Digital Forensics for Pentesters: Practical Investigations from Udemy

What's inside

Learning objectives

How to forensically image devices.
How to recover deleted data from various operating systems.
How to produce professional and legal digital forensic reports.

How to properly handle digital media before and during investigations.
How to utilize various forensic tools for digital forensic investigations.
Analyze and reverse engineer software and malware.

How to forensically image devices.
How to recover deleted data from various operating systems.
How to produce professional and legal digital forensic reports.
How to properly handle digital media before and during investigations.
How to utilize various forensic tools for digital forensic investigations.
Analyze and reverse engineer software and malware.

Syllabus

In this section, students will watch a quick video overview of the course.

A short overview of what to expect and what to bring to get the most from this course.

A short overview video of the expectations for this section.

In this short video, you will learn how to easily download ISO and OVA files used in the course.

In this first lab, you will learn how to access the Kali Linux Live Boot Menu and to start Kali Linux using the Forensic Mode feature.

In this short video and lab, you will learn how to create a full virtual install of Kali using VirtualBox.

Microsoft has made getting access to a copy of Windows 10 Pro quite a chore, especially if you have Windows 10 installed. In this video, I demonstrate how to spoof your browser to convince Microsoft you are using a MAC as your operating system.

The Metasploitable2 virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.

In this hands-on lab, participants will learn how to create a forensic image of a directory using FTK Imager, a powerful and user-friendly digital forensics tool. The lab provides step-by-step guidance on imaging a directory, enabling forensic examiners to preserve digital evidence effectively for further analysis and investigation.

In this short lesson, participants will learn about the concept of browser spoofing and its potential implications for accessing otherwise hidden resources. Browser spoofing involves manipulating the user agent string of a web browser to mimic a different browser or device, often to bypass restrictions or access content not typically available.

If your desktop needs to reflect that you are someone with tech skills when a co-worker or casual user passes by and looks at your screen, you can deploy an activity generator to give the impression you are not to be trifled with.

This lab provided hands-on experience with a key cybersecurity tool, enhancing students' practical skills in digital reconnaissance and data analysis.

The OSForensics suite by PassMark Software is a comprehensive set of tools designed for digital forensics investigations. It allows users to search, recover, and analyze data from computers and storage devices. Key features include advanced file searching, email and file recovery, drive imaging, memory analysis, and system information gathering. OSForensics is used by law enforcement, corporate investigators, and cybersecurity professionals to uncover hidden or deleted files, analyze system activity, and gather evidence for legal or investigative purposes.

From time to time, Virtualbox will not have a network available for some network types. In this video, we see how this can be easily fixed.

When configuring two or more devices to use the same network type, you may encounter an issue with VirtualBox issuing the same IP address to both devices This is an easy fix.

This lab aims to guide participants through installing Autopsy 4.xx, a digital forensics tool, on a Windows 10 operating system.

In this lab, you will learn how to create a new case using Autopsy, an open-source digital forensics tool. This hands-on exercise will guide you through the steps of setting up a case, adding data sources, and organizing case details.

In this hands-on lab, participants will learn how to convert VirtualBox Disk Image (VDI) files into a format compatible with Autopsy, a popular open-source digital forensics platform. The lab provides step-by-step guidance on preparing VDI files for analysis within Autopsy, enabling forensic examiners to leverage the platform's powerful capabilities for digital investigation.

In this hands-on lab, participants will engage in practical exercises to conduct digital forensics analysis using Autopsy, an open-source platform renowned for its comprehensive forensic investigation capabilities. Through step-by-step demonstrations, participants will learn to navigate the Autopsy interface, analyze digital evidence, and extract valuable insights crucial for investigative purposes.

A Kali Linux Live image on a CD/DVD/USB/PXE can allow you to have access to a full bare metal Kali install without needing to alter an already-installed operating system. This allows for quick easy access to the Kali toolset with all the advantages of a bare metal install.

In this first lab, we address the first step that a forensic investigator takes after being brought into an investigation, acquiring evidence in a way that is forensically sound and can be used in a court of law.

