioners and incident responders, but it also fills in the gaps in fundamental understanding for existing digital forensics practitioners who are looking to take their capabilities to a whole new level.

FOR308: Digital Forensics Essentials Course will prepare you team to:

Effectively use digital forensics methodologies
Ask the right questions in relation to digital evidence
Understand how to conduct digital forensics engagements compliant with acceptable practice standards
Develop and maintain a digital forensics capacity
Understand incident response processes and procedures and when to call on the team
Describe potential data recovery options in relation to deleted data
Identify when digital forensics may be useful and understand how to escalate to an investigator
If required, use the results of your digital forensics in court

FOR308: Digital Forensics Fundamentals Course Topics

Introduction to digital investigation and evidence
Where to find digital evidence
Digital forensics principles
Digital forensics and incident response processes
Digital forensics acquisition
Digital forensics examination and analysis
Presenting your findings
Understanding digital forensic reports
Challenges in digital forensics
Building and developing digital forensics capacity
Legality of digital evidence
How to testify in court

What You Will Receive With This Course

SANS Windows SIFT Workstation

This course uses the SANS Windows DFIR Workstation to teach first responders and forensic analysts how to view, decode, acquire, and understand digital evidence.
DFIR Workstation that contains many free and open-source tools, which we will demonstrate in class and use with many of the hands-on class exercises
Windows 10
VMWare Appliance ready to tackle the fundamentals of digital forensics

Fully working license for 120 days:

SANS DFIR Exercise Workbook

Exercise book with detailed step-by-step instructions and examples to help you master digital forensic fundamentals

Syllabus (36 CPEs)

