European Digital Forensics Training Alliance
The European Digital Forensics Training Alliance (e-DiFTA) is Europe’s leading hands-on digital forensics training event, taking place from February 22–26, 2027 in Prague, bringing together investigators for advanced, practical learning experiences.
ABOUT e-DiFTA
The European Digital Forensics Training Alliance (e-DiFTA) stands as Europe’s premier hands-on training event dedicated to digital forensics, scheduled for February 22–26, 2027 in Prague. Organized through a collaboration between INsig2 LTD, Spyder Forensics, and Winkler Digital Forensic Experties, the event delivers an intensive learning environment tailored to the evolving demands of modern investigations. Participants will have access to eight in-depth courses, each designed to provide practical, real-world expertise across a wide spectrum of digital forensic disciplines.
The program supports both seasoned forensic examiners seeking to refine advanced techniques and professionals who are still developing their investigative skillsets. To ensure a high-quality, focused training experience, each course offers a limited number of seats. Attendance is exclusively intended for law enforcement personnel and private sector investigators, fostering a specialized environment of peer learning, collaboration, and professional exchange.
AI-Powered Digital Forensics
AI Basic (5 days)
This course introduces law enforcement professionals to the dual role of Artificial Intelligence (AI) and Large Language Models (LLMs) as both investigative tools and emerging threats. It gives a comprehensive introduction to the rapidly evolving landscape of AI within modern policing environments. Participants will gain a foundational understanding of how AI works and explore its wide-ranging applications in the field of criminal justice. They will also explore how AI can enhance investigative efficiency, automate analysis, and support decision-making. Simultaneously, the course addresses how criminals exploit AI for scams, deepfakes, and other digital offenses. The course showcases practical AI tools that assist with evidence examination, pattern recognition, predictive policing, and even routine administrative functions, enabling agencies to achieve greater operational efficiency. Legal, ethical, and forensic considerations are built into each section to ensure responsible and lawful application.
Course Objectives:
- Understand the foundations of artificial intelligence, including key concepts such as machine learning, deep learning, and natural language processing, without requiring technical expertise.
- Explore real-world applications of AI in law enforcement, from digital forensics and OSINT to surveillance and administrative workflows.
- Gain hands-on experience with AI tools like ChatGPT, Perplexity, Gemini, Claude, and integrated AI features in existing digital forensics tools through simulated investigative exercises.
- Gain hands-on experience with AI assistants, local LLM systems, and Retrieval-Augmented Generation (RAG) systems designed for analyzing investigative datasets.
- Understand how AI agents can autonomously coordinate tasks, interact with software tools, and assist investigators in complex analytical workflows.
- Understand how AI is exploited for criminal purposes, including its use in scams, deepfakes, misinformation, and other emerging digital offenses.
- Critically assess the risks, failures, and societal impacts of AI misuse within policing contexts.
- Navigate legal and ethical considerations in AI deployment, with a focus on the practical application of the relevant AI compliance requirements.
- Improve operational efficiency using AI-powered automation, low-code/no-code tools, and AI-driven document and report generation.
- Prepare for future trends in AI for law enforcement, including predictive policing, courtroom AI use, and autonomous technologies.
Learning outcomes:
Upon successful completion of this course, participants will be able to:
- Define key AI concepts relevant to modern policing, including distinctions between machine learning models, data types, and AI agents.
- Explain how AI systems learn and make decisions, using real-life analogies and examples accessible to non-technical professionals.
- Identify and evaluate AI tools used in investigations, such as facial recognition, automated crime mapping, and video analysis platforms.
- Use AI tools effectively for tasks like evidence analysis, translation, summarization, OSINT gathering, and workflow automation.
- Apply basic prompting techniques to generate accurate and reliable outputs from LLM-based tools (e.g., ChatGPT, Claude, DeepSeek).
- Recognize the ethical concerns and risks associated with AI in law enforcement, including algorithmic bias, privacy violations, and accountability gaps.
- Build and use simple RAG systems to analyze large investigative datasets such as case files, reports, and digital evidence collections.
