Skip to main content

Host-based Digital Forensics

Enroll Now

About This Course

Digital forensics aims at collecting and analyzing of evidence from digital devices, which helps investigate computer incidents. Digital forensics encompasses many domains of IT systems; this course will focus on forensics of computers.

The course is designed for juniors in cybersecurity to learn basic principles how to identify and collect data from a computer system and perform the subsequent analysis. The course is aimed at two main target audience groups. The system administrator will perceive the importance of proper evidence gathering and learn basic techniques. The junior forensics investigator will obtain fundamentals for analysis of various data available from a common computer nowadays.

The course will start with basic principles important for computer forensics, which will be followed by more detailed description of typical areas that are crucial for forensics. The course will address processing of information from filesystems and introduce basic analysis of MS Windows and Linux systems and relevant memory structures and executables. Forensics of common user and server applications will also be covered.

Meet your instructor

Course Outline

  • Lesson 1 – Essentials of Host-based Forensics
  • Lesson 2 – Filesystems and Volumes
  • Lesson 3 – Operating Systems Forensics
  • Lesson 4 – Executable Analysis
  • Lesson 5 – Application Forensics


  • Common knowledge of principles of operating systems and their architectures (concept of processes, role of memory, files and filesystems, code compilation and execution).
  • More detailed knowledge of a main operating system – one of MS Windows, Linux, Mac OS X (administration, typical applications for server and user machines).
  • Knowledge of programming languages (compiled and interpreted). Ability to write short auxiliary scripts.

Learning outcomes

  • Knowledge of analyzing a disk volume and hosted file systems and recovering removed data.
  • Ability to identify and gather forensics artifacts from a live system (MS Windows, Linux).
  • Awareness of conduct initial analysis of executable files.
  • Ability to investigate artifacts from desktop and server applications.


  • J. Kävrestad, Fundamentals of Digital Forensics: Theory, Methods, and Real-Life Applications, 2nd ed. Cham: Springer International Publishing, 2020.
  • B. Nikkel, Practical Forensic Imaging: Securing Digital Evidence with Linux Tools, 1st ed. San Francisco: No Starch Press, 2016.
  • B. Carrier, File System Forensic Analysis, 1st ed. Boston: Addison-Wesley Professional, 2005.
  • “Forensic”, in EGIWiki, 2017,


    Q: I have an issue with registration/logging in. Who can I contact?
    A: In this case, please contact our edX administrator —
    Q: Do I need some sort of special equipment for passing the course?
    A: No. You don't need any special equipment. You will just basically need a PC or a notebook with an internet connection for studying our course.
    Q: What's the difference between your course and other online courses that seem the same?
    A: Besides the course's theoretical background (during its self-study part), it is primarily focused on practical tasks with hands-on exercises, final an assignment, and one day workshop.
    Q: I have some experience in the field that your course covers. I just need to study topics I am not experienced with. Can I just skip those parts of the course I already know?
    A: The whole self-study part of the course is focused on your own learning process. It means you can study as fast or as slow as you can at the moment. It also includes the content itself — our course allows you to learn just those important parts. But it is crucial to accomplish all mandatory tasks to finish our course.
    Q: What are the conditions for successful completion of the course?
    A: You need to accomplish the course's final assignment and be present at the workshop (which will be followed after the self-study part of the course). The final assignment consists of two parts. They are connected to the workshop, so they are a crucial element of this course.
    Q: What if I find out that the course is not useful for me?
    A: Of course, this can happen. In the first place, we recommend you contact the course administrator to help you anyhow. Even after that, if you still feel that our course does not suit you, just stop studying and let us know.

Sub-project TN01000077/8 CSIRT BootCamp implemented within the project TN01000077 The National Center of Competence for Cybersecurity is solved with the financial support of TA ČR.