Download PDF

Overview
The volume of digital information in the world is growing at a scarily fast rate. In fact, 90 percent of the digital data that exists worldwide today was created within the last two years and it's not slowing down with, 2.5 quintillion bytes of new data created each and every day.
If you are investigating any matter, whether it is a crime, an administrative or civil issue, or trying to figure out how your network was compromised, you need evidence. If you are gathering intelligence you need information. The simple reality is that these days the vast majority of potential evidence or information that we can use, whether it is for investigations, court, or intelligence purposes, is digital in nature. To effectively conduct digital investigations, one needs to understand exactly what digital evidence is, where to find it, the issues affecting digital evidence, and the unique challenges facing digital evidence. This will allow one to understand the crucial role that digital forensics plays with regards to digital evidence.
Topics
MODULE 1.1: Understanding Digital Investigation
- Why we need to conduct investigations:
MODULE 1.2: Digital Forensics 101
- The history and evolution of digital forensics
- Defining digital forensics
- The purpose of digital forensics
  - Asking the right questions
- Knowledge, skills and attributes of digital forensics practitioners
- Digital Forensics vs Incident Response vs Threat Hunting
- Digital forensics tools
MODULE 1.3: Digital Evidence Overview
- What is digital evidence?
- The difference between data and metadata
- The nature of digital evidence
- Disk structures
- Data structures
- Data encoding
- The fragility of digital evidence
MODULE 1.4: Sources and Digital Evidence
- Computers and laptops
- Servers
- Virtual machines
- Tablets and mobile devices
- Removable storage media
- RAM
- Network devices and data
- Embedded/IoT devices
- Digital evidence in the Cloud
- ICS/SCADA
- Drones and vehicles
MODULE 1.5: Digital Evidence Challenges
- Device volumes
  - Number of devices per person is increasing
- Data volumes
- Constantly updated operating systems/apps/services
- Device support/locked down devices
  - Android and iOS uptake
- Data corruption and recovery
- IoT devices and acquisition
Overview
Digital forensics is the core set of principles and processes necessary to produce usable digital evidence and uncover critical intelligence
CSI and similar television shows has popularized forensics in the public consciousness and increased awareness of forensics. Digital forensics is the forensic discipline that deals with the preservation, examination and analysis of digital evidence. However, television and movies have created misunderstandings about exactly what digital forensics is and does. As a result, many people interested in forensics have no real understanding about what it entails.
These misperceptions have also seen lawyers that make use of digital evidence in court, investigators that need digital evidence to solve cases, information security practitioners responding to security incidents, and even people conducting digital forensics; making mistakes in relation to digital evidence, which can have negative consequences.
Digital forensics is crucial to ensure accurate and usable digital evidence, but it is important to understand exactly what it is, what it can do, and how it can be used. If you are a user of digital forensics and digital evidence, understanding exactly how digital forensics works will enable you to better make use of digital forensics and digital evidence. If you are a manager or supervisor of a digital forensic capacity, this will help you understand exactly how it should be functioning and how to build and maintain it. Finally, if you are a prospective digital forensics practitioner or an existing one, this will equip you with the fundamental knowledge and skills that form the core of the digital forensic profession.
Topics
MODULES 2.1: Digital Forensics Principles
- ACPO guidelines
- SWGDE guidelines
- Locard's Exchange Principle
- The Inman-Rudin Paradigm
- Classification/individualization
- Association
- Reconstruction
- The philosophy of science and the scientific method
MODULE 2.2: Documentation and Reporting
- Understanding the need for documentation
- Making contemporaneous notes
- Supporting your documentation with evidence
- Maintaining the integrity of your documentation
- Types of documentation
- Investigation authorization and mandates
- Case notes
- Quality assurance documentation
- Tool validation documentation
MODULE 2.3: Quality Assurance in Digital Forensics
- The digital forensics process
- ISO 27043
- The scientific method in digital forensics
- Forensic process in practice
- Validation processes
- Quality assurance
MODULE 2.4: Digital Forensics Challenges
- Rapidly changing technology
- Over reliance on forensic tools
- Commercial vs free and open source tools
- Competency & motivation of practitioners
- Mental health issues
- Ongoing education
- Anti-forensics
Overview
INCIDENT RESPONSE
Incident Response is the core set of principles and processes necessary to allow an organization to successfully respond, react and remediate against potential attack scenarios
Digital forensics deals with the preservation, examination and analysis of digital evidence. However, Incident Response is often the preceding activity that leads to the requirement to conduct a forensic investigation. If not executed properly, the Incident Response processes and team have the ability to inadvertently disrupt or damage subsequent forensic activities. It is therefore a vitally important aspect of an investigation.
The Incident Response team must be adept at recognizing incidents and responding appropriately to collect and preserve evidence, whilst identifying and containing the incident. This same team are also usually involved in Forensic Readiness planning, which defines what evidence may be useful in a number of attack scenarios and ensures that systems are configured to collect and retain this evidence. Evidence that is collected in advance of an investigation can provide vital clues to a digital forensic investigator and when used in addition to subsequently acquired data, can provide insights into what data may have changed during specified periods of time that may be pertinent to the case.
Digital Forensics and Incident Response therefore go hand-in-hand and are often referred to by the acronym DFIR. If you are a prospective or current digital forensics practitioner, understanding exactly how incident response works will enable you better leverage these teams before, during and after investigations to obtain the best and most useful evidence and improve reporting. If you do not plan to build a career in digital forensics, understanding how the Incident Response teams and processes work will demonstrate when and how to engage if you suspect an incident may have occurred and the types of actions on your part that may assist (or impair) any potential investigation, to provide you with the best possible outcome.
Topics
MODULE 3.1: Introduction to Incident Response
- Defining incident response
- Incident response processes and best practice
- Knowledge, skills and attributes of an incident response team
- Legal considerations
- Incident Response tools
MODULE 3.2: Incident Response Standards
- ISO27035 - Security Incident management
- NIST Incident Handling Guide
- Government guidelines
- Templates for policies and plans
MODULE 3.3: Incident Response Challenges
- Lack of suitable preparation
- Over reliance on tools
- Malware, antivirus and anti-forensics
- Sophisticated attacks
Overview
The acquisition of digital evidence is the most critical part of the digital forensics process and as such it must be done right
Acquiring digital evidence is a crucial component in any investigation. Digital forensics is about finding answers, and if we cannot get to the evidence that we need, which is often stored on devices, in memory, on the wire or wireless, or in the Cloud, then we will never be able to get the answers we seek. Getting the digital evidence and selecting the appropriate method to obtain it can mean the difference between success and failure in an investigation.
