Basic Computer Forensics Training
The Computer Forensics and Electronic Discovery (CFED) training course was designed to train “digital investigators” to properly conduct a computer forensics examination and give them an understanding of the process of electronic discovery. Unlike other training courses in computer forensics, our training is “vendor neutral” and takes an in-depth approach to manually conducting a digital investigation. The students will learn the skills and techniques necessary to conduct a thorough examination. The training will also teach the students they cannot rely solely on automated software to conduct an effective investigation. The environment is extremely hands-on and interactive, and the students will work with the most widely accepted “tools of the trade” in addition to manually examining digital evidence. Some of the modules covered in Basic Computer Forensics Techniques include:
History of Computer Crime
This brief introduction to the history of computer crime will show why most of the standard techniques we use today originated. Computer crimes have evolved significantly over the past few decades, and knowing the reasons for the processes we use helps to protect a digital investigator from putting themselves in a liable situation. Although this is not meant to be a complete history lesson, it will cover the most significant changes and landmark decisions that affect the legal aspects of the way we must do things today.
Disk Storage Concepts
This lesson will cover everything from the anatomy of a hard disk to the way data is stored on the drive. Most end users do not have a clear understanding of the way Microsoft operating systems store information in different environments. This is an in-depth look at how files are actually tracked and stored in both FAT and NTFS environments. Students will gain an understanding of the FAT table, the MFT file structure, and how to locate and recover digital artifacts in slack and unallocated space on the drive. Even though information may not be physically visible on the drive, there are techniques to recover information that did exist on the drive at some point. Having a clear understanding of how data is stored will give the investigator the knowledge necessary to overcome these hurdles.
Basic Forensic Principles
This lesson will define computer forensics and teach students the protocols that have become the accepted methodology used by computer forensic examiners and laboratories throughout the United States. The guidelines taught in this section adhere to the standards, protocols and procedures set forth by the U.S. Department of Justice, the International Association of Computer Investigative Specialists (IACIS®), the National Institute of Justice and The Scientific and Technical Working Groups on Digital Evidence. These are the proven techniques that have been the most effective since the inception of computer crime. This section will define the different types of digital evidence, including residual data, electronic mail and user data. Students will learn the considerations to account for when acquiring electronic evidence on standalone and laptop computers, as well as computers in a complex or networked environment. Proper, forensically sound acquisition methods are covered, including documentation, packaging, transportation and storage.
With email being as prevalent as it is in today’s society, understanding how to properly trace the origin or authenticity of an email can be an important factor in any investigation. Students will learn how to read the complete header of an email message to determine the original source, and will also learn techniques to track down forged email headers.
Introduction to Electronic Discovery
Students will learn to properly read and prepare electronic discovery requests and the importance of the information available. This section will cover the necessary steps for both the producing and the requesting party in the document discovery process. The history of digital evidence in litigation will show how the prominence of electronic discovery and document retention are necessary today. This section will expose the students to developing laws and the cost factors involved.
Digital Investigation Techniques
This is a two-day series of hands-on exercises that will teach the students how to properly conduct a forensically sound investigation. The entire process, from acquisition to presenting your findings, is covered. Students will learn the strengths and weaknesses of the automated tools that have been accepted by the computer forensics community. Students will also gain a clear understanding of how the tools work, and how to manually examine digital evidence to conduct the most thorough examination possible. This section teaches the students the importance of automated software, but also how relying on it alone may cause them to miss crucial evidence, which can be detrimental to an investigation.
Seating is limited and classes fill quickly, so contact a GDF training specialist today at 1-800-868-8189 for more information.
Advanced Computer Forensics Training
The Advanced Computer Forensics Techniques (ACFT) course was designed to train corporate and law enforcement investigators in the advanced elements of computer forensics. The main focus of the advanced course is to help digital investigators identify information that is not readily or easily available. The ACFT course follows the guidelines set forth in the CFED course and is taught in a hands-on, interactive training environment. This course is designed for the computer-forensics-savvy investigator with previous training or with experience working in the field. Students attending this class must have a firm understanding of conducting a proper computer forensics examination.
Manual Data Carving
Students will learn to manually carve numerous file types out of digital evidence. In addition to the common image files, such as JPEG, PNG and GIF, students will learn to identify and successfully carve Word documents, spreadsheets and numerous other file types out of raw data. Students will also learn to visibly identify and include the slack space associated with those files, as well as handle many different file systems like MAC, EXT2, EXT3 and more.
This section will cover advanced data acquisition techniques in complex networked environments. As a digital investigator, you will run across occasions when it is not feasible to shut down a system. Students will learn to map a basic network diagram and create an acquisition plan that will be the least intrusive to the operating environment.
- Back Up Tapes
- Testifying on Electronic Evidence
- Acquiring Mail Servers (Notes, Exchange)
- Acquiring Database Servers
- Large Data Stores
- Acquiring Specialized Systems (SAS, PeopleSoft, etc.)
- Mainframe Basics and Acquisition Techniques
Computer Forensics Lab Setup
Students will learn the requirements of setting up, maintaining and operating a computer forensics lab. This section will cover the physical requirements, Standard Operating Procedures (SOP), Access Control List (ACL) and auditing. This section will also give the students a realistic look at the forensic hardware, software and peripherals to ensure maximum capability. Media storage, safeguards and lab specs are also covered to ensure the integrity of digital evidence is maintained.
Data Hiding and Digital Encryption
Students will learn the history of encryption and how encryption works in a digital environment today. This section will not only cover the most common forms of encryption, but will also expose students to techniques and tools used to decrypt information that has been hidden.
Cryptographic Issues and Techniques for the Forensic Examiner
This section will cover readily available encryption techniques used in email, documents, disks and other digital information. There are multiple hands-on exercises during this section where students will learn how to defeat common encryption schemes. This section will cover password protected items, Encrypted File Systems (EFS) and other common methods of encryption used to protect or hide data. Students will learn the most successful techniques to use when an investigator is confronted with these hurdles.
- Techniques for PGP
- Handling EFS (Encrypted File System)
- Preparing for WinFS
- Protected Storage Areas
Students will learn the history of steganography and how it is used to hide data in a digital environment today. This section has a number of hands-on exercises where the students will learn to hide data and how to detect data that has been hidden. Some of the techniques covered in the lesson will be information embedded in images and sound files, and information that may be hidden in the Alternate Data Stream (ADS) of the NTFS file system. These are areas that are not easily detectable and must be reviewed manually by the investigator.
Advanced Windows Investigations
This section will take the students into the heart of Microsoft's operating systems. Students will learn how to effectively retrieve valuable information from the Microsoft Windows Server operating systems. Students will also learn the value of unique system identifiers that can link a suspect or computer system with an event or a particular object. This section will teach the students what historical data is contained within the system registry and where to locate that information.
Classes are limited in size and fill quickly, so please call 1-800-868-8189 and speak with a GDF training coordinator for availability.
We can also do custom curriculums and private classes, in your facility or ours.