• Classroom

This course introduces counterintelligence agents and digital media examiners to the basic concepts and practices of processing digital evidence in a CI-based scenario. Building on the Computer Incident Responders Course (CIRC), WFE-E-CI presents a comprehensive forensic examination process, including technical procedures, reporting and expert witness testimony. Students set up a forensic workstation, conduct an examination of a Windows system using the EnCase forensic tool and testify in a mock trial setting.

Learning Objectives

  • Conduct an examination of a forensic image of a Windows operating system in a lawful manner
  • Explain the basic forensic concepts, principles, fundamentals and processes of disk partitioning, data storage, common file systems and registry entries from a Windows operating system
  • Summarize hardware and software requirements for a forensic workstation with EnCase
  • Demonstrate the basic functions, configurations, outputs, tools and settings of EnCase
  • Examine a forensic image from a Windows computer using basic forensic processes and automated tools in EnCase
  • Use Password Recovery Toolkit (PRTK) to defeat protected files
  • Produce a lab report and examiner notes
  • Identify key concepts of a counterintelligence operation and/or investigation and explain how they may affect forensic examinations

Framework Connections

The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):

Specialty Areas

  • Digital Forensics

Specialty Areas have been removed from the NICE Framework. With the recent release of the new NICE Framework data, updates to courses are underway. Until this course can be updated, this historical information is provided to give better context as to how it can help you with your cybersecurity goals.