The acquisition of digital evidence has evolved over the years and the old way of doing it may not always be the best or most effective way of getting the evidence and may actually compromise an investigation. By understanding the various strategies and methods that we have available to us to acquire digital evidence means that informed decisions can be made as to the best method to use to acquire evidence in a given situation or environment.
Topics
MODULE 4.1: Forensic Acquisition Principles and Standards
- Preserving the integrity of digital data
- Minimizing the alteration of digital data
- Copying versus imaging
- Forensic imaging methods
- Write blocking
- Data verification and integrity preservation
  - Hashing
- The forensic acquisition processes
MODULE 4.2: Understanding Forensic Images
- Physical and logical images
- Forensic image formats
- Raw image versus forensic image
MODULE 4.3: Forensics Acquisition Processes
- General rules of acquisition
- Handling and controlling physical evidence
- Addressing encryption
- Acquisition types
MODULES 4.4: Acquisition Challenges
- Available space vs. drive size
- Speed of acquisition vs. available time
- Operating System security
- Encryption
- Acquiring data from the Cloud
- Damage devices
- Unsupported devices
- Legal authority
Overview
The only way to get answers is to ask questions, and the only way to get the right answers is to ask the right questions
The key purpose of digital forensics is to find answers, and it is through the analysis process that digital forensics transforms raw data into either evidence or intelligence that we can use to answer the questions that we need answered. The use of technology is so integral to our day to day activities that it allows us an unprecedented opportunity to reconstruct what has happened in the past, to learn what is happening in the present, and even predict what may happen in the future, all based on the data available to us.
By understanding digital forensic analysis, we can see how we can ask the right questions in our investigations and intelligence efforts, how we can critically examine and analyze the data at hand in a manner that can withstand scrutiny and finally, understand the types of answers we can get.
Topics
MODULE 5.1: What Can Forensic Analysis Prove
- What are the questions that forensic analysis can provide answers for
MODULE 5.2: Planning the Examination
- Understanding what you are investigating
- Identify what artefacts can answer your questions
  - Types and examples of artefacts and techniques
- Kitchen sink vs targeted approach (include triage)
- Documentation
MODULE 5.3: The Art and Science of Forensic Analysis
- Understanding and applying critical thinking in an investigation
- Applying the scientific method to forensic analysis
- Gather information and make observations
- Form a hypothesis to explain observations
- Evaluate the hypothesis
- Draw conclusions
- Hypothesis formulation
- Evaluating hypotheses
MODULE 5.4: Forensic Examination and Analysis Standards
- SWGDE standards
- ISO 27042 guidelines for the analysis and interpretation of digital evidence
MODULE 5.5: Forensic Examination and Analysis Challenges
- Breadth and depth of required knowledge
- Forensic artifact documentation challenges
- Tool capability variation
- Identifying data of interest
- Stakeholder expectations
- Analysis scoping and planning
- Ongoing documentation and notetaking
SECTION 6
DOCUMENTING AND REPORTING IN DIGITAL FORENSICS
It doesn't matter how good your technical skills are, if you are not able to effectively document what you have done and report on your findings in a manner that non-technical people understand, your investigation is on shaky ground
Digital forensics is at its core about getting answers to questions, whether as evidence or intelligence. So, it is important that we can get the answers that we find in our investigations to the right people so that they can make decisions and act on what is found in the digital forensics process.
It is crucial that we are able to effectively communicate these answers to those people who need them, in a manner that is useful to them, and to be able to effectively support our answers. Not only must we be able to effectively communicate, but it is important that the users of these answers understand what our various reports means and how they can use them effectively. Without effective communication and understanding of what is communicated, all effort expended in the digital forensic process is lost.
Topics
MODULE 6.1: Presenting Your Findings
- How to communicate technical concepts to non-technical audiences
- Educating your audience
- Telling the story
- Supporting your narrative with evidence
- Written reports
- Verbal presentations
MODULE 6.2: Legal Evidence
- What is evidence
- The legal requirements for court directed evidence
- Admissibility
- Legal processes to secure evidence
- Consent
- Organizational policy and contractual frameworks
- Reliability of the evidence
  - Integrity
- Relevance
MODULE 6.3: Testifying in Court
- Understanding the court process
- Technical versus expert witnesses
- The responsibility of a witness
- The testifying process
- How to be an effective witness
Overview
Good management of a digital forensic or incident response team is key in allowing an organization to successfully respond to potential attack scenarios and investigate digital evidence
Management of a DFIR team is crucial to the success or failure of investigations. This includes suitably preparing the team and environment, providing support throughout each case, escalating issues as required, as well as conducting reviews and providing regular feedback. If sufficient management support is not in place at any stage in the lifecycle of an investigation, it may not be possible to proceed, or insufficient analysis may be conducted. Understanding how to build, manage and prepare a DFIR capability is essential.
Digital Forensic Readiness is the key element in preparation to allow an organization to successfully respond to potential attack scenarios and investigate digital evidence. Digital forensic readiness acknowledges and defines the tools, processes and resources that must be in place to allow an organization to suitably deal with Digital Forensic investigations and Incident Response cases. If Readiness policies and processes are not defined properly, digital evidence may be unsuitable or may not be available when required, which can hinder or entirely prevent an investigation. It is therefore a vitally important aspect of pre-investigation planning.
MODULE 7.1: Introduction to Forensic Readiness
- Defining forensic readiness
- Differences between forensic readiness and incident response
MODULE 7.2: The need for Forensic Readiness
- Use of digital evidence in organizations
- Forensic readiness and ISO standards
- Legislation and regulation
- Benefits of forensic readiness
MODULE 7.3: Building and Managing a DFIR Capacity
- Building a business case for digital forensics and incident response
- DFIR service models
- Building a DFIR capacity
- Selecting team members
- Managing a DFIR capacity
DIGITAL FORENSICS CHALLENGE
Consolidation of the skills and knowledge learned throughout the course with a hands-on challenge
The best consolidation of new skills and knowledge is through practice. On day 6, you will have the option to undertake an individual hands-on challenge that makes use of the SANS virtual cyber range. Your digital forensics skills are put to the test with a variety of scenarios involving mounting evidence, identifying data and metadata, decoding data and decrypting data. Knowledge of digital forensics and incident response processes and standards will also be tested when answering scoring server questions, to compete for the FOR308 Challenge Coin. These challenged strengthen the studentâ€™s understanding of digital evidence, digital forensics, and incident response fundamentals, and provide a learning opportunity where more practice on specific skills may be useful.
Topics
- Data and metadata
- Converting data
- Decoding data
- Decrypting data
- Identifying file types
- Mounting evidence
- Hashing data
- Digital forensics and incident response processes
- Digital forensics and incident response standards
- Documentation and reporting
The students who score the highest on the digital forensics fundamentals challenge will be awarded the coveted SANS Digital Forensics Lethal Forensicator Coin. Game on!