You can copy and paste the following URL into your web browser to access the VDI disk image used in this lab.

https://www.dropbox.com/s/c731ygsjqyy3e3y/lecture.vdi?dl=0

In the short video presentation, you will learn how to use Autopsy to examine a forensic disk image.

In this lesson, students will learn how to use Undercover Mode in Kali Linux, a feature that allows the user interface to mimic a Windows environment. This mode is useful for discreetly working in public spaces or where a Linux interface might attract unwanted attention. The lesson will cover enabling and disabling Undercover Mode, customizing the desktop, and practical scenarios for its use in cybersecurity and penetration testing.

In this lab, you will learn how to install CSI Linux. CSI Linux was developed by Computer Forensics, Incident Response, and Competitive Intelligence professionals to meet the current needs of their clients, government agencies, and the industry.

In this first lab, you are introduced to two complementary forensic tools; both built into Kali Linux.
These are Brian Carrier's tools Autopsy and Sleuth Kit. In this first lab, you will acquire a forensics image for analysis to help investigate a case using the forensics case management tool, Autopsy.

The CSI Linux Gateway is now an integral part of CSI. It no longer requires a separate server and client.

In this lab, you will learn how to use the WebMap Nmap Dashboard application to generate a PDF report of your Nmap scan results.

In this short video and lab, you will learn how to use two OSINT tools available within the CSI Linux Analyst.

Since the video was produced, CSI Linux has had a major upgrade. Strangely enough, little brother is now only designed to carry out information gathering on a French, Swiss, Luxembourgish, or Belgian person. There are no US or any other modules.

In this lesson, you will learn how to find someone's social media accounts using the OSINT tool, sherlock.

In this short video, you will be given an overview of some of the features inside the OSINT Framework and see why this might be a great tool for OSINT.

In this short video and lab presentation, you will learn how to prepare and use the CSI Linux Analyst and CSI Gateway for secure anonymous access while using the Shodan search engine.

In this short video and lab, you will learn how to find vulnerable devices on the Internet using the Shodan search engine.

In this short video and lab, you will learn how to use Shodan for finding vulnerable databases.

In this video, students will see how easy it is to attach an external USB device attached to their host machine to Kali.

In this lab, you will learn how to create a forensic copy of the Windows registry.

In this lab, you will learn how to perform a forensics analysis of the Windows registry for finding forensic information relevant to a criminal investigation.

In this lesson, you will learn how to dump the credentials for any Wi-Fi network a suspect or target machine may have authenticated with in the past.

In this lecture, you will learn the fundamentals of analyzing the contents of an email header.

In this lab, you will learn how to retrieve information on archived items, even after the folders have been deleted or the external drive has been disconnected from a suspect’s machine.

Starting with Windows 7, Microsoft Windows provides the ability for the operating system to track user window viewing preferences specific to Windows Explorer. This information, called “ShellBag” information, is stored in several locations within the Windows Registry in the Windows Operating System.

In this lesson, you will learn how to extract thumbnail images from the thumbcache_*.db and iconcache_*.db database files starting with Windows 7. Thumbnail cache files have been used by law enforcement agencies to prove that a file of interest was stored on a Windows systems hard drive even if deleted. When a user deletes a file, its thumbnail remains in the cached file.

In this lesson, you will learn how to perform a forensic analysis of a Windows memory acquisition.

Live-Forensicator is a PowerShell script that will aid Forensic Investigators and Incidence responders in carrying out a quick live forensic investigation. It achieves this by gathering different system information for further review for anomalous behavior or unexpected data entry.

Ghidra is present in CSI Linux but needs Java installed to run. Since CSI Linux is built using Ubuntu and Ubuntu does not come with Java, we will need to install it.

In this lesson, you will be introduced to some of the higher-level features of Ghidra. Ghidra is a software reverse engineering (SRE) framework developed by NSA’s Research Directorate for NSA’s cybersecurity mission. Ghidra helps analyze malicious code and malware and can give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and systems.

In our previous lesson, we learned about some of the high-level features in Ghidra. We will continue where our previous lab left off by reverse engineering a simple executable, crackme0x00.exe.

In the short lesson, we will continue with learning reverse engineering by decompiling a simple executable labeled crackme0x05.exe.

