
Discover how computer forensics supports legal proceedings by analyzing hard drives and network data while maintaining evidence integrity and a clear chain of custody, ensuring admissible results.
Explore how computer forensics skills empower professionals—from data analysis and data recovery to malware analysis, networking protocols, and senior systems administrator roles.
Gain a broad, hands-on overview of computer forensics, exploring a wide range of topics with practical tools and demonstrations to spark your own investigation.
Develop foundational knowledge for computer forensics, including operating systems basics, file systems, disk partitioning, and memory management. Understand command-line tools, Windows and Unix-like systems, and basic networking concepts.
Explore preparation, ethics, evidence acquisition, and being an expert witness; learn about legal vs corporate investigations, forensic tools, wireless networks, malware, and operating system internals to recover hidden data.
Master the chain of custody as a complete, documented trail showing who handles evidence, when, and how, ensuring authenticity and protection from tampering.
Acquire evidence with safeguards to preserve authenticity, integrity, and accuracy, using write blockers and protected workflows. Use dd or dcfldd for bitwise copies, generate hashes, and document the process.
Discover Linux data validation for preserving evidence state, using diffs and cryptographic hashes (MD5, SHA-1) to verify integrity, and tools like dd or dcfldd for copy-and-hash workflows.
Validate Windows data with file comparisons and cryptographic hashes, generating MD5 and SHA-1 checksums to preserve evidence integrity from collection to court presentation.
Demonstrate credibility, absence of bias, and memorability as a forensic expert witness, supported by deep knowledge, experience, clear explanation of evidence, and trustworthy integrity in court testimony.
Practice ethical conduct as an expert witness by remaining impartial, independent, and objective, and ensure fees are reasonable and not tied to case outcomes.
Securely store digital evidence from the outset to preserve chain of custody, prevent alteration, and ensure court admissibility with hashing and read-only CD-ROM media.
Explore the Federal Rules of Evidence, including authenticity, relevance, admissibility, and when hearsay and expert testimony apply, with a focus on digital artifacts in computer forensics.
Compare differences between legal investigations and corporate investigations, focusing on evidence handling, chain of custody, and the applicable rules of evidence.
Explore reasons for corporate investigations, from data theft to policy violations, and how organizations initiate forensic analysis, handle internal findings, and protect themselves from liability.
Define the scope of an investigation, determine evidence needs and authority, choose between live and static acquisitions, and secure and document hardware and digital evidence with chain-of-evidence and hash validation.
Discover how to build a dedicated forensic workstation, decide on hardware interfaces and operating systems, and use key tools like dd, dcfldd, md5sum, sha1sum, The Sleuth Kit, Autopsy, and EnCase.
Explore EnCase for forensic analysis, evidence acquisition and storage, learn how to create a case, inspect file metadata, and manage references and bookmarks through an evaluation version.
Explore evidence with the Forensic Toolkit (FTK) from AccessData through a graphical interface, inspecting partitions, the master file table (MFT), and slack space, while searching and performing data carving.
Explore The Coroner's Toolkit, an early open-source forensics suite from 1999, featuring grave-robber, file access patterns, deleted file and cryptographic key recovery, plus live memory dumps.
Use ProDiscover Basic to perform initial forensic analysis by capturing disk images, exploring NTFS metadata and the master file table, inspecting alternate data streams, and generating reports.
Explore Windows and Unix auditing, configure Local Security Policy audit settings for logon events and object access, and build a forensic-ready audit trail for investigators.
Explore reporting and logging across Unix-like systems, focusing on syslog configuration, facilities, and log levels; learn log file structure, log rotation, and Windows Event Viewer essentials.
Discover built-in Unix-like tools for forensics, such as dd for disk imaging, md5sum for integrity, strings for analysis, grep for searching, and tools for examining partition tables.
This lecture demonstrates using The Sleuth Kit on Linux to analyze a raw disk image via command-line tools, examining the partition table, the NTFS file system, and the MFT at offset 59.
DEFT Linux, a free live CD focused on computer forensics and incident response, provides imaging, hashing, data carving, mobile forensics, database tools, and network analysis.
Explore Windows forensics by examining the C drive, Windows and System32, hidden and protected files, user directories, application data, browser cookies, and memory artifacts like hibernation and page files.
Explore Mac OS X fundamentals, including the Finder structure, Terminal access, and system directories, to locate application data, cookies, keychain passwords, logs, and login items for forensics.
Explore the Linux operating system and its Unix-like lineage, from Unix history to modern Linux, including root, /home, /var, logs, and the command line.
Explore other types of operating systems by examining BSD flavors—OpenBSD, FreeBSD, and NetBSD—Unix-like systems with distinct kernels, a security focus, and varied desktop and hardware support.
