Forensic File System Artifacts Learning Path

This course will teach how to properly collect, analyze and interpret data from file system artifacts at the file and disk level.

8 hours, 8 minutes

Quick facts

About this learning path

  • courses

    100% online

  • Duration

    8 hours, 8 minutes

  • Assessment


About Forensic File System Artifacts

Learn to collect and analyze artifacts in system memory and on disk. As you proceed, you'll cover many common Windows OS artifacts showing evidence of program execution and file access. We will demonstrate dealing with file compression and recovering file metadata and EXIF data. The student will take a deep dive into examining evidence left behind by browsers, including specific detailed examination of popular browsers such as Chrome, Firefox and Edge.



Forensic File Systems Artifacts Skill Assessment

Assessment - 60 questions

Analyzing volatile data

Course - 01:05:00

A forensic examiner only has one shot at collecting volatile data. This course covers volatile data, the structure of this data, why it's essential and the tools that are needed to obtain it. This course also covers how to examine the data and what an examiner should expect to find.

Windows forensic artifacts

Course - 02:27:00

This course covers the modern Windows operating system and the location of forensic artifacts within the OS, such as artifacts showing program execution and installation, user interaction with a file, network connections and internet artifacts.

Metadata, EXIF data and file compression

Course - 00:42:00

This course explains what EXIF and file metadata are and how to locate them. The student uses a specialized tool to extract the EXIF data, then reviews and interprets it. This course also explores the importance of metadata to a case and how to interpret the metadata accurately.

Browser forensics

Course - 01:31:00

Explore what a browser is and how it functions. Looking at the most popular browsers, the student examiner learns what information they store and where to find artifacts within them.

Email artifacts

Course - 00:41:00

This course explores the different types of email protocols, such as POP, IMAP and SMTP. The forensic examiner student learns to interpret email headers, locate the message ID and discover the source and destination. An explanation of spoofing is included.

File carving, and carving data from unallocated space

Course - 01:32:00

This course defines what unallocated space is. The student examiner learns how to carve data from unallocated space and explores the importance of file headers when doing so.

Meet the author

Denise Duffy

In addition to being an Infosec instructor, Denise Duffy teaches computer forensics worldwide to European law enforcement through the European Anti-Fraud Office. During her 25-year career at the Middletown Police Department, Denise underwent extensive training in specialized computer and mobile device forensics, including widespread access data courses, multiple IACIS trainings, U.S. Secret Service Training at the National Computer Forensics Institute, BlackBag Technologies Training, many National White Collar Crime (NW3C) courses, an X-Ways online course and considerable Internet Crimes Against Children Training (ICAC) courses.

Denise currently holds the following certifications: CFCE (Certified Forensic Computer Examiner), CCFE (Certified Computer Forensics Examiner), CMFE (Certified Mobile Forensics Examiner) and CEH (Certified Ethical Hacker). She is most proud of her two sons who joined the U.S. Military, as Denise is a Desert Shield/Desert Storm veteran herself.

The details

Learning path insights

How to claim CPEs

Should you complete this learning path, you’ll be able to download a certificate of completion. Use this to claim your CPEs or CPUs.

No software. No set up. Unlimited access.

Skip the server racks and spin up a realistic environment with one click. Infosec Skills cyber ranges require no additional software, hardware or server space so your team can spend less time configuring environments and more time learning. Unlimited cyber range access is included in every Infosec Skills subscription so your team can skill up however they learn best.

Unlock 7 days of free training

  • 1,400+ hands-on courses and labs
  • Certification practice exams
  • Skill assessments

Plans & pricing

Infosec Skills Personal

$299 / year

  • 190+ role-guided learning paths (e.g., Ethical Hacking, Threat Hunting)
  • 100s of hands-on labs in cloud-hosted cyber ranges
  • Custom certification practice exams (e.g., CISSP, Security+)
  • Skill assessments
  • Infosec peer community support

Infosec Skills Teams

$799 per license / year

  • Team administration and reporting
  • Dedicated client success manager
  • Single sign-on (SSO)
    Easily authenticate and manage your learners by connecting to any identity provider that supports the SAML 2.0 standard.
  • Integrations via API
    Retrieve training performance and engagement metrics and integrate learner data into your existing LMS or HRS.
  • 190+ role-guided learning paths and assessments (e.g., Incident Response)
  • 100s of hands-on labs in cloud-hosted cyber ranges
  • Create and assign custom learning paths
  • Custom certification practice exams (e.g., CISSP, CISA)
  • Optional upgrade: Guarantee team certification with live boot camps

Learn about scholarships and financing with Affirm.