• Classroom

WFE-FTK builds on the Computer Incident Responders Course (CIRC) and presents a comprehensive forensic examination process, including technical procedures, reporting and expert witness testimony. Using the FTK forensic tool, students learn to conduct thorough examinations of Windows systems against the backdrop of a law enforcement scenario. Students set up a forensic workstation, conduct an examination and testify in a mock trial setting.

Learning Objectives

  • Conduct an examination of a forensic image of a Windows operating system in a lawful manner
  • Explain the basic forensic concepts, principles, fundamentals and processes of disk partitioning, data storage, common file systems and registry entries from a Windows operating system
  • Summarize hardware and software requirements for a forensic workstation with FTK
  • Demonstrate the basic functions, configurations, outputs, tools and settings of FTK
  • Examine a forensic image from a Windows computer using basic forensic processes and automated tools in FTK
  • Use Password Recovery Toolkit (PRTK) to overcome protected files
  • Produce a quality lab report and examiner notes

Framework Connections

The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):

Specialty Areas

  • Digital Forensics

Specialty Areas have been removed from the NICE Framework. With the recent release of the new NICE Framework data, updates to courses are underway. Until this course can be updated, this historical information is provided to give better context as to how it can help you with your cybersecurity goals.