Unit 1: Digital Forensics Fundamentals
Forensic science principles (Locard's exchange principle, scientific method), Digital evidence types and characteristics (volatile, non-volatile, latent), Chain of custody requirements, Legal considerations (admissibility, Daubert standard), Incident response lifecycle (NIST, SANS models), Forensic readiness planning, Roles (first responders, investigators, analysts).
Unit 2: Incident Response Processes
Preparation phase (policies, tools, teams), Detection and analysis (indicators of compromise, triage), Containment strategies (short-term, long-term), Eradication and recovery procedures, Post-incident activities (lessons learned, reporting), Incident classification (levels, severity), Communication protocols and stakeholder management.
Unit 3: Disk and File System Forensics
Acquisition methods (dead disk: dd, FTK Imager; live response), Write-blockers and validation (hashing: MD5, SHA-256; MD5 alone is no longer sufficient because collisions are practical, so record a SHA-256 as well), File system analysis (FAT, NTFS, ext4), Timeline reconstruction (MFT, $LogFile, superblocks), File carving (scalpel, foremost), Slack space and unallocated clusters, Metadata extraction (EXIF, MAC times).
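An added example, not part of this course outline, that exercises two Unit 3 topics at once: acquisition validation by hashing and header/footer file carving in the style of foremost and scalpel. The "disk image" is a constructed byte string with two JPEG fragments and one PNG embedded in filler bytes; the offsets, payloads and the 10 MB carve limit are assumptions made for the illustration, and the signature table is deliberately tiny.

```python
"""Added example (not course material): hash validation of an acquired image
and signature-based file carving over a constructed disk image."""
import hashlib

# Constructed sample "disk image". Offsets and payloads are invented; the
# zero/0xff runs stand in for unallocated space between carved objects.
JPEG_SOI = b"\xff\xd8\xff\xe0"      # JFIF start-of-image marker
JPEG_EOI = b"\xff\xd9"              # end-of-image marker
PNG_SIG = b"\x89PNG\r\n\x1a\n"      # PNG file signature
PNG_IEND = b"IEND\xae\x42\x60\x82"  # IEND chunk type followed by its CRC

SAMPLE_IMAGE = (
    b"\x00" * 64
    + JPEG_SOI + b"JFIF-payload-one" + JPEG_EOI
    + b"\x00" * 32
    + PNG_SIG + b"png-payload" + PNG_IEND
    + b"\xff" * 16
    + JPEG_SOI + b"truncated"        # header whose footer never appears
)

# (header, footer) per type, as in a foremost/scalpel configuration line.
SIGNATURES = {
    "jpg": (JPEG_SOI, JPEG_EOI),
    "png": (PNG_SIG, PNG_IEND),
}


def image_hashes(data: bytes) -> dict:
    """Compute MD5 and SHA-256 of the image, as an acquisition tool records
    them; both are kept so a later verification can compare either."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_image(data: bytes, expected_sha256: str) -> bool:
    """Re-hash a working copy and compare to the acquisition-time SHA-256."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


def carve(data: bytes, signatures=SIGNATURES, max_size=10_000_000) -> list:
    """Header/footer carving: for every header hit, look for the matching
    footer within max_size bytes. Returns (type, offset, length, complete)
    tuples sorted by offset. A header with no footer is reported as an
    incomplete object running to end-of-image instead of being dropped."""
    results = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start == -1:
                break
            end = data.find(footer, start + len(header), start + max_size)
            if end == -1:
                results.append((ftype, start, len(data) - start, False))
                pos = start + len(header)
            else:
                end += len(footer)
                results.append((ftype, start, end - start, True))
                pos = end
    return sorted(results, key=lambda r: r[1])


def carved_bytes(data: bytes, rec: tuple) -> bytes:
    """Slice one carved object out of the image."""
    _, offset, length, _ = rec
    return data[offset:offset + length]


if __name__ == "__main__":
    hashes = image_hashes(SAMPLE_IMAGE)
    print("sha256:", hashes["sha256"])
    print("verify:", verify_image(SAMPLE_IMAGE, hashes["sha256"]))
    for rec in carve(SAMPLE_IMAGE):
        print(rec)
```

The incomplete third record is the case a practitioner cares about: real carvers emit such fragments as truncated files, and fragmented or overwritten objects are why carving output always needs manual validation.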
Unit 4: Memory and Application Forensics
Memory acquisition (AVML, DumpIt, LiME), Volatility framework (imageinfo, pslist, psscan, hashdump), Process injection detection (process hollowing, DLL injection), Registry analysis (UserAssist, Amcache, ShimCache), Browser forensics (SQLite artifacts: history, downloads, cache), Email forensics (Outlook PST/OST, MBOX), Anti-forensics techniques (timestomping, overwriting).
Unit 5: Network and Advanced Forensics
Packet capture analysis (Wireshark, tcpdump), Network forensics (IoCs: C2 beacons, anomalies), Log analysis (Windows Event Logs, Sysmon, firewall logs), Cloud forensics (AWS/Azure artifacts), Mobile forensics (Android logical/physical, iOS backups), Malware forensics (static/dynamic analysis), SIEM integration (Splunk, ELK Stack).
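An added example, not part of this course outline, for the Unit 5 network forensics topic of spotting C2 beacons in logs. It reads constructed firewall-style connection records, groups them per (source, destination, port) flow and flags flows whose inter-connection intervals are suspiciously regular, measured as a low coefficient of variation. The log format, the addresses (RFC 5737 test ranges) and the thresholds are assumptions for the illustration.

```python
"""Added example (not course material): beacon detection over constructed
firewall connection logs by inter-arrival regularity."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. 10.0.0.5 -> 203.0.113.7 connects roughly every 60 s
# with a couple of seconds of jitter (the beacon); the 198.51.100.20 traffic
# is irregular and stands in for ordinary user activity.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=412
2024-05-01T10:00:17Z src=10.0.0.5 dst=198.51.100.20 dport=443 bytes=9021
2024-05-01T10:01:01Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=412
2024-05-01T10:01:40Z src=10.0.0.5 dst=198.51.100.20 dport=443 bytes=55120
2024-05-01T10:01:59Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=412
2024-05-01T10:02:03Z src=10.0.0.5 dst=198.51.100.20 dport=443 bytes=1200
2024-05-01T10:03:01Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=412
2024-05-01T10:04:00Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=412
2024-05-01T10:05:02Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=412
2024-05-01T10:09:12Z src=10.0.0.5 dst=198.51.100.20 dport=443 bytes=310
"""


def parse_line(line: str) -> dict:
    """Parse '<ISO timestamp> key=value ...' into a dict with a datetime."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_beacons(log_text: str, min_connections: int = 5,
                   max_cv: float = 0.15) -> list:
    """Flag flows with at least min_connections whose inter-arrival gaps have a
    coefficient of variation (stddev / mean) at or below max_cv."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        flows[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])

    findings = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()  # logs are not guaranteed to arrive in time order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all connections in the same second: not a timer
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"flow": key, "connections": len(times),
                             "mean_interval_s": avg, "cv": cv})
    return findings


if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_LOG):
        print(hit)
```

The caveat a practitioner should keep in mind: implants that add large random jitter (say 50% of the sleep) push the coefficient of variation well above a tight threshold, so a regularity check like this is one signal to combine with others (constant payload sizes, long-lived destinations, rare user agents), not a detector on its own.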