- Understand the operation of AI agents capable of autonomous task planning, tool use, and multi-step reasoning in investigative environments.
- Interpret relevant sections of the EU AI Act and apply them to common investigative scenarios (e.g., lawful facial recognition use, surveillance restrictions).
- Assess the legality of AI applications in digital forensics and investigations through scenario-based learning and case study analysis.
- Utilize AI-powered office tools to automate documentation, enhance reporting, and support administrative duties efficiently.
- Collaborate on AI-assisted case resolution, demonstrating how AI can support real-time decision-making and teamwork in simulated investigations.
Prerequisites:
Participants should have experience in conducting investigations related to digital evidence and a good understanding of procedures, tools, and reporting practices. Familiarity with cybercrime cases and comfort using digital technologies is expected. While not mandatory, basic programming or scripting skills are beneficial for engaging with AI automation and workflow tools. No prior AI or mathematical knowledge is required, as all concepts are presented in an accessible, law enforcement-focused format.
Mobile Forensics Deep Dive
Mobile Forensics Intermediate (5 days)
This hands-on intermediate course is designed for practitioners with foundational mobile forensic experience who want to advance their analysis and validation skills on Android and iOS devices.
The course covers advanced OS internals, security models, encryption, and artifact storage across both platforms. Participants work with full file system extractions, backups, and raw datasets to identify, parse, and validate key artifacts, with emphasis on understanding data structures and changes across OS versions.
Analysis is performed using a combination of industry-standard tools and open-source tools such as ALEAPP and iLEAPP and others. A core focus is validating tool output, identifying parsing limitations, and performing manual verification.
Practical exercises include SQLite database analysis, plist and application data parsing, artifact correlation across sources, and recovery of deleted or partially available data. Participants will also explore cloud-related evidence, including iCloud and Google account artifacts and synchronization behaviour.
The course concludes with in-depth examination of modern iOS full file system artifacts, including Health, Screen Time, analytics, usage logs, and secure storage (Keychain), along with reporting and defensibility of findings.
Course Objectives
- Perform and understand advanced Android and iOS extraction techniques conceptually and practically (where legally applicable)
- Explain Android security features (FBE, Project Treble, Verified Boot) and iOS security (Secure Enclave, Lockdown Mode, USB Restricted Mode)
- Work directly with binary dumps, partitions, and file system structures
- Manually parse and validate SQLite databases, WAL, SHM, journal files
- Recover deleted SQLite records and interpret freelist pages
- Decode and analyze plist files (XML and binary)
- Analyse full iOS file system artifacts including:
– Health data
– Location history
– Screen Time
– Communication logs
– Usage analytics
- Analyse Android system logs, account data, and app artifacts
- Conduct structured third-party app analysis
- Understand cloud artifacts and GDPR-based acquisition
- Evaluate damaged devices and hardware recovery feasibility
- Produce defensible, technically validated forensic reports
Prerequisites:
- Completion of Basic Mobile Forensics (or equivalent knowledge)
- Experience working with mobile extractions
- Understanding of Android and iOS file systems
- Basic command line familiarity (ADB, terminal navigation)
- Basic knowledge of SQLite
Mastering RAM and Volatile Data
Advanced RAM Analysis and Forensics (5 days)
During this course, participants will learn how to deal with live computer data and how to analyze it. Differences between regular “dead-box” investigations and investigations on live machines will be explained in detail, with focus on RAM analysis. The main task during this class is to teach the participants different ways of acquiring Random Access Memory (RAM) from a live machine and how to analyze it with various tools. The class will show how much data is actually stored in RAM, how to extract it, and how to use it in everyday digital forensic investigations. In comparison to other RAM-related classes, this class is exclusively designed for digital forensic investigators and shows different ways in which RAM data can aid them in their investigations. The participants will go through live forensics and incident response procedures, imaging RAM, RAM analysis with various tools and approaches, restoring and analyzing various Windows-related artifacts through RAM forensics, advanced topics related to how RAM works in Windows OS environments, password recovery and data decryption, and an in-depth approach to the Volatility framework for RAM analysis. The class is based on extensive hands-on exercises that take the participants through the aforementioned topics.