In this lesson, we will reverse engineer the WannaCry Ransomware to examine the killswitch discovered by Marcus Hutchins, aka MalwareTech. Marcus reverse Engineered WannaCry and found the program checks a particular URL that was not registered and inactive. If the domain remained inactive, the ransomware would install. Once Marcus registered the domain, it shut down the ransomware.

Windows Sysinternal Tools is a suite of more than 70 freeware utilities that was initially developed by Mark Russinovich and Bryce Cogswell that is used to monitor, manage and troubleshoot the Windows operating system, and which Microsoft now owns and hosts on its TechNet site.

Process Explorer is a free task manager and system monitor software for the Windows operating systems. Process Explorer is a more powerful version of Task Manager, a program usually used to get information about computer performance and resource usage. However, process Explorer offers many features not present in Task Manager – it will show you the detailed information about each process, provide you the CPU usage tracking for processes, figure out which process has loaded a DLL file, enable you to kill or suspend a process, interactively set the priority of a process, and much more.

Process Explorer is an advanced process management utility that picks up where Task Manager leaves off. It will show you detailed information about a process including its icon, command-line, full image path, memory statistics, user account, security attributes, and more. When you zoom in on a particular process you can list the DLLs it has loaded or the operating system resource handles it has open. A search capability enables you to track down a process that has a resource opened, such as a file, directory, or Registry key, or to view the list of processes that have a DLL loaded.

In this short video and lab, you will learn how to use Steghide to hide an image inside another image and then extract that same hidden image.

In this lab, you will learn how to examine and manipulate the EXIF metadata hidden in an image file.

In this lesson, you will be presented with an overview of Wireshark.

In this lesson, you will learn about the different capture options available in Wireshark.

In this short video presentation, you will be introduced to the tollbar icons in Wireshark.

In this short lab, you will learn how to install a wireless adapter in Kali Linux.

In this lab, you will learn how to audit a wireless network for weak authentication.

In this short video presentation, you will learn how to configure Wireshark for capturing wireless traffic.

In this short video, you will learn how to capture and examine a three-way TCP handshake using Wireshark.

In this lab, you will learn how to build your lab environment for this Capture the Flag exercise.

In this lab, you will learn what tools you can learn to capture the first flag of the CTF.

In this lab, you will learn what tools you can learn to capture flag #2 for this CTF.

This is the lab and video on how to capture the third flag for this CTF. This is a long one with lots to learn so take your time.

In this last video for this CTF, you will learn how to capture the fourth and final flag for this exercise.

Traffic lights

Read about what's good

what should give you pause

and possible dealbreakers

Provides hands-on experience with tools like FTK Imager, Autopsy, and Wireshark, which are essential for digital forensics investigations and incident response

Covers techniques for analyzing Windows, Linux, and macOS file systems, which is crucial for comprehensive digital investigations across different platforms

Includes labs on reverse engineering malware, which is a critical skill for understanding and mitigating security threats in digital forensics

Prepares learners for industry-recognized certifications like GCFA, CHFI, and EnCE, enhancing their career prospects in cybersecurity and digital forensics

Features labs using Metasploitable2, an intentionally vulnerable virtual machine, which allows learners to practice penetration testing and vulnerability assessment in a safe environment

Uses VirtualBox for creating a forensic lab, which may require learners to have a computer with sufficient resources to run virtual machines effectively

Reviews summary

Practical digital forensics for pentesters

According to learners, this course offers a strong practical foundation in digital forensics tailored for cybersecurity professionals and pentesters. Many reviewers highlight the hands-on labs as particularly valuable, finding them directly applicable to real-world scenarios. Students appreciate the coverage of various essential tools used in the field, such as Autopsy, Ghidra, and Wireshark. While the course structure and content are generally well-received, a few reviews mention that some sections could benefit from further depth or updated material.

Introduces a wide range of relevant tools.

"The course covers a great selection of forensic tools that are commonly used in the industry."

"Learning to use Autopsy, Ghidra, and Wireshark with practical examples was incredibly useful."

"I found the sections on Sysinternals and Steghide particularly helpful for expanding my toolkit."

Skills are applicable to professional roles.

"As a pentester, this course gave me the specific forensic skills needed for incident response and deeper investigations."