Prerequisites

None.

FOR308 is an introductory digital forensics course that addresses core digital forensics principles, processes and knowledge.

If you wish to become a digital forensics or incident response practitioner, we recommend that you follow up this course with one or more of the following SANS courses: FOR500, FOR508, FOR518, FOR585, or FOR572.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY FOR308 SYSTEM HARDWARE REQUIREMENTS

CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
8GB of RAM or more is required.
200GB of free storage space or more is required.
Bring an additional USB drive of at least 4GB.
At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

MANDATORY FOR308 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
Microsoft Office (any version) or OpenOffice installed on your host. Note that you can download Office Trial Software online (free for 30 days).
Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org

Author Statement

"Digital Forensics sounds like a really cool and exciting specialist field of expertise, and whilst many people choose to build up their knowledge and experience over many years to become specialists, it is also very much applicable to everyone who uses a computer, or a smartphone, or owns a home assistant. The vast majority of jobs in the developed world now involve the use of some form of computer. It is tremendously beneficial for users to understand how their data is being stored on those systems, the fact that deleted files may be recoverable and steps they can take to improve their odds of successful recovery, as well as how to recognize and respond to any incidents they may encounter on their systems and understand when to call in the experts.

Whether you're interested in getting into the field of Digital Forensics, or you'd just like to understand more about the systems you use on a daily basis, without any prerequisite knowledge required, FOR308 will introduce you to data, how to find it, acquire it, preserve it and most importantly, how to understand it" - Kathryn Hedley

"I have been teaching digital forensics around the world for several years for the SANS Institute, and not a single class went by where I was not being asked questions by my students about areas that I considered essential digital forensic topics, such as how to structure an investigation, how core digital forensics processes work, how to write a digital forensics report, how to testify in court, the legal issues that impact on digital evidence, and so many more topics. These have not been topics we have traditionally covered within the SANS DFIR faculty. I realized that to develop fully rounded digital forensic practitioners we would need to cover these essential areas, to fill in the gaps, so to speak. This was also an opportunity to provide an introduction to digital forensics and digital evidence, not only people embarking on a digital forensics career, but to lawyers and investigators dealing with digital evidence, to managers managing digital forensics capacity in their organizations, and anyone interested in the field of digital forensics.

