
# Become Computer Forensics Expert & Start your career!

Udemy course: [<mark style="color:blue;">Become Computer Forensics Expert & Start your career!</mark>](https://www.udemy.com/course/become-computer-forensics-expert-in-7-days/) by EH Academy, approximately 1.5 hours long.

Things you will learn:

* Understand the process for handling a crime scene
* Conduct computer forensic analysis to find evidence
* Maintain the integrity of the data, and use hashing to prove it
* Learn how to acquire disk images and how to analyse them

### Notes

#### Computer Forensics Process

1. Collection - plan the acquisition: identify the sources of data and how each will be acquired
2. Examination - sift through the acquired data and extract the items of interest as evidence
3. Analysis - analyse the extracted data and draw conclusions
4. Reporting - present the findings

* Disk imaging - make an exact, bit-for-bit copy of the storage media and work on the copy, so that the original is protected from alteration.
* Evidence is often hidden: deleted files, unallocated space and metadata are captured only if the whole media is imaged, not just the visible files.
* Destination image types:

(a) Raw (disk dump: a plain bit-for-bit copy with no embedded metadata)

(b) **E01** (EnCase file format)

(c) SMART (metadata is kept in a separate file)

(d) AFF (Advanced Forensic Format: data and metadata are all in one file)

* Create the image and record its hash values. If the hash of the image differs from the hash of the original media, the copy's integrity is not proven and it cannot be relied on as evidence.
* It is important to validate the hash value both before and after copying (source and image) to show that nothing was altered.

**Analyse disk image on Windows:**

1. **FTK Imager** extracts evidence. Its Overview shows a summary of all the files on the disk image, including deleted files.
2. **ProDiscover Basic** analyses a connected disk (e.g. a USB drive) and shows either a content view or a cluster view, depending on preferences.

**Create disk image on Linux:**

* `dd` - the standard command-line block copier
* `dcfldd` - an enhanced fork of `dd` for forensics that hashes the data while it is being copied

Process for creating a disk image on Linux. Two cautions the course does not stress: mount the evidence device read-only (or not at all, since imaging reads the raw device), and write the image and the case notes to the examiner's own disk, never onto the evidence media.

1. Identify the partitions: `sudo fdisk -l`
2. Check the filesystem type and size: `sudo parted -l`
3. Create a mount point on the examiner's system: `sudo mkdir /mnt/example`
4. Mount the evidence drive read-only on that mount point, if you need to browse it: `sudo mount -o ro /dev/sdb /mnt/example`
5. Create a case folder on the examiner's disk (not on the evidence drive): `mkdir -p /root/case`
6. Record the partition layout in the case folder: `sudo fdisk -l > /root/case/fdisk.txt`
7. Create the image and log MD5 and SHA-256 hashes (computed per 1 GB window plus a total, after any conversion) to the case folder; `conv=noerror,sync` keeps reading past unreadable sectors and zero-fills them so offsets stay aligned: `sudo dcfldd if=/dev/sdb hash=md5,sha256 hashwindow=1G md5log=/root/case/md5.txt sha256log=/root/case/sha256.txt hashconv=after conv=noerror,sync of=/root/case/diskimage.dd`
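The acquisition and hash-verification steps above, as an added example that is not part of the course: it uses plain `dd` (available everywhere) and reproduces what `dcfldd`'s `hash=` and `hashwindow=` options give you, a whole-image SHA-256 plus per-window hashes, so that a later mismatch can be localised to a region of the image. It assumes a POSIX shell with `dd`, `awk` and `sha256sum` (or `shasum`), and a case directory on the examiner's disk. The "evidence drive" in `demo` is a constructed 8 KiB file, not a real device; for real media substitute `if=/dev/sdb` and run as root.

```shell
#!/bin/sh
# Added example, not part of the course: acquire an image with plain dd,
# record a whole-image SHA-256 and piecewise window hashes (what dcfldd's
# hash= and hashwindow= options produce), and verify the copy later.
# Assumptions: POSIX sh, dd and awk, sha256sum (or shasum) on PATH, and a
# case directory on the examiner's own disk, never on the evidence media.
# The "evidence" in demo() is a constructed 8 KiB file, not a real device.

# hash_of [FILE] -> SHA-256 hex digest of FILE, or of stdin when no FILE given
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi | awk '{print $1}'
}

# window_hashes FILE WINDOW_BYTES -> one "offset digest" line per window,
# like dcfldd hashwindow=, so a later mismatch can be localised to a region
window_hashes() {
    file=$1; win=$2
    size=$(wc -c <"$file" | tr -d ' ')
    i=0
    while [ $((i * win)) -lt "$size" ]; do
        digest=$(dd if="$file" bs="$win" skip="$i" count=1 2>/dev/null | hash_of)
        printf '%d %s\n' $((i * win)) "$digest"
        i=$((i + 1))
    done
}

# acquire SRC IMAGE CASE_DIR -> 0 only if IMAGE hashes identically to SRC
acquire() {
    src=$1; image=$2; case_dir=$3
    mkdir -p "$case_dir"
    # conv=noerror,sync reads past bad sectors and zero-fills them so offsets
    # stay aligned. sync also pads a short final block, so a practice file
    # must be a multiple of bs (a real device always is) or the hashes differ.
    dd if="$src" of="$image" bs=512 conv=noerror,sync 2>"$case_dir/dd.log"
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$image")
    printf 'source %s\nimage %s\n' "$src_hash" "$img_hash" >"$case_dir/sha256.txt"
    window_hashes "$image" 4096 >"$case_dir/sha256-windows.txt"
    [ "$src_hash" = "$img_hash" ]
}

# verify IMAGE CASE_DIR -> 0 if IMAGE still matches the digest recorded at acquisition
verify() {
    image=$1; case_dir=$2
    recorded=$(awk '$1 == "image" {print $2}' "$case_dir/sha256.txt")
    [ -n "$recorded" ] && [ "$(hash_of "$image")" = "$recorded" ]
}

# first_changed_window IMAGE CASE_DIR -> prints the offset of the first window
# whose digest no longer matches the record (prints nothing if all match)
first_changed_window() {
    image=$1; case_dir=$2
    now=$(mktemp)
    window_hashes "$image" 4096 >"$now"
    awk 'NR == FNR { rec[$1] = $2; next } rec[$1] != $2 { print $1; exit }' \
        "$case_dir/sha256-windows.txt" "$now"
    rm -f "$now"
}

# demo: image a constructed 8 KiB "drive", verify it, then tamper with one
# byte of the copy and show that verification fails and the window is found
demo() {
    work=$(mktemp -d)
    yes evidence | head -c 8192 >"$work/evidence.bin"
    acquire "$work/evidence.bin" "$work/evidence.dd" "$work/case" || return 1
    verify "$work/evidence.dd" "$work/case" || return 1
    printf 'X' | dd of="$work/evidence.dd" bs=1 seek=5000 conv=notrunc 2>/dev/null
    if verify "$work/evidence.dd" "$work/case"; then return 1; fi
    first_changed_window "$work/evidence.dd" "$work/case"   # prints 4096
}

demo
```

The `dd.log` keeps the records-in/records-out counts, which is the first thing to check when the source and image hashes disagree: a short read usually means a bad sector was skipped rather than a tampered image. With `dcfldd` the same per-window record comes out of `hashwindow=`, and its `hashconv=after` matches this script's behaviour of hashing the data as written.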

**Analyse disk image on Linux:**

**Autopsy** analyses the disk image and presents system information, file metadata and file information.

**Examine disk image on Linux:**

**Digital Forensics Framework (DFF)** is built on open-source technologies. It can find hidden data, recover deleted files, analyse files and examine metadata.

First up, with 1.5 hours of learning you can't become a professional, whatever the title says. The content is an overview of the forensic process and an introduction to some commonly used tools. A good stepping stone for exploring forensics in depth!