"The techniques taught here are definitely industry-relevant and applicable in my cybersecurity role."

"I learned practical strategies that I can immediately apply to analyze digital evidence."

Provides practical experience with key tools.

"The hands-on labs were the highlight for me. They were practical and directly relevant to forensic investigations."

"I appreciated the step-by-step guidance in the labs, especially for tools like Autopsy and FTK Imager."

"Working through the real-world forensic scenarios in the simulated environments really solidified my understanding."

A few sections may need updating.

"Some parts felt slightly outdated, especially regarding specific tool versions or operating system steps."

"I encountered minor issues with lab setups that seemed related to changes in software versions since the videos were recorded."

"The mention of older CSI Linux versions was a bit confusing initially."

Some topics lack sufficient detail.

"While the breadth is good, I felt some topics could use more in-depth coverage for intermediate learners."

"I wished some of the more complex analysis techniques were explored in greater detail."

"For certain tools, the introduction was great, but I needed to seek external resources for advanced usage."

Activities

Be better prepared before your course. Deepen your understanding during and after it. Supplement your coursework and achieve mastery of the topics covered in Digital Forensics for Pentesters: Practical Investigations with these activities:

Review Networking Fundamentals

Show steps

Solidify your understanding of networking concepts to better analyze network traffic and identify anomalies during forensic investigations.

Browse courses on TCP/IP

Show steps

Review the OSI model and TCP/IP stack.
Practice subnetting exercises.
Research common network protocols.

Practice Disk Imaging with FTK Imager

Show steps

Reinforce your skills in creating forensic disk images using FTK Imager to ensure proper evidence collection.

Show steps

Create images of different storage devices.
Verify image integrity using hash values.
Experiment with different imaging options.

Read 'The Art of Memory Forensics'

Show steps

Deepen your understanding of memory analysis techniques for identifying malware and suspicious activities.

View The Art of Memory Forensics: Detecting Malware... on Amazon

Show steps

Read the chapters on Windows memory analysis.
Practice using Volatility framework on memory dumps.
Research advanced memory forensics techniques.

Four other activities

Expand to see all activities and additional details

Show all seven activities

Read 'Practical Malware Analysis'

Show steps

Enhance your malware analysis skills by learning practical techniques for dissecting malicious software.

View Practical Malware Analysis: The Hands-On Guide... on Amazon

Show steps

Follow the examples for static and dynamic analysis.
Practice analyzing different types of malware samples.
Research advanced malware analysis techniques.

Write a Blog Post on File System Forensics

Show steps

Solidify your knowledge of file system structures and forensic analysis techniques by writing a blog post explaining key concepts.

Show steps

Research different file systems (NTFS, ext4, APFS).
Explain how file metadata can be used in investigations.
Provide examples of file system analysis techniques.

Build a Forensics Toolkit

Show steps

Create a customized digital forensics toolkit to streamline investigations and enhance efficiency.

Show steps

Identify essential tools for different forensic tasks.
Automate common tasks using scripting.
Document the toolkit's functionality and usage.

Create a Forensic Report Template

Show steps

Develop a professional forensic report template to effectively communicate findings and comply with legal standards.

Show steps

Research industry standards for forensic reports.
Design a template with clear sections and formatting.
Include sections for evidence documentation and analysis.

Career center

Learners who complete Digital Forensics for Pentesters: Practical Investigations will develop knowledge and skills that may be useful to these careers:

Digital Forensics Analyst

A Digital Forensics Analyst investigates cybercrimes and digital incidents to uncover evidence and determine the scope and impact of the breach. This course directly aligns with the responsibilities of a Digital Forensics Analyst by providing hands-on training in digital forensics fundamentals, incident response, and forensic imaging and evidence collection. Through this course, one can learn to investigate Windows, Linux, and macOS file systems as well as analyze network traffic for anomalies. This course may also help the Digital Forensics Analyst learn to utilize reverse engineering techniques to analyze malware and uncover security threats. The Digital Forensics Analyst role may allow one to apply the investigative and analytical skills learned in this course to real-world scenarios.

