Overview & Objectives:

It focuses on the critical knowledge that a computer forensic investigator must know to investigate computer crime incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

This course covers the fundamental steps of the in-depth computer forensic methodology so that each student will have the complete qualifications to work as a computer forensic investigator in the field helping solve and fight crime. In addition to in-depth technical digital forensic, knowledge on Windows Digital Forensics (Windows XP through Windows 7 and Server 2008) you will be exposed to well known computer forensic tools so such as FTK, Registry Analyzers, FTK Imager, Prefetch Analyzers, and much more.

Focus: Investigations begin with a firm knowledge in proper evidence acquisition and analysis. Digital Forensics is more than just using a tool that automatically recovers data. You must focus on the facts to seek the truth. Digital Forensics requires analytical skills. Today you will learn how the professionals accomplish digital forensics.

Course Duration: 5 days

Who Should Attend

Information technology professionals who wish to learn the core concepts in computer forensics investigations
Incident Response Team Members who are responding to security incidents and need to utilize computer forensics to help solve their cases
Law enforcement officers, federal agents, or detectives who desire to become a subject matter expert on computer forensics for Windows based operating systems
Information security managers who need to understand digital forensics in order to understand information security implications and potential litigation related issues or manage investigative teams
Information technology lawyers and paralegals who desire to have a formal education in digital forensic investigations
Anyone interested in computer forensic investigations with a background in information systems, information security, and computers

Course Contents:

Day 1 -

Purpose of Forensics
Discussion Major Case Types
Types of Electronic Stored Information
Location of Electronically Stored Evidence (ESI)
Evidence Collection Order of Volatility
File System Basics
Evidence Fundamentals
Reporting and Presenting Evidence
Forensic Methodology

LABS

Install Forensic Toolkits
Working with the Write Blocker
Become familiar with the functionality and capabilities of the Write Blocker
Reporting/Presenting/Documentation
Describe through writing and presentation a simple technical event for potential use in court.
Challenging Evidence:

Day 2 -

Evidence Acquisition Basics
Preservation of Evidence
Types of Acquisition
Forensic Field Kits
Full Disk Image Acquisition Tools and Techniques
Network Acquisition
Graphical Forensic Tools
Traditional Tasks Utilized Using the Forensic Tools
Recover Deleted Files

LABS
Image a hard drive for evidence using a Tableau Write Blocker.
Image a USB device for evidence.
Image system memory for evidence.
Fill out a chain of custody form.
Documenting evidence acquisition for reporting.
Recover Deleted Files

Day 3 -

E-mail Forensics
Registry Forensics In-Depth

LABS
Search for files or e-mails containing specific words related to a case.
Find e-mail evidence sent to a specific e-mail address.
Profile a computer system using evidence found in the registry.
Profile a user's activities using evidence found in the registry.
Examine USB device residue in the registry and filesystem
Recover critical user data from pagefiles, memory images, and unallocated space

Day 4 -

Memory, Pagefile, and Unallocated Space Analysis
Forensicating Files Containing Critical Digital Forensic Evidence
Browser Forensics

LABS
Examine prefetch, skype, chat, link and other critical files on a windows system. Find and examine various logfiles from hosts and servers to determine critical case details

Day 5 -

Nothing will prepare you more than a full hands-on challenge utilizing the skills and knowledge presented throughout the week. In the morning, you will have the option of working in teams on a real forensic case in which evidence will be provided to you to analyze. The case will step you through proper acquisition, analysis, and reporting in preparation for a possible trial. Every team will work on the case for the majority of the day with the objective of discovering critical pieces of evidence to present during the trial.
The case presented is a complex murder case that will engage the individual to examine one of the most recent versions of the Windows Operating System released (Windows 7). The case took 3 weeks to create following a script that lays out the key parts of the case in correct time sequence to make for the most realistic training opportunity available. The case will utilize skills from each of the previous day's sections in order to solve the case.
The day will conclude with a mock trial in which presentations of the collected evidence will occur. The team with the best in-class presentation and short write-up will win the challenge and the case.

Windows 7 Based Forensic Challenge
Mock Trial

Course Material:
Material provided by Technology and Management Training

see less