FORENSICS 408

Computer Forensic Investigations - Windows In-Depth

Monday, March 12, 2012 - Saturday, March 17, 2012
Chad Tilbury, SANS Certified Instructor
6 CPE/CMU Credits Per Day

Master computer forensics. Learn critical investigation techniques. With today's ever-changing technologies and environments, it is inevitable that every organization will deal with cybercrime, including fraud, insider threat, industrial espionage, and phishing. In addition, government agencies are now performing media exploitation to recover key intelligence kept on adversary systems. To help solve these cases, organizations are hiring digital forensic professionals and calling in cybercrime law enforcement agents to piece together what happened.

FOR408: Computer Forensic Investigations - Windows In-Depth focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

This course covers the fundamental steps of the in-depth computer forensic and media exploitation methodology so that each student will have the complete qualifications to work as a computer forensic investigator in the field, helping solve and fight crime. In addition to in-depth technical knowledge of Windows digital forensics (Windows XP through Windows 7 and Server 2008), you will be exposed to well-known computer forensic tools such as Access Data's Forensic Toolkit (FTK), Guidance Software's EnCase, Registry Analyzer, FTK Imager, Prefetch Analyzer, and much more. Many of the tools covered in the course are freeware, comprising a full-featured forensic laboratory that each student can take with them.

FOR408: Computer Forensic Investigations - Windows In-Depth is the first course in the SANS Computer Forensic Curriculum. If this is your first computer forensics course with SANS we recommend that you start here.

FIGHT CRIME. UNRAVEL INCIDENTS... ONE BYTE AT A TIME.

You will receive with this course

Free SANS Investigative Forensic Toolkit (SIFT) Essentials

As a part of this course you will receive a SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit. The entire kit will enable each investigator to accomplish proper and secure examinations of SATA, IDE, or Solid State Drives (SSD). The toolkit consists of:

Forensics SIFT Tableau T35es Write Blocker Kit
  • Tableau T35es Write Blocker Kit
    • One Tableau T35es Write Blocker (Read-Only)
    • IDE Cable/Adapters
    • SATA Cable/Adapters
    • FireWire and USB Cable Adapters
    • Forensic Notebook Adapters (IDE/SATA)
  • Forensics SIFT Tableau
  • SANS VMware-Based Forensic Analysis VMware Workstation
    • Fully functioning tools that include working with Access Data's Forensic Toolkit (FTK) and Guidance Software's EnCase
  • Course DVD: Loaded with case examples, tools, and documentation

Who should attend

  • Information technology professionals who wish to learn the core concepts in computer forensics investigations
  • Incident Response Team Members who are new to responding to security incidents and need to utilize computer forensics to help solve their cases
  • Law enforcement officers, federal agents, or detectives who desire to become a subject matter expert on computer forensics for Windows based operating systems
  • Media Exploitation Analysts who need to master Tactical Exploitation and Document and Media Exploitation (DOMEX) operations on systems used by an individual. They will be able to determine specifically how the individual used their system, who they communicated with, and which files they downloaded, edited, or deleted.
  • Information security managers who need to understand digital forensics in order to understand information security implications and potential litigation related issues or manage investigative teams
  • Information technology lawyers and paralegals who desire to have a formal education in digital forensic investigations
  • Anyone interested in computer forensic investigations with a background in information systems, information security, and computers

Computer Forensic Investigations - Windows In-Depth course topics

  • Windows File System Basics
  • Evidence Acquisition Tools and Techniques
  • Law Enforcement Bag and Tag
  • Evidence Integrity
  • Registry Forensics
  • Windows Artifact Analysis
    • Facebook, Gmail, Hotmail, Yahoo Chat and Webmail Analysis
    • E-mail Forensics (Host, Server, Web)
    • Microsoft Office Document Analysis
    • Windows Link File Investigation
    • Windows Recycle Bin Analysis
    • File and Picture Metadata Tracking and Examination
    • Prefetch Analysis
  • Event Log File Analysis
  • Firefox and Internet Explorer Browser Forensics
  • Deleted File Recovery
  • String Searching and Data Carving
  • Examine cases involving Windows XP, Vista, and Windows 7
  • Media Analysis And Exploitation Involving:
    • Tracking user communications using a Windows PC (email, chat, IM, webmail)
    • Tell if and how the suspect downloaded a specific file to the PC
    • Determine the exact time and the number of times a suspect executed a program
    • Show when any file was first and last opened by a suspect
    • Determine if a suspect had knowledge of a specific file
    • Show the exact physical location of the system
    • USB device tracking and analysis
    • Show how the suspect logged into the machine via the console, RDP, or network
    • Recover and examine browser artifacts even those used in private browsing mode
  • Fully Updated to include full Windows 7 and Server 2008 Examinations

