Host Forensics (2020)

From CyberEdWiki

The intent of the Host Forensics Knowledge Unit is to provide students with the ability to apply forensics techniques to investigate and analyze a host in a network.


After completing the KU, students will be able to:

  1. Describe what can/cannot be retrieved from various OSes.
  2. Describe the methodologies used in host forensics.


More than one operating system should be demonstrated.

  1. File Systems and File System Forensics
  2. Hypervisor Analysis
  3. Cryptanalysis
  4. Rainbow Tables
  5. Known File Filters (KFF)
  6. Steganography
  7. File Carving
  8. Live System Investigations
  9. Timeline Analysis
  10. Include samples of hands-on activities

Examples of acceptable operating system specific topics may include:

  1. Registry Analysis, NTFS (Microsoft Windows)
  2. Preference List Analysis, HFS+/APFS (Apple macOS)
  3. System Configuration Analysis, ext2/3/4 (Linux, e.g. /etc)


  • Adaptability
  • Analytical
  • Attention to detail
  • Communication
  • Creativity
  • Methodical
  • Operating systems
  • Organization
  • Presentation
  • Professional writing
  • Windows Registry
  • Work under pressure

NICE Framework Categories

CSEC 2017 Categories

Specialization Areas

See also

Related Knowledge Units

Further reading

Suggested textbooks

  • Carrier, B., 2005. File System Forensic Analysis. Addison-Wesley Professional.

Suggested academic readings

Sample knowledge test

Sample skills test

Sample abilities test

Additional notes or materials

Reference ID