At the end of the course, the students will undergo a knowledge evaluation based on a real case scenario. After successful completion of the evaluation, participants will receive an official certificate for attending and passing the course.
Course Objectives:
After finishing this course, participants will:
- Be able to examine live machines
- Know what to look for – what is the most important data/information
- Be able to use various tools for examinations
- Be able to analyze collected data
- Know how to image RAM from various systems
- Know how RAM works and how data is stored in RAM
- Know how to extract and analyze data from RAM
- Use various tools for RAM analysis
- Get familiar with the challenges in live data forensics
- Be proficient in working with the Volatility framework
Prerequisites:
To obtain the maximum benefits from this class, participants should have good knowledge of computer forensic investigations and acquisition procedures, be familiar with com
Applied OSINT for Digital Investigators
Open-Source Intelligence (5 days)
This course provides a comprehensive introduction to Open-Source Intelligence (OSINT) and its application in modern investigations and intelligence work. Participants learn the OSINT cycle, legal and ethical considerations, and how to build a secure technical environment for conducting online investigations. The training develops advanced skills in search techniques, web data collection and preservation, people and email investigations, social media analysis, and the use of specialized tools for identifying data breaches and exposed digital resources. It also covers document and metadata analysis, image and video verification, geolocation using maps and satellite imagery, and the growing role of artificial intelligence in OSINT workflows. The course concludes with guidance on safely exploring dark web environments and producing structured, professional investigation reports with well-documented findings and indexed evidence.
Course Objectives:
After finishing this course, participants will be able to:
- Cultivate the right mindset for ethical and effective investigations
- Understand the principles, methodology, and legal considerations of Open-Source Intelligence (OSINT) and its role in investigations
- Set up and maintain a secure technical environment for conducting OSINT investigations
- Apply advanced search techniques and investigative frameworks to locate and analyse publicly available information
- Collect, preserve, and process web-based data while ensuring evidentiary integrity
- Identify and analyse data breaches, exposed systems, and publicly accessible digital resources
- Conduct social media intelligence (SOCMINT) and investigate digital identities, including email analysis and account compromise risks
- Extract and analyse metadata from documents, images, and videos, and apply reverse search and AI-detection techniques
- Use maps, satellite imagery, and geolocation methods to support investigative analysis
- Safely access and investigate information within dark web environments and underground communication platforms
- Produce structured, reproducible OSINT reports with clearly documented methodology and indexed evidence
Prerequisites:
Students should have a basic understanding of open-source intelligence data gathering and be comfortable with different types of online researching.
Advanced Windows 11 Forensic Exploitation (AWFE)
The Advanced Windows® Forensic Exploitation course offers expert-level training over the span of 5 days, tailored for digital examiners already well-versed in the fundamentals of digital forensics. This intensive program delves into advanced forensic techniques using an array of third-party tools, specifically honing in on the latest features of Microsoft’s operating system.
Throughout the course, participants will master the utilization of various applications and utilities crucial for the identification, processing, comprehension, and documentation of the latest Windows® 11 artifacts essential for comprehensive digital investigations. Topics covered include navigating the intricacies of Chromium-based browsers, decrypting BitLocker encryption, analyzing newly introduced Helium-based apps, dissecting obscured application data, leveraging the Windows Subsystem for Linux and Sandbox environments, and scrutinizing other Windows® 11 specific artifacts. Additionally, students will explore methodologies for reviewing data distributed across multiple locations.
This comprehensive curriculum extends beyond surface-level understanding, offering deep insights into Windows 11 virtualized security measures, alongside comprehensive exploration of new Registry file functionalities and transaction logging. Core Windows artifacts will undergo thorough examination and analysis. The course culminates with an extensive exploration of OneDrive offline storage and synchronization processes across authenticated devices, shedding light on critical aspects of data management.
