• Classroom

WFE-FTK builds on the Computer Incident Responders Course (CIRC) and presents a comprehensive forensic examination process, including technical procedures, reporting and expert witness testimony. Using the FTK forensic tool, students learn to conduct thorough examinations of Windows systems against the backdrop of a law enforcement scenario. Students set up a forensic workstation, conduct an examination and testify in a mock trial setting.

Learning Objectives

  • Conduct an examination of a forensic image of a Windows operating system in a lawful manner
  • Explain the basic forensic concepts, principles, fundamentals and processes of disk partitioning, data storage, common file systems and registry entries from a Windows operating system
  • Summarize hardware and software requirements for a forensic workstation with FTK
  • Demonstrate the basic functions, configurations, outputs, tools and settings of FTK
  • Examine a forensic image from a Windows computer using basic forensic processes and automated tools in FTK
  • Use Password Recovery Toolkit (PRTK) to overcome protected files
  • Produce a quality lab report and examiner notes

Framework Connections

The materials within this course focus on the Knowledge Skills and Abilities (KSAs) identified within the Specialty Areas listed below. Click to view Specialty Area details within the interactive National Cybersecurity Workforce Framework.

Feedback

If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.