SURVIVING DIGITAL FORENSICS – THE SERIES

High quality content & a solid training value

The Surviving Digital Forensics Series is online, on-demand topic specific training focused on building computer forensic skills using low cost and no cost tools.  The series is designed to allow students to pick and choose the topics they would like to learn more about – it is truly training “a la carte.”  When you purchase a class you have access to it forever – no time limits.  Check it out, you will be amazed how affordable quality training can be.  Remember, this is an on-going project and new classes are added regularly. 

Open Enrollment

FREE enrollment is offered for a limited time with the launch of each new SDF class. To get notified of upcoming open enrollment offers sign up for the Newsletter or follow us on Twitter.

LINK File Analysis

Windows LINK files are a great source of information when your aim is proving file use and knowledge during a computer forensic investigation. This course goes beyond automated results and digs into the body of a LINK file in order to understand how it is constructed and how to manually pull out and interpret the data. Through a series of hands-on validation exercises and practical exercises you will gain a firm understanding of how LINK file data is affected by different types of user driven behavior. Using all freely available tools, this course takes you through the process of understanding what automated tools do under the hood – all in about an hour.

Understand LINK file evidence on Windows computer systems

RAM Extraction Fundamentals

Conducting a RAM extraction as part of the computer evidence collection process is a front line examiner skill which is becoming more and more in demand. A system’s live memory contains an assortment of valuable forensic data. A computer analyst trained in memory forensics can dig out evidence of hidden malware processes, user activity and encryption keys or password hashes that may be critical to accessing protected data.

This class provides you with the foundation knowledge to help you make better decisions about why or why not to capture live memory. It also gives you hands on experience using a number of freely available RAM capture tools and covers the advanced topic of using Inception.

Learn how to apply RAM extraction basics and get hands on experience using RAM capture tools

Resolving Attached USBs

Have you ever been asked to find out what the “F” drive is? Have you ever needed to prove a USB drive was attached to a target system? Collecting and presenting this information is a core skill all computer forensic analysts need to know. If you have ever struggled with this then this class is for you. This course breaks down the process of collecting and interpreting the data necessary to make the connection between USB device and Windows systems.

Using all freely available tools, this course walks you through the process of identifying USB devices that have been attached to a system and shows you how to determine the times they were attached, what the volume names are, what the assigned drive letters were and which user mounted the USB volumes – all of this in about an hour.

Learn to Link USB activity to Windows computer systems

Windows Shellbags

Examine how to use Windows Shellbag records to help prove file use and knowledge. Shellbag records are created by certain user activity and can be used to show where a user has navigated to on a computer system and when they did so. Very powerful evidence!

As with previous SDF classes you will learn by doing. The class begins with a brief overview of the issue at hand. Then we set up our forensic systems and off we go. Learning is hands on and we will use low cost and no cost computer forensic tools to do so.

Expert and novice computer forensic examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply using our method or customize to meet your needs. You will learn how you can use freely available forensic tools, all GUI based, to extract and analyze Windows Shellbag evidence.

Computer forensic evidence to help prove file use & knowledge

Volume Shadow Copy

Time travel anyone? Well, sort of… By creating computer forensic images from volume shadow copies you are able to capture the system at different points in time, going back days, weeks, months or even years. Drop these images into your favorite computer forensic tool and suddenly you're pulling up previous versions of documents and deleted files and folders. I have used this technique to overcome the effects of computer “wiping” and “cleaning” utilities. This class teaches you how to identify and create these images in a few quick steps, with no high cost computer forensic tools needed. In fact, you will be amazed how easy it is to do. If you are a computer forensic analyst then this is one of the top skills you need to have.

Learn how to tap into this amazing source of historical user information. It's easier than you think!

Windows Prefetch

This class is focused on helping you become a better computer forensic examiner by understanding how to use Windows Prefetch data to prove file use and knowledge – all in about one hour. The class covers prefetch files from Windows XP through Windows 10.

As with previous SDF classes you will learn by doing. The class begins with an overview of the Windows Prefetch and an understanding of how it works. Then we will get into a number of validation exercises to see how user activity really affects Windows Prefetch data. Learning is hands on and we will use low cost and no cost computer forensic tools to do so.

Expert and novice computer forensic examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply using our method or with any forensic tool you choose. Therefore you are not just going to learn about the Windows Prefetch but you will learn a method you can use to answer questions that may come up in the future.

Computer forensic skills to prove file use and knowledge

Imaging Mac Fusion Drives

Learn how to image a Mac using only a Mac and freely available software. This will give you not only an additional imaging option but also provide you a solution for imaging Mac Fusion drives.

As with previous SDF classes you will learn by doing. The class begins with a brief overview of the issue at hand. Then we set up our forensic systems and off we go. Learning is hands on and we will use low cost and no cost computer forensic tools to do so.

Expert and novice computer forensic examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply using our method or customize to meet your needs. We cover basic imaging as well as some additional options you may need such as, splitting an image, using different hash algorithms, imaging partitions and more.

Mac on Mac Imaging using all free tools!

Windows Explorer

Oftentimes you will be asked to find information on a target system that shows if a user accessed certain files, the last time they did and/or how often they did. Being able to put a picture together that answers these questions can be critical and make or break the case. In this course you will learn one method that can be used to answer these questions. Of course we will be using all low cost or no cost computer forensic tools. The course is focused on just what you need and you will be up and running in about an hour.

