Forensic Analysis 101 · Disk & Memory Forensics

Disk & Memory Forensics

Live response imaging, disk analysis, memory acquisition, timeline construction, and artefact recovery using industry-standard tools — Autopsy, Volatility, and KAPE.

What You Learn

A structured, foundation-to-professional pathway in disk and memory forensics, from forensic imaging protocols to advanced timeline correlation — following methodology accepted in Australian courts.

Disk & Memory Forensics teaches systematic, defence-ready forensic examination of storage and volatile memory: bit-for-bit imaging, file system analysis, live memory acquisition, process reconstruction, and timeline construction — aligned to ASD Essential Eight, ISM, and Australian federal court standards.
Core Module

Disk Imaging & File System Forensics

Forensic imaging with FTK Imager and dd/dcfldd, file system navigation, MFT analysis, deleted file recovery, and slack space examination.

  • Level Intermediate
  • Labs 10 hands-on
Core Module

Memory Acquisition & Analysis

Live memory capture with WinPmem/LiME, Volatility 3 analysis, process reconstruction, injected code detection, and credential recovery from memory dumps.

  • Level Intermediate
  • Labs 8 hands-on
Advanced

Timeline Construction & Artefact Correlation

Super-timeline buildout with Plaso/log2timeline, event correlation across disk and memory artefacts, and building a coherent narrative of attacker activity.

  • Level Advanced
  • Labs 10 hands-on

Module Content

Practical, operator-grade exercises using forensic images, memory dumps, and real-world investigation scenarios — the same workflows used in AFP digital forensic labs.

This Disk & Memory Forensics module covers: forensic imaging protocols, NTFS/FAT/exFAT internals, deleted file and slack space recovery, Windows Registry forensics, memory analysis with Volatility 3, and KAPE triage collection — building complete investigative competency from acquisition through to courtroom-ready findings.

Forensic Imaging Protocols

Bit-for-bit imaging, EWF/AFF formats, verification hashing, and maintaining forensic soundness throughout the imaging process.
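An added illustration of the verification-hashing step described above (example code written for this page, not lab material from the module and not FTK Imager or dd): a Python acquisition routine that hashes the byte stream while it is copied, re-reads and re-hashes the finished image, and records both results in an acquisition log. The "device" it images is a constructed sample file; the EVD-001 label and the log field names are assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads, the equivalent of dd bs=1M


def hash_file(path, chunk_size=CHUNK_SIZE):
    """Independently re-read a file and return its MD5 and SHA-256 hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire_image(source_path, image_path, chunk_size=CHUNK_SIZE):
    """Bit-for-bit copy of source_path (a file, or a raw device such as /dev/sdb
    sitting behind a write blocker) into image_path. The byte stream is hashed
    as it is read, then the finished image is re-read and hashed separately, so
    the recorded acquisition hash is confirmed against what actually hit disk.
    Returns a log entry for the contemporaneous notes / chain-of-custody form."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    total = 0
    started = datetime.now(timezone.utc)
    fd = os.open(source_path, os.O_RDONLY)  # never open evidence read-write
    with os.fdopen(fd, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on stable storage before it is re-hashed
    finished = datetime.now(timezone.utc)
    on_disk = hash_file(image_path, chunk_size)
    return {
        "source": source_path,
        "image": image_path,
        "bytes": total,
        "started_utc": started.isoformat(),
        "finished_utc": finished.isoformat(),
        "acquisition_md5": md5.hexdigest(),
        "acquisition_sha256": sha256.hexdigest(),
        "image_md5": on_disk["md5"],
        "image_sha256": on_disk["sha256"],
        "verified": on_disk["sha256"] == sha256.hexdigest()
        and on_disk["md5"] == md5.hexdigest(),
    }


def verify_image(image_path, expected_sha256):
    """Later re-verification (before analysis, or when the image is tendered):
    the image must still hash to the value recorded at acquisition."""
    return hash_file(image_path)["sha256"] == expected_sha256.lower()


def demo():
    """Constructed sample: a ~2 MiB file stands in for an evidence drive. Shows a
    verified acquisition, then one flipped byte in the image failing re-verification."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "evidence_device.bin")
    image = os.path.join(workdir, "EVD-001.dd")  # exhibit label is an assumption
    sample = (b"NTFS    " + bytes(range(256)) * 4) * 2048  # synthetic, not a real volume
    with open(source, "wb") as f:
        f.write(sample)
    log = acquire_image(source, image)
    verify_before = verify_image(image, log["acquisition_sha256"])
    with open(image, "r+b") as f:  # simulate tampering or bit rot after acquisition
        f.seek(12345)
        original = f.read(1)
        f.seek(12345)
        f.write(bytes([original[0] ^ 0xFF]))
    verify_after = verify_image(image, log["acquisition_sha256"])
    return {
        "log": log,
        "expected_sha256": hashlib.sha256(sample).hexdigest(),
        "verify_before": verify_before,
        "verify_after_tamper": verify_after,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of hashing the stream during the copy and then re-hashing the written image is that the two values are computed by different code paths over different media; agreement means the image on disk is what was read from the source. A single changed byte, simulated at the end of demo(), is enough to fail the later check, which is why the acquisition hash goes into the contemporaneous notes at acquisition time rather than being computed afterwards. Media with unreadable sectors calls for a tool that records bad reads in a map file (GNU ddrescue) instead of a straight copy, and an EWF container with embedded hashes comes from ewfacquire rather than a raw .dd image.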

NTFS/FAT/exFAT Deep Dive

File system internals, MFT record analysis, INDX attributes, USN journal, and how attackers manipulate file system metadata.
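A worked example of the $STANDARD_INFORMATION versus $FILE_NAME timestamp comparison used to spot manipulated file system metadata (added for this page; not code from the module, MFTECmd or Autopsy). It constructs two 1024-byte NTFS FILE records, applies the update-sequence fixups the way a parser must before reading any field, extracts both timestamp sets and flags the back-dated record. The file name, dates, record number and USN value are invented for the sample.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
TIME_FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt, extra_ticks=0):
    """Whole-second UTC datetime to FILETIME; extra_ticks supplies the sub-second part."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + extra_ticks


# Minimal FILE record builder, used only to construct the sample records below.
def resident_attr(attr_type, content):
    length = (24 + len(content) + 7) & ~7  # attribute records are 8-byte aligned
    hdr = struct.pack("<IIBBHHH", attr_type, length, 0, 0, 0, 0, 0)
    return (hdr + struct.pack("<IHBB", len(content), 24, 0, 0) + content).ljust(length, b"\x00")


def std_info(times):
    return resident_attr(ATTR_STANDARD_INFORMATION, struct.pack("<4Q", *times) + b"\x00" * 16)


def file_name(times, name, parent_ref=5):
    content = struct.pack("<Q4QQQII", parent_ref, *times, 0, 0, 0, 0)
    content += struct.pack("<BB", len(name), 1) + name.encode("utf-16-le")  # namespace 1 = Win32
    return resident_attr(ATTR_FILE_NAME, content)


def mft_record(attrs, record_no, usn=0x5A5A):
    """1024-byte FILE record with a populated update sequence array (fixups)."""
    usa_offset, usa_count = 48, 3  # USN plus one saved word per 512-byte sector
    first_attr = (usa_offset + usa_count * 2 + 7) & ~7
    body = b"".join(attrs) + struct.pack("<I", ATTR_END)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_offset, usa_count, 0, 1, 1, first_attr,
                      1, first_attr + len(body), 1024, 0, len(attrs) + 1, 0, record_no)
    rec = bytearray((hdr.ljust(first_attr, b"\x00") + body).ljust(1024, b"\x00"))
    rec[usa_offset:usa_offset + 6] = struct.pack("<H", usn) + rec[510:512] + rec[1022:1024]
    rec[510:512] = rec[1022:1024] = struct.pack("<H", usn)  # USN stamped over each sector's last word
    return bytes(rec)


# Parser: the part an examiner would run over records extracted from a real $MFT.
def apply_fixups(raw):
    """Restore each sector's last word from the USA; a USN mismatch means a torn/corrupt record."""
    rec = bytearray(raw)
    usa_offset, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_offset:usa_offset + 2]
    for i in range(1, usa_count):
        end = i * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        rec[end:end + 2] = rec[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(rec)


def parse_record(raw):
    """Return $SI and $FN timestamps (raw FILETIME ints) plus the file name."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    off, = struct.unpack_from("<H", rec, 20)  # offset of the first attribute
    info = {"si": None, "fn": None, "name": None}
    while off + 4 <= len(rec):
        attr_type, = struct.unpack_from("<I", rec, off)
        if attr_type == ATTR_END:
            break
        length, non_resident = struct.unpack_from("<IB", rec, off + 4)
        if length < 24:
            raise ValueError("bad attribute length")
        if not non_resident:  # $SI and $FN are always resident
            size, content_off = struct.unpack_from("<IH", rec, off + 16)
            content = rec[off + content_off:off + content_off + size]
            if attr_type == ATTR_STANDARD_INFORMATION:
                info["si"] = dict(zip(TIME_FIELDS, struct.unpack_from("<4Q", content, 0)))
            elif attr_type == ATTR_FILE_NAME:
                info["fn"] = dict(zip(TIME_FIELDS, struct.unpack_from("<4Q", content, 8)))
                info["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
        off += length
    return info


def timestomp_indicators(info):
    """SetFileTime-style tools rewrite $SI only; $FN is kernel-maintained (refreshed on rename
    or move), so $SI earlier than $FN, or whole-second $SI values, warrant a closer look.
    Heuristic only: corroborate against $UsnJrnl/$LogFile before drawing a conclusion."""
    si, fn, findings = info["si"], info["fn"], []
    for field in ("created", "modified"):
        if si[field] < fn[field]:
            findings.append(f"$SI {field} {filetime_to_dt(si[field])} precedes "
                            f"$FN {field} {filetime_to_dt(fn[field])}")
    if all(si[f] % 10_000_000 == 0 for f in ("created", "modified", "accessed")):
        findings.append("$SI created/modified/accessed all sit on a whole-second boundary")
    return findings


def demo():
    """Constructed sample: a file written 2024-03-12, then back-dated to 2019-01-01 by a
    SetFileTime-style timestomp (which leaves $FN alone and refreshes $SI mft_modified)."""
    real = dt_to_filetime(datetime(2024, 3, 12, 10, 15, 27, tzinfo=timezone.utc), 1234567)
    stomp = dt_to_filetime(datetime(2024, 5, 2, 14, 3, 11, tzinfo=timezone.utc), 8821104)
    fake = dt_to_filetime(datetime(2019, 1, 1, tzinfo=timezone.utc))
    fn_attr = file_name((real,) * 4, "invoice.pdf")
    clean = mft_record([std_info((real,) * 4), fn_attr], record_no=41)
    stomped = mft_record([std_info((fake, fake, stomp, fake)), fn_attr], record_no=41)
    return {"name": parse_record(stomped)["name"],
            "clean": timestomp_indicators(parse_record(clean)),
            "stomped": timestomp_indicators(parse_record(stomped))}
```

The two checks are the ones an examiner applies first: a $STANDARD_INFORMATION creation or modification time that pre-dates the $FILE_NAME copy, and $SI values with no sub-second component, which is the signature of a user-mode tool that sets times at one-second resolution. Both are indicators rather than proof: $FN times are refreshed when a file is renamed or moved, and tooling that writes the MFT directly can alter $FN as well, so the finding is confirmed against $UsnJrnl and $LogFile entries before it goes into a report. The fixup step is not optional on real data; skipping it silently corrupts two bytes in every sector of every record.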

Deleted File & Slack Space Recovery

File carving with PhotoRec and Foremost, unallocated cluster analysis, and recovering files attackers thought they destroyed.

Windows Registry Forensics

SAM/SYSTEM/SOFTWARE hive analysis, user activity reconstruction, USB device history, and persistence mechanism detection via registry artefacts.

Memory Forensics with Volatility 3

Process listing, DLL enumeration, network connection recovery, injected code detection, and malware footprint identification from RAM captures.

KAPE Triage Collection

Rapid triage with Kroll Artifact Parser and Extractor, targeted artefact collection, and building repeatable forensic collection playbooks.

Tools & Standards Used

Professional forensics environment. Same tools operated by AFP Digital Forensics and state police forensic units.

Hacking101 Disk & Memory Forensics is taught using FTK Imager, Autopsy, Volatility 3, KAPE, Plaso, the Eric Zimmerman tools (Registry Explorer, MFTECmd and others), and Velociraptor for enterprise collection. Compliance benchmarks include ASD Essential Eight, ASD ISM 1534, and the relevant state Evidence Act provisions.

Compliance and hosting: ASD Essential Eight · ASD ISM · AFP Forensic Guidelines · $10M cyber liability cover · AU-East hosted.

Advisors

This module is built under the express tutelage of two specialist practitioners, who bring together cutting-edge machine learning and the hard-won credibility of the courtroom. You study directly under their guidance.

Christopher Tran — Resident Machine Learning Expert
Christopher Tran provides the express tutelage for the AI and machine learning components of this module. He guides you, step by step, through ML-driven timeline correlation and anomaly detection in forensic artefacts: applying supervised and unsupervised machine learning to super-timelines, training classifiers to identify anomalous event patterns that escape manual review, building clustering models that group related attacker activity across disparate log sources, developing confidence-scoring frameworks for automated artefact correlation, and constructing visualisation pipelines that surface hidden relationships in disk and memory evidence. Christopher ensures every student leaves with a working understanding of how machine learning amplifies the forensic investigator's capability, finding the needle in the haystack that a manual review would miss, while always grounding conclusions in verifiable, repeatable methodology suitable for expert testimony.
Ms. Linda Morrell — ASFDE (Australasian Society of Forensic Document Examiners)
Ms. Linda Morrell is a bona fide, dues-paying member of the Australasian Society of Forensic Document Examiners, the peak professional body governing forensic document examination across Australia and New Zealand. While her primary domain is questioned documents, her deep command of forensic methodology, evidence handling, chain-of-custody protocols, and courtroom admissibility standards is directly embedded into this module. She provides the express tutelage ensuring that every forensic technique taught here, from disk imaging through to memory analysis, meets the admissibility benchmarks expected by Australian federal and state courts. Ms. Morrell teaches structured evidence handling, contemporaneous note-taking to evidentiary standard, expert report authoring, and witness-box conduct: the same rigorous methodology she applies when stepping into an Australian courtroom. Her involvement ensures that digital forensic findings produced by students of this module are court-ready, defensible under cross-examination, and aligned to the expectations of Australian judicial officers.
Christopher Tran

Machine Learning Specialist

Resident expert providing express tutelage in ML-driven forensic artefact analysis. Christopher teaches timeline correlation via machine learning, anomaly detection in super-timelines, clustering of related attacker events, and automated confidence-scoring for forensic findings, with all tooling built and demonstrated within this module.

Ms. Linda Morrell

ASFDE — Australasian Society of Forensic Document Examiners

Bona fide ASFDE member with deep forensic methodology expertise applicable across all evidence domains. A courtroom-recognised authority whose expert opinions have been accepted in Australian federal and state jurisdictions. Ms. Morrell provides the express tutelage for forensic methodology, evidence handling, courtroom preparation, and expert-witness conduct, ensuring every digital forensic technique taught meets the admissibility standard she herself upholds under cross-examination.

Study Options

Self-Paced Essential

$1,990
  • Full module video library
  • 28+ hands-on forensic lab sets
  • Certificate of completion
  • Access to FTK/Volatility/KAPE video walkthroughs

Frequently Asked Questions

Do I need to bring my own lab?
No. All labs are hosted in Hacking101's secure Australian lab environment. You only need a browser. Every student gets access to a fully provisioned forensic workstation with FTK Imager, Autopsy, Volatility 3, KAPE, Plaso, and the full Eric Zimmerman tool suite — pre-loaded with forensic images and memory dumps for hands-on investigation.

Directory: www.hacking101.com.au/forensic-analysis-101/disk-memory-forensics/
Parent path: www.hacking101.com.au/forensic-analysis-101/