Of particular importance is the emphasis on SQLite forensics, which is pivotal in data analysis. Students will acquire proficiency in scripting and data exploitation, enhancing their investigative capabilities. By the end of the course, participants will have acquired advanced skills and a nuanced understanding of Windows® 11 forensic exploitation, empowering them to tackle complex digital investigations with confidence and precision.
Students will use a variety of open source and leading forensic applications to examine key artifacts through multiple hands-on labs and student exercises.
Windows® Operating Systems Overview
This module introduces students to the key changes and enhancements found in modern Microsoft operating systems, with a primary focus on Windows 11. Students will examine newly introduced features, default security mechanisms, and system behaviors that directly impact incident response and forensic examinations. Through a guided walkthrough of Windows 11 from an end-user perspective, the module highlights updates to Windows Explorer, visual and interface changes, and how these differences affect evidence discovery and system navigation. Special attention is given to first responder considerations, including operating system access methods, shutdown behaviors, and the handling of mounted encrypted volumes such as BitLocker-protected drives and OneDrive Personal Vault data. By the end of the module, students will be better prepared to safely interact with live Windows 11 systems while preserving evidentiary integrity.
Handling BitLocker Encryption
This module provides an in-depth examination of Microsoft BitLocker encryption as implemented on both system partitions and removable media. Students will learn how BitLocker operates at a technical level, including its integration with modern Windows security features and its impact on data accessibility during forensic examinations.
The module guides students through identifying and interpreting BitLocker metadata stored within encrypted volumes, with a dedicated focus on BitLocker To Go and its use on removable storage devices. Recovery mechanisms are reviewed in scenarios where BitLocker protection has failed or access credentials are unavailable. The module concludes with structured workflows for the forensic analysis of BitLocker-protected volumes, emphasizing best practices, decision points, and evidence-handling considerations to support defensible and repeatable analysis.
Windows 11 Sub-system Analysis
This module examines modern Microsoft sub-systems and their role within contemporary Windows operating systems, with a focus on features that introduce additional execution environments and associated forensic artifacts. Students will explore what is new in Microsoft sub-system technologies and how these components extend system functionality while simultaneously increasing investigative complexity.
Specific emphasis is placed on Windows Sandbox and Windows Subsystem for Linux (WSL). Students will examine how Sandbox environments are deployed, used, and destroyed, along with the artifacts they may leave behind on the host system. The module also explores the practical and adversarial uses of Linux sub-systems on Windows operating systems and guides students through the identification and analysis of host-based WSL artifacts, enabling investigators to recognize and interpret sub-system activity during forensic examinations.
Registry Analysis on Windows 11 Systems
This module provides a foundational and investigative-focused overview of the Windows Registry and its significance in forensic examinations. Students will define the structure and purpose of the Windows Registry and examine the many forensic benefits it provides as a centralized repository of system and user activity. The module explores Windows 11 account types and recent updates that affect authentication, authorization, and user profiling. Students will learn how to track removable hardware usage across a Windows® 11 system using Registry-based artifacts and correlate these findings with other system data. The module concludes by examining Registry evidence of user interactions with the operating system, enabling investigators to reconstruct system usage patterns and support timeline-based analysis.
User Activity Analysis
This module focuses on Windows Shell artifacts that record user interaction with files, applications, and search functionality, with an emphasis on changes introduced in Windows 11. Students will review the structure and forensic value of Windows Shell Links (LNK files) and examine the updated Jump List functionality used by modern applications.
The module provides a detailed comparison of Automatic and Custom Jump Lists, including how cloud-based and synchronized files are referenced and tracked within Jump List artifacts. Students will conduct an in-depth analysis of Jump List databases, exploring backend storage formats and techniques for reconstructing timelines of user activity. The module also examines the Windows 11 Search function, including the extraction and interpretation of data from the new SQLite-based search databases. The module concludes with an introduction to Microsoft Copilot interactions and emerging considerations for forensic analysis of AI-assisted user activity.
