Digital Forensics

Contact information

For further information or to request a quotation, please contact the Professional Education Courses Unit on:

Enquiries Phone: 02 5114 5573

Enquiries Email:

In-house delivery

UNSW Canberra Professional Education Courses may be available for in-house delivery at your organisation's premises. In-house courses allow maximum attendance without the additional travel costs. Courses can be developed to suit the specific staff development and training needs of your organisation. Recommended for groups of 10 or more.

This course will introduce participants to digital forensic analysis and investigation first principles. Students will be introduced to theoretical concepts including the digital forensic method, intent and its application. The course will also cover introductory Microsoft Windows centric technical topics such as file system, memory and operating system artefact analysis using contemporary open source tools, techniques and procedures. Students will be expected to demonstrate both their theoretical and technical understanding through the completion of practical exercises in a simulated operational environment.

This is an introductory course covering:

  • Basic forensic theory and practical exercises targeting the Microsoft Windows Operating platform.
  • Disk forensic theory and practical exercises targeting the NTFS filesystem.
  • Configuration forensic theory and practical exercises targeting the Microsoft Windows Registry.
  • Memory forensic theory and practical exercises targeting (mostly) the Microsoft Windows operating platform.
  • Basic network forensic theory and practical exercises.

Learning outcomes

On completion of this course, participants should be able to:

  • Understand basic digital forensic theory, including purpose and intent.
  • Understand how to professionally approach a digital forensic investigation, determining both its scope and duration.
  • Demonstrate they can utilise contemporary open source tools, techniques and procedures to conduct analysis.
  • Demonstrate they can achieve an acceptable level of intelligence outcomes within a defined period of time.
  • Perform a basic forensic examination, producing an actionable intelligence product.

Course Information

Day 1

Disk Forensics

Day 1 gives an overview of the history of disk forensics. Basics such as file structures, metadata, file systems concepts, windows file systems and disk partitioning are covered leading to a practical investigative scenario.


File system features, FAT, exFAT, NTFS, File slack, Volume shadow copies, Master boot record partition table, GUID partition table, Partition slack.

Day 2

Registry Forensics

This session will focus on the analysis of low level configuration settings located within the Microsoft Windows registry. You will gain a better understanding of the Windows registry as a hierarchical database which will culminate in a practical exercise of detecting malware within the registry utilising Python.


Configuration analysis, Registry keys & values, Registry root keys, Hives, Deleted registry keys.

Day 3

Network Forensics

Day 3 will look at how network investigations deal with volatile and dynamic information, focusing on the analysis and monitoring of computer network traffic for the purposes of information gathering, legal evidence and intrusion detection.


The internet protocol, Packet structures, Addressing methods, Application layer protocols, Netflow.

Day 4

Memory Forensics

The first part of the day will cover the history of memory forensics and modern computer architecture. We will then cover several memory management techniques and look at how these can be leveraged in forensic processes.


Process concept, Memory layout, Process management, Windows environment block, Thread concept, Thread management, Virtual memory, Page concept, Memory protections, Virtual Address Descriptor (VAD), Kernel interface, Hibernation.

Day 5

The Forensic Method

Day 5 will cover various digital forensic analysis techniques from multiple viewpoints in order to derive meaning and intelligence from gathered evidence. We will look at what it is like to be in an offensive position and how this can provide analysts with a significant tactical advantage.


Locard’s Exchange Principle, Offensive Operations, Forensic Investigation Requirements, Digital Forensic Life Cycle.

Digital Forensics

This course maps to the following NICE Framework KSAs (Knowledge, Skills & Abilities):

K0001: Knowledge of computer networking concepts and protocols, and network security methodologies.

K0017: Knowledge of concepts and practices of processing digital forensic data.

K0122: Knowledge of investigative implications of hardware, Operating Systems, and network technologies.

K0132: Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.

K0133: Knowledge of types of digital forensics data and how to recognise them.

K0134: Knowledge of deployable forensics.

K0187: Knowledge of file type abuse by adversaries for anomalous behaviour.

K0301: Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).

K0304: Knowledge of concepts and practices of processing digital forensic data.

S0046: Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).

S0062: Skill in analysing memory dumps to extract information.

S0065: Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).

S0067: Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).

S0071: Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).

S0073: Skill in using virtual machines. (e.g., Microsoft Hyper-V, VMWare vSphere, Citrix XenDesktop/Server, Amazon Elastic Compute Cloud, etc.).

A0043: Ability to conduct forensic analyses in and for both Windows and Unix/Linux environments.

A0175: Ability to examine digital media on multiple operating system platforms.

What is the NICE Framework?

The National Initiative for Cybersecurity Education (NICE) Cyber Security Workforce Framework developed by the National Institute of Standards and Technology (NIST) establishes a taxonomy and common lexicon that describes cyber security work and job roles.

To find out more about the NICE Framework, go to:

Courses will be held subject to sufficient registrations. UNSW Canberra reserves the right to cancel a course up to five working days prior to commencement of the course. If a course is cancelled, you will have the opportunity to transfer your registration or be issued a full refund. If registrant cancels within 10 days of course commencement, a 50% registration fee will apply. UNSW Canberra is a registered ACT provider under ESOS Act 2000-CRICOS provider Code 00098G.

UNSW Institute for Cyber Security is a unique, cutting-edge, interdisciplinary research and teaching centre, working to develop the next generation of cyber security experts and leaders.

The centre is based in Canberra at the Australian Defence Force Academy and provides professional, undergraduate and post graduate education in cyber security. Our air-gapped, state of the art cyber range offers a secure environment where we deliver a number of technical and highly specialised learning opportunities.

Our courses are designed to give the next generation of cyber security professionals the skill sets needed to thrive in the industry. We can also create bespoke professional education programs tailored to your organisation's needs.

Contact us at to discuss how.