Advanced Forensics Techniques
| Field | Value |
|---|---|
| Track Name | Advanced Forensics Techniques |
| Track ID | SB1DAFT |
| Instructor | Chandrasekar Umapathy |
| CPE Credits | 7 CPEs |
| Duration | 1 Day |
| Date | November 19th, 2009 (9 AM – 6 PM) |
Who should attend?
- General IT security specialists and administrators
- IT security specialists who want to learn the core concepts of forensics
- Security officers for organizations and companies
- Law Enforcement agencies
- Incident Response Team members
Class Prerequisites:
- None. This class is for anyone who wants to get started with forensics.
Class Requirements:
- Students must bring their own laptop running at least Windows XP Professional SP2.
- Students need administrative privileges on the laptop in order to install software.
- A USB port or CD-ROM drive (needed for the bootable tools).
- Wireless networking enabled.
- The required tools will be distributed during the session.
Course Overview
This course covers the fundamental steps of an in-depth computer forensic methodology so that each student leaves with the foundation needed to work as a computer forensic investigator in the field, helping to solve and fight crime.
Module 1 - Computer Forensic Investigative Theory
- History of Digital Forensics
- Digital Evidence
- Three Main Aspects to Digital Evidence Reconstruction
- Guidelines for the Recovery of Digital Data
- Classification
- Reconstruction
- Demo - TimeStomping
- Behavioral evidence analysis (BEA)
- Equivocal forensic analysis (EFA)
- Victimology
- Demo - Following the Clues from an Email Header
Module 2 - Computer Forensic Processing Techniques
- Goal of Digital Evidence Processing
- Demo - Logical Review with FTK
- Duplication
- Documenting and Identifying
- Disassembling the Device
- Disconnecting the Device
- Document the Boot Sequence
- Removing and Attaching the Storage Device to Duplicated System
- Circumstances Preventing the Removal of Storage Devices
- Write Protection via Hardware/Software
- Geometry of a Storage Device
- Host Protected Area (HPA)
- Tools for Duplicating Evidence to Examiner's Storage Device
- Demo - Hashing and Duplicating a Drive
- Preparing Duplication for Evidence Examination
- Recording the Logical Drive Structure
- Logical Processes
- Known Files
- Reference Lists
- Verify that File Headers Match Extensions
- Demo - Introduction to FTK
- Regular Expressions
- Demo - Using Regular Expressions
- File Signatures
- Demo - Hex Workshop Analysis of Graphic Files
- Module 2 Review
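The Duplication section above (write protection, hashing, duplicating the drive to the examiner's storage) comes down to one rule: the image is only evidence if an independent hash of the source, taken before and after, matches an independent hash of the image. The following is an added example written for this page, not course material and not any vendor's tool. It images whatever path the OS exposes as a readable byte stream (a raw block device on Linux, or a file) and produces the three-way hash record an examiner's notes would contain; the evidence bytes in `demo()` are constructed.

```python
"""Bit-for-bit duplication of an evidence source with hash verification.
Added example for this track, not course material. `src` may be a raw device
(e.g. /dev/sdb on Linux, behind a write blocker) or a file; `dst` is the
examiner's image file."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 64 * 1024  # 64 KiB per read; a real acquisition would tune this


def hash_stream(path, block_size=BLOCK_SIZE):
    """MD5 and SHA-1 of an entire file/device, read sequentially (independent pass)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(block_size)
            if not chunk:
                break
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": size}


def image_source(src, dst, block_size=BLOCK_SIZE):
    """Copy src to dst block by block, hashing the source bytes as they are read."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    size = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            chunk = fin.read(block_size)
            if not chunk:
                break
            md5.update(chunk)
            sha1.update(chunk)
            fout.write(chunk)
            size += len(chunk)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the image really reached the disk
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": size}


def acquire(src, dst):
    """Image src to dst, then re-hash source and image independently.

    Three records must agree: the hash seen while imaging, a second pass over
    the source (detects a source that changed, i.e. a failed write block) and
    a pass over the image (detects a truncated or corrupted copy)."""
    during = image_source(src, dst)
    source_after = hash_stream(src)
    image = hash_stream(dst)
    return {
        "source_hash": during,
        "source_hash_after": source_after,
        "image_hash": image,
        "verified": during == source_after == image,
    }


def demo(evidence=None):
    """Image a constructed evidence file in a temp dir and return the record."""
    if evidence is None:
        evidence = bytes(range(256)) * 1024  # 256 KiB constructed 'device'
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "evidence.raw")
        dst = os.path.join(work, "evidence.dd")
        with open(src, "wb") as fh:
            fh.write(evidence)
        return acquire(src, dst)


if __name__ == "__main__":
    record = demo()
    print("verified:", record["verified"], record["image_hash"])
```

One caveat tied to the HPA item in the outline: this copies only the sectors the operating system exposes. A Host Protected Area the drive hides from the host is not in the image unless it is first made visible, which is why the course pairs HPA with duplication.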
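The "Logical Processes" items (known files, reference lists, verifying that file headers match extensions, file signatures) are usually run as one pass over the duplicated file system. The block below is an added example for this page, not course material and not FTK's or any vendor's code: it walks an evidence tree, hashes each file against a reference list of known hashes, and compares each file's leading bytes with the extension it carries. The signature list covers a handful of common formats, and both the reference list and the sample files in `demo()` are constructed.

```python
"""Logical processing of a duplicated file system: hash every file, match it
against a reference ('known file') list, and verify that its header matches
its extension. Added example for this track; the magic-byte list and the
sample evidence tree are constructed."""
import hashlib
import os
import tempfile

# Leading bytes -> extensions that legitimately carry them.
SIGNATURES = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"GIF87a": {"gif"},
    b"GIF89a": {"gif"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar"},
    b"MZ": {"exe", "dll", "sys", "scr", "com"},
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {"doc", "xls", "ppt", "msg"},
}
HEADER_LEN = max(len(m) for m in SIGNATURES)


def identify(header):
    """Extensions implied by the longest signature that matches, or None."""
    best_magic, best_exts = None, None
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic) and (best_magic is None or len(magic) > len(best_magic)):
            best_magic, best_exts = magic, exts
    return best_exts


def check_signature(header, ext):
    """Return ('match'|'mismatch'|'unknown', sorted extensions the header implies)."""
    exts = identify(header)
    if exts is None:
        return "unknown", None  # plain text, raw data, or a format not in the list
    ext = ext.lower().lstrip(".")
    return ("match" if ext in exts else "mismatch"), sorted(exts)


def sha1_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, known):
    """Walk an evidence tree; `known` maps SHA-1 hex -> label such as 'known-good'."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                header = fh.read(HEADER_LEN)
            status, exts = check_signature(header, os.path.splitext(name)[1])
            digest = sha1_file(path)
            findings[os.path.relpath(path, root).replace(os.sep, "/")] = {
                "sha1": digest,
                "known": known.get(digest),  # None means 'not in the reference list'
                "signature": status,
                "header_says": exts,
            }
    return findings


def demo():
    """Constructed evidence tree: a real JPEG, a PE file renamed to .txt, a PDF,
    a plain-text note, and one file that appears in the constructed known list."""
    samples = {
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32,
        "notes/budget.txt": b"MZ\x90\x00" + b"\x00" * 60,  # executable hiding as text
        "docs/report.pdf": b"%PDF-1.4\n%constructed\n",
        "docs/readme.txt": b"plain text, no signature\n",
        "sys/calc.exe": b"MZ" + b"\x00" * 14,
    }
    # Constructed reference list; a real one would be NSRL-style hash sets.
    known = {hashlib.sha1(samples["sys/calc.exe"]).hexdigest(): "known-good (constructed list)"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return triage(root, known)


if __name__ == "__main__":
    for rel, info in sorted(demo().items()):
        print(f"{rel:22} {info['signature']:9} {info['header_says']} known={info['known']}")
```

Files flagged `mismatch` (the renamed executable) and files with `known` set are the two outputs that drive the rest of the exam: known-good files are filtered from review, known-bad ones and header/extension mismatches go to the top of the list.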
Module 3 - Crypto and Password Recovery
- Background
- Demo - Steganography
- History
- Concepts 1
- Demo - Cracking a Windows Hashed Password
- Concepts 2
- File Protection
- Options 1
- Demo - Recovering Passwords from a Zip File
- Options 2
- Rainbow Tables
- Demo - Brute Force/Dictionary Cracks with L0phtCrack
- Demo - Password Cracking with Rainbow Tables
- Module 3 Review
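Module 3 lists rainbow tables next to brute-force and dictionary cracking without spelling out the trade-off they make: precompute hash chains once, store only each chain's start and end, and spend a little CPU at lookup time instead of storing every hash. The block below is an added example written for this page, not course material and not the code of any cracking tool. It builds and queries a miniature table over a constructed 8-letter, 4-character password space using SHA-1 so that it runs in a second; the chain build and lookup logic is the same one used against LM/NTLM hashes, only the hash function and character set differ.

```python
"""Miniature rainbow table: chain generation, reduction functions and lookup.
Added example for this track, not course material. The password space,
chain length and chain count below are constructed for a quick run."""
import hashlib

CHARSET = "abcdefgh"
LENGTH = 4                       # 8**4 = 4096 candidate passwords
SPACE = len(CHARSET) ** LENGTH
CHAIN_LEN = 20                   # t: hash/reduce steps per chain
NUM_CHAINS = 600                 # m: rows stored; m*t well above SPACE for good coverage


def H(pw):
    """Stand-in for the target hash (LM/NTLM in the Windows case)."""
    return hashlib.sha1(pw.encode()).digest()


def index_to_password(n):
    out = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)


def reduce_(digest, step):
    """Map a digest back into the password space. `step` gives every column
    its own reduction function, which is what keeps chains from merging."""
    n = (int.from_bytes(digest[:8], "big") + step) % SPACE
    return index_to_password(n)


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN):
    """Return {end_password: [start_passwords]}; only endpoints are stored."""
    table = {}
    for i in range(num_chains):
        start = index_to_password((i * 7919) % SPACE)  # deterministic spread of starts
        pw = start
        for step in range(chain_len):
            pw = reduce_(H(pw), step)
        table.setdefault(pw, []).append(start)  # distinct chains may share an endpoint
    return table


def lookup(table, target, chain_len=CHAIN_LEN):
    """Assume the target sits in column i, finish that chain, and if the endpoint
    is stored, walk the chain from its start to recover the password."""
    for i in range(chain_len - 1, -1, -1):
        pw = reduce_(target, i)
        for step in range(i + 1, chain_len):
            pw = reduce_(H(pw), step)
        for start in table.get(pw, []):        # may be a false alarm; the walk decides
            cand = start
            for step in range(chain_len):
                if H(cand) == target:
                    return cand
                cand = reduce_(H(cand), step)
    return None                                # not covered by this table


def demo(targets=("aaaa", "hgfe", "dcba", "ghgh", "abcd")):
    """Crack a few constructed passwords; returns how many the table covered."""
    table = build_table()
    results = {pw: lookup(table, H(pw)) for pw in targets}
    return {"results": results, "found": sum(v is not None for v in results.values()),
            "tested": len(targets), "rows_stored": len(table)}


if __name__ == "__main__":
    print(demo())
```

Two points the demo makes concrete: a password that is not on any stored chain is simply not found (`lookup` returns `None`), which is the coverage limit of any table, and the same salt-free property that makes LM/NTLM hashes table-friendly is absent from salted password stores, where a table would have to be built per salt.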
Module 4 - Specialized Artifact Recovery
- Overview
- Exam Preparation Stage
- Windows File Date/Time Stamps
- File Signatures
- Image File Databases
- Demo - Thumbs.DB
- The Windows OS
- Windows Operating Environment
- Windows Registry
- Windows Registry Hives 1
- Demo - Registry Overview
- Windows Registry Hives 2
- Windows NT/2000/XP Registry
- Windows Registry ID Numbers
- Windows Alternate Data Streams
- Demo - Alternate Data Streams
- Windows Unique ID Numbers
- Other ID
- Historical Files 1
- Demo - Real Index.dat
- Historical Files 2
- Demo - Review of Event Viewer
- Historical Files 3
- Demo - Historical Entries in the Registry
- Historical Files 4
- Windows Recycle Bin
- Demo - INFO Files
- Outlook E-Mail
- Outlook 2k/Workgroup E-Mail
- Outlook Express 4/5/6
- Web E-Mail
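The "Windows File Date/Time Stamps" item above and the TimeStomping demo in Module 1 rest on the same two facts: NTFS stores timestamps as 64-bit FILETIME values (100-nanosecond ticks since 1601-01-01 UTC), and each file carries two sets of them, in the $STANDARD_INFORMATION attribute that user-mode tools can rewrite and in the $FILE_NAME attribute that the kernel maintains. The block below is an added example written for this page, not course material and not any forensic suite's code: it decodes FILETIME values, pulls both timestamp sets out of the attribute bodies using the NTFS on-disk offsets, and applies the usual stomping heuristics. The two attribute bodies in `demo()` are constructed.

```python
"""Decode Windows FILETIME values and apply timestomping checks to the NTFS
$STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps of a file.
Added example for this track, not course material. Field offsets follow the
NTFS attribute layout; the attribute bodies built in demo() are constructed."""
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000         # FILETIME = 100 ns ticks since 1601-01-01 UTC
NAMES = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft):
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - _EPOCH_1601
    return (d.days * 86400 + d.seconds) * TICKS_PER_SECOND + d.microseconds * 10


def parse_si_times(si_body):
    """$SI body begins with the four timestamps (C, M, MFT-M, A) as little-endian u64."""
    return dict(zip(NAMES, struct.unpack_from("<4Q", si_body, 0)))


def parse_fn_times(fn_body):
    """$FN body: 8-byte parent directory reference, then the same four timestamps."""
    return dict(zip(NAMES, struct.unpack_from("<4Q", fn_body, 8)))


def timestomp_indicators(si, fn):
    """Heuristics, not proof: each has benign explanations (copies from FAT media,
    some archivers), so they rank files for review rather than decide the case."""
    reasons = []
    for name in NAMES:
        # Tools that call SetFileTime() usually write whole seconds, while the
        # kernel-maintained $FN keeps the 100 ns remainder.
        if si[name] % TICKS_PER_SECOND == 0 and fn[name] % TICKS_PER_SECOND != 0:
            reasons.append(f"$SI {name} has no sub-second part but $FN {name} does")
    if si["created"] < fn["created"]:
        # $FN is written by the kernel when the name is created; $SI cannot
        # legitimately claim the file existed before that.
        reasons.append("$SI created precedes $FN created")
    now = datetime_to_filetime(datetime.now(timezone.utc))
    for name in NAMES:
        if si[name] > now:
            reasons.append(f"$SI {name} lies in the future")
    return reasons


def demo():
    """Constructed file: $FN holds the genuine creation time, $SI was stomped back."""
    real = datetime(2009, 11, 19, 9, 15, 27, 123456, tzinfo=timezone.utc)
    stomped = datetime(2005, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    fn_body = (struct.pack("<Q", 0)                                   # parent reference
               + struct.pack("<4Q", *[datetime_to_filetime(real)] * 4)
               + b"\x00" * 26)                                        # sizes/flags/name stub
    si_body = struct.pack("<4Q", *[datetime_to_filetime(stomped)] * 4) + b"\x00" * 16
    si, fn = parse_si_times(si_body), parse_fn_times(fn_body)
    return {
        "si": {k: filetime_to_datetime(v).isoformat() for k, v in si.items()},
        "fn": {k: filetime_to_datetime(v).isoformat() for k, v in fn.items()},
        "indicators": timestomp_indicators(si, fn),
    }


if __name__ == "__main__":
    for line in demo()["indicators"]:
        print(line)
```

Because $SI is what Explorer, `dir` and most tools display, a stomped file looks old everywhere except in the $FN set and in the sub-second digits, which is exactly where the checks above look.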
Exercises
Two cases modeled after real-world examples will be presented to the students. Students will work in a group to investigate and analyze evidence related to a computer crime and present their findings to the class.