Handling Helium-Based Immersive Applications
This module examines Helium-based applications introduced in modern Windows operating systems and the forensic artifacts they generate as a result of user interaction. Students will review the function and purpose of Helium-based applications and how they differ architecturally from traditional Windows applications.
The module explores backend folder structures and newly introduced Registry files that store user activity and application state information. Particular attention is given to the new tab functionality and the associated backend binary files used to persist session data. Students will also explore the extensive use of SQLite databases within Helium-based applications, with a focused examination of SQLite tables of forensic interest associated with the Windows Photos app. The module concludes with practical techniques for exploiting stored data using SQLite scripts and complementary analysis methods to support timeline reconstruction and user behavior analysis.
OneDrive Forensic Analysis
This module provides a comprehensive examination of the Microsoft OneDrive solution with a focus on forensic analysis of synchronized and cloud-resident data. Students will begin with an overview of the OneDrive architecture and review the various implementation options available across modern Windows operating systems, including personal, business, and device-based configurations.
The module examines the OneDrive encrypted Vault and the implications it presents during live response and post-acquisition analysis. Students will learn how to process offline files at the file system level and identify artifacts associated with file hydration and availability states. Additional topics include locating and interpreting synchronization log files, reviewing account owner and client configuration settings, and analyzing stored settings files. The module concludes with techniques for exploiting SQLite databases to identify and reconstruct recent file interactions and user activity within OneDrive.
Working with Chromium Based Browser Artifacts
This module focuses on the forensic examination of modern Chromium-based browser applications and associated communication artifacts within Windows operating systems. Students will review the architecture and behavior of Chromium-based browsers and examine how user activity is recorded across multiple backend data stores.
The module guides students through the extraction and analysis of browsing artifacts contained within various SQLite databases and JSON-encoded files, including history, downloads, cookies, and session data. Special attention is given to tab recovery and session restore data files, enabling reconstruction of browser usage following crashes or system shutdowns. The module also introduces LevelDB storage formats and basic analysis techniques commonly encountered in modern browser implementations. The module concludes with a review of Windows Mail artifacts and examination techniques, allowing students to correlate browser activity with email usage and communication timelines.
The course will follow adult learning principles through training aids such as presentations, diagrams, and practical instructor-led examples. Each artifact covered will be presented in either one or two 50-minute sessions followed by review questions. Students will be given the opportunity throughout the course to ask questions and discuss the objectives covered in more detail. Throughout each day students will have practical exercises to work on in order to reinforce the topics.
PREREQUISITES
To get the most out of this class, you should:
- Have 12 months' experience in forensic examinations
- Have attended Spyder Forensics Foundations training or a similar program
- Be familiar with Windows operating systems
CLASS MATERIALS AND SOFTWARE
You will receive a student manual, lab exercises and other class-related material.
Advanced Drone Forensic Analysis (ADFA)
Advanced Drone Forensics Analysis
Course Overview
This 36-hour advanced-level course will equip you with the practical skills and competencies required to identify and extract various sources of data recoverable from Unmanned Aircraft Systems (UAS), also known as drones, including their associated control devices, in line with approved best practices.
Using leading research and development from Spyder Forensics, this course will introduce you to the world of UAVs and explain how a drone flies, followed by best practices in conducting forensically sound extractions and analysis of UAS data for use as evidence or intelligence gathering. Attendees will learn how to collect data from within the aircraft using non-destructive processes, utilizing industry-standard tools to create forensic collections of storage media that include flight logs, aircraft data, photo, and video files without the need to disassemble the aircraft or controller. Students will then learn procedures for the acquisition of application data found on the mobile device.
Once data has been acquired, attendees will master how to analyze the flight logs and user data using software originally designed to work with these types of structures, gaining knowledge on workflows to connect data between the drone application and the flight data recovered from the aircraft.
This course uses non-destructive processes to extract and analyze the data from all hardware in the UAS, including the handheld device, mobile application, and drone. Much of the software used in class can be utilized in your DFIR lab free of charge and without the need to purchase additional applications to conduct a simple drone examination.
