WFE-FTK builds on the Computer Incident Responders Course (CIRC) and presents a comprehensive forensic examination process, including technical procedures, reporting and expert witness testimony. Using the FTK forensic tool, students learn to conduct thorough examinations of Windows systems against the backdrop of a law enforcement scenario. Students set up a forensic workstation, conduct an examination and testify in a mock trial setting.
Learning Objectives
- Conduct an examination of a forensic image of a Windows operating system in a lawful manner
- Explain the basic forensic concepts, principles, fundamentals and processes of disk partitioning, data storage, common file systems and registry entries from a Windows operating system
- Summarize hardware and software requirements for a forensic workstation with FTK
- Demonstrate the basic functions, configurations, outputs, tools and settings of FTK
- Examine a forensic image from a Windows computer using basic forensic processes and automated tools in FTK
- Use Password Recovery Toolkit (PRTK) to gain access to protected files
- Produce a quality lab report and examiner notes
Framework Connections
Specialty Areas
- Digital Forensics