The Advanced Computer Forensics Techniques (ACFT) course was designed to train corporate and law enforcement investigators in the advanced elements of computer forensics. The main focus of the advanced course is to help digital investigators identify information that is not readily, or easily available. The ACFT course follows the guidelines set forth in the CFED course and is taught in a hands-on, interactive training environment. This course is designed for the computer forensics savvy investigator with previous training, or with experience working in the field. Students attending this class must have a firm understanding of conducting a proper computer forensics examination.
Manual Data Carving
Students will learn to manually carve numerous file types out of digital evidence. In addition to the common image files, such as JPEG, PNG and GIF, students will learn to identify and successfully carve Word documents, spreadsheets and numerous other file types out of raw data. Students will also learn to visibly identify and include the slack space associated with those files, as well as handle many different file systems like MAC, EXT2, EXT3 and more.
This section will cover advanced data acquisition techniques in complex networked environments. As a digital investigator, you will run across occasions when it is not feasible to shut down a system. Students will learn to map a basic network diagram and create an acquisition plan that will be the least intrusive to the operating environment.
|Back Up Tapes|
|Testifying on Electronic Evidence|
|Acquiring Mail Servers (Notes, Exchange)|
|Acquiring Database Servers|
|Large Data Stores|
|Acquiring Specialized Systems (SAS, PeopleSoft, etc.)|
|Mainframe Basics and Acquisition Techniques|
Computer Forensics Lab Setup
Students will learn the requirements of setting up, maintaining and operating a computer forensics lab. This section will cover the physical requirements, Standard Operating Procedures (SOP), Access Control List (ACL) and auditing. This section will also give the students a realistic look at the forensic hardware, software and peripherals to ensure maximum capability. Media storage, safeguards and lab specs are also covered to ensure the integrity of digital evidence is maintained.
Data Hiding and Digital Encryption
Students will learn the history of encryption and how encryption works in a digital environment today. This section will not only cover the most common forms of encryption, but will also expose students to techniques and tools used to decrypt information that has been hidden.
Cryptographic Issues and Techniques for the Forensic Examiner
This section will cover readily available encryption techniques used in email, documents, disks and other digital information. There are multiple hands-on exercises during this section where students will learn how to defeat common encryption schemes. This section will cover password protected items, Encrypted File Systems (EFS) and other common methods of encryption used to protect or hide data. Students will learn the most successful techniques to use when an investigator is confronted with these hurdles.
- Techniques for PGP
- Handling EFS (Encrypted File System)
- Preparing for WinFS
- Protected Storage Areas
Students will learn the history of steganography and how it is used to hide data in a digital environment today. This section has a number of hands-on exercises where the students will learn to hide data and how to detect data that has been hidden. Some of the techniques covered in the lesson will be embedded information in images and sound files and information which may be hidden in the Alternate Data Stream (ADS) of the NTFS operating system. These are areas that are not easily detectable and must be reviewed manually by the investigator.
Advanced Windows Investigations
This section will take the students into the heart Microsoft’s operating systems. Students will learn how to effectively retrieve valuable information from the Microsoft Windows Server operating systems. Students will also learn the value of unique system identifiers that can link a suspect or computer system with an event, or a particular object. This section will teach the students what historical data is contained within the system registry and where to locate that information.
Classes are limited in size and fill quickly, so please call 1-800-868-8189 and speak with a GDF training coordinator for availability.
We can also do custom curriculums and private classes, in your facility or ours.