
GT-205

Introduction to Computer Forensics: Hands-On

This three-day intensive course introduces participants to the essential principles and practices of computer forensics.

Description

This three-day intensive course introduces participants to the essential principles and practices of computer forensics. Participants learn how to preserve, analyze, and document digital evidence from Windows, macOS, and Unix systems. The course covers core forensic processes—chain of custody, evidence capture, documentation, and incident handling—alongside practical skills using industry-recognized forensic toolkits and hardware write-blockers. Students will also examine common vulnerabilities and hardening strategies for Windows, macOS, and Unix environments, with an emphasis on real-world investigative scenarios and defensible forensic procedures.

Objectives

By the end of this course, participants will be able to:

  • Identify common vulnerabilities and hardening measures in Windows, macOS, and Unix systems.
  • Properly seize, isolate, and preserve evidence using Faraday bags, write blockers, and chain-of-custody forms.
  • Apply the order of volatility to determine proper evidence collection priorities.
  • Capture, image, and verify evidence from drives and RAM using forensically sound methods.
  • Understand forensic toolkit categories and how to select tools for disk, file system, and memory analysis.

Key Takeaways

  • Foundational skills in lawful digital evidence collection and preservation
  • Working familiarity with forensic imaging tools, RAM analysis utilities, and chain-of-custody documentation
  • Understanding of vulnerabilities and hardening techniques across Windows, macOS, and Unix systems
  • Ability to plan and execute an incident response with proper documentation and communication
  • Templates and playbooks for repeatable, auditable forensic and incident-handling procedures

Who Is This For

This course is ideal for entry-level cybersecurity professionals and students, personnel who manage evidence handling or chain-of-custody documentation, and anyone preparing for certifications such as CHFI, CompTIA Security+, or CompTIA CySA+.

Certificate of Completion

  • Certificate of Completion issued after successful completion of all chapters, hands-on exercises, and course evaluation.
  • Certificate is downloadable from the Ghost Team Academy Education Portal.

Training Outline

Module 1: Welcome

  • Topics:
    • Introductions and expectations
    • Course overview

Module 2: Fundamentals of Computer Forensics

  • Topics:
    • What digital forensics is: objectives, principles, and standards (NIST SP 800-86, ISO/IEC 27037)
    • Legal and ethical considerations: authorization, consent, and admissibility
    • Chain of custody: what it is, why it matters, and how to document it
    • Roles and responsibilities: evidence handler, examiner, reviewer
    • Background checks and integrity of forensic personnel

Module 3: Operating System Vulnerabilities & Hardening

  • Topics:
    • Windows vulnerabilities: registry weaknesses, file permissions, SMB, RDP, persistence mechanisms
    • macOS vulnerabilities: Gatekeeper bypasses, Time Machine backup artifacts, root privilege escalation
    • Unix vulnerabilities: SSH keys, sudo misconfigurations, log manipulation
    • Hardening practices across all three platforms (patching, least privilege, secure configs, firewall tuning)
  • Labs/Exercises: Baseline scan and vulnerability assessment of Windows, macOS, and Unix lab VMs

Module 4: Evidence Preservation and Handling

  • Topics:
    • Physical security: evidence seizure, labeling, Faraday bag use
    • Write blockers: hardware and software principles
    • Order of volatility: capturing volatile data before shutdown (RAM, network connections, processes)
    • RAM capture and analysis overview (using authorized test images and tools)
  • Labs/Exercises: Capture RAM from a Windows VM using a memory acquisition tool; calculate hashes of the capture and verify its integrity

Module 5: Forensic Imaging and Toolkits

  • Topics:
    • Imaging principles: bit-for-bit copies, hashing and verification of source against image (SHA-256 as the authoritative hash; MD5 only alongside it for compatibility with legacy tools and report templates, since MD5 collisions are practical to produce)
    • Overview of forensic tool categories (open-source and commercial): disk imaging, file carving, memory forensics, log parsing, OS artifact analysis
    • Using forensic workstations and virtual machines
  • Labs/Exercises: Acquire and verify a forensic image using a provided toolkit; Create chain-of-custody documentation
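The following is an added example that covers the Module 4 and Module 5 lab exercises (hash calculation and verification, acquisition of a bit-for-bit image, chain-of-custody documentation). It is not the course's own toolkit and not a replacement for one; it shows the logic a practitioner expects such a tool to implement. The evidence "drive" is a constructed random file in a temporary directory, and the case ID, examiner name and JSON-lines log format are assumptions made for illustration.

```python
"""Added example (not course material): bit-for-bit acquisition with one-pass
hashing, independent re-read verification, and an append-only custody log.
The sample evidence file, case ID and log format below are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads: large media are never loaded into RAM at once


def _hash_stream(fobj):
    """Return (md5, sha256) hex digests of a readable stream in a single pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: fobj.read(CHUNK), b""):
        md5.update(chunk)
        sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def acquire_image(source_path, image_path, case_id, examiner):
    """Copy source to image_path byte for byte while hashing the source, then
    hash the written image separately and compare. The source is opened
    read-only; on real evidence media a hardware write blocker still belongs
    in front of this step. Returns an acquisition record for the report."""
    started = datetime.now(timezone.utc).isoformat()
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes we hash next are on disk
    # Verification must re-read the image from disk, not reuse in-memory bytes.
    with open(image_path, "rb") as img:
        img_md5, img_sha = _hash_stream(img)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": source_path,
        "image": image_path,
        "bytes": size,
        "source_md5": md5.hexdigest(),      # MD5 kept only for legacy tool compatibility
        "source_sha256": sha.hexdigest(),
        "image_sha256": img_sha,
        "verified": img_sha == sha.hexdigest() and img_md5 == md5.hexdigest(),
        "acquired_utc": started,
        "completed_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(image_path, expected_sha256):
    """Re-verification at handover or before analysis: recompute SHA-256 of the
    image and compare with the value recorded at acquisition."""
    with open(image_path, "rb") as img:
        _, sha = _hash_stream(img)
    return sha == expected_sha256


def append_custody_entry(log_path, record, action, person):
    """Append one JSON-lines chain-of-custody entry (assumed format). The log is
    append-only; who held the evidence, when and why is never rewritten."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "case_id": record["case_id"],
        "image_sha256": record["image_sha256"],
        "action": action,
        "person": person,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Constructed sample: a 3 MiB + 123 byte pseudo 'drive' (the odd size
    exercises the final partial chunk). Returns the acquisition record, the
    verification result, and the result after one byte is appended to the image."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "evidence_drive.bin")
    img = os.path.join(workdir, "evidence_drive.dd")
    log = os.path.join(workdir, "custody.jsonl")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))
    rec = acquire_image(src, img, case_id="CASE-0001", examiner="examiner")
    append_custody_entry(log, rec, "acquired", "examiner")
    ok = verify_image(img, rec["image_sha256"])
    with open(img, "ab") as f:  # simulate corruption or tampering after acquisition
        f.write(b"\x00")
    return rec, ok, verify_image(img, rec["image_sha256"])
```

The order matters: the image is hashed by re-reading it from disk after `fsync`, so a write error or a silently truncated copy shows up as a hash mismatch rather than as a verified image. Real device acquisition (a `/dev/sdX` node or a physical drive behind a write blocker) uses the same loop; only the source path changes.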

Module 6: Evidence Analysis & Reporting

  • Topics:
    • File systems and metadata interpretation (NTFS, HFS+, APFS, ext4)
    • Artifact analysis: browser history, registry hives, system logs, timestamps
    • Timeline reconstruction and correlation of evidence across OS platforms
  • Labs/Exercises: Examine provided forensic image and reconstruct user activity timeline
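As an added example for the Module 6 timeline exercise (not course material), the script below normalizes timestamps from the four file systems and log formats named above into UTC and merges them into one ordered timeline. The host names, file paths, time zones and timestamp values are constructed; fixed UTC offsets are used instead of named zones so the example runs without a time zone database.

```python
"""Added example (not course material): convert NTFS, APFS, ext4, syslog and
exported Windows Event Log timestamps to UTC and build one sorted timeline.
All artifact values, hosts and paths below are constructed."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
# FILETIME counts 100-ns intervals since 1601-01-01 UTC; 11644473600 seconds
# separate that epoch from the Unix epoch.
FILETIME_UNIX_OFFSET_S = 11644473600


def from_filetime(ft):
    """NTFS $MFT and registry timestamps (64-bit FILETIME)."""
    unix_us = ft // 10 - FILETIME_UNIX_OFFSET_S * 1_000_000
    return UNIX_EPOCH + timedelta(microseconds=unix_us)


def from_unix(seconds):
    """ext4 / stat()-style seconds since the Unix epoch."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def from_apfs_ns(ns):
    """APFS stores nanoseconds since the Unix epoch; integer division avoids
    the rounding a float conversion would introduce."""
    sec, rem_ns = divmod(ns, 1_000_000_000)
    return UNIX_EPOCH + timedelta(seconds=sec, microseconds=rem_ns // 1000)


def from_syslog(line, year, host_tz):
    """Classic syslog ('Mar 14 10:13:30 host ...') carries neither year nor
    zone; both come from the host's configuration and belong in the report."""
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return stamp.replace(year=year, tzinfo=host_tz).astimezone(UTC)


def from_local_string(text, host_tz, fmt="%Y-%m-%d %H:%M:%S"):
    """Exported Windows Event Log rows are frequently in the exporting host's
    local time; the zone has to be supplied explicitly."""
    return datetime.strptime(text, fmt).replace(tzinfo=host_tz).astimezone(UTC)


def build_timeline(events):
    """events: iterable of (utc_datetime, source, host, description).
    Returns rows sorted by time, rendered with a trailing 'Z' so a reviewer can
    see that no local times leaked into the report."""
    return [
        (when.strftime("%Y-%m-%dT%H:%M:%S.%fZ"), source, host, desc)
        for when, source, host, desc in sorted(events, key=lambda e: e[0])
    ]


def sample_timeline():
    """Constructed artifacts from three hosts in two time zones."""
    eastern = timezone(timedelta(hours=-4))  # assumed: US Eastern with DST in effect
    central = timezone(timedelta(hours=+1))  # assumed: Central European, no DST yet
    events = [
        (from_filetime(133548810000000000), "NTFS $MFT", "WS-01",
         "Created: C:\\Users\\j\\Downloads\\invoice.zip"),
        (from_apfs_ns(1710407460_500_000_000), "APFS", "MAC-07",
         "Modified: ~/Library/LaunchAgents/com.example.agent.plist"),
        (from_unix(1710407520), "ext4", "srv-db", "Accessed: /etc/sudoers"),
        (from_syslog("Mar 14 10:13:30 srv-db sshd[4242]: Accepted publickey "
                     "for deploy from 203.0.113.7 port 51234 ssh2", 2024, central),
         "syslog", "srv-db", "sshd login (deploy)"),
        (from_local_string("2024-03-14 05:14:00", eastern), "Windows Event Log",
         "WS-01", "Event ID 4624 logon (exported in local time)"),
    ]
    return build_timeline(events)
```

Sorting the raw local strings would place the Windows logon (05:14 local) first; after normalization it is the last event, which is the kind of ordering error that breaks a correlation across platforms. Clock skew between hosts is a separate correction: measure it per host (for example against a known NTP event) and apply it before the events enter `build_timeline`.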

Module 7: Incident Handling & Playbook Development

  • Topics:
    • Structure of an incident handling plan (NIST SP 800-61 framework)
    • Integrating forensics into the IR workflow (identification → containment → eradication → recovery → lessons learned)
    • Designing a playbook: notification flow, decision points, documentation standards
    • Role of the evidence handler and coordination with legal/corporate stakeholders
  • Labs/Exercises: Simulated incident response — team-based exercise collecting and documenting digital evidence, applying order of volatility, and producing a short incident report

Module 8: Conclusion

  • Topics:
    • Course summary
    • Key takeaways

Ghost Team Certified Badge

Quick Info
  • Type: Hands-On
  • Delivery: In Person, Virtual, Hybrid
  • Level: Intermediate
  • Duration: 3 days (8 hours per day)
  • CEU Hours: 24