Alternative Operating System Forensics


This course introduces students to common alternative operating systems, associated file systems, and applications as a means of conducting a forensic examination, and as sources of potential evidence.

Structure and content

Duration: 1 Week Full Time

Examination: Written Examination 1.5 hours, Practical Examination 2 hours

Topics include: Unix and Unix-like systems, BSD, System V, Solaris, Linux distributions, FreeBSD, OpenBSD, MacOS, Common O/S concepts, Kernels, Device Models, GUI’s, Shells, Filters, Useful commands (grep, head, tail, more etc), Runlevels, startup scripts and configuration files, HFS, HFS+, ext2, ext3, ext4, directories, blck and character files, security and permissions, mountpoints, mounting, common applications and servers, imaging, storage devices and partitions, image formats, use of dd, defldd and hashing tools Sleuthkit, Autopsy, bulk extractor, carving tools, and portable toolkits (CAINE etc.).

Who the course is for

This course is for practitioners, and applicants should normally be employed by, and sponsored by law enforcement or associated agencies, or a reputable organisation involved in the forensic computing domain.

Recommended prior knowledge

For new or inexperienced analysts, it is strongly recommended that Foundations of Forensic Computing is completed before other courses are attempted.

Accredited Prior Learning (APL) may be awarded for previous relevant studies. Individual guidance will be provided with respect to assessing APL.

What you will achieve

This course is designed to address the need for continuing professional development and career progression within a rapidly changing environment.

With this course students will be awarded 10 credits.  Students can then build more credits through successful completion of related courses and assessments, which may lead to a PG Cert Higher Education award.


This course is taught exclusively by Angus Marshall.

With well over 1,000 forensic examinations, and 14 years of experience in teaching forensic computing, courses offered by Angus are highly specialist with a blend of highly practical hands-on experience, combined with rigorous theoretical and academic training.


Course delivery is a combination of practical hands-on experience, combined with rigorous theoretical and academic training.


The course is delivered in the Forensic Laboratory at De Montfort University, in Leicester City Centre.

The laboratory is new, and has been purpose built with “super fast” machines, wide screen monitors, and an array of top-of-the range display systems. The Lab is situated within a security controlled area of the Cyber Security Centre, and is a very pleasant place to work.





Similar courses or related services you may be interested in

  • Foundations of Forensic Computing
  • Forensic Examination of Internet Use
  • Forensic Examination of Network Computers
  • Advanced Topics in Forensic Computing
  • Current Issues for Practitioners
  • Scripting and Searching
  • Binary Analysis of Microsoft Documents

Places to stay

There are numerous hotels within easy walking distance (5-10 minutes) of De Montfort University (DMU) offering different grades of accommodation. Most will offer Government and Law Enforcement or DMU rates. A number are on the edge of the Town Centre and either have their own car parks, or have arrangements in place for discounted parking nearby.

Contact us

Sue Williamson
Faculty of Technology
Gateway House  4.64
De Montfort University
The Gateway

T: +44 (0)116 250 6339



Shield with a lock surrounded by computer coding