Tutorial T4 – Digital Forensics 2: Disk Forensics and Lab


Dr. Simson L. Garfinkel, Naval Postgraduate School

Tuesday, December 8th, Full Day

Computer forensics is the study of information stored in computer systems for the purpose of learning what happened to that computer at some point in the past, and for making a convincing argument about what was learned in a court of law. This day-long course includes basic information on conducting an investigation, disk forensics, network forensics, popular forensic tools, and current forensic research. Several classroom exercises will be worked. Students should bring laptops running either Windows, MacOS or Linux; forensic tools and data will be provided for the in-class exercises.


  1. Conducting the investigation
  2. Introduction to Disk Forensics: Getting to the Data: Disk Imaging; File Recovery with SleuthKit; Understanding File Systems: FAT32, NTFS and EXT3; Class Exercise.
  3. Network Forensics: What is network forensics; Lab exercise: Harassment at Nitroba University.
  4. Mobile Device Forensics
  5. Anti-Forensics


Basic understanding of operating systems and file systems.

About the Instructor

Dr. Simson L. Garfinkel is an Associate Professor at the Naval Postgraduate School in Monterey, CA. He is also the founder of Sandstorm Enterprises, a computer security firm that develops advanced computer forensic tools used by businesses and governments to audit their systems. Garfinkel has research interests in computer forensics, the emerging field of usability and security, information policy, and terrorism. He has actively researched and published in these areas for more than two decades. He is the author or co-author of fourteen books on computing. He is perhaps best known for Database Nation: The Death of Privacy in the 21st Century and for Practical UNIX and Internet Security.

Dr. Garfinkel holds a doctorate in computer science from MIT and a master's degree in journalism from Columbia University.