Learn how boot processes start a system, from the master boot record and BIOS to loading the kernel, startup services, and runlevels in Windows and Unix-like systems, including EFI.
Explore Windows file systems: from FAT and FAT32 limitations to NTFS features like permissions, encryption, compression, indexing, journaling, and hard links, plus quotas and mount points.
Explore Linux file systems, including ext4, inode-based storage, and the Unix directory hierarchy with user, group, and world permissions; learn about journaling, ownership, and large-file performance.
Explore Mac OS file systems for forensics, from HFS to HFS Plus, including journaling and encryption for reliability. See Unix-like permissions, B-trees, and resource forks that organize application data.
Learn about CD-ROM file systems, including ISO 9660 and Joliet extensions, with 8.3 filenames, path tables, and directory records, plus boot sectors and error-correction data on CDs.
Explore how to set up RAID arrays using Windows Disk Management and Linux mdadm, including RAID 0 striping, RAID 1 mirroring, and parity schemes, for forensic investigations.
Explore how autostarting works across Unix and Windows by examining startup scripts, runlevels, and services. Learn to identify, manage, and disable boot-time programs and registry-based startup items.
Discover the Windows Portable Executable (PE) format, its entry point, text and data sections, the stack, and base addresses, including the .NET extension with an intermediate language.
Explore Unix-based executable types from a.out to COFF and ELF, and learn to inspect program headers, text segments, and memory maps via readelf and /proc.
Learn how disk partitions divide a hard drive into primary and extended sections. Explore Linux and FAT32 partitions and use diskpart and Disk Management to view and manage them.
Explore image formats used in forensics, including the Advanced Forensic Format (AFF) with metadata and raw images, storing bit-for-bit copies of drives or partitions, with boot sectors, MBR, and partition tables.
Learn image acquisition under Linux by creating bit-for-bit copies of a partition or entire drive with dd, then generate an MD5 hash to verify the data against the source.
Perform image acquisition under Windows to create a bit-for-bit raw image of a USB stick or hard drive, capturing slack space and deleted data, and verify integrity with a hash value.
Capture volatile information from a live system before shutdown, including logon sessions, processes, memory data, and network activity, using Windows Sysinternals tools like Process Explorer and VMMap.
Explore data recovery techniques for forensic examiners, including restoring data from damaged drives, deleted files, and destroyed partitions, and using DiskWarrior and data carving to recover evidence.
Explore how hard drives evolved from spinning platters to solid-state (nonvolatile) storage, covering IDE, parallel, SATA, SCSI, and USB interfaces, and how to query SMART status and run self-tests.
Examine the OSI reference model and the TCP/IP model, and see how layer concepts map to Ethernet, switches, and routers to explain network communications.
Explore TCP/IP fundamentals, including the three-way handshake, sequence and acknowledgement numbers, and the roles of IP addresses and ports. Compare UDP and TCP for real-time use, with ARP and Ethernet context.
Explore common network attacks, including denial of service floods, protocol violations, and brute-force logon attempts, with tools like net flood and Hydra targeting SSH, VNC, POP3, and IMAP.
Explore reasons for network acquisitions, using Wireshark and packet captures to detect suspicious DNS queries, botnet communications, and malware like rootkits and Zeus.
Examine man-in-the-middle attacks, including ARP poisoning with Ettercap, ICMP redirect, port stealing, and DHCP spoofing, and observe the resulting traffic with Wireshark.
Learn to capture network traffic from compromised systems, including botnets, by using SPAN ports, Wireshark, and tcpdump, and analyze frames, ARP requests, and MAC addresses.
Learn how NetworkMiner captures traffic and categorizes hosts and frames for forensic investigators, and compare its data parsing to Wireshark and tcpdump.
Explore essential network tools for a forensic examiner, including ipconfig /all, netstat, nslookup, dig, and ifconfig, to identify interfaces, addresses, routes, and active connections.
Explore wireless networking basics, Wi‑Fi encryption types like WPA and WEP, and how SSIDs, hidden networks, and open Wi‑Fi influence security and risk.
Explore wireless tools like the aircrack-ng suite: set monitor mode with airmon-ng, capture and analyze beacon frames with Wireshark, and use airodump-ng and aircrack-ng to crack wireless encryption and inspect traffic.
Examine how firewalls block or manipulate traffic and support logging. Learn iptables on Linux, review input/forward/output chains, log ICMP echo requests, and use logs for forensic analysis and alerts.
Leverage intrusion detection to gather evidence during forensic investigations by monitoring network and host activity with tools like Snort, examining rules, and using the management console.
Explore alternate data streams attached to a primary data stream for storing resources like icons, and learn how to create, view, and detect alternate data streams with the Sysinternals streams tool and Notepad.