Primary Learning Objectives
- Become proficient in the extraction of UAV flight logs, ground-based controller data, and multimedia storage using industry-recognized forensic software.
- Recognize types of data available from drones, their linked devices, and third-party sources.
- Conduct forensic extractions of data from the leading drone devices.
- Analyze extracted data effectively to produce reports fit for use in criminal justice proceedings.
- Use CFID, Disero, and forensic software to extract and analyze UAV data.
Learning Module Outlines
Introduction to UxV Forensics
This module introduces the fundamentals of Uncrewed Vehicle (UxV) forensics with a focus on small Uncrewed Aircraft Systems (sUAS). Students are introduced to common UxV platforms and manufacturers, examining how ecosystem differences across DJI, ArduPilot, PX4, and FPV systems influence data storage, logging behavior, and forensic acquisition strategies.
The module addresses key handling considerations and common obfuscation or anti-forensic techniques encountered in UxV investigations, followed by an overview of core UAV forensic artifacts, including flight logs, telemetry, configuration data, and controller-side records. This module establishes the baseline knowledge required for subsequent hands-on UxV forensic analysis.
Components of sUAS
This module introduces the core components and control architectures of small Uncrewed Aircraft Systems (sUAS), examining how different controller types, including mobile device–based controllers, integrated display systems, bespoke flight controllers, and FPV controllers, impact command execution and forensic data generation across DJI, ArduPilot, PX4, and FPV ecosystems.
Students are introduced to autonomous flight concepts such as Return-to-Home, pre-planned missions, and error or failsafe initiation, with an emphasis on how these features are implemented and recorded within flight logs, telemetry, and controller artifacts. The module provides foundational knowledge for interpreting operator intent, system behaviour, and recorded events during sUAS forensic investigations.
First Responder Responsibilities and Data Acquisition
This module addresses the responsibilities of first responders when encountering small Uncrewed Aircraft Systems (sUAS), focusing on evidence preservation, safe handling, and preparation for transport. Students are introduced to controlled disassembly techniques and best practices to minimize data loss and contamination.
The module provides an overview of data extraction methods from the aircraft, associated mobile or tablet devices, and remote controllers, including the use of vendor and forensic tools such as Disero – CFID. Students are also introduced to advanced acquisition techniques, including FTP-based data extraction and ADB bridging to access exposed communications ports. This module establishes procedural and technical foundations for reliable sUAS evidence collection.
Forensic Analysis and Interpretation of sUAS Data
This module introduces techniques for reviewing sUAS evidence using open-source and commercial
forensic tools, with an emphasis on structured workflows and defensible analysis. Students examine
UAV-resident data, focusing on file system considerations, registered user information, aircraft
identifiers, configuration data, and flight log analysis techniques used to reconstruct operational activity.
The module explores the interpretation of data stored on flash media devices, including examination of media folder structures, EXIF metadata associated with images, and embedded telemetry and metadata inserted into graphics and video files by manufacturers such as DJI. Emphasis is placed on understanding how flight, location, and sensor data are persistently embedded within media artifacts.
The module concludes with analysis of data from portable devices used to control sUAS, covering default Android and iOS application folder structures, synchronized versus local logs, error log analysis, and media file examination for geolocation and temporal context. Students are introduced to workflows for correlating offline artifacts across aircraft, controllers, and mobile devices to support comprehensive forensic reconstruction.
Advanced sUAS Examination and Analysis Workflows
This module introduces advanced workflows for the forensic examination of sUAS data, focusing on the correlation, normalization, and visualization of complex datasets. Students learn techniques for simplifying and graphically representing flight and telemetry data to support timeline construction and investigative interpretation.
The module covers CFID and Disero data analysis, including the review of decrypted flight logs using both vendor and third-party external viewers. Students apply geospatial analysis techniques using tools such as Google Earth to visualize flight paths, events, and environmental context. The module concludes with ecosystem-specific examination approaches for PixHawk and PX4 platforms, as well as Betaflight-based FPV systems, preparing students to analyze diverse sUAS data sources using consistent, defensible workflows.
