Digital Forensics for Pentesters: Practical Investigations

A short overview video of the expectations for this section.

In this first lab, you will learn how to access the Kali Linux Live Boot Menu and to start Kali Linux using the Forensic Mode feature.

In this short video and lab, you will learn how to create a full virtual install of Kali using VirtualBox.

In this lesson, you’ll learn how to build a fully automated Windows 10 installation from the ground up using deployment scripts, answer files, and post-install automation techniques. Instead of manually clicking through every setup screen, you’ll create a streamlined process that installs Windows 10 with minimal user interaction.

This walkthrough covers preparing the installation media, configuring unattended setup files, automating user creation, applying system settings, installing drivers, and deploying software automatically after installation. You’ll also see how automation is used in real-world IT environments, cybersecurity labs, virtual machine deployments, and enterprise imaging workflows.

By the end of this lesson, you’ll have a repeatable Windows 10 deployment process that saves time, reduces errors, and can be reused for labs, testing environments, training systems, or production-ready workstation setups.

In this lesson, you will learn how to transfer the PowerShell-Lab folder from your host computer to the Windows 10 target VM. The PowerShell-Lab folder contains the scripts used throughout the course to configure, validate, and prepare the target machine for cybersecurity and DFIR exercises. By the end of this lesson, the folder will be successfully copied to the Windows 10 desktop and ready for use in future labs.

In this lesson, you will learn how to transform your clean Windows 10 lab machine into a vulnerable target using the PowerShell-Lab scripts. These scripts apply a series of controlled security misconfigurations that will be used throughout the course for vulnerability assessments, digital forensics investigations, and cybersecurity exercises. By the end of this lesson, your Windows 10 VM will be ready for the hands-on labs that follow.

The Metasploitable2 virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.

In this hands-on lab, participants will learn how to create a forensic image of a directory using FTK Imager, a powerful and user-friendly digital forensics tool. The lab provides step-by-step guidance on imaging a directory, enabling forensic examiners to preserve digital evidence effectively for further analysis and investigation.

In this short lesson, participants will learn about the concept of browser spoofing and its potential implications for accessing otherwise hidden resources. Browser spoofing involves manipulating the user agent string of a web browser to mimic a different browser or device, often to bypass restrictions or access content not typically available.

If your desktop needs to reflect that you are someone with tech skills when a co-worker or casual user passes by and looks at your screen, you can deploy an activity generator to give the impression you are not to be trifled with.

This lab provided hands-on experience with a key cybersecurity tool, enhancing students' practical skills in digital reconnaissance and data analysis.

The OSForensics suite by PassMark Software is a comprehensive set of tools designed for digital forensics investigations. It allows users to search, recover, and analyze data from computers and storage devices. Key features include advanced file searching, email and file recovery, drive imaging, memory analysis, and system information gathering. OSForensics is used by law enforcement, corporate investigators, and cybersecurity professionals to uncover hidden or deleted files, analyze system activity, and gather evidence for legal or investigative purposes.

From time to time, Virtualbox will not have a network available for some network types. In this video, we see how this can be easily fixed.

When configuring two or more devices to use the same network type, you may encounter an issue with VirtualBox issuing the same IP address to both devices This is an easy fix.

This lab aims to guide participants through installing Autopsy 4.xx, a digital forensics tool, on a Windows 10 operating system.

In this lab, you will learn how to create a new case using Autopsy, an open-source digital forensics tool. This hands-on exercise will guide you through the steps of setting up a case, adding data sources, and organizing case details.

In this hands-on lab, participants will learn how to convert VirtualBox Disk Image (VDI) files into a format compatible with Autopsy, a popular open-source digital forensics platform. The lab provides step-by-step guidance on preparing VDI files for analysis within Autopsy, enabling forensic examiners to leverage the platform's powerful capabilities for digital investigation.

In this hands-on lab, participants will engage in practical exercises to conduct digital forensics analysis using Autopsy, an open-source platform renowned for its comprehensive forensic investigation capabilities. Through step-by-step demonstrations, participants will learn to navigate the Autopsy interface, analyze digital evidence, and extract valuable insights crucial for investigative purposes.

A Kali Linux Live image on a CD/DVD/USB/PXE can allow you to have access to a full bare metal Kali install without needing to alter an already-installed operating system. This allows for quick easy access to the Kali toolset with all the advantages of a bare metal install.

In this first lab, we address the first step that a forensic investigator takes after being brought into an investigation, acquiring evidence in a way that is forensically sound and can be used in a court of law.

You can copy and paste the following URL into your web browser to access the VDI disk image used in this lab.

https://www.dropbox.com/s/c731ygsjqyy3e3y/lecture.vdi?dl=0

In the short video presentation, you will learn how to use Autopsy to examine a forensic disk image.

In this lesson, students will learn how to use Undercover Mode in Kali Linux, a feature that allows the user interface to mimic a Windows environment. This mode is useful for discreetly working in public spaces or where a Linux interface might attract unwanted attention. The lesson will cover enabling and disabling Undercover Mode, customizing the desktop, and practical scenarios for its use in cybersecurity and penetration testing.

In this lab, you will learn how to install CSI Linux. CSI Linux was developed by Computer Forensics, Incident Response, and Competitive Intelligence professionals to meet the current needs of their clients, government agencies, and the industry.

In this first lab, you are introduced to two complementary forensic tools; both built into  Kali  Linux.  
These are Brian Carrier's tools Autopsy and  Sleuth  Kit. In this first lab, you will acquire a forensics image for analysis to help investigate a case using the forensics case management tool, Autopsy.

The CSI Linux Gateway is now an integral part of CSI. It no longer requires a separate server and client.

In this lab, you will learn how to use the WebMap Nmap Dashboard application to generate a PDF report of your Nmap scan results.

In this short video and lab, you will learn how to use two OSINT tools available within the CSI Linux Analyst. 

Since the video was produced, CSI Linux has had a major upgrade. Strangely enough, little brother is now only designed to carry out information gathering on a French, Swiss, Luxembourgish, or Belgian person. There are no US or any other modules.

In this lesson, you will learn how to find someone's social media accounts using the OSINT tool, sherlock.

In this short video, you will be given an overview of some of the features inside the OSINT Framework and see why this might be a great tool for OSINT.

In this short video and lab presentation, you will learn how to prepare and use the CSI Linux Analyst and CSI Gateway for secure anonymous access while using the Shodan search engine.

In this short video and lab, you will learn how to find vulnerable devices on the Internet using the Shodan search engine.

In this short video and lab, you will learn how to use Shodan for finding vulnerable databases.