Computer Forensics Training
Scheduled classes in English for mixed groups of attendees at this time:
For timing, pricing and other information about each event,
You can find our Rates and Terms here.
More classes in North America, UK, and Asia and online will be added gradually over time. Classes in German: click here
List of previous classes and trained users Old lists (2005-2009)
We can occasionally offer the X-Ways Forensics course internationally also as on-site training to law enforcement agencies and corporate customers on request (in English or German, only for reasonably sized groups). If you are interested, please contact us by e-mail and let us know the number of prospective attendees and the address of your facilities.
X-Ways Forensics I, 4 full or 5 shorter days
This main training course is focused on the systematic and efficient examination of computer media using our integrated computer forensics software X-Ways Forensics. The approach is very tool-centered. After attending this course and some self-study, you may start the X-PERT certification process (though taking the advanced course as well, see below, is recommended).
Complete and systematic coverage of most computer forensics features in WinHex and X-Ways Forensics. Hands-on exercises, simulating most aspects of the complete computer forensics process. Attendees are encouraged to immediately try newly gained insights as provided by the instructor, with sample image files. Many topics are explained along with their theoretical background (slack space, partially initialized space, how hash databases are internally structured, how deleted partitions are found automatically, with what methods X-Ways Forensics finds deleted files, etc.). Other topics are forensically sound disk imaging and cloning, data recovery, search functions, dynamic filtering, report creation, ... You will receive complete printed training material for later repetition. Prerequisite: basic knowledge of computer forensics.
The students will learn e.g. how to get the most thorough overview conceivable of existing and deleted files on computer media, how to scan for child pornography in the most efficient way, etc.
There will be a practical exam at the end of the course, which you can regard as just another exercise for yourself or take more seriously and have scored by the instructor if you like. The exam recapitulates the most important functions of the software and helps you to gauge your proficiency. The results will not be recorded by us in any way. Note that the instructor will present the answers to the test during the final 20 minutes (in-person training only).
Topics may include (not all guaranteed, for example because of time constraints):
Basic setup of the software
It is the goal of our courses to familiarize users of our software with the tool so much that they feel confident drawing sound conclusions from the data and metadata stored on or seemingly deleted from media to answer specific problems while documenting the proceedings in a manner acceptable in court.
X-Ways Forensics II, 4 full or 5 shorter days
Advanced training course for experienced users of X-Ways Forensics and previous attendees of the main course. Definitely not suitable as an introduction for new users of X-Ways Forensics. Topics may include (not all guaranteed because of time constraints, instructor availability or for other reasons):
.e01 evidence file format
X-Ways Forensics II, 3 full or 4 shorter days
Advanced training course for experienced users of X-Ways Forensics and previous attendees of the main course. Definitely not suitable as an introduction for new users of X-Ways Forensics. Topics may include (not all guaranteed because of time constraints, instructor availability or for other reasons):
.e01 evidence file format
File Systems Revealed
Variable combination of file system courses, with extensive introduction to file system basics (binary data storage concepts, data types, date formats) and for example to the file systems FAT12, FAT16, FAT32 (1/2 day), NTFS (1 day), and Ext2/Ext3/Ext4 (1/2 day). See below for file system courses that are available.
By fully understanding the on-disk structures of the file system, you are able to recover data manually in many severe data loss scenarios where automated recovery software fails, to verify the correct function of computer forensics software, and to collect meta information beyond what is reported automatically, which might yield clues for the given case. In general, this also leads to a better understanding of the data presented by forensic software, of how computer forensics software works and of its limitations.
Immediate application of newly gained knowledge by examining data structures on a practical example with WinHex. These exercises will ensure you will remember what you have learned. Explanation of the effects of file deletion and potentials for file recovery. By the end you will be able to navigate almost intuitively on a hard disk and to identify various sources of information with relevance to forensics. You will be enabled to recover data manually in several cases even where automated software fails and to verify the results computer forensics software reports automatically. You will receive complete documentation of all the file systems discussed in this course, with all the training material for later repetition. Prerequisite: general computer science knowledge recommended (not just computer knowledge).
Basics, MBR, GPT, LVM2, 1/2 day
Understanding raw data: Integers, date storage, Endianness
FAT12, FAT16, FAT32, 1/2 day
Structure of FAT file systems
NTFS, 1 day
Boot sector
exFAT, 1/2 day
Partition layout
Ext2/Ext3/Ext4, 1/2 day
File system basics
XFS, 1 day
Similarities and differences with other Linux file systems
BtrFS, 1 day
Generic layout of the file system
NTFS+XWFS2, 1 day
NTFS: see above
ReiserFS, Reiser4, 1 day
ReiserFS: Reiser4:
Memory Forensics, 1 day
Essentials of virtual memory management (Intel, AMD; 32 Bit, 64 Bit)