Learning Path

Forensic Analysis of Disk-Based Evidence

Instructor Courtney Allen
Time to complete: 2h 36m

Published by O'Reilly Media, Inc.

Created March 2018

What is this learning path about, and why is it important?

Today, our information- and knowledge-based economy generates vast amounts of data that is at some point saved to storage devices, such as hard drives, solid-state drives or memory chips, or portable devices like USB sticks. Still and video cameras also contain memory cards that store images. Understanding how all of these devices are formatted and how to recover data from them is critical to a forensic investigator. Both law enforcement and corporate investigators need to understand the value and the techniques of searching computer systems for evidence of crime or intrusions.

Designed for people with entry- to intermediate-level knowledge of computer systems and data storage systems, this learning path benefits those without much practical experience in regard to digital forensics and includes instruction and demonstrations. In it, you’ll see how to use SleuthKit, an open source collection of command-line tools and a C library with which you can analyze disk images. You’ll learn about the main file storage architectures such as File Allocation Table (FAT), NT File System (NTFS), and ext2/3. You’ll learn how to conduct basic forensic procedures to extract valuable information that could be crucial in uncovering illegal activities or revealing whether a device has been the target of an attack.

What you’ll learn—and how you can apply it

  • Use the tools in SleuthKit to analyze disk images
  • Perform basic analysis using commercial tools
  • Extract data that might be hidden in a disk image
  • Explain the basics of the FAT, NTFS and ext2/3 file systems

This learning path is for you because…

  • You are a law enforcement officer who handles digital evidence, and you’re interested in learning more about computer forensics
  • You are an IT professional who needs to understand how to handle evidence as part of an incident response at the company or organization where you work
  • You want to learn about how you might be able to extract what appears to be lost information from various storage devices


  • You should have basic knowledge of computer operating systems

Materials or downloads needed in advance:

  • Most of the work will be done in Kali Linux, so it’s a good idea for you to have this in place beforehand