As with previous SDF classes you will learn by doing. The class begins with a brief overview of the method we will be using and then it is all hands on. There are three practicals in which you work with our prepared files in applying the technique as well as questions to answer about each scenario.

Prove file use & knowledge with evidence from Windows Explorer

Understanding OS X Timestamps

This class is focused on helping you get a better understanding of OS X Time Stamps and to become a better Mac examiner. As with previous SDF classes you will learn by doing. The class begins with a brief overview of OS X time – as Apple sees it – then we will get into a number of validation exercises to see how user activity really affects Apple time stamps. Learning is hands on and we will use applications already installed on your Mac to do so.

Expert and novice Mac examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply to all versions of OS X. Therefore you are not just going to learn about OS X timestamps but learn a method you can use to answer many date and time questions that may come up in the future.

Build core computer forensic skills and learn how to interpret & validate Mac OS X dates & times

Paladin Virtual Machine

This class will teach you how to create a forensic virtual machine using Paladin and other free software in under one hour. Paladin is a pre-made computer forensic platform loaded with Linux-based forensic tools, so why not have it at the ready as a virtual machine for when you need it? You can create it in a few easy steps and once you get the hang of it you may create other virtual machines using many of the common forensic boot discs that are available.

The class begins with a brief background on VirtualBox and Paladin to give you a basic understanding of not only where to find and download the software, but the benefit of both programs. In particular, Paladin is filled with many forensic tools and getting an overview of what Paladin has to offer lets you more fully appreciate it as a computer forensic platform. Understanding VirtualBox will allow you to use this tool beyond the scope of this lesson. It will also reduce the learning curve in getting your virtual machines set up and running smoothly. After this it is all hands-on. Videos will walk you through setting up VirtualBox and linking it to the Paladin .ISO.

Create a computer forensic virtual machine using Paladin

iOS App Forensics – Chat

If you deal with iPhone evidence then this class is for you. We are going to focus on learning how to deconstruct iOS third party applications. The concept is important to learn because, oftentimes, automated tools will miss this type of evidence or not parse it properly. We first spend some time learning how the evidence is organized and the tools (free or low cost of course!) to use to do it. Once we have become familiar with this we will learn how to break out chat from third party apps and manually connect the dots, convert machine times, and translate the database so it all makes sense and can be used as evidence. This is not that difficult to do, heck this class is about two hours, so you will be up and deconstructing in no time. Speaking of time, we will also have a special focus on learning how to bulk convert those pesky machine time values using nothing but Excel. So, the next time you pull 100+ chat messages from a third party app database you can quickly bulk translate them into UTC or your local time zone.

Learn to deconstruct iOS apps for forensic evidence
Surviving Digital Forensics – Windows Shellbags: “The lessons are succinct and informative. I appreciate his approach of showing you what you need to know in order to teach yourself. A lot of videos I’ve seen on advanced topics take time to show you how to browse to a web page, download a tool, and install it. That drives me insane. If I’m learning the advanced topic then I already know how to use a computer! I enjoyed these tutorials.”
Beau Galbraith
Surviving Digital Forensics – Windows Shellbags: “Awesome course. This course came at the perfect time as I was doing an exam that involved shellbags. The instructor did a great job and was clear and concise. I love the idea of these pre-recorded classes; that way I can take a break when I need to. Great info and very affordable. Thanks Sumuri.”
Larry Smith
Surviving Digital Forensics – Windows Explorer: “This is a great series focusing on specific digital forensic artifacts in detail. Nicely done.”
Chris C.
Surviving Digital Forensics – Windows Prefetch: “Excellent. Brief, concise, not watered down. This is an excellent online course, which has furthered my understanding of windows prefetch. The course was engaging, providing me with the essentials and enough knowledge to continue to research and validate on my own! I am definitely going to take other Sumuri classes.”
Eugene Filipowicz, Computer Forensics Investigator
Surviving Digital Forensics – Memory Analysis 2: “Excellent. If you would like to learn more about Memory Analysis then you will not be disappointed. Easy to follow and Michael does a fantastic job reviewing the material.”
Greg Masi
Surviving Digital Forensics – Memory Analysis 2: “Nice second step course. Nice flow and progression! Very well done.”
James Cadden
Surviving Digital Forensics – Memory Analysis 2: “Excellent Memory Triage Primer. Great primer/refresher for using Volatility to find suspicious processes in memory dumps. Michael does an excellent job in breaking down the process into “bite-sized” chunks, and methodically explaining the use of some of the primary modules used to find malware in memory. Recommended for newer examiners, or for a quick “refresh” if you haven’t done these exams in a while.”
Shawn K. Dorsey
Surviving Digital Forensics – Memory Analysis 1: “Good Intro Memory Forensics. This class provides a good first step into memory forensics. By itemizing processes found in memory and their characteristics and rules, the class establishes a clear methodology for conducting the initial steps in a memory analysis.”
Daniel Arrugueta
Surviving Digital Forensics – Memory Analysis 1: “Informative. This is a short informative course that will introduce you to the basic processes in RAM. I recommend this course to anyone who wants to get started in analyzing RAM.”
Anders Bäckström
Surviving Digital Forensics – Understanding OS X Timestamps: “Very informative course. I came in with very limited knowledge of OSX and this course provided a great foundation to build off of. The material is straight-forward and explained in a clear way that is easy to follow along with.”
Ryan Jones