Discover how deleted files may remain on the hard drive, moved to the Recycle Bin rather than permanently erased, and learn recovery tools like Undelete Plus and debugfs.
Learn how hidden partitions are created and detected with disk management, diskpart, and fdisk across Windows, Linux, and Mac, and how drive letters affect forensic access.
Learn how slack space in allocated clusters can retain leftover data on a disk, and how to examine alternate data streams, hibernation files, and page files for artifacts.
Explore the Windows registry and regedit to examine user and system hives, run keys, and how registry data aids forensic analysis.
Explore virtual memory concepts by examining how the page file extends RAM, stores swapped pages, and how memory maps reveal a process's memory segments and privileges.
Learn to roll back Windows to a known good state using system restore points and the graphical restore interface, selecting points before or after installations or updates.
Explore Windows local security policy audit settings and Linux auditd to log account logon, directory service access, object access, policy changes, privilege use, and process tracking.
Learn to identify graphics files by header data rather than extensions, exploring JPEG, PNG, BMP, TIFF, and how hex editors reveal metadata and image creation details.
Explore the history and storage of e-mail, compare Windows Live Mail and Outlook database storage, and assess evidence integrity with hash checks and raw file access.
Explore how cache and cookies from Internet Explorer and other browsers are stored on disk across platforms, examine history data, and understand forensic implications for extracting sensitive web data.
Explore metadata as data about data, including file type, size, and timestamps, and examine mp3 tags, image EXIF, GPS coordinates, steganography, and Word document metadata for investigations.
Explore log files from Apache web servers and proxies on Windows and Linux to generate evidence, track IP addresses and requests, and identify errors and attacks.
Explore steganography, the Greek origin of hiding information, from hidden writing to modern techniques that conceal data in images, audio files, metadata, and documents.
Explore steganography techniques for images and media files, encoding and decoding hidden messages within carriers using tools like SilentEye and Hiderman to store data.
Explore steganography techniques for hiding data in audio files and Word documents, encoding data into MP3/WAV files and metadata, then decoding with passphrases and hex editing.
Learn steganalysis to detect hidden data in files by examining size, using a hex editor and histogram, and applying StegSpy with signatures from the Hiderman program.
Explore how compression stores information compactly with zip archives, encryption, and passwords, and how forensic investigators must break or crack protections to access data.
Explore the fundamentals of virtual machines, hardware virtualization, and VM configuration using Parallels, ISO files, and host-only networking to run multiple operating systems on one host.
Learn how checkpoints, or snapshots, capture a virtual machine's disk and memory state to enable rollback after testing or malware analysis.
Explore data formats for virtual machine storage, including raw disk images, Parallels and VMware formats, and XML configuration files, with notes on conversion utilities.
Explore hypervisors as software that virtualizes hardware access. Compare type 1, running directly on hardware, with type 2, running on an OS, and review ESX, Hyper-V, Parallels, and VirtualBox.
Learn iOS forensics by examining iPhone backups and data with desktop tools, exploring phone directories, and extracting information from backups stored on a computer, even if the device is passcode-locked.
Learn Android forensics by examining internal storage and app folders to recover images, downloads, and media, while noting that contacts and call logs require access to system data.
Explore Symbian forensics and learn how to extract contacts and call logs from Symbian OS powered mobile devices, and understand the validation challenges.
Extract data from iPhone backups with a backup extractor, exploring apps, logs, and media, and review SQLite databases to reveal call history and address book information.
Explore memory considerations on mobile devices, distinguishing internal storage from system RAM, and learn how viaExtract enables forensic imaging and recovery of call logs, contacts, browser history, and messages.
Explore how SIM cards store a subscriber identity and how form factors from full-size to nano affect forensics, including owner identification and stored contacts.
This video-based Computer Forensics training course from Infinite Skills will teach you how to get started in this industry. Computer Forensics is a broad topic that touches on many different skills, all specific to answering legal or investigative questions in relation to a computer. This course will give you an overview of the skills you will need in order to work in this highly technical field.
Because Computer Forensics is a broad field, this course covers a lot of topics, from preparing for an investigation, to ethics, to evidence acquisition, being an expert witness, and legal vs. corporate investigations. You will learn about forensic tools and how they are used, such as ProDiscover, FTK, and EnCase. This video tutorial covers wireless network investigations, malware, and collecting network evidence. You will also learn about UNIX, Windows, Linux, and Mac OS, in order to understand where to look for and recover evidence.
By the conclusion of this computer-based tutorial for Computer Forensics, you will have a clear understanding of what it takes to be a computer forensics investigator, and the tools and techniques available to you to find the evidence you will be looking for.