You can't build a house without a foundation, and this course provides that essential foundation for a career in digital forensics" - Jason Jordaan

"Digital forensics is a specialist skill the requires a solid understanding of the technical working of devices, operating systems, file systems, and applications. Typically, these examinations are going to be one component within a greater overall investigation which is where FOR308 comes in. At SANS we have trained some of the best and brightest for decades. Specifically, in digital forensics we teach students every day how to be amazing forensicators; how to understand the underlying data to process, parse, and present digital information for technical audiences. This class however will bring you right back to basics, because the fundamentals are key. The skills and processes taught in this course are applicable across the rest of the DFIR curriculum; whether you're managing a DFIR capability, getting into the field, or just need to understand how it all fits together. This class will set you up with the tools that you need to understand the processes and procedures involved from start to finish" - Phill Moore

"Kathryn and Phil are great instructors and the material was clearly presented. All this made an enjoyable experience for me." - FOR308 student

Ways to Learn

OnDemand

Cybersecurity learning – at YOUR pace! OnDemand provides unlimited access to your training wherever, whenever. All labs, exercises, and live support from SANS subject matter experts included.

Who Should Attend FOR308?

Federal Agents and Law Enforcement Officers who want to learn the fundamentals of digital forensics, or who are starting out in digital forensics, or who are responsible for managing digital forensics units, or what to know how digital evidence can be used in investigations and other law enforcement operations.
Digital Forensic Analysts who want to consolidate and expand their understanding of the fundamentals of digital forensics as a discipline.
Information Security Professionals who want to understand the fundamentals of digital forensics and how to leverage this in their operational environments.
Legal Professionals who need to understand digital forensics, the role it can play in proving a matter in court, the various uses of digital evidence, and the relationship between digital forensics and digital evidence.
Military and Intelligence Operators who need to understand the role of digital investigation and intelligence gathering, and how digital forensics can enhance their missions.
HR Professionals that may have to rely on digital forensics and evidence in internal investigations of staff misconduct.
Managers and Executives who need to understand what digital forensics can do for their organizations and the critical role that it can play in securing their organization.
Anyone interested in digital forensics, whether or not they are considering a career in this field.

NICE Framework Work Roles:

Cyber Crime Investigator (OPM 221)
Cyber Defense Forensics Analyst (OPM 212)
Law Enforcement /CounterIntelligence Forensics Analyst (OPM 211)

"The course contains good theory mixed with real-life examples."

- Waldemar Blakely, DHS

See prerequisites

Need to justify a training request to your manager?

Use this justification letter template to share the key details of this training and certification opportunity with your boss.

Download the Letter

Reviews

Gives a wonderful overview of the digital forensics field - ideal for beginners!

Isabelle Rudolf

City Police Zurich

FOR308 is packed with technical information and covers aspects necessary for those taking their first steps in the digital forensics as well as those who think about leading teams in the field. An overall good balance of theory to practice, delivered in a very professional manner.

Wiktor Kardacki

6point5

FOR308 was valuable as it filled in many gaps in my experience and it set a good foundation of the basics to which I can build upon, I enjoyed the acquisition, and validation section.

