Laboratory Exercise: Introduction to Forensics Capstone Exercise Updated!

This exercise provides hands-on experience applying all concepts learned during the Introduction to Digital Forensics Module.  Students will use tools on the SANS SIFT Workstation Linux distribution to examine various artifacts as part of a capstone exercise.

Faculty Instructions

Resources required

This lab exercise requires a virtual machine running the SANS SIFT Linux distribution (or another Linux system with similar tools).  This exercise may be completed using Virginia Cyber Range resources or a standalone computer.

Virginia Cyber Range Instructions

If you are using the Virginia Cyber Range Linux VM, this lab exercise requires an account on The Range.  To sign up for an account on The Range, please visit our Sign-Up page.  Your students will also require an account on the Virginia Cyber Range; this will be explained in the setup of your course.

The following filesystem image is provided in the Range for this exercise and other exercises in this module:

  • Win7_Laptop.tar.gz
  • Vista_WS.tar.gz

Virtual Environment: This exercise uses an Ubuntu virtual machine that has been configured as a SANS Investigate Forensic Toolkit (SIFT) workstation (https://digital-forensics.sans.org/community/downloads), as well as partial Windows filesystem images and a memory image needed to complete the capstone exercise tasks.

Standalone Computer Instructions

If you are not using the Virginia Cyber Range virtual machine created for this module, the above files can be downloaded from the Virginia Cyber Range at the following URL.




Documentation for the SANS SIFT workstation and installed tools can be found in the document: https://media.readthedocs.org/pdf/sift/latest/sift.pdf

Introduction to Forensics Capstone Exercise

Log In
to download materials

* NICE Cybersecurity Workforce Framework KSAs Addressed
  • K0001: * Knowledge of computer networking concepts and protocols, and network security methodologies.
  • K0117: Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).
  • K0118: Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody).
  • K0122: Knowledge of investigative implications of hardware, Operating Systems, and network technologies.
  • K0123: Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence).
  • K0125: Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
  • K0128: Knowledge of types and collection of persistent data.
  • K0129: Knowledge of Unix command line (e.g., mkdir, mv, ls, passwd, grep).
  • K0133: Knowledge of types of digital forensics data and how to recognize them.
  • K0134: Knowledge of deployable forensics.
  • K0185: Knowledge of common forensics tool configuration and support applications (e.g., VMWare, WIRESHARK).
  • K0573: Knowledge of the fundamentals of digital forensics in order to extract actionable intelligence.
  • S0065: Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).
  • S0202: Skill in data mining techniques (e.g., searching file systems) and analysis.
* NSA/DHS Center of Excellence (CAE) KUs Addressed
  • Digital Forensics (DFS)
  • Host Forensics (HOF)
  • Media Forensics (MEF)
  • Network Forensics (NWF)

* Most courseware content maps to NIST NICE Cybersecurity Workforce Framework (NCWF) Knowledge, Skills, and Abilities (KSAs) and/or NSA/DHS CAE Knowledge Units (KUs). For more information on KSAs and KUs, please visit:

KSAs: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf

KUs: https://www.iad.gov/NIETP/documents/Requirements/CAE-CD_2019_Knowledge_Units.pdf