C)DFE: Digital Forensics Examiner

The Certified Digital Forensics Examiner (CDFE) course delivers a complete, modern approach to digital investigations. Students will learn the methodology and processes needed to properly seize, preserve, acquire, and analyze digital evidence across diverse environments.

From traditional computer systems to mobile devices and emerging IoT technologies, the course ensures examiners are prepared for today’s investigative challenges.

Designed for both hands-on practitioners and managers overseeing forensic operations, CDFE blends technical depth with legal and managerial perspective. Every step of the forensic process is aligned with international standards (ISO/IEC 27037, NIST 800-101) to ensure findings are defensible in court.

 

COURSE DETAILS:

  • Core Forensic Methodology – Evidence handling, acquisition methods, and analytical best practices.
  • Operating System Forensics – Windows, Linux, and macOS investigations with emphasis on system artifacts and timeline reconstruction.
  • Data Acquisition Techniques – Logical, file system, physical, and cloud acquisitions, with comparisons of strengths and limitations.
  • Specialized Investigations – Artifact recovery, eDiscovery/ESI, live acquisitions, and memory forensics.
  • Mobile & IoT Forensics – A focused overview of processes and tools for iOS, Android, wearables, and smart devices.
  • Forensic Tools Mastery – Exposure to leading platforms (Cellebrite, Magnet AXIOM, Oxygen, MSAB XRY, Paraben E3:DS, GrayKey).
  • Legal & Ethical Considerations – Chain of custody, admissibility, privacy issues, and expert witness testimony.
  • Comprehensive Scope – Covers the full spectrum of digital forensics while addressing current trends like cloud, mobile, and IoT.
  • Courtroom Ready – Evidence handling and reporting practices aligned with global standards.
  • For All Roles – Balanced for technical examiners, investigators, managers, and compliance/legal professionals.
  • Career Impact – Strengthens credibility and career advancement in law enforcement, cybersecurity, corporate security, and consulting.

Want to learn about new technologies like virtual networks and SD Networks found in many cloud architectures? We've got you covered, and then we move to physical components, TCP/IP Stack, OSI Model, switches, routers, wireless, and Bluetooth.

Lastly, we finish up the C)NP with the knowledge you need to perform the day to day operations of an organization, so you will be able to secure and maintain an entire network!

Key takeaways

Upon completion you will be able to establish industry acceptable digital forensics standards with current best practices and policies.  

By completing this course you will earn 40 CEUs.

Prerequisites

Suggested Prerequisites: 

  • 1 YR experience in computers
  • Mile2’s C)SP course
  • Mile2’s Foundational Course Pack

Target audience

  • Digital Forensic Examiners & Investigators
  • Law Enforcement & Military Personnel
  • Cybersecurity Professionals & Incident Responders
  • Legal & Compliance Specialists
  • IT Managers & Security Leaders
  • Corporate Investigators & Fraud Analysts

 

 

Modules:

  • Module 01 – Forensics Incidents
  • Module 02 – Forensic Investigative Theory
  • Module 03 – Forensic Prerequisites and Standards
  • Module 04 – Forensic Investigative Process
  • Module 05 – Forensic Examination/Evidence Protocols
  • Module 06 – Digital Acquisition and Analysis Tools
  • Module 07 – Disks and Storages
  • Module 08 – Live Acquisitions
  • Module 09 – Windows Forensics
  • Module 10 – Linux Forensics
  • Module 11 – MAC Forensics
  • Module 12 – Specialized Artifact Recovery       
  • Module 13 – Advanced Search Strings and File Signatures
  • Module 14 – Mobile Forensics
  • Module 15 – eDiscovery
  • Module 16 – Computer Forensic Laboratory Protocols
  • Module 17 – Digital Evidence Presentation and Reporting  

Labs: 

  • Lab 01 – Chain of Custody
  • Lab 02 – Identify Seized Evidence
  • Lab 03 – Device Acquisition
  • Lab 04 – Memory Acquisition
  • Lab 05 – Prepare the Case Evidence
  • Lab 06 – Investigate the Acquired Evidence
  • Lab 07 – Add Additional Case Evidence
  • Lab 08 – Windows Event Logs Analysis
  • Lab 09 – Linux Primary Info Retrieval
  • Lab 10 – Investigate OSX Evidence
  • Lab 11 – Finding Clues
  • Lab 12 – Regex
  • Lab 13 – Data Carving
  • Lab 14 – Specialized Artifact Recovery
  • Lab 15 – Construct the Case Events
  • Lab 16 – Tie Evidence to Android
  • Lab 17 – Incident Response

DETAILED OUTLINE

Module 1 – Computer Forensics Incidents       

  • Origins of digital forensic science
  • Legal System
  • Types of Cybercrime Incidents
  • Internal and external threats

Module 2 – Computer Forensic Investigative Theory    

  • Investigative Theory
  • Investigative Concepts
  • Behavioral evidence analysis (BEA) & Equivocal Forensic Analysis (EFA)

Module 3 – Computer Forensic Prerequisites and Standards    

  • Investigative Prerequisites
  • Scene Management
  • Industry Standards

Module 4 – Computer Forensic Investigative Process   

  • Foundations of the Digital Forensics Process
  • Identification & Scope
  • Collection & Preservation
  • Examination
  • Analysis & Interpretation
  • Documentation & Interim Reporting
  • Quality Control & Review

Module 5 – Forensic Examination/Evidence Protocols 

  • Science Applied to Forensics
  • Digital Evidence Categories
  • Evidence Admissibility

Module 6 – Digital Acquisition and Analysis Tools

  • Acquisition Procedures
  • Computer forensics field triage process model (CFFTPM)
  • Evidence Authentication
  • Forensic Tools
  • AI and Forensics

