Updated for 2019/20, the Certificate in Digital Forensics Fundamentals course (QAIDIGFOR) is designed to help commercial and government organisations collect, preserve and report on digital artefacts in a way which is suitable for use in investigations.
The course covers the broad topics essential to the digital forensics’ disciplines. It sets out a framework for investigations, covering the best practice as described by The National Police Chiefs' Council (NPCC) formally ACPO guidelines. Forensic fundamentals will be covered as well as the use of open source forensic tools. The data will be then analysed, and an example report produced.
Participants to this course learn about the methods to identify, preserve, analysis and report on digital artefacts. Using a mixed approach of fundamentals and open source software, delegates will be able to select suitable tools and report on their findings in an evidential way.
The Certificate in Digital Forensic Fundamentals course audience includes all teams across the IT, Security, Internal Audit, Law Enforcement and Government.
About the course author
I was a senior investigating officer working in law enforcement with over 31 years’ experience of working in the various government agencies including National Crime Agency. I have handled numerous cases involving drug trafficking, money laundering, endangered species, fraud, tackling child abuse online, extortion, hacking, and various other computer crimes. I am advanced mobile and digital Forensics practitioner. I have utilised my open source intelligence skills to locate and identify individuals and criminal organisations online. A founding member of the elite team called the National Hi-Tech Crime Unit, set up in 2001 to tackle with online threats. Mark worked in partnership with Europol and Interpol Mark was instrumental in dismantling a highly sophisticated international online paedophile organisation. I have also delivered training in Europol on child abuse online Open source intelligence.
Specialist Areas/Professional Qualifications
Open Source Intelligence, Digital Forensics (mobile and digital forensics), Legal (Law enforcement) & Cyber Security Fundamentals.
I have been a senior investigating officer working in law enforcement with over 15 years’ experience of working in the National Crime Agency, National crime Squad, HM Customs and Excise, UK Border Agency, Home Office and HM Revenue and Customs. I have handled numerous cases involving drug trafficking, money laundering, endangered species, fraud, tackling child abuse online, extortion, hacking, and various other computer crimes. I am Mobile and Digital Forensics practitioner for covert and overt use.
- Understand the purpose, benefits, and key terms of digital forensics
- Describe and adhere to the principles of the forensic framework
- Understand the importance of the chain of custody
- Demonstrate a basic knowledge of key locations in different operating systems
- Identify how different file systems represent files and how they deal with deletion etc.
- Understand where timestamps and other meta data comes from
- Have knowledge of the legal framework in which they operate, and the expected level of ethical behaviour expected
Module 1: Intro to Digital forensic
- What digital forensics is
- What is digital evidence?
- When and why is digital forensics used?
- Different Types of Digital Forensics – Standalone and e-discovery
- What skills should a computer forensic expert have?
- Introduction to the forensic framework
Module 2: The Legal Framework
- What legislation applies to investigations?
- ISO/IEC standards what does it cover?
- What does the legislation cover?
- What do authorising officers have to consider
- What does the legislation mean for investigators?
- The consequence of failing to adhere to the legislation which applies
- Computer Misuse Act and how it applies
Module 3: Collecting Digital Evidence
- The NPCC guidelines and how they apply to the collection of digital evidence
- The role of a First Responder
- Triaging – the new digital forensics approach
- What is ‘chain of custody’ concept and how critical it is to maintain
- Triaging – Digital Forensics
- What is the order of volatility
Module 4: Imaging Digital Evidence
- What imaging is and why we work on imaged data
- Write blocking hardware and software
- How do we forensically image a live device?
- How do we forensically image a switched off device?
- Physical and Logical Imaging
- Understand Hashing Algorithms and collisions and how it is used to verify acquisitions
- Creating Forensic Image using FTK Imager
Module 5: Hardware
- Why do we need to know about hardware?
- Live RAM capture and analysis (pagefile.sys and hiberfil.sys)
- Data storage – magnetic hard disks
- Understand how solid state drives and flash memory differ
- What is the BIOS and UEFI and what settings they hold
- Analysing the boot process
- Partitioning Disk analysis
- Volume and Master Boot Record
Module 6: Information Representation and File Systems
- How number systems work and how data is represented in binary and hexadecimal
- Difference between Big and Little Endian
- Character Encoding ASCII and Unicode
- Different File systems NTFS, FAT
- Analysis what happens when file is saved, deleted
- What is Slack Space and the different types of slack
- Access control lists and permissions
- What is the Master File Table used for?