Reporting and Documentation in UxV Forensics
This module introduces best practices for documenting sUAS and UxV forensic investigations. Students review report structure, content considerations, and professional presentation, with examples of clear and defensible investigative reporting. The module also provides a glossary of key terms to standardize terminology and support consistent communication of technical findings across UAV ecosystems, including DJI, ArduPilot, PX4, and FPV platforms.
- Final Assessment
– Student knowledge assessment.
PREREQUISITES
To get the most out of this class, you should:
- Have at least minimal experience with forensic examinations.
CLASS MATERIALS AND SOFTWARE
You will receive a student manual, lab exercises, and open-source software for UAV analysis.
Students will have the ability to learn how to fly a UAV and collect data from the handset and aircraft.
Advanced Applied Database Forensics (AADF)
Delve into the intricate world of database forensics across multiple platforms with our comprehensive course. Learn to harness various applications and utilities to adeptly identify, process, understand, and exploit diverse database structures.
Advanced Applied Database Forensics
Course Overview
Gain invaluable insights into the functioning of databases, unravelling the intricate storage of records and fields of information essential for supporting front-end applications. Delve deep into SQLite, mastering techniques to recover deleted information from Freeblocks, Free Pages and page unallocated space within primary and journal files using sophisticated scripting techniques.
Explore a myriad of additional databases including SNSS files, LevelDBs, Realm databases and Binary Plists, equipping yourself with a versatile skill set crucial for forensic investigations across various platforms. Throughout the course, students will examine data that can be found on a range of systems including Mac, Windows, Android, and iOS, providing a holistic understanding of database forensics across diverse environments. Hands-on labs and student exercises provide practical application of acquired knowledge, utilizing a blend of open-source and leading forensic applications. By engaging in multiple hands-on activities, participants refine their skills, gaining proficiency in examining key artifacts crucial for successful forensic investigations.
By the end of the course, participants will be equipped with advanced database forensics skills, ready to extract active and deleted data from databases across a wide range of systems with confidence and precision.
What You Will Learn
Database Fundamentals
- Relational vs NoSQL databases
- Discuss relational database concepts
- Learn about relationships between different database tables
- Gain an understanding of database terminology
Introduction to SQLite Databases
- SQLite Overview
- Introduction to SQLite data files
- Discuss different SQLite page types
- Explore the main database file header
Navigating SQLite B-Trees
- Introduction to SQLite B-Trees
- Explore SQLite B-Tree Page Structures
– Define Page Header
– Learn How to Interpret the Cell Pointer Array
– Understand Page Unallocated Space
- Navigating SQLite B-Trees
– Table Interior Page Cell Structures
– Introduction to Decoding Varints
Examining SQLite B-tree Leaf Pages
- Exploring the structure of SQLite B-Tree Table Leaf Pages
– Mapping the Cell Content Area
- Introduction to Decoding Cells
– Explore Freeblocks
- Understand the concept of Secure_Delete
SQLite Overflow pages & Freelist pages
- Learn how overflow pages are used
– Explore page structure
- Learn how to identify freelist pages in a database
– Explore the freelist trunk page structure
– Discuss the importance of Freelist Pages
Examining SQLite Journal Files
- Learn how Rollback Journals Work
- Examining Rollback Journals
– File Structure
– Understanding Page Records
- Learn how write-ahead logging works
- Examining Write-Ahead Logs
– File Structure
– Understanding WAL Frames
- Understand the Forensic Relevance of SQLite Journal Files
SQLite Database Schema and Querying
- Explore SQLite database schema
– Tables
– Indexes
– Triggers
– Views
- Discuss the value of the information found in the schema when writing SQLite queries
- Introduction to the SQLite query language
- Learn how to construct queries to interrogate database tables
– Learn how to extract meaningful data
– Learn how to join tables in a query
– Explore the process for converting datetime stamps
Chromium SNSS Files
- Introduction to Chromium SNSS Files
- Understand the structure of the Session and Tab files
- Extracting records from SNSS Files
LevelDB Analysis
- Deep Dive into LevelDB structures
- Understand how LevelDBs Work
- Extracting Key-Value pairs from LevelDBs
Examining Realm Databases
- Introduction to Realm Database Structure
- Working with Realm Databases
Apple Plist Files
- Introduction to Plist Files
- Review of HTML/JSON Plist Files
- Decoding Binary Plists
- Understand how to recognize obfuscated data inside a Binary Plist
PREREQUISITES
To get the most out of this class, you should:
- Be familiar with the basics of digital forensics examinations and investigations
- Understand basic data structures and methodologies beyond simple tool extractions
- Have attended a Spyder Forensics Intermediate or Advanced level training or similar program in the last 18 months
CLASS MATERIALS AND SOFTWARE
You will receive a student manual, lab exercises and other class-related material.
