Digital Forensic - Training Materials

Introduction

An introduction to file-system post-mortem forensic analysis. This page links to the materials used during forensic trainings including slides and links to the disk images.

Training Materials: Edition May 2020

• Slide Deck: Digital Forensics 1.0.1 - Introduction: Post-mortem Digital Forensics
• Slide Deck: Digital Forensics 1.0.2 - Introduction: File System Forensics and Data Recovery
• Slide Deck: Digital Forensics 1.0.3 - Introduction: Windows-, Memory- and File Forensics
• Disk Image: Exercises SHA1:0dff633fded030dd7ac58c871a928afe93d260e9
• Commands: Command Line Cheat Sheet v0.1

Forensics Challenge ZIP

• Slides: Incident Response and Forensics

Use low level tools like ‘xxd’ and ‘dd’ to recover data out of broken ZIP archives.

cyberday.lu 2019

• Slides: Incident Response and Forensics
• USB device: Disk image SHA1:90dc3a44b25e138bc50bbdf358d13c53f8aa953f

Download and dump the image of the USB device over your own USB stick to replay the exercises. Please take care to not accidentally overwrite your internal drive. We advice to use tools like ‘dd’ with root rights only on virtual machines or test PC’s but not on production machines. We are not responsible if you destroy your computers disk.

cyberday.lu 2020

• Slides: Curiosities in Computer Forensics
• My name is Legion - Polyglot Boot Record: Disk image SHA1:fcdcc68d1e6ca5ea9e8c59715dabd96ce4d08cf2
• Lost in Hyperspace - EBR Loop: Disk image before manipulation SHA1:e549d373352037e871fd15bed0393f7b6b5bd85e

To replay an exercise, download and flash the related USB disk image over your own USB stick. Please take care: Do not accidentally overwrite your internal drive. We advice to use tools like ‘dd’ with root rights only on virtual machines or test PC’s but not on production machines. We are not responsible if you destroy your computers disk.

cyberday.lu 2022

• Slides: Recovering data from a wiped disk - A manual approach
• USB device: Disk image SHA1:2a70cb8c9fe22efb6041af8be34f3cb237640c74

With the image of the wiped disk, you should be able to replay the exercise.

Updates

• 15th June 2018 - New training in Luxembourg
• 16th April 2018 - Initial release of slides version 1.0
• 29th August 2018 - Slides updated: Digital Forensics 1.0.1 and 1.0.2
• 20th December 2018 - Slides updated: Digital Forensics 1.0.1: Winter 2018/2019 edition
• 20th March 2019 - Slides updated: Digital Forensics 1.0.1: Edition May 2019
• 21st March 2019 - Disk Image updated
• 22nd May 2019 - Slides updated, Command Line Cheat Sheet v0.1 added
• October 2019 - cyberday.lu 2019 slides added
• November 2019 - 1.0.1 slides updates, Forensics Challenge ZIP added
• May 2020 - Complete revamp of the training materials increase from 185 too 298 slides
• October 2020 - cyberday.lu 2020 materials added
• October 2022 - cyberday.lu 2022 materials added