top of page

Content Details of the BCFE
Basic Computer Forensic Examiner
Budapest (Hungary) 2025
6-17 October

logo iacis

​

List of Topics scheduled for the IACIS BCFE Class

(May be subject to changes or updates for each new session)

 

  • BIOS, Boot Sequence and Boot Environments

  • Numbering Systems

  • Introduction to Hex Editor

  • Disk Structures

  • FAT File System

  • NTFS File System

  • Ex-FAT

  • Case Documentation

  • First Responder

  • Hashing & Hash Sets

  • Intro to Forensic Analysis & Scenario

  • Forensic Search Methodologies

  • RAM Capture & Analysis

  • Validation, Acquisition, Control & Practical Exercises

  • Forensic Acquisition Practical Exercise

  • SQL Databases

  • File Metadata

  • Compound Files

  • Windows Registry

  • Windows Artifacts

  • File Header & Carving

  • Internet Artifacts (Browsers)

  • ​Encryption

  • ​P2P/Cloud

  • Intro to Timeline Analysis

  • Digital Soup

  • Lab Management Overview

  • Mac Triage

  • Special Class overview, Ethics/Certification, eServices

​

Link to the IACIS CFCE certification webpage
https://www.iacis.com/certification/cfce/​

​

​​

​

 

Basic Computer Forensic Examiner/Certified Forensic Computer Examiner

Core Competencies

​​​

IACIS Basic Computer Forensic Examiner (BCFE) and Certified Forensic Computer Examiner (CFCE) Programs

 

The BCFE/CFCE core competencies described in this document are a binding set of competencies that guide the training and certification programs to ensure that the skills and knowledge points are delivered within the training program are also the same set of standards evaluated within the certification program.

​

The core competencies have been identified through a job analysis process which identified the tasks and skillset for successful performance as a computer forensic examiner.

 

IACIS Basic Computer Forensic Examiner (BCFE)/Certified Forensic Computer Examiner (CFCE) Core Competencies

There are seven competency areas addressed in the BCFE/CFCE Program:

 

I.  Pre-Examination Procedures

II. Computer Fundamentals

III. Partition Schemes

IV. File Systems

V.  Data Recovery

VI. Windows Artifacts

VII. Presentation of Findings

 

I.  Pre-Examination Procedures

  • Knowledge of rules of evidence and the IACIS Code of Ethics and Professional Conduct as applicable to computer forensics.

  • Knowledge of proper computer search and seizure methodologies to include photographic and documentation procedures.

  • Ability to explain on-scene actions taken for the preservation of physical and volatile digital evidence, including the proper handling of mobile phones.

  • Ability to establish, maintain and document a forensically sound examination environment.

 

II. Computer Fundamentals

  • Recognize and understand the evidential potential of various computer hardware and small-scale devices.

  • Understand the BIOS, UEFI and Boot sequence.

  • Understand binary, decimal and hexadecimal numbering systems include bits, bytes and nibbles.

  • Knowledge of sectors, clusters, volumes and file slack.

  • Understand the difference between logical and physical drives.

  • Understand the difference between logical and physical files.

  • Knowledge of what happens when media is formatted.

 

III. Partition Schemes

  • Ability to identify current partition schemes.

  • Knowledge of individual structures and system areas used by different partition schemes.

  • Understand that partition schemes can be used with different file systems and operating systems.

  • Understand the difference between a primary and extended partition.

  • Define Globally Unique Identifier (GUID) and explain its application.

 

IV. File Systems

  • Understand file system concepts and system files.

  • Understand the structure of FAT directory entries.

  • Understand the structure of exFAT directory entries.

  • Ability to distinguish, examine, analyse, and parse the contents of the NTFS master file table, including the Standard Information, File Name and Data attributes.

  • Knowledge of deleted/orphaned files including how they are identified in their respective file entries.

  • Be able to identify file systems used by Apple and Linux.

 

V. Data Recovery

  • Understand hashing and hash sets.

  • Ability to generate and validate forensically sterile media.

  • Ability to generate and validate a forensic image of media.

  • Ability to capture data from Random Access Memory.

  • Understand file headers.

  • Understand file fragmentation.

  • Ability to extract file metadata from common file types.

  • Ability to extract data from compound files.

  • Knowledge of encrypted files/media and strategies for recovery.

  • Knowledge of Internet and Browser artifacts.

  • Understand Cloud storage and how to obtain the data.

 

VI. Windows Artifacts

  • Knowledge of the locations of common Windows artifacts.

  • Understand the purpose and structure of the component files that create the Windows registry.

  • Be able to identify and extract specific data from the registry.

  • Be able to analyze the Recycle Bin.

  • Be able to analyze the Windows thumbcaches.

  • Be able to analyze Shell Link files and Jump lists.

  • Be able to extract and examine Event Logs.

  • Understand the importance of volume shadow copy services.

  • Ability to locate, mount and examine virtual drive files.

  • Understand the Swap and Hibernation files and the evidence they may contain.

 

VII. Presentation of Findings

  • Ability to draw sound conclusions based on examination findings.

  • Be able to report findings using industry standard/technically accurate terminology.

  • Ability to explain complex technical concepts or processes in terms easily understood by non-technical people.

​

​

​

​

​

"Winkler Digital Forensic Expertise", 

2405 Route des Dolines, CS 10065, 06560 Valbonne Sophia-Antipolis (France)

Mobile: +33 (0)628604546

Email: info@digitalforensicexpertise.com

© 2021 by Patrick Winkler. Proudly created with Wix.com

bottom of page