Certifications

FOR408 - Computer Forensic Investigations - Windows In-Depth is an Authorized Training Center for the following Digital Forensic Certifications:
  • GIAC Certified Forensic Examiner (GCFE)
  • ISFCE Certified Computer Examiner (CCE)

SANS COMPUTER FORENSIC WEBSITE - http://computer-forensics.sans.org

The learning does not end when class is over. SANS Computer Forensic Website is a community-focused site offering digital forensics professionals a one-stop forensic resource to learn, discuss, and share current developments in the field. It also provides information regarding SANS forensics training, GIAC certification, and upcoming events. Visit http://computer-forensics.sans.org. New content is added regularly, so please visit often. In addition, do not forget to share this information with your fellow forensic professionals.

Best IT Security return on Investment.
-Mario Chiock, Schlumberger

Author Statement

After 25 years in law enforcement, when I think of what makes a great digital forensic analyst, three things immediately rise to the top of my list: superior technical skill, sound investigative methodology, and the ability to overcome obstacles. SANS FOR408, Windows In-Depth, was designed around imparting these critical skills to the students. Unlike many other forensics training courses that focus on teaching a single tool, FOR408 provides training on many tools. While there are some really exceptional tools available, we feel every forensicator needs a variety of tools in their arsenal so they can pick and choose the best tool for each task. But we also understand that a great forensics analyst is not great because of the tool(s) they use; they are great because they artfully apply the right investigative methodology to each analysis. A carpenter can be a master with all his tools and still not know how to build a house. FOR408 is designed to teach and allow each student to apply digital forensic methodologies for a variety of case types and situations, allowing them to apply in the real world the right methodology to achieve the best outcome. Finally, this course is designed to teach and demonstrate the problem-solving skills necessary to be a truly successful forensicator. Almost immediately after starting your forensic career, you learn that each forensic analysis presents its own unique challenges. A technique that worked flawlessly in previous exams may not work in the next. A good forensicator must be able to overcome obstacles through advanced troubleshooting and problem solving. FOR408 gives students the foundation that will allow them to solve future problems, overcome obstacles, and become great forensicators. No matter if you are new to the forensic community or have been doing forensics for years, FOR408 is a must-have course. - Ovie Carroll

SANS COMPUTER FORENSICS GRADUATE THWARTS BANK HEIST. Headlines similar to these are now a reality, as former students have emailed me regularly about how they were able to use their digital forensic skills in very real situations. Graduates of Computer Forensics Windows In-Depth are the front-line troops deployed when you need accurate digital forensic and media exploitation analysis. From analyzing terrorist laptops to investigating insider intellectual property theft and fraud, SANS digital forensic graduates are battling and winning the war on crime and terror. Graduates have directly contributed to solving some of the toughest cases out there because they learn how to conduct analysis and run investigations properly. Knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign attacks brings me great comfort. Graduates are doing it. Daily. I am proud that the Computer Forensics Investigations - Windows In-Depth course at SANS helped prepare them to fight and solve crime. - Rob Lee

Computer forensics has never been more in demand than it is today. Zettabytes of data are created yearly, and forensic examiners will increasingly be called in to separate the wheat from the chaff. For better or worse, digital artifacts are recorded for almost every action, and the bar has been raised for those investigators working to repel computer intrusions, stop intellectual property theft, and put the bad guys in jail. We wrote this course as the forensics training we wish had been available early in our careers. Keeping up with the cutting edge of forensics is daunting, and with frequent updates I am confident this course provides the most up-to-date training available, whether you are just starting out or are looking to add to your forensic arsenal. - Chad Tilbury