Post on 20-Apr-2018


Digital Forensics Technician Core Competency Series

+44 (0)247 77 17780 [email protected] www.intaforensics.com/training

Core Series

Training

Introduction

IntaForensics are one of the UK’s leading Digital Forensic service providers operating from four state-of-the-art facilities, providing UK-wide coverage. We hold certification in ISO 9001:2015 and hold accreditation in ISO/IEC 27001:2013 and ISO/IEC 17025:2005 standards. We design our services to provide an unparalleled forensic service in terms of both capacity and capability.

Our expert team is built from a wide variety of backgrounds including Police Forces, Counter-Terrorism Units, commercial service providers, the legal sector and academia. Throughout our ten years of operation, IntaForensics has established a robust and effective staff development program using bespoke internal training programs.

The ethos of our DF Technician Training is simple – to deliver confident and competent work-ready staff. This is achieved through blending technical and non-technical training aligned specifically to a role’s tasks and workflow. A proven training solution that IntaForensics are now offering to UK Law Enforcement and Government partners.

With our exciting new expansions and the addition of a world-class training centre in Stafford, IntaForensics are now an authorised training partner and training centre to vendor-neutral certification bodies including CompTIA, EC-Council and IAPP.

Why Learn With Us

We understand that every laboratory has developed and operates differently. Drawing upon our detailed experience of working with most UK Police Forces, Government bodies and private industry, our training delivery is designed to align with your ongoing operations and requirements. We have developed our core training elements with Quality Management processes in mind. The skills attained in the DF Technician course will allow students to commence their life in the digital forensic laboratory with not only hands-on technical experience of forensic imaging and mobile device extraction, but also an understanding of life in an environment governed by ISO/IEC 17025:2005 standards.

As digital forensic practitioners ourselves, we have designed the learning objectives and course content around our own Standard Operating Procedures and staff competencies.

The syllabus is carefully designed to provide a realistic technical overview so that students can be work ready quickly, efficiently and cost effectively.

IntaForensics have assembled a team of industry experts with decades of combined digital forensics, management and training experience. We are proud to add Dr Chris Hargreaves, Dr David Day, John McAdam, Chris Jackson, Lee Major and Neil Richardson to our growing list of course tutors.

Key Benefits

DF Technician is an entry-level course designed to reduce the time and cost of on-boarding staff into Technician and Imaging roles within digital forensic laboratories. Through blending in-depth theory and practical hands-on skills, our training will:

• Reduce the cost of staff on-boarding - reduce the number of separate courses an individual must take and reduce the mentoring requirement of established staff;

• Reduce the time taken for staff to be operationally ready and working on live cases;

• Improve the overall consistency of training - once tailored, your bespoke training package can be delivered to future staff members and you can be assured that all staff have trained consistently;

• Improve the competence of staff. We are certain that our training offers unparalleled depth and scope in the field of digital forensics and will improve the ability of your staff to operate;

• Hands-On Experience – our courses are based around utilising knowledge in real-world examples. From exhibit handling to live data capture our practical classes are led by experienced practitioners who will guide and provide valuable insight of all processes;

• Staff Competency Accreditation – our courses are designed to complement ongoing professional development and satisfy accreditation requirements. Progressive courses include:

  • Digital Forensic – Examination and Investigation Core Skills (DF-EICS)

  • Digital Forensic – Laboratory Management Core Skills (DF-LMCS)


Course Content

DF Technician is a five-day classroom and laboratory based course that is hosted at our secure, state-of-the-art facility in Stafford. The course comprises theory, demonstrations and hands-on practical exercises and assessments, with a bound workbook containing all the course material provided and access to our industry experts.


Unit 1 - Exhibit Handling

At the conclusion of this module, students will be able to:

• Understand the principles of how items are lawfully seized, examined and how forensic processes provide admissibility of evidence in court

• Explain the record keeping and chain of custody requirements for handling evidence

• Explain the forensic considerations of handling mobile devices including network isolation

• Demonstrate the recording, photographing and “pre-imaging” of computer and mobile phone exhibits


Unit 2 - Laboratory Procedures

At the conclusion of this module, students will be able to:

• Understand why digital forensic laboratories were first established and the various functions they now perform

• Explain how a case progresses through each of the laboratory's functions and the importance of quality checking at each stage

• Understand the role of quality management systems and the principles and practical applications of ISO17025 on laboratory functions


Unit 3 - Mobile Device Acquisition

At the conclusion of this module, students will be able to:

• Consider and evaluate the practical implications of conducting acquisitions and analysis of mobile devices

• Demonstrate an understanding of mobile device specific terminology and technology

• Handle mobile devices in a forensically acceptable manner and preserve relevant information

• Identify the correct acquisition method for common mobile devices, perform acquisitions using various methodologies and understand the implications of their actions with an awareness of the limitations of the acquisition methods/software

• Demonstrate an awareness of the limitations associated with common mobile device acquisitions and identify when advanced techniques would be required to achieve defined acquisition objectives


Unit 4 - Forensic Imaging

At the conclusion of this module, students will be able to:

• Describe the components of a computer system and its interfaces. Identify storage media and select the most appropriate method to acquire data from it

• Understand the principles of hard disk partitioning and file-systems and non-addressable areas

• Explain the structure of a forensic image file and give examples of different types and verification methods

• Demonstrate the forensic imaging of a storage device using the selection of acquisition software and write-blocking methods

