Digital Forensic Basics: Training for the Working Examiner

From our numerous years of firsthand field experience, we developed the Digital Forensic Basics Course with the working examiner in mind.

By: Matt McFadden, Director of Training

A “healthy” glow of light and the smell of “fresh” air emanate from the digital forensic lab, where backlogs of evidence and analysis requests are pending our review. All for a great purpose, but these cases can be challenging. After 19 years in this field, I rarely recall a routine examination where the acquisition, authentication, analysis, and reporting stages flowed without difficulty. Each case held different obstacles serving to provide excellent learning opportunities while grinding painfully on patience. Updated operating systems, new file systems, and new hardware unsympathetically redefine all we have learned.

Despite these trials and tribulations, the truth must be discovered, and we are tasked as the seekers of it. We must be prepared in our skills and knowledge. Where do we focus our efforts to ensure thorough and efficient examinations? How do we keep up with the changes in digital evidence amidst the demanding case backlog?

Our team at BlackBag Technologies is here to help. Containing a wide range of practical forensic concepts, our new Digital Forensic Basics course will prepare analysts to return to work ready to conduct acquisitions and fundamental analyses. For a basics course, it teaches a breadth of information. It may surprise you how many aspects of digital forensic case investigations are covered. Analysts will walk out prepared to apply their knowledge and ready for the next step of training.

In this course, students walk through a triage analysis using BlackLight’s intelligently designed interface. Actionable Intel, which contains numerous processed artifacts, is easily sorted, filtered, and reviewed. Program execution artifacts are organized by last execution, run count, program source, file source, related user, and many other attributes. Information parsed from UserAssist, Jump Lists, Prefetch, and Superfetch is displayed for review in separate tabbed working areas.

Additional parsed evidence consists of device connections, backups, file download, knowledge of files, and account usage. The source of these artifacts is crucial and is provided from this view for the examiner’s assessment.

The Digital Forensic Basics course continues with a focus on macOS artifacts such as system logs and snapshots, while also addressing mobile phone acquisition and analysis. After a solid review of Mac evidence analysis, the lessons change bearing to head into the waters of analyzing Windows memory, volume shadow copies, and NTFS system and log files. BlackLight’s strong traction to traverse through digital evidence is test driven with filtering, searching, hashing, data interpretation, and reporting, along with other advanced processing techniques.

I first participated in this course at a local law enforcement agency on the East Coast. It was refreshing to be directly serving law enforcement, who were present from North Carolina, South Carolina, Tennessee, Mississippi, and the Department of Homeland Security. I chose to work in this field after honorably retiring as a Police Sergeant so I could continue to serve law enforcement in their vital mission: to protect. My prior 17 years of law enforcement service and my family of 6 law enforcement officers bind me to this. It is in my blood, and it is all I have known. Those who know me know my furious passion for this field. My passion has found a home with BlackBag Technologies in aligning with their mission statement: Reveal the truth in data in order to create a safer world.

With evil in this world seeking to exploit technology to target our nations, our children, and even our well-being for victimization, it is up to law enforcement to hold the line through effective and efficient digital investigations. I worked child exploitation cases for 13 years. I can state with authority this evil is an ever-present danger we must be vigilant against. Professional digital forensic investigators also contribute to this vital endeavor to protect by conducting intelligence analysis, infrastructure compromise response, malware analysis, information discovery, human resource investigations, and through discovering criminal matters arising from their fields. Training is the best route toward preparedness. Preparedness facilitates proficient vigilance.

I strongly encourage you to visit our training page which will give you access to our training offerings, course calendar, certifications, and webinars.

Please contact us if we can help with your case investigation needs in any way. We are here to help because we understand. It is our passion to serve you. Be thorough, be efficient, be useful, but overall, be safe in your investigations out there to make this world safer.

To find out more about advanced Mac and iOS forensic techniques and analysis, check out BlackBag’s Essential Forensic Techniques: Triage and Analysis of Digital Data course and Essential Forensic Techniques: In-Depth Digital Forensic Analysis course.

To learn more about BlackLight, get a quote or request a free trial, click here.

Have further questions? Email sales@blackbagtech.com.
