Short Description:
The goal of this course is to educate cybercrime investigators in the techniques of computer forensics investigation.
Full Description:
The Computer Forensic Program comprises five integrated topical modules:
The first module will cover issues such as hardware, software, ethics, examination standards, preparing and verifying forensically sterile examination media, note taking and report writing, the acquisition, collection and seizure of magnetic media, how best to acquire, collect or seize systems running the various operating systems, and legal and privacy issues. There will be practical exercises on preparing and verifying forensically sterile examination media and on recovering data using DataLifter.
Modules two through four will each contain at least three practical exercise problems in the form of specially prepared diskettes. Module five will have a hard disk drive that must be examined. A case scenario will be used in which a fictional private investigator brings you, the examiner, each diskette or the hard disk drive for examination. Each diskette builds on the previous exercise, until finally a hard disk drive is examined and the case is concluded. Real-world computer forensic issues will be covered by the practical exercises.
The practical exercises will help you develop the skills necessary to conduct computer examinations. About 60-70% of the classroom time is actually spent working with and completing the practical exercises.
Module 1
An overview of the types of crimes in which computer evidence might be used.
An overview of why trained forensic examiners should be used and what they may expect to encounter.
Software ethics.
Forensic ethical standards.
Forensic examination procedures.
Preparing and verifying forensically sterile examination media.
Note taking and report writing.
Personal computer construction, hardware and software, with a focus on the BIOS, BIOS limitations, hard disk translation schemes and how they can affect forensic examinations.
A very broad overview of several operating systems, including Microsoft Windows, Novell, UNIX/Linux and DOS.
A broad overview of networks.
Instruction on the acquisition, collection and seizure of magnetic media.
How to best acquire, collect or seize the various operating systems.
Legal and privacy issues.
Three practical exercises in preparing and verifying forensically sterile media and in using DataLifter to recover data from unallocated space.
Module 2
The logical structures of the Microsoft operating system FAT file system.
The DOS and Windows boot process.
How files are created and stored.
How to recover deleted files.
The significance and determination of the creation date and time.
The significance and determination of the last accessed date and the modification date and time.
How Windows long file names are stored.
What happens when Windows long file names are deleted.
How to recover Windows long file names.
The beginning of the case scenario including three practical exercises on the logical structure of FAT file systems, file storage and the recovery of simple deleted files and fragmented deleted files and on the recovery of long file names.
Module 3
How sub-directories are stored.
What happens when sub-directories are deleted.
How to recover a deleted sub-directory and its files.
What happens when a diskette or hard disk drive is formatted.
How to recover files, sub-directories and data from formatted disks.
How to determine which files had been deleted prior to formatting.
What file slack is and how to recover data from file slack.
How to recover data from unallocated space.
An in-depth exploration of NTFS logical structures including the partition table, the boot record, bitmaps, the root directory, the MFT, headers, attributes, resident files, non-resident files, run lists, etc., file storage, the various dates and times stored in attributes, file deletion, file recovery, directory storage, and tracing files/directories.
The continuation of the case scenario with four practical exercises on recovering data from deleted sub-directories, recovering data from formatted disks, recovering data from the unused areas on a disk and a detailed exploration of the NTFS logical structures.
Module 4
The significance and location of, and how to recover data from, swap files, temporary files, internet cache files, the various types of email files, internet cookies and browser history.
Basic internet issues. Doing a basic "whois" and similar internet checks.
How to preserve the original media and how to prevent inadvertent writes to the original media, introduction of viruses to the original media, and activation of booby traps on the original media.
How to make a Windows 95/98 boot disk that will not write to the media during the boot process.
How to make bitstream images (exact copies) of the original media.
The safe handling of the media by the forensic examiner.
The most common situations that an examiner may encounter during an examination.
Finding and documenting normal data or graphical files.
How people commonly try to hide data.
Finding and documenting data and files in unallocated space.
Finding hidden data.
An overview of password protection and unlocking passwords.
Accessing and interpreting "metadata" in MS Office documents.
The continuation of the case scenario with three practical exercises on recovering data from swap files, temporary files, etc.; determining the registration of a URL; and finding and documenting normal data on magnetic media, finding hidden data, unlocking passwords and accessing metadata.
Module 5
Data formats and types.
Basic data format conversion.
Examining CD-R media and accessing multiple unclosed sessions.
Managing data.
Presenting the data to the client in a useful format.
Presenting data in court or other proceedings in a clear and understandable manner.
The marking, storage and transmittal of evidence.
A practical exercise where an actual hard disk drive is examined. This hard disk drive will contain many current "real life" issues covered in this course and will require you to conduct a complete examination of the media. You must examine this hard drive, draw the appropriate conclusions, write a good report and present the evidence found in a manner that is clear and understandable. The drive will be checked to ensure that no "writes" were made to the media during the examination.
On the final day of this training program, the online portion of the CCE certification examination will be provided.
We will provide a detailed handout for each module covered. The handouts can be used as a reference manual. Sample reports, additional practical exercises, a DOS primer, a Diskedit primer and other useful information and applications will be provided.
Duration:
4 Days
Price:
$3,995
InfoSec Academy's Course Web Page