Certified Digital Forensics Examiner – C)DFE

The Certified Digital Forensics Examiner (C)DFE course is designed to equip professionals with the expertise to investigate cybercrimes, analyze digital evidence, and apply forensic methodologies to recover and examine data from various digital devices. This course provides hands-on training in forensic analysis tools, cyber incident investigations, and legal considerations for handling digital evidence.

Mile2’s Certified Digital Forensics Examiner training participants will gain in-depth knowledge of data recovery, evidence handling, forensic reporting, and courtroom procedures, making them well-prepared for careers in law enforcement, corporate investigations, and cybersecurity incident response.

Learning Outcomes

By the end of this course, participants will be able to:
✅ Understand the principles of digital forensics and cyber investigations
✅ Analyze and extract data from hard drives, mobile devices, and network logs
✅ Utilize forensic tools and methodologies to recover deleted or encrypted files
✅ Investigate cybercrimes, including hacking, fraud, and insider threats
✅ Maintain chain of custody and legal compliance in evidence handling
✅ Generate detailed forensic reports for use in legal proceedings
✅ Apply best practices in forensic data preservation and analysis

DETAILED OUTLINE

Module 1 – Computer Forensics Incidents   

• Origins of digital forensic science
• Differences between criminal and civil incidents
• Types of computer fraud incidents
• Internal and external threats
• Investigative challenges
• Industry Standards

Module 2 – Computer Forensic Investigative Theory   

• Investigative Theory
• Investigative Concepts
• Behavioral evidence analysis (BEA) & Equivocal Forensic Analysis (EFA)

Module 3 – Computer Forensic Investigative Process   

• Investigative Prerequisites
• Scene Management
• The digital forensics process
• ISO 27043

Module 4 – Digital Acquisition and Analysis Tools  

• Acquisition Procedures
• Computer forensics field triage process model (CFFTPM)
• Acquisition Authentication
• Forensic Tools

Module 5 – Disks and Storages   

• Disk OS and Filesystems
• Spinning Disks Forensics
• SSD Forensics
• Files Management
• Handling Damaged Drives

Module 6 – Live Acquisitions  

• Live Acquisition
• Apple Acquisition
• Linux/UNIX Acquisition

Module 7 – Windows Forensics

• Windows Event Viewer Overview
• EVTX and EVT Logs
• Logs Analysis to Identify Breaches and Attacks

Module 8 – Linux Forensics  

• Linux Artifacts
  • File System Structure
  • Basic Identifiers
  • Common Log Files

Module 9 – MAC Forensics

• OSX Artifacts
  • File System Structure
  • Core Storage
  • Default Apps
  • Other Artifacts

Module 10 – Forensic Examination Protocols 

• Science Applied to Forensics
• Cardinal Rules
• Alpha 5
• The 20 Basic Steps of Forensics
• Scientific Working Group on Digital Evidence (SWGDE) Standard
• Digital Evidence Categories
• Evidence Admissibility
• International Organization on Computer Evidence (IOCE) Standard

Module 11 – Digital Evidence Protocols 

• Digital Evidence Categories
• Evidence Admissibility

Module 12 – Digital Evidence Presentation   

• The Best Evidence Rule
• Hearsay
• Authenticity and Alteration

Module 13 – Computer Forensic Laboratory Protocols

• Forensics Lab Standard Operating Procedures
  • Quality Assurance
  • Quality Control
  • Peer Review
  • Annual Review
  • Deviations
  • Lab Intake

Module 14 – Specialized Artifact Recovery 

• Forensics Workstation Prep
• Windows Components with Investigative Interest
• Files Containing Historical Information
• Web Forensics

Module 15 – Advanced Search Strings and File Signatures

• Search Strings
• RegEx
• File Signatures

Module 16 – eDiscovery and ESI  

• Electronically Stored Information Rules
  • Legal System
  • Disclosure
  • Rule 37
  • eDiscovery Tools

Module 17 – Mobile Forensics 

• Cellular Network
• Forensic Process
• Tools
• Paraben Forensics

Module 18 – Incident Handling

• What is an Incident?
• Incident Handling Steps
  • Preparation
  • Identification and Initial Response
  • Containment
  • Eradication
  • Recovery
  • Follow-up

Module 19 – Digital Forensics Reporting  

• Report Sections and Content

LAB’s

• Lab 1 – Chain of Custody
• Lab 2 – Identify Seized Evidences
• Lab 3 – Devices Acquisition
• Lab 4 – Memory Acquisition
• Lab 5 – Prepare the Case Evidence
• Lab 6 – Investigate the Acquired Evidence
• Lab 7 – Prepare the Case Evidence
• Lab 8 – Windows Event Logs Analysis
• Lab 9 – Linux Primary Info Retrieval
• Lab 10 – Investigate OSX Evidence
• Lab 11 – Finding Clues
• Lab 12 – Construct the Case Events
• Lab 13 -Evidence found from a Seized Android Device
• Lab 14 – Incident Response