• Understand the implications of encryption and common failure causes including optical media and faulty devices


Unit 5 - Advanced Forensic Imaging

At the conclusion of this module, students will be able to:

• Explain how differing hardware and software technologies impact on forensic imaging including when and how logical imaging and data collections can be used

• Demonstrate the acquisition of data from live systems, RAIDs, gaming consoles, Apple Macs and the use of Linux-based forensic operating systems


Course Timetable

Day 1 Day 2 Day 3 Day 4 Day 5

Module A: Exhibit Handling

Unit A1 - Evidence and Exhibits

1. What is an exhibit (Law)?

2. Authorisation

3. Disclosure and Protected Materials

Unit A2 - Handling Exhibits

1. Documenting and Recording Exhibits

2. Isolating Mobile Devices

3. Exhibit Photography

4. Researching Exhibits

5. Health and Safety

Unit A3 - Computer – Pre-imaging

1. Pre-Imaging Outline & Strategy

2. Computer Pre-Imaging

Unit A4 - Mobile Device Pre-Imaging

1. Pre-Imaging Outline & Strategy

2. Mobile Device Pre-Imaging

Unit A5 - Post Imaging Procedure

1. Exhibit reassembly

2. Exhibit Re-Seal and Packaging

Module B: Laboratory Procedures

Unit B1 - Digital Forensic

3. Laboratory Overview

4. History of Digital Forensics Units and Laboratories

5. Overview of Digital Forensics Units and Laboratories

6. Digital Forensic Laboratory Management Systems

7. Overview of Digital Forensics Laboratory Functions

8. Quality Checking

9. Security

Module B: Laboratory Procedures (cont.)

Unit B2 - Quality Management Systems

1. History & Overview of QMS - History of 9001 & 17025

2. Practical Applications of QMS and 17025 in the laboratory

3. Auditing

4. Calibration & Validation

5. Traceability

Module C: Mobile Phone Acquisition

Unit C1 - Principles of Mobile Device Technologies

1. Critical Acronyms

2. Communication Service Providers

3. Device identification

4. Overview of different Mobile Device Operating Systems

5. Overview of relevant legislation

6. Device Identification and Resolving IMEI Numbers

Unit C2 - Handling of Mobile Devices

1. Network isolation

2. Powering on

3. ESD and PPE considerations

4. Basic disassembly techniques

5. Recording device information and photographing

6. Passcodes/PIN Codes/Pattern Locks

Module C: Mobile Phone Acquisition (cont.)

Unit C3 - Mobile Phone Forensic Acquisitions and Tools

1. Overview of available tools and differences between tools

2. Logical, Advanced Logical, File System & Physical Acquisitions

3. Dual tool methodology

4. App Storage & Parsing SQLite databases

5. Mobile Device operating systems

6. Device interfaces and connections

7. Common output reports and reader files

Unit C4 - Mobile Device Extraction Practical

1. Practical - Extract and analyse data from feature phones using forensic tools in a forensic lab.

2. Practical - Extract and analyse data from smartphones using forensic tools in a forensic lab.

3. Practical - Extract and analyse data from tablets using forensic tools in a forensic lab.

Unit C5 - Overview of Advanced Mobile Forensics

1. NAND / eMMC storage

2. Encryption

3. Chip Off, JTAG, ISP

4. of Chip-off Demonstration

Module D: Forensic Imaging

Unit D1 - Computer System Components and Digital Storage Media

1. Core PC components

2. Storage media

3. How data is stored

4. Convert binary to hex to ASCII

Unit D2 - Drive Geometry, Partitions and File Systems

1. Drive geometry

2. Hidden Disk Areas

3. Disk Partitioning schemes

4. File Systems

5. Operating system shutdowns

Unit D3 - Write Blocking Techniques

1. Hardware Write Blocking

2. Software Write Blocking

Unit D5 - Forensic Image File Formats

1. Verification techniques

2. Expert Witness Format

3. Raw images

Unit D6 - Forensic Acquisition Tools

1. FTK Imager

2. Guymager

3. Acquiring Optical Discs

Unit D7 - Troubleshooting & Encryption

1. Types of Encryption

2. Previewing data

3. Acquisition of encrypted data

4. Password cracking

5. Degraded Hard Disks

6. Faulty Drive Electronics

7. ddrescue (Demo)

Module E: Advanced Forensic Imaging

Unit E1 - Technologies Impacting Forensic Imaging

1. Solid State Drives / M.2 / NVMe

2. RAID

3. Network Attached Storage Devices

4. Games Consoles

5. Cloud Based User Data

6. Cloud Devices (Inc. Chromebooks)

7. Virtual Machines

Unit E2 - Logical Data Acquisition

1. Logical vs Physical Acquisition

2. Preserving metadata

3. Verification of Logically Acquired Data

4. Methods of Acquiring Data Logically

5. Logically Acquiring Data from RAID/NAS (Demo)

6. Logically Acquiring Data from Cloud Storage (Demo)

Unit E3 - Acquiring Data from a Running System

1. Tools and Methods

2. RAM Acquisition

3. Running System with Mounted Encrypted Drives (Demo)

Unit E4 - Live Forensic Operating Systems

1. Live CDs and Forensic OSs

2. Linux Based Forensic OSs

3. Linux Based Imaging Methods

4. WinBuilder & Windows FE

Unit E5 - Apple Macs

1. FileVault

2. Live Boot Method (Demo)

3. hdiutil Method (Demo)
