Course Details

    This is not a "watered down" training course.  Not like other courses, we tell you in detail what we cover during the course and what our experience and expertise is.  We have a great training course, great material, experienced instructors and we truly want you to learn the material and to become good forensic examiners.  We want you to compare and decide what is best for you.    

    You will be provided well developed, detailed handouts of the course material.   The course contains a number of practical exercise problems in the form of specially prepared USB thumb drives, mobile phones and a hard disk drive that must be examined.  The practical exercises will reinforce the material and teach "hands-on" skills.   A case scenario will be used where a fictional private investigator brings you, the examiner, each USB, mobile phone or a hard disk drive for examination.  Each USB will build to the next exercise, until finally a hard disk drive is examined and the case is concluded.  Real life computer forensic issues will be covered by the practical exercises.   

    Clear, concise, accurate reports that draw appropriate conclusions are a very important factor in presenting the results of a forensic examination.  We require reports detailing each "practical exercise" examination.  We critically review your reports as if we were the "other side" and will help you develop excellent report writing skills.  Your final reports can be used as your "template" for real examinations.

    Our instructors are all Certified Forensic Computer Examiners or Certified Computer Examiners (CCE)® who are currently involved in computer forensic examinations.  They will coach and tutor you through the practical exercises, your reports and through the test questions for each module.  Our instructors are highly qualified, experienced and understand forensic examinations far beyond the material in this course.  Your interaction with your instructor will normally be via email, but direct assistance is sometimes available for setup issues.   We truly want you to learn the material and to become a good forensic examiner.

    The current Guided Self-Study course is broken up into eight modules.   The material is constantly being revised and is subject to change.  The current modules consist of:


    Module 1 – Introduction to Computer Forensics

    • Recommended Machine Configurations
    • What makes a good computer forensic examiner?
    • Computer Forensics vs. E Discovery
    • Dealing with clients or employers
      • Work Product
      • Client Contracts
      • Legal and privacy issues
    • Software Licensing
    • Ethical Conduct Issues
    • Cases that may include digital evidence 
    • Forensic Examination Procedures
    • Determining Scope of Examinations
    • Hardware and Imaging Issues
    • USB and Optical Media Examination
    • Limited Examinations
    • Forensically Sterile Examination Media
    • Examination Documentation and Reports
    • ASCII Table
    • General Overview of Boot Process and Operating Systems
    • BIOS History
    • Networked Computers
    • Media Acquisition
    • Acquisition Documentation
    • Chain of Custody


    Module 2 – Imaging

    • Imaging Theory and Process
    • Imaging Methods
    • Write Blocking
    • Imaging Flash Drives
    • Wiping, Hashing, Validation, Image Restoration, Cloning, Unallocated Space
    • Drive Partitioning
    • One (1) Student Lab Practical Exercise


    Module 3 – File Signatures, Data Formats & Unallocated Space

    • File Identification
    • File Headers
    • General File Types
    • File Viewers
    • Examination of Compressed Files
    • Data Carving
    • One (1) Student Lab Practical Exercise


    Module 4 – FAT File System

    • Logical structures of DOS and Windows Operating System
    • Master Boot Record
    • File Allocation Table
      • 16 Bit FAT
      • 32 Bit FAT
    • Directory Entries
    • Clusters
    • Unallocated Space
    • Sub-Directories
    • FORMAT
    • Six (6) Student Lab Practical Exercises


    Module 5 – NTFS

    • Introduction and Overview
    • Basic Terms
    • Basic Boot Record Information
    • Time Stamps
    • Root Directory
    • Recycle Bin
    • File Creation
    • File Deletion
    • Examining NTFS Drives
    • Two (2) Student Lab Practical Exercises


    Module 6 – Registry & Artifacts 

    • Creating an Examination Boot Disk
    • Data Recovery
    • Windows Swap and Page Files
    • Forensic Analysis of the Windows Registry
    • Internet Cache Files, Cookies and Internet Sites
    • Microsoft Outlook
    • MSMAIL
    • Logical Structures
    • Tracking User Specific Computer Use
    • Internet Explorer Cache Index
    • Basic Mail Issues
    • Basic Internet Issues
    • Common Situations Encountered during Examinations
    • Password Protection and Defeating Passwords
    • Compound Documents
    • Examining CDR Media
    • Three (3) Student Lab Practical Exercises


    Module 7 – Forensic Policy, Case Writing, Legal Process & Forensic Tool Kits 

    • Use of Policy and Checklists in Forensic Practice
    • Data Presentation to Client
    • Case Report Writing
    • Legal Process
    • Expert Admission
    • Going to Court
    • Use of Forensic Tools and Software
    • One (1) Student Lab Practical Exercise – Hard drive examination

    Module 8 – Introduction to Mobile Data Exploitation  

    • Mobile Phone Extraction Process
      • Collection
      • Isolation
      • Interrogation
      • Imaging
      • Analysis
    • Mobile Networks
    • International Mobile Subscriber Identity
    • Use of Forensic Tools and Software
    • One (1) Student Lab Practical Exercise

    We will provide a detailed manual for each module covered.  These manuals can be used later in your career for reference purposes.  Sample reports, additional practical exercises, Diskedit primer and other useful information and applications will also be provided. You will be subscribed to our listservers that provide both administrative and technical information.  Even after you complete the course, as material is updated, you will be able to download the new material from our web site.

    All Guided Self-Study CCE BOOTCAMP® students receive fully licensed copies of the following software upon enrollment:

  • Raptor - Linux Imaging Tool
  • WinHex Specialist - www.X-Ways.net
  • Passware Kit - www.LostPassword.com


    Please visit our Requirements page to view any hardware / software requirements for this course.


    Contact us