Digital Forensics

Free Digital Forensics Training

In this category, “Beginner” assumes that you have a general understanding of the four core categories listed on the home page.

Note: If you’re looking for Network Forensics, the majority of it is in the Incident Response section.

Name & Direct Link | Platform | For Beginners | Hands-On Component | Proof of Completion | Topics
Digital Forensics Basics | TEEX | Yes | Evidentiary Reporting, Computer Technologies, Digital Evidence Collection
Digital Forensics | OpenLearn | Yes | Yes - Statement of Participation | Digital Forensics Process, History, Types of Digital Forensics
Computer Forensics | edX | Must complete the edX Cybersecurity Fundamentals course first. | Costs Extra | Anti-Forensics, Unix/Linux, Windows Memory Forensics, Windows File System, Forensics Tools, Artifacts, Acquisition, Analysis
Introduction to Windows Forensics | YouTube - 13Cubed | SRUM, Timestamps, NTFS, LNK File, Jump Lists, Plaso, Shellbags, Recycle Bin Forensics, RDP Cache, Event Logs, CyberChef, Image Creation, KAPE, Volume Shadow Copies, EvtxECmd, Arsenal Image Mounter, Kansa, SIFT
Introduction to Memory Forensics | YouTube - 13Cubed | Memory Analysis, Redline, Volatility, Persistence, Prefetch, Baselines, Windows Processes
Linux Forensics Intro | Internet Archive - Hal Pomeranz | Yes | Memory Forensics, Tools, Volatility, Rootkits, IOCs, Disk Acquisition, File System, Disk Mounting, Artifacts, Disk Triage, Timeline Analysis, Logs, Syslog
Digital Forensics | Hackers Arise | Yes - These are written tutorials that can be followed. | Creating a Forensically Sound Image, Live Memory Acquisition and Analysis, Recovering Deleted Files, Registry Analysis, Pre-Fetch Files, Browser Forensics, Sysinternals, Extracting EXIF information, Android Forensics, Network Forensics
KAPE Guide | AboutDFIR | Yes | How to Use KAPE, Examining KAPE Output, KAPE Related Videos and Blog Posts
Registry Explorer/RECmd Guide | AboutDFIR | Yes | Registry Explorer GUI, Command Line, How to use rla.exe, Examining RECmd Output, Registry Related CTFs, Videos and Blog Posts
Timeline Explorer Guide | AboutDFIR | Yes | Why Use Timeline Explorer, Updating EZ Tools, Timeline Explorer Related Blog Posts/Videos
Free Course Content from eForensics Magazine | eForensics Magazine | Android Forensics, File System Tunneling, EXT4 Layout, CyberChef Tutorial, Android Boot Process, FTK Imager Intro, Windows Registry Extraction with FTK Imager
Email Header Analysis and Forensics Investigation | YouTube - 13Cubed | Email Header Analysis, DMARC, SPF, DKIM
Email Forensics Workshop | Metaspike | Message Headers, DKIM, ARC, MIME, Server Metadata, Forensic Preservation Strategies
IoT Digital Forensics Course | GitHub - RJC497 | Yes | IoT Forensics, Fitbit, Echo, Smartwatch
Digital Forensics Training Materials (Slides & Command Line Cheat Sheet) | circl.lu | Post-mortem Digital Forensics, File System Forensics and Data Recovery, Windows Memory and File Forensics
Cyber Forensics Workshop | YouTube - Ryan Chapman | Yes | Yes | Network Forensics, OSI Model, Encoding Schemes, File Signatures, Tools, Wireshark, Hex, ASCII, PCAP Analysis, Hashing, Covert Channels
Cellebrite Reader Online On Demand | Cellebrite | Yes | Yes | Cellebrite Reader, .UFDR reports
Cloud Forensics Course (scroll to the bottom of the page) | HTCIA | Cloud Forensics, Magnet Axiom
Free Paraben Training Videos | Paraben Corporation | E3 Platform, Windows 10 Artifacts, Chip Dumps, Google Takeout Evidence, Importing Cellebrite Data, Processing WhatsApp Data, Data Triage, Email Deduplication, Office365 Acquisition, FitBit Data, Android Root Engine
Introduction to Digital Forensics | YouTube - DFIR.Science | Yes | Digital Forensics, Cybercrime, Windows, Linux, Investigation Methods, Documentation and Reporting, Scientific Method, Data Storage, Acquisition, Photorec, tsk_recover, The Sleuth Kit, Autopsy, hfind, Malware, Memory Acquisition and Analysis, FTK Imager, Volatility, Mobile Device Acquisition, Network Analysis
DFIR.Science YouTube Channel | YouTube - DFIR.Science | Digital Forensics, SleuthKit, hfind, Tsurugi Linux, SDELETE, FTK Imager, File Mounting, Forensic Acquisition in Linux, DD, Volatility, LiME, Research, Scientific Method, Android Acquisition
Linux LEO | Linux LEO | Yes | Yes - This is a detailed written guide with links to the Supplemental Files on the website. Go to "The Beginner's Guide" under Documents for the text. | Linux Commands, Linux Boot Sequence, Linux Network Basics, Configuring a Forensic Workstation, Evidence Acquisition, Write Blocking, Tools, Mounting Images, Sleuth Kit, Network Investigation Tools
Linux Forensics Workshop | GitHub - ashemery | Yes | Linux Forensics
XRY Reader to XAMN Viewer Transition | MSAB | XAMN Viewer capabilities that were not available in XRY Reader. XAMN Viewer is a free tool.
13Cubed's YouTube Channel | YouTube - 13Cubed | Plaso, WSL 2, Cyber Triage, Log2Timeline, Windows Terminal, EventFinder2, Redline, macOS Forensics, iLEAPP, iOS Forensics
Trainings for Cybersecurity Specialists - Digital Forensics | ENISA | Yes | This site contains handbooks with lab exercises, VMs, and Toolsets related to Digital Forensics.
macOS Forensics | YouTube - AccessData | macOS Forensics, structure, artifacts, Plist
MFT Explorer/MFTECmd Guide | AboutDFIR | Yes | MFT Explorer, MFTECmd
NW3C Live Online Training | NW3C | The training is intended for current US Criminal Justice Practitioners. An agency-issued email is needed. | Yes | Yes | macOS Forensics, iOS and Android Forensics, Cyber Investigations, Cellular Records Analysis, Digital Footprints, Dark Web & OSINT, Seizure, Windows Acquisition, Windows Forensics, Advertising Identifiers, Virtual Currency, Automated Forensic Tools, SQLite,