Digital Forensics Basics

Intermediate

Learn the fundamentals of digital forensics. Practice bit-by-bit imaging with dd, perform file carving with Foremost to recover deleted data, and analyze metadata to build incident timelines.

Learn digital forensics basics by working with the kinds of artifacts investigators rely on after a compromise. When a system is wiped, altered, or partially destroyed, the investigation depends on preserving evidence correctly and extracting useful data from what remains. This course teaches you how to image storage, recover deleted material, analyze metadata, and build an evidence-driven timeline from compromised files.

Why It Matters

Forensics is not just about finding interesting files. It is about preserving evidence integrity, recovering data without contaminating the source, and extracting enough context to explain what happened. Those habits matter in incident response, legal review, and post-breach analysis.

This course focuses on foundational disk forensics workflows. You will create bit-level images, recover deleted content from raw data, inspect file metadata, and use those techniques together in a realistic investigation scenario.

What You Will Learn

  • Create and verify forensic images without altering original evidence.
  • Recover deleted or hidden files from raw storage data.
  • Extract metadata from documents and images to support timeline analysis.
  • Understand how file artifacts contribute to incident reconstruction.
  • Investigate compromised storage evidence with a more disciplined forensic process.

Course Roadmap

  • Forensic Imaging with dd: Create trusted raw copies of evidence and verify integrity with hashes.
  • File Carving and Recovery: Recover deleted material from disk images using carving techniques.
  • Analyzing File Metadata: Extract hidden contextual clues from recovered files with tools such as ExifTool.
  • The Forensic Investigator Challenge: Apply imaging, recovery, and metadata analysis in a compromised system investigation.

Who This Course Is For

  • Learners entering digital forensics and incident response workflows.
  • Security analysts who need stronger evidence-handling fundamentals.
  • Defenders who want a practical introduction to disk artifact recovery and timeline building.

Outcomes

By the end of this course, you will be able to preserve disk evidence correctly, recover useful forensic artifacts, and use metadata and recovered files to build a clearer picture of attacker activity.

Teacher

Labby
Labby is the LabEx teacher.