Carla Dawn

FOR308 student

Display times in

Africa/Abidjan

Africa/Accra

Africa/Addis Ababa

Africa/Algiers

Africa/Asmara

Africa/Asmera

Africa/Bamako

Africa/Bangui

Africa/Banjul

Africa/Bissau

Africa/Blantyre

Africa/Brazzaville

Africa/Bujumbura

Africa/Cairo

Africa/Casablanca

Africa/Ceuta

Africa/Conakry

Africa/Dakar

Africa/Dar es Salaam

Africa/Djibouti

Africa/Douala

Africa/El Aaiun

Africa/Freetown

Africa/Gaborone

Africa/Harare

Africa/Johannesburg

Africa/Juba

Africa/Kampala

Africa/Khartoum

Africa/Kigali

Africa/Kinshasa

Africa/Lagos

Africa/Libreville

Africa/Lome

Africa/Luanda

Africa/Lubumbashi

Africa/Lusaka

Africa/Malabo

Africa/Maputo

Africa/Maseru

Africa/Mbabane

Africa/Mogadishu

Africa/Monrovia

Africa/Nairobi

Africa/Ndjamena

Africa/Niamey

Africa/Nouakchott

Africa/Ouagadougou

Africa/Porto-Novo

Africa/Sao Tome

Africa/Timbuktu

Africa/Tripoli

Africa/Tunis

Africa/Windhoek

America/Adak

America/Anchorage

America/Anguilla

America/Antigua

America/Araguaina

America/Argentina/Buenos Aires

America/Argentina/Catamarca

America/Argentina/ComodRivadavia

America/Argentina/Cordoba

America/Argentina/Jujuy

America/Argentina/La Rioja

America/Argentina/Mendoza

America/Argentina/Rio Gallegos

America/Argentina/Salta

America/Argentina/San Juan

America/Argentina/San Luis

America/Argentina/Tucuman

America/Argentina/Ushuaia

America/Aruba

America/Asuncion

America/Atikokan

America/Atka

America/Bahia

America/Bahia Banderas

America/Barbados

America/Belem

America/Belize

America/Blanc-Sablon

America/Boa Vista

America/Bogota

America/Boise

America/Buenos Aires

America/Cambridge Bay

America/Campo Grande

America/Cancun

America/Caracas

America/Catamarca

America/Cayenne

America/Cayman

America/Chicago

America/Chihuahua

America/Coral Harbour

America/Cordoba

America/Costa Rica

America/Creston

America/Cuiaba

America/Curacao

America/Danmarkshavn

America/Dawson

America/Dawson Creek

America/Denver

America/Detroit

America/Dominica

America/Edmonton

America/Eirunepe

America/El Salvador

America/Ensenada

America/Fort Nelson

America/Fort Wayne

America/Fortaleza

America/Glace Bay

America/Godthab

America/Goose Bay

America/Grand Turk

America/Grenada

America/Guadeloupe

America/Guatemala

America/Guayaquil

America/Guyana

America/Halifax

America/Havana

America/Hermosillo

America/Indiana/Indianapolis

America/Indiana/Knox

America/Indiana/Marengo

America/Indiana/Petersburg

America/Indiana/Tell City

America/Indiana/Vevay

America/Indiana/Vincennes

America/Indiana/Winamac

America/Indianapolis

America/Inuvik

America/Iqaluit

America/Jamaica

America/Jujuy

America/Juneau

America/Kentucky/Louisville

America/Kentucky/Monticello

America/Knox IN

America/Kralendijk

America/La Paz

America/Lima

America/Los Angeles

America/Louisville

America/Lower Princes

America/Maceio

America/Managua

America/Manaus

America/Marigot

America/Martinique

America/Matamoros

America/Mazatlan

America/Mendoza

America/Menominee

America/Merida

America/Metlakatla

America/Mexico City

America/Miquelon

America/Moncton

America/Monterrey

America/Montevideo

America/Montreal

America/Montserrat

America/Nassau

America/New York

America/Nipigon

America/Nome

America/Noronha

America/North Dakota/Beulah

America/North Dakota/Center

America/North Dakota/New Salem

America/Nuuk

America/Ojinaga

America/Panama

America/Pangnirtung

America/Paramaribo

America/Phoenix

America/Port-au-Prince

America/Port of Spain

America/Porto Acre