See salaries and explore the career path for Digital Forensics Analyst

Law Enforcement Officer

Law Enforcement Officers investigate crimes and enforce laws, often requiring them to handle digital evidence. This course may give Law Enforcement Officers a firm grasp of digital forensics principles, tools, and methodologies. The course teaches one how to handle digital media properly before and during investigations. It may also help them learn how to utilize forensic tools for digital forensic investigations. One of the most important skills that a police officer can possess is the ability to recover deleted data from various operating systems. This course may help the officer with this skill.

See salaries and explore the career path for Law Enforcement Officer

Incident Responder

The Incident Responder is responsible for detecting, analyzing, and responding to cybersecurity incidents to minimize damage and restore normal operations. This course is directly relevant to the Incident Responder role because it covers digital forensics fundamentals and incident response and analysis. This course may help an Incident Responder learn how to effectively detect, analyze, and respond to security incidents. Learning about forensic imaging and evidence collection may help the Incident Responder to learn proper evidence handling procedures. With the skills gained from this course, the Incident Responder can more effectively mitigate the impact of security breaches.

See salaries and explore the career path for Incident Responder

Penetration Tester

A Penetration Tester, sometimes called an ethical hacker, assesses the security of systems and networks by simulating attacks to identify vulnerabilities. Since this course is titled "Digital Forensics for Pentesters," it will likely be quite helpful. A Penetration Tester may use digital forensics techniques to enhance their understanding of system weaknesses uncovered during testing. The course teaches digital forensics fundamentals, incident response, file system, and network forensics, and reverse engineering for forensics. A Penetration Tester armed with these skills can provide more comprehensive security assessments and recommendations.

See salaries and explore the career path for Penetration Tester

Cybersecurity Consultant

A Cybersecurity Consultant advises organizations on how to improve their security posture and protect against cyber threats. This course can help a Cybersecurity Consultant gain a deeper understanding of digital forensics techniques and incident response methodologies. The consultant can leverage this knowledge to provide informed recommendations on security best practices and incident handling procedures. Furthermore, the course's emphasis on practical, hands-on labs may help the Cybersecurity Consultant develop expertise that can be applied to real-world scenarios. The more the Cybersecurity Consultant knows about forensics, the more they may be able to improve their clients' security.

See salaries and explore the career path for Cybersecurity Consultant

Malware Analyst

Malware Analysts examine malicious software to understand its functionality, origin, and potential impact. This course may be useful to Malware Analysts due to its coverage of reverse engineering techniques for forensics. The course helps one leverage reverse engineering to analyze malware and uncover security threats. A Malware Analyst can use the skills learned in the course to dissect malware samples, identify their capabilities, and develop effective mitigation strategies. The knowledge gained from this course can help a Malware Analyst enhance their ability to protect systems from malicious attacks.

See salaries and explore the career path for Malware Analyst

Intelligence Analyst

An Intelligence Analyst gathers, analyzes, and interprets information to identify potential threats and provide insights to decision-makers. This course may help them by developing their understanding of digital forensics techniques and how to uncover hidden digital evidence. This course can help an Intelligence Analyst learn how to analyze network traffic for anomalies. The knowledge gained from this course may help the Intelligence Analyst enhance their investigative skills and contribute to intelligence gathering efforts.

See salaries and explore the career path for Intelligence Analyst

Data Security Analyst

The Data Security Analyst is responsible for implementing security measures to protect sensitive data and prevent unauthorized access. This course may help enhance the Data Security Analyst's skillset by providing a solid grounding in digital forensics techniques, incident response, and security investigations. Learning about reverse engineering for forensics may help the Data Security Analyst analyze malware and uncover security threats. This course may also help the Data Security Analyst better understand the tools and methodologies used in forensic investigations.

See salaries and explore the career path for Data Security Analyst

eDiscovery Specialist

An eDiscovery Specialist manages the process of identifying, collecting, and producing electronic data for legal or regulatory purposes. This course may help the eDiscovery Specialist gain valuable insights into digital forensics techniques and tools. The course teaches one how to recover deleted data from various operating systems. It also teaches proper handling of digital media before and during investigations. This may help the eDiscovery Specialist to improve their ability to identify and preserve relevant electronic evidence.