Module 7 – Disks and Storages

  • Disk OS and Filesystems
  • Spinning Disks Forensics
  • SSD Forensics (IoT-Mention)
  • Cloud Storage
  • Handling Damaged Drives

Module 8 – Live Acquisitions

  • Live Acquisition
  • Windows Acquisition
  • MacOS Acquisition
  • Linux/UNIX Acquisition
  • Cloud/Virtualization Acquisition

Module 9 – Windows Forensics

  • Windows Event Viewer Overview
  • EVTX and EVT Logs
  • Logs Analysis to Identify Breaches and Attacks

Module 10 – Linux Forensics

  • Linux Artifacts
    • File System Structure
    • Basic Identifiers
    • Common Log Files

Module 11 – MAC Forensics

  • OSX Artifacts
    • File System Structure
    • Default Apps
    • Other Artifacts

Module 12 – Specialized Artifact Recovery      

  • Windows Components with Investigative Interest
  • Files Containing Historical Information
  • Web Forensics
  • Memory Forensics

Module 13 – Advanced Search Strings and File Signatures

  • Search Strings
  • REGEX (Regular Expressions)
  • Files Signatures (Formats, Headers, and HEX Analysis)

Module 14 – Mobile Forensics 

  • Forensic Process
  • Tools
  • IoT and Wearables
  • Legal Considerations

Module 15 – eDiscovery

  • eDiscovery
  • Laws and Regulations
  • eDiscovery Process

Module 16 – Computer Forensic Laboratory Protocols

  • Forensics Workstation Prep
  • Forensics Lab Standard Operating Procedures
  • Quality Assurance
  • Quality Control
  • Peer Review
  • Annual Review
  • Deviations
  • Lab Intake

Module 17 – Digital Evidence Presentation and Reporting       

  • The Best Evidence Rule
  • Hearsay
  • Authenticity and Alteration
  • Report Sections and Content  

Objective:

Upon completion, Certified Digital Forensics Examiner students will be prepared to competently take the C)DFE exam.

Exam information:

The exam is taken online through Mile2’s Learning Management System and is accessible on your Mile2.com account. The exam will take approximately 2 hours and consist of 100 multiple choice questions. 

A minimum grade of 70% is required for certification.

Your exam is included in the course fee!

Re-certification requirements:

All Mile2 certifications will be awarded a 3-year expiration date.

There are two requirements to maintain Mile2 certification:

  • Pass the most current version of the exam for your respective existing certification
  • Earn and submit 20 CEUs per year in your Mile2 account  

1. Hvem passer dette kurset for?

For digitale etterforskere og teknikere, politi og forsvar, fagfolk innen cybersikkerhet og hendelseshåndtering, juridisk og etterlevelse (compliance), IT- og sikkerhetsledere, samt bedrifts­etterforskere og svindelanalytikere

2. Hvilke forkunnskaper bør jeg ha?

Anbefalt: ca. 1 års erfaring med IT, og/eller Mile2-kurs som C)SP eller Foundational Course Pack.

3. Hva lærer jeg i kurset?

En komplett, moderne metodikk for innsamling, sikring, erverv og analyse av digitalt bevis – på Windows, Linux og macOS, samt mobil/IoT. Du dekker anskaffelses-teknikker (inkl. live/memory), verktøybruk (f.eks. Cellebrite, Magnet AXIOM, Oxygen, MSAB XRY, Paraben, GrayKey), kjedekontroll og beviskrav, og rapportering i tråd med standarder som ISO/IEC 27037 og NIST 800-101.
Fullført kurs forbereder deg til C)DFE-eksamen og gir 40 CEUs.

4. Hvordan foregår kurset?

Leveres som klasseromskurs, live virtuelt eller bedriftsinternt/skreddersøm. Varighet: 5 dager, undervisning på engelsk.

5. Er dette kurset praktisk?

Ja – omfattende labber dekker bl.a. chain of custody, identifisering og erverv av enheter, minnedump, Windows-logganalyse, Linux/macOS-undersøkelser, regex og data-carving, artefaktgjenfinning, Android-kobling og incident response – slik at funn kan forsvares i retten.

6. Hvor mye koster kurset?

Kursavgiften er 35 000 NOK, og eksamen er inkludert i prisen.

7. Hva slags materiell får jeg?

Du får tilgang til Mile2 sitt digitale læringssystem, offisielt kursmateriell, videoer og øvelser.

8. Gir kurset sertifisering?

Ja – kurset inkluderer sertifiseringseksamner Certified Digital Forensics.

  • Eksamen varer ca. 2 timer og består av 100 multiple-choice spørsmål

  • Du må ha minst 70 % riktig for å bestå.

Eksamen tas online via Mile2 sin læringsplattform.

9. Hvor lenge varer sertifiseringen?

Sertifiseringen er gyldig i 3 år. For å beholde den må du:

  1. Bestå den nyeste versjonen av eksamen
  2. Opparbeide og registrere 20 CEUs per år i Mile2-kontoen din

10. Kan jeg delta digitalt?

Ja – kurset tilbys både som fysisk kurs i klasserom og som live, virtuelt kurs.

11. Kan jeg få kurset spesialtilpasset?

Ja – kurset kan tilbys bedriftsinternt og tilpasses organisasjonens behov.

12. Kan jeg bestille kurset for min organisasjon?

Ja – vi tilbyr bedriftsinterne kurs både fysisk og virtuelt.

Andre relevante kurs

5 dager
Classroom Virtual
5 dager
Classroom Virtual
4 dager
Classroom Virtual