America/Porto Velho

America/Puerto Rico

America/Punta Arenas

America/Rainy River

America/Rankin Inlet

America/Recife

America/Regina

America/Resolute

America/Rio Branco

America/Rosario

America/Santa Isabel

America/Santarem

America/Santiago

America/Santo Domingo

America/Sao Paulo

America/Scoresbysund

America/Shiprock

America/Sitka

America/St Barthelemy

America/St Johns

America/St Kitts

America/St Lucia

America/St Thomas

America/St Vincent

America/Swift Current

America/Tegucigalpa

America/Thule

America/Thunder Bay

America/Tijuana

America/Toronto

America/Tortola

America/Vancouver

America/Virgin

America/Whitehorse

America/Winnipeg

America/Yakutat

America/Yellowknife

Antarctica/Casey

Antarctica/Davis

Antarctica/DumontDUrville

Antarctica/Macquarie

Antarctica/Mawson

Antarctica/McMurdo

Antarctica/Palmer

Antarctica/Rothera

Antarctica/South Pole

Antarctica/Syowa

Antarctica/Troll

Antarctica/Vostok

Arctic/Longyearbyen

Asia/Aden

Asia/Almaty

Asia/Amman

Asia/Anadyr

Asia/Aqtau

Asia/Aqtobe

Asia/Ashgabat

Asia/Ashkhabad

Asia/Atyrau

Asia/Baghdad

Asia/Bahrain

Asia/Baku

Asia/Bangkok

Asia/Barnaul

Asia/Beirut

Asia/Bishkek

Asia/Brunei

Asia/Calcutta

Asia/Chita

Asia/Choibalsan

Asia/Chongqing

Asia/Chungking

Asia/Colombo

Asia/Dacca

Asia/Damascus

Asia/Dhaka

Asia/Dili

Asia/Dubai

Asia/Dushanbe

Asia/Famagusta

Asia/Gaza

Asia/Harbin

Asia/Hebron

Asia/Ho Chi Minh

Asia/Hong Kong

Asia/Hovd

Asia/Irkutsk

Asia/Istanbul

Asia/Jakarta

Asia/Jayapura

Asia/Jerusalem

Asia/Kabul

Asia/Kamchatka

Asia/Karachi

Asia/Kashgar

Asia/Kathmandu

Asia/Katmandu

Asia/Khandyga

Asia/Kolkata

Asia/Krasnoyarsk

Asia/Kuala Lumpur

Asia/Kuching

Asia/Kuwait

Asia/Macao

Asia/Macau

Asia/Magadan

Asia/Makassar

Asia/Manila

Asia/Muscat

Asia/Nicosia

Asia/Novokuznetsk

Asia/Novosibirsk

Asia/Omsk

Asia/Oral

Asia/Phnom Penh

Asia/Pontianak

Asia/Pyongyang

Asia/Qatar

Asia/Qostanay

Asia/Qyzylorda

Asia/Rangoon

Asia/Riyadh

Asia/Saigon

Asia/Sakhalin

Asia/Samarkand

Asia/Seoul

Asia/Shanghai

Asia/Singapore

Asia/Srednekolymsk

Asia/Taipei

Asia/Tashkent

Asia/Tbilisi

Asia/Tehran

Asia/Tel Aviv

Asia/Thimbu

Asia/Thimphu

Asia/Tokyo

Asia/Tomsk

Asia/Ujung Pandang

Asia/Ulaanbaatar

Asia/Ulan Bator

Asia/Urumqi

Asia/Ust-Nera

Asia/Vientiane

Asia/Vladivostok

Asia/Yakutsk

Asia/Yangon

Asia/Yekaterinburg

Asia/Yerevan

Atlantic/Azores

Atlantic/Bermuda

Atlantic/Canary

Atlantic/Cape Verde

Atlantic/Faeroe

Atlantic/Faroe

Atlantic/Jan Mayen

Atlantic/Madeira

Atlantic/Reykjavik

Atlantic/South Georgia

Atlantic/St Helena

Atlantic/Stanley

Australia/ACT

Australia/Adelaide

Australia/Brisbane

Australia/Broken Hill

Australia/Canberra

Australia/Currie

Australia/Darwin

Australia/Eucla

Australia/Hobart

Australia/LHI

Australia/Lindeman

Australia/Lord Howe

Australia/Melbourne

Australia/NSW

Australia/North

Australia/Perth

Australia/Queensland

Australia/South

Australia/Sydney

Australia/Tasmania

Australia/Victoria

Australia/West

Australia/Yancowinna

Brazil/Acre

Brazil/DeNoronha

Brazil/East

Brazil/West

CET

CST6CDT

Canada/Atlantic

Canada/Central

Canada/Eastern

Canada/Mountain

Canada/Newfoundland

Canada/Pacific

Canada/Saskatchewan

Canada/Yukon

Chile/Continental

Chile/EasterIsland

Cuba

EET

EST

EST5EDT

Egypt

Eire

Etc/GMT

Etc/GMT+0

Etc/GMT+1

Etc/GMT+10

Etc/GMT+11

Etc/GMT+12

Etc/GMT+2

Etc/GMT+3

Etc/GMT+4

Etc/GMT+5

Etc/GMT+6

Etc/GMT+7

Etc/GMT+8

Etc/GMT+9

Etc/GMT-0

Etc/GMT-1

Etc/GMT-10

Etc/GMT-11

Etc/GMT-12

Etc/GMT-13