See salaries and explore the career path for eDiscovery Specialist

Security Engineer

The Security Engineer is responsible for designing, implementing, and managing security systems and infrastructure to protect an organization's assets. This course may benefit a Security Engineer by providing a solid foundation in digital forensics and incident response. The practical, hands-on labs in the course may help the Security Engineer gain experience in investigating security incidents. Learning about forensic imaging, evidence collection, and file system analysis, may help the Security Engineer make informed decisions about security architecture. Security Engineers work to proactively protect systems from threats.

See salaries and explore the career path for Security Engineer

Security Architect

Security Architects design and implement an organization's computer and network security infrastructure. They are responsible for creating complex security structures, ensuring data is protected, and that the business operates without the threat of a data breach. A course like this one may help the Security Architect build a strong understanding of the latest digital forensics tools and techniques. They may use this understanding to inform their architectural decisions. Understanding incident response may help the Security Architect create systems optimized for quick recovery, disaster recovery, and business continuity.

See salaries and explore the career path for Security Architect

IT Auditor

An IT Auditor evaluates an organization's information technology infrastructure, policies, and procedures to ensure they are secure, compliant, and efficient. This course may help an IT Auditor understand the digital forensics process and how it relates to security audits. They may use this understanding to assess the effectiveness of an organization's incident response plan and security controls. The skills learned in the course, such as forensic imaging and file system analysis, may enable the IT Auditor to conduct more thorough security assessments. It may also help them to identify vulnerabilities.

See salaries and explore the career path for IT Auditor

Compliance Officer

Compliance Officers ensure that an organization adheres to laws, regulations, and internal policies. A Compliance Officer may find this course useful because it teaches digital forensics fundamentals and incident response. Compliance Officers deal with rules and regulations at all times, and this course may help Compliance Officers learn how to effectively detect, analyze, and respond to security incidents. This can help them ensure that an organization's security practices align with compliance requirements. The more a Compliance Officer understands forensics, the more they can make sure regulations are being followed.

See salaries and explore the career path for Compliance Officer

IT Risk Manager

An IT Risk Manager identifies, assesses, and mitigates risks related to information technology. This course may help them to understand the potential impact of security incidents and how digital forensics can be used to investigate and respond to those incidents. The IT Risk Manager may utilize the knowledge gained from this course to develop risk mitigation strategies and improve an organization's overall security posture. The IT Risk Manager can better understand the risks by understanding forensics.

See salaries and explore the career path for IT Risk Manager

Privacy Officer

A Privacy Officer is responsible for ensuring an organization's compliance with privacy laws and regulations, such as GDPR or CCPA. While this course focuses on digital forensics and incident response, it may also be useful for a Privacy Officer. This is because understanding how data breaches occur and how they are investigated may help the Privacy Officer develop effective data protection strategies. The more a Privacy Officer knows about investigating breaches, the more they can help protect people's information.

See salaries and explore the career path for Privacy Officer

Reading list

We've selected two books that we think will supplement your learning. Use these to develop background knowledge, enrich your coursework, and gain a deeper understanding of the topics covered in Digital Forensics for Pentesters: Practical Investigations.

The Art of Memory Forensics

Save

Delves into the intricacies of memory forensics, providing in-depth knowledge of how to analyze memory dumps for malware and other security threats. Given the course's focus on incident response and forensic analysis, this book valuable resource for advanced techniques. It is particularly useful for understanding how to extract valuable information from volatile memory.

The Art of Memory Forensics: Detecting Malware and...

Paperback

$$$

Practical Malware Analysis

Save

Offers a practical, hands-on approach to malware analysis, covering static and dynamic analysis techniques. It is highly relevant to the course's module on reverse engineering and malware analysis. This book great resource for learning how to dissect malicious software and understand its behavior, which is essential for digital forensics investigations.

Practical Malware Analysis: The Hands-On Guide to...

Paperback

Practical Malware Analysis: The Hands-On Guide to...

Kindle Edition

Digital Forensics for Pentesters

Practical Investigations

What's inside

Learning objectives

Syllabus

Traffic lights

Save this course

Reviews summary

Practical digital forensics for pentesters

Activities

Career center

Reading list

Share

Similar courses