Introduction to Digital Forensics

7 Lessons

This module on digital forensics will familiarize you with forensics terminology and approaches, along with hands-on experience with a variety of forensic tools used by investigators to conduct incident response, find evidence of criminal behavior, and examine the effects of malware infection. The module will focus on Windows forensics and will use a Linux-based forensic workstation for hands-on analysis. Tools for conducting forensic examinations using a Windows system will also be introduced. You should leave this workshop with a good understanding of the tools and techniques used to conduct forensic examinations of digital systems.

Learning Objectives
  • Understand what digital forensics is and how it can be used to solve computer crimes, identify improper use of computer systems, identify sources and methods of system intrusion, and troubleshoot systems
  • Describe what types of evidence can be collected and what types of digital artifact can be extracted from a target system
  • Apply basic legal concepts related to digital forensics and evidence collection
  • Describe a basic forensics process and methodology
  • List the tools and processes used to create bitwise images of hard drives for forensic analysis
  • Demonstrate the ability to use forensics tools and analyzing artifacts such as Windows filesystems, the Windows registry, memory images, Windows logs, and (optionally) network packet captures.
Faculty Instructions

This module can be used over several lessons or can be used as a 1.5 to 2 day Intro to Digital Forensics workshop. To squeeze it in to one day, you can drop the Network Forensics lesson and the Capstone Exercise and let students complete those tasks on their own.

The Network Forensics lesson is stand-alone with its own resources and is not included in the capstone event, so it can be safely dropped from this module in the interest of reducing the length. That would bring the total lesson count down as low as 5, as follows.

  1. Introduction to Forensics
  2. Windows Filesystem and Browser Forensics
  3. Windows Registry Forensics
  4. Memory Forensics
  5. Windows Logs and Log Analysis

Options for providing resources for hands-on exercises:

1. Virginia Cyber Range

The easiest and most reliable way to make the hands-on environment for this module available to students is using the Virginia Cyber Range. If you don’t already have an instructor account on the range, request an account here. Details on the virtual environment for “Introduction to Digital Forensics” authored by David Raymond are described on the LABORATORY ENVIRONMENT: INTRODUCTION TO FORENSICS page.

2. Local virtualization

This module uses the SANS SIFT Forensics Workstation, a Linux workstation provided for free by the SANS Institute. It is available as a VMWare image from this link:, or you can install over a fresh Ubuntu 14.04 system using these instructions.

  1. Download Ubuntu 14.04 ISO file and install Ubuntu 14.04 on any system. ->
  2. Once installed, open a terminal and run "wget --quiet -O - | sudo bash -s -- -i -s -y"
  3. Congrats -- you now have a SIFT workstation!!

If you would rather create your own virtual machine instead of using the SIFT workstation, the tools used in this module follow.

  • Firefox web browser with SQLite add-on.
  • RegRipper ( – Windows registry analysis
  • bless hex editor
  • Volatility Framework ( – memory image analysis
  • Rekall Framework (rekal) – memory image analysis
  • evtinfo/evtxinfo – Windows event log analysis
  • evtexport/evtxexport – convert log files to readable format
  • tcpdump/Wireshark – network packet analysis
  • ngrep – search for strings in packet capture files

All artifacts required for completion of the hands-on portions of these lessons are available in the courseware repository.  Required files/artifacts can be downloaded using a web browser and clicking on each link below:

These files can be downloaded using a web browser as follows:


  • For example:

On a linux system you can use wget or curl to download these files.

Introduction to Digital Forensics Module Description

Log In
to download materials

* NICE Cybersecurity Workforce Framework KSAs Addressed
  • K0001: * Knowledge of computer networking concepts and protocols, and network security methodologies.
  • K0117: Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).
  • K0118: Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody).
  • K0122: Knowledge of investigative implications of hardware, Operating Systems, and network technologies.
  • K0123: Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence).
  • K0125: Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
  • K0128: Knowledge of types and collection of persistent data.
  • K0129: Knowledge of Unix command line (e.g., mkdir, mv, ls, passwd, grep).
  • K0133: Knowledge of types of digital forensics data and how to recognize them.
  • K0134: Knowledge of deployable forensics.
  • K0185: Knowledge of common forensics tool configuration and support applications (e.g., VMWare, WIRESHARK).
  • K0573: Knowledge of the fundamentals of digital forensics in order to extract actionable intelligence.
  • S0065: Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).
  • S0202: Skill in data mining techniques (e.g., searching file systems) and analysis.
* NSA/DHS Center of Excellence (CAE) KUs Addressed
  • Digital Forensics
  • Host Forensics
  • Media Forensics
  • Network Forensics

* Most courseware content maps to NIST NICE Cybersecurity Workforce Framework (NCWF) Knowledge, Skills, and Abilities (KSAs) and/or NSA/DHS CAE Knowledge Units (KUs). For more information on KSAs and KUs, please visit: