Computer Forensics Training

Duration:

5 Days

Audience:

Employees of federal, state and local governments; and businesses working with the government.

Course Description:

Prepare for 3 certifications in one class!

A comprehensive 5-day course that covers both the CCFP and CHFI exams, as well as extra detail on memory forensics. The labs use OSForensics for PC forensics and prepare the student for that vendor exam as well.

Students will learn basic forensic science along with the concepts of phone and computer forensics.

Course Outline:

  • Forensic science (the scientific method, Locard's exchange principle, how to write a report, etc.)
  • Legal Issues such as chain of custody and warrants
  • Basic computer science fundamentals (file systems, hard drives, etc.)
  • Mobile forensics
    • The various mobile operating systems
      • iOS
      • Android
      • Windows
    • Mobile networks
      • 3G
      • 4G
      • 5G
    • Cell phone concepts
      • SIM
      • IMEI
      • PUK
    • General Overview of JTAG and Chip Off
  • Windows forensics (Registry, logs, how data is stored)
    • File issues
      • Properties
      • Deleted vs Orphaned Files
      • Moving vs Copying
      • Created, Modified, Accessed timestamps
    • Windows Registry
      • General overview
      • Keys of interest
    • Windows Prefetch
    • Windows Event Codes
    • MFT
    • Windows UserAssist
    • Shadow Copy
    • ShimCache
  • Basic Linux operating system
  • Basic network forensics
    • Basic Networking Knowledge
      • IP Addresses
      • MAC Addresses
      • Devices
      • Packets
      • Protocols
      • Packet Structure
    • Packet Tracing
    • Packet Analysis
    • Virtual Systems
      • VMs
      • Cloud
    • Email Forensics
      • Servers
      • Header analysis
  • Memory Forensics
    • Types of Analysis
      • Swap space analysis
      • Memory Analysis
      • Data acquisition as per RFC 3227
    • In-memory data
      • Current processes
      • Memory mapped files
      • Caches
      • Open Ports
    • Memory Architectural Issues
    • Data structures
      • Windows Objects
      • Processes
      • Handles
      • Pool-tag scanning
      • %SystemDrive%\hiberfil.sys
      • Page/Swap File
    • Tools used
      • Using Volatility
      • DumpIt.exe
      • hibr2bin
  • Basic electronic discovery

Students will have hands-on labs where they will learn to:

  1. Image a drive with FTK Imager and with OSForensics
  2. Recover deleted files with OSForensics
  3. Create an index and search an index with OSForensics
  4. Recover data from Windows Registry with OSForensics
  5. Prepare a forensics report
  6. Recover data from a phone
  7. Examine memory dumps with Volatility