Etc/GMT-14

Etc/GMT-2

Etc/GMT-3

Etc/GMT-4

Etc/GMT-5

Etc/GMT-6

Etc/GMT-7

Etc/GMT-8

Etc/GMT-9

Etc/GMT0

Etc/Greenwich

Etc/UCT

Etc/UTC

Etc/Universal

Etc/Zulu

Europe/Amsterdam

Europe/Andorra

Europe/Astrakhan

Europe/Athens

Europe/Belfast

Europe/Belgrade

Europe/Berlin

Europe/Bratislava

Europe/Brussels

Europe/Bucharest

Europe/Budapest

Europe/Busingen

Europe/Chisinau

Europe/Copenhagen

Europe/Dublin

Europe/Gibraltar

Europe/Guernsey

Europe/Helsinki

Europe/Isle of Man

Europe/Istanbul

Europe/Jersey

Europe/Kaliningrad

Europe/Kiev

Europe/Kirov

Europe/Lisbon

Europe/Ljubljana

Europe/London

Europe/Luxembourg

Europe/Madrid

Europe/Malta

Europe/Mariehamn

Europe/Minsk

Europe/Monaco

Europe/Moscow

Europe/Nicosia

Europe/Oslo

Europe/Paris

Europe/Podgorica

Europe/Prague

Europe/Riga

Europe/Rome

Europe/Samara

Europe/San Marino

Europe/Sarajevo

Europe/Saratov

Europe/Simferopol

Europe/Skopje

Europe/Sofia

Europe/Stockholm

Europe/Tallinn

Europe/Tirane

Europe/Tiraspol

Europe/Ulyanovsk

Europe/Uzhgorod

Europe/Vaduz

Europe/Vatican

Europe/Vienna

Europe/Vilnius

Europe/Volgograd

Europe/Warsaw

Europe/Zagreb

Europe/Zaporozhye

Europe/Zurich

GB-Eire

GMT

GMT+0

GMT-0

GMT0

Greenwich

HST

Hongkong

Iceland

Indian/Antananarivo

Indian/Chagos

Indian/Christmas

Indian/Cocos

Indian/Comoro

Indian/Kerguelen

Indian/Mahe

Indian/Maldives

Indian/Mauritius

Indian/Mayotte

Indian/Reunion

Iran

Israel

Jamaica

Japan

Kwajalein

Libya

MET

MST

MST7MDT

Mexico/BajaNorte

Mexico/BajaSur

Mexico/General

NZ-CHAT

Navajo

PRC

PST8PDT

Pacific/Apia

Pacific/Auckland

Pacific/Bougainville

Pacific/Chatham

Pacific/Chuuk

Pacific/Easter

Pacific/Efate

Pacific/Enderbury

Pacific/Fakaofo

Pacific/Fiji

Pacific/Funafuti

Pacific/Galapagos

Pacific/Gambier

Pacific/Guadalcanal

Pacific/Guam

Pacific/Honolulu

Pacific/Johnston

Pacific/Kiritimati

Pacific/Kosrae

Pacific/Kwajalein

Pacific/Majuro

Pacific/Marquesas

Pacific/Midway

Pacific/Nauru

Pacific/Niue

Pacific/Norfolk

Pacific/Noumea

Pacific/Pago Pago

Pacific/Palau

Pacific/Pitcairn

Pacific/Pohnpei

Pacific/Ponape

Pacific/Port Moresby

Pacific/Rarotonga

Pacific/Saipan

Pacific/Samoa

Pacific/Tahiti

Pacific/Tarawa

Pacific/Tongatapu

Pacific/Truk

Pacific/Wake

Pacific/Wallis

Pacific/Yap

Poland

Portugal

ROC

ROK

Singapore

Turkey

UCT

US/Alaska

US/Aleutian

US/Arizona

US/Central

US/East-Indiana

US/Eastern

US/Hawaii

US/Indiana-Starke

US/Michigan

US/Mountain

US/Pacific

US/Samoa

UTC

Universal

W-SU

WET

Zulu

Train and Certify

Manage Your Team

Security Awareness

Resources

Get Involved

About

FOR308: Digital Forensics Essentials

Course Authors:

Kathryn Hedley

Jason Jordaan

Phill Moore

What You Will Learn

Syllabus (36 CPEs)

Overview

Topics

Overview

Topics

Overview

Topics

Overview

Topics

Overview

Topics

Overview

Topics

Prerequisites

Laptop Requirements

Author Statement

Ways to Learn

Who Should Attend FOR308?

Need to justify a training request to your manager?

Reviews

Filters:

Register for FOR308

Loading...

FOR308: Digital Forensics Essentials

Course Authors:

Kathryn Hedley

Jason Jordaan

Phill Moore

What You Will Learn

Syllabus (36 CPEs)

Overview

Topics

Overview

Topics

Overview

Topics

Overview

Topics

Overview

Topics

Overview

Topics

Prerequisites

Laptop Requirements

Author Statement

Ways to Learn

Who Should Attend FOR308?

Need to justify a training request to your manager?

Related Programs

Reviews

Filters:

Register for FOR308

Loading...