Forensics 408
For GIAC Certification
If you register for the full course, you may register to seek your GCFE Certification.
Students who attend a live SANS Training Event will receive access to the GIAC certification attempt approximately 7-10 business days after the last day of the event.
Additional information:
GCFE Information
GIAC FAQ
Fee Information
COSEINC, our Singapore Course Provider will be marketing this program locally. Note that Singapore Citizens and PRs must register via COSEINC for CITREP eligibilityDigital Forensics Fundamentals and Evidence Acquisition
Monday, March 12, 2012 : 9am - 5pmChad Tilbury, SANS Certified Instructor
6 CPE/CMU Credits
Focus: Investigations begin with a firm knowledge in proper evidence acquisition and analysis. Digital Forensics is more than just using a tool that automatically recovers data. Digital Forensics requires analytical skills. Today you will learn how the professionals accomplish digital forensics.
At the beginning, investigating a case would appear to be a daunting task. The hardest part of forensics is not recovering data, but understanding how the recovered evidence could prove a case. Starting on this day, students are familiarized with fundamental forensic topics that every investigator should know.
Securing or "Bagging and Tagging" digital evidence can be tricky. Each computer forensic examiner should be familiar with different methods of successfully acquiring it maintaining the integrity of the evidence. Starting with the foundations from law enforcement training in proper evidence handling procedures, you will learn firsthand the best methods for acquiring evidence in a case. You will utilize the Tableau T35es write blocker, part of your SIFT Essentials kit, to obtain evidence from a hard drive using the most popular tools utilized in the field. You will learn how to utilize toolkits to obtain memory, encrypted or unencrypted hard disk images, or protected files from a computer system that is running or powered off.
Day 1 topics include:
- Purpose of Forensics
- Investigative Mindset
- Focus on the Fundamentals
- Evidence Fundamentals
- Admissibility
- Authenticity
- Threats against Authenticity
- Reporting and Presenting Evidence
- Taking Notes
- Report Writing Essentials
- Best Practices for Presenting Evidence
- Evidence Acquisition Basics
- Tableau Write Blocker Utilization
- Access Data's FTK Imager
- Access Data's FTK Imager Lite
- Preservation of Evidence
- Chain of Custody
- Evidence Handling
- Evidence Integrity
- Types of Acquisition
- Logical vs. Physical
- Basic Windows Memory Acquisition
- Basic Disk Based Acquisition
- E-discovery Acquisition
- Forensic Field Kits
- Adapters/Cables
- Write Blockers
- Laptops/Handheld Imagers
- Full Disk Image Acquisition Tools and Techniques
- Seize Evidentiary Image of a USB Device
- Seize Evidentiary Image From a Hard Drive
Day 1 exercises
- Install Forensic Toolkit
- Image a hard drive for evidence using a Tableau Write Blocker
- Image a USB device for evidence
- Image only selective files, and folders for evidence
- Collect protected system files from a running computer
- Image system memory for evidence
- Fill out a chain of custody form
- Documenting evidence acquisition for reporting