Computer Forensics Training
Next scheduled classes in English for mixed
groups of attendees:
Apr 17-20 | Canberra, Australia | X-Ways Forensics |
Apr 30-May 3 | Chicago, IL | X-Ways Forensics |
May 3-4 | Liverpool, England ![]() |
X-Ways Forensics II |
Jun 18-21 | Washington DC area![]() |
X-Ways Forensics |
Jul 2-5 | London, England | X-Ways Forensics |
Jul 9-12 | Vancouver, BC ![]() |
X-Ways Forensics |
More classes in North America, UK, and Asia will be added depending on demand. Classes in German: click here
To be notified of newly scheduled classes in English,
please enter your e-mail address and click OK:
We offer the below courses internationally also as on-site training to law enforcement agencies and corporate customers on request (in English or German, only for reasonably sized groups). If you are interested, please contact us by e-mail and let us know the number of prospective attendees and the address of your facilities. However, demand is currently very high, and we may only be able to accommodate the most important requests (i.e. for the basic 4-day course, for large groups) and in such cases try to provide you with an individual quote. Thank you very much.
List of previous classes and attendees Old list (2005-2009)
X-Ways Forensics, 4 days
This main training course is focused on the systematic and efficient examination of
computer media using our integrated computer forensics software X-Ways
Forensics. After attending this course, you may start
the X-PERT certification
process (though taking the advanced course as well, see below, is
recommended). Complete and systematic coverage of most computer forensics features in
WinHex and X-Ways Forensics.
Hands-on exercises, simulating most aspects of the complete computer
forensics process. Attendees are encouraged to immediately try newly
gained insights as provided by the instructor, with sample image files.
Many topics are explained along with their theoretical background (slack
space, partially initialized space, how hash databases are
internally structured, how deleted partitions are found automatically,
with what methods X-Ways Forensics finds deleted files, etc. etc.). Other topics
are forensically sound disk imaging and cloning, data recovery, search
functions, dynamic filtering, report creation, ... You will receive complete
printed training material for later repetition. Prerequisite: basic
knowledge of computer forensics. The students will learn e.g. how to get the most thorough overview
conceivable of existing and deleted files on computer media, how to scan
for child pornography in the most efficient way, etc. There will be a
practical exam at the end of the course, which you can regard as just
another exercise for yourself or that you can take more seriously and
get scored by the instructor if you like. The exam recapitulates the
most important functions of the software and helps you to gauge your
proficiency. The results will not be recorded by us in any way. Note
that the instructor will present the answers to the test during the
final 20 minutes.
Basic setup of
the software It is the goal to be able to draw sustainable conclusions from the data
and metadata stored on or seemingly deleted from media to answer to
specific problems while documenting the proceedings in a manner
acceptable in court. |
X-Ways Forensics II, 2 days Advanced training course for experienced users and previous attendees of the main course. Topics may include (not all guaranteed because of time constraints, instructor availability or for other reasons):
.e01 evidence file format |
Memory Forensics, 1 day
Essentials of virtual memory management (Intel, AMD; 32 Bit, 64 Bit) |
File Systems Revealed Variable combination of file system courses, with extensive introduction to file system basics (binary data storage concepts, data types, date formats) and for example to the file systems FAT12, FAT16, FAT32 (1/2 day), NTFS (1 day), and Ext2/Ext3/Ext4 (1/2 day). See below for file system courses that are available.
By fully
understanding the on-disk structures of the file system, you are able
to recover data manually in many severe data loss scenarios, where automated recovery software fails,
and to verify
the correct function of computer forensics software and to collect meta information beyond what is reported
automatically, which might yield clues for the given case. In general,
this also leads to a better understanding of the data presented by
forensic software, of how computer forensics software works and of its
limitations. Immediate application of newly gained knowledge by examining data structures on a practical example with WinHex. These exercises will ensure you will remember what you have learned. Explanation of the effects of file deletion and potentials for file recovery. By the end you will be able to navigate almost intuitively on a hard disk and to identify various sources of information with relevance to forensics. You will be enabled to recover data manually in several cases even where automated software fails and to verify the results computer forensics software reports automatically. You will receive a complete documentation of all the filesystems discussed in this course, with all the training material for later repetition. Prerequisite: general computer science knowledge recommended (not just computer knowledge). |
FAT12, FAT16, FAT32, 1/2 day Structure of FAT file systems |
NTFS, 1 day Boot sector |
Ext2/Ext3/Ext4, 1/2 day File system basics |
XFS, short version, 1/2 day (precondition: Ext2/Ext3/Ext4) IRIX heritage vs. current Linux file
system |
ReiserFS, Reiser4, 1 day ReiserFS: Reiser4: |
exFAT, 1/2 day Partition layout |
NTFS+XWFS2, 1 day NTFS: see above |
training trainings course courses class classes
seminar seminars education lecture exercise teaching computer forensic forensics
electronic evidence acquisition data recovery electronic digital examine examination IT
security analysis analyze software tool tools