The course will adhere to adult learning principles, employing training aids such as presentations, diagrams, and practical instructor-led examples. Each covered artifact will be presented in either one or two 50-minute sessions, followed by review questions. Students will have opportunities throughout the course to ask questions and delve into covered objectives in greater detail. Practical exercises will be assigned each day to reinforce the topics.
Host-Based Network Forensics (HBNF)
The Advanced Host Based Network Forensics course offered by Spyder Forensics is an intensive 5-day training program designed for experienced examiners in digital forensics. Geared towards individuals familiar with digital forensic principles, this course aims to expand their expertise in advanced network exploitation forensics using host-based artifacts from systems victimized by attacks, including ransomware incidents.
Host Based Network Forensic Analysis
Course Objectives
Throughout the training, participants will gain unbiased knowledge and essential skills for analyzing artifacts resulting from network intrusion activities, with a strong emphasis on ransomware detection and response. The curriculum involves the use of standard techniques and open-source approaches to delve deeper into data exploration. By understanding how applications function and store data during network intrusions, attendees will acquire the expertise needed to navigate forensic challenges.
The course covers the identification, processing, understanding, and documentation of crucial forensic artifacts related to network intrusion investigations, including ransomware attack lifecycles. Participants will learn to apply various methodologies and utilities effectively. This includes investigating network intrusions through host-based evidence, capturing and analyzing network traffic artifacts on hosts, triaging live systems, and examining memory captures to pinpoint potential malware and threat artifacts linked to network activity. The curriculum also encompasses the analysis of Windows network-related artifacts to uncover additional information relevant to network intrusion investigations, such as persistence mechanisms.
Emphasizing hands-on learning, students will engage in extensive labs and exercises, including ransomware-focused scenarios and a capstone investigation. By the end of the course, attendees will have acquired comprehensive skills and knowledge to conduct advanced host-based network forensic analyses, reconstruct attack timelines, and effectively document findings for real-world applications.
Primary Learning Objectives
- Develop incident response plans and methodologies for investigating network intrusions using host-based network evidence.
- Recognize and analyze ransomware attack patterns and lifecycles within host-based artifacts.
- Construct intrusion timelines by correlating host-based network data and logs.
- Understand network components and concepts that impact host-based forensics, including malicious activity identification.
- Capture and analyze host-based network traffic artifacts to detect data exfiltration and command-and-control activity.
- Reconstruct network sessions and recover ransomware-related files using host-based evidence.
- Capture volatile memory from hosts and identify network and ransomware artifacts through memory analysis.
- Analyze Windows host-based network artifacts, including event logs and registry entries, for ransomware persistence and indicators.
Schedule
Morning Session: 08:00 – 12:00
Coffee Break: 10:00 – 10:30
Afternoon Session: 13:00 – 17:00
Coffee Break: 15:00 – 15:30
Trainers
Marko Milicevic
Anders Persson
NH Prague City
Mozartova 261/1, 15000 Prague, Czech Republic
The training will take place at NH Prague City, a modern venue featuring a spacious conference area suitable for professional events. Conveniently located just a 20-minute walk from the city center, the hotel offers easy access to Prague’s main attractions, making it an ideal setting for both focused training and exploring the city.