Course not currently available

Digital Forensics using Open Source Tools

Short course

In Bedfordshire

Price on request

Description

  • Type: Short course

Course structure

A one-week course with a substantial number of practical sessions in a dedicated forensic computing lab. The sessions will be taught by a variety of lecturing staff with both academic and practitioner-based backgrounds.


Subjects

  • Linux

Course programme

What you will learn

On successful completion of this course, those attending should be able to:

  • Compare and contrast the primary operating system platform choices from a forensic examination perspective
  • Summarise and compare the range and capability of relevant tools available in the open source community
  • Use and navigate a Linux system
  • Apply standard Linux features, including the command shell and core utilities, to manage data and files in a forensic examination
  • Securely and efficiently transfer data to and from a Linux system
  • Apply core open-source forensic tools to forensic examinations
  • Construct a complete forensic processing chain from open-source components, and assess its suitability for a forensic examination.

Core content

  • Linux kernels, distributions, graphical environments
  • Unix platforms
  • Licensing and support
  • Installing and configuring Linux and Linux applications
  • File system layout, system management and security concepts
  • Accessing devices, partitions, and file systems
  • Using a desktop (GUI) environment, and common desktop applications
  • Using the shell and common command-line utilities
  • Import, export, and cloning of disk images
  • Working with split, compressed or encrypted images
  • Advanced Forensic Format (AFF) – extensible open format for forensic image data
  • Standard Unix features for data management and analysis
  • Tools for basic process functions, such as viewing, converting, cryptographic hashing
  • Identification and acquisition of disks and partitions
  • Search concepts, including grep, find, and regular expressions
  • NSRL known-good databases for file exclusion
  • Analysis and carving tools
  • Identifying and using open source tools
  • Using scripting to automate processes and combine tools
  • Forensic issues within the workflow, including repeatability and validity
  • Managing and preserving evidence.