- Recovering Data from Recycle bin
- Viewing Deleted data
- Analysis of Prefetch folder
- Differences between user profiles
Module 7: File Signatures & File Carving
- File Signatures Analysis
- Manual File carving
- File Carving Using Kali Linux
Module 8: Windows Artefacts, Metadata and hash tables
- What is Metadata?
- Understand about MAC times
- How to find meta-data inside documents
- How to use Fingerprinting Organizations with Collected Archives how to extract Meta-data
- EXIF Data and analysis
- Windows User Profile
- Identifying different Windows Artefacts and what information can be found
- Analysing Thumbnail Cache
- Viewing the Windows Registry and locating information
- Analysing Email Headers
- Forensic Analysis of HTTP data using Wireshark
- Analysing of web browser artefacts
- Understanding the different type of logs and what information they can provide as part of forensic analysis
- Analysing thumbnail cache databases
- How to analyse the windows registry and find evidence
- How to analyse email headers
Module 9: Mobile Phone Forensics
- Mobile Forensics Require a Different Approach
- What information a mobile device can provide
- Different methods for conducting mobile device examinations
- Mobile phone evidential values
Module 10: Reporting
- The difference between notes, examination logs and witness statements
- The issue with printing evidence and court requirements
Module 11: Forensic Tools
- Commercial Forensic
- Open Source Forensic Tools
Duration - 90 minutes. Questions - 70 Multiple choice (4 multiple choice answers only 1 of which is correct). Pass Mark - 50%
The exam is a Proctor-U APMG exam for the Certificate in Digital Forensics Fundamentals, which will be taken by delegates in their own time after the course.
Delegates will receive individual emails to access their AMPG candidate portal, typically available two weeks post exam.
If you experience any issues, please contact the APMG technical help desk on 01494 4520450.
Cyber Security learning paths
Want to boost your career in cyber security? Click on the roles below to see QA's learning pathways, specially designed to give you the skills to succeed.
Frequently asked questionsSee all of our FAQs
How can I create an account on myQA.com?
There are a number of ways to create an account. If you are a self-funder, simply select the "Create account" option on the login page.
If you have been booked onto a course by your company, you will receive a confirmation email. From this email, select "Sign into myQA" and you will be taken to the "Create account" page. Complete all of the details and select "Create account".
If you have the booking number you can also go here and select the "I have a booking number" option. Enter the booking reference and your surname. If the details match, you will be taken to the "Create account" page from where you can enter your details and confirm your account.
Find more answers to frequently asked questions in our FAQs: Bookings & Cancellations page.
How do QA’s virtual classroom courses work?
Our virtual classroom courses allow you to access award-winning classroom training, without leaving your home or office. Our learning professionals are specially trained on how to interact with remote attendees and our remote labs ensure all participants can take part in hands-on exercises wherever they are.
We use the WebEx video conferencing platform by Cisco. Before you book, check that you meet the WebEx system requirements and run a test meeting (more details in the link below) to ensure the software is compatible with your firewall settings. If it doesn’t work, try adjusting your settings or contact your IT department about permitting the website.
Learn more about our Virtual Classrooms.
How do QA’s online courses work?
QA online courses, also commonly known as distance learning courses or elearning courses, take the form of interactive software designed for individual learning, but you will also have access to full support from our subject-matter experts for the duration of your course. When you book a QA online learning course you will receive immediate access to it through our e-learning platform and you can start to learn straight away, from any compatible device. Access to the online learning platform is valid for one year from the booking date.
All courses are built around case studies and presented in an engaging format, which includes storytelling elements, video, audio and humour. Every case study is supported by sample documents and a collection of Knowledge Nuggets that provide more in-depth detail on the wider processes.
Learn more about QA’s online courses.
When will I receive my joining instructions?
Joining instructions for QA courses are sent two weeks prior to the course start date, or immediately if the booking is confirmed within this timeframe. For course bookings made via QA but delivered by a third-party supplier, joining instructions are sent to attendees prior to the training course, but timescales vary depending on each supplier’s terms. Read more FAQs.
When will I receive my certificate?
Certificates of Achievement are issued at the end the course, either as a hard copy or via email. Read more here.