Computer forensics, once a discipline restricted to a small group of law enforcement officers, is now a booming business. Demand for services is exploding as electronic evidence becomes widely used in court, and as companies become concerned about the use of computer networks for corporate spying and other mischief. Gain the knowledge and skills needed for this technology with Heathkit’s Computer Forensics course.
Heathkit...the industry’s leading company.
Computer Forensics
Course Objectives
After you complete this course, you will be able to:
- Properly preserve data on a suspect computer.
- Demonstrate the correct procedure for seizing and processing a computer system.
- Produce forensically clean target media on which to image the suspect machine’s
- Make an image (an evidence-grade backup) of the suspect drive for further analysis.
- Authenticate that the image is an exact copy of the suspect drive.
- Explain how the recycle bin works and explore the forensic evidence trail that it leaves behind.
- Identify past Internet activity by examining cookie files, browser history, etc.
- Identify names of individuals previously associated with the suspect computer.
- Recover deleted files.
- Recover data from a freshly formatted disk.
- Recover data from unallocated clusters.
- Recover data from disk space that is not currently partitioned.
- Recover data from bad clusters.
- Recover data from Slack Space on a hard drive.
- Recover data from RAM slack.
- Determine who is sending you spam.
- Capture a virus for analysis.
- Break a weak password.
- Find a password in RAM.
- Forensically match a floppy diskette to a particular computer. Prove that a particular computer placed information on a floppy disk.
- Forensically match a particular TCP/IP frame to a particular computer.
- Conduct a forensic search using targeted strings of text.
- Conduct computer usage timeline analysis.
- Demonstrate how to permanently delete sensitive data and validate that the data no longer exists.
- Break encryption schemes.
- View multiple CD-R sessions and unclosed CD-R sessions.
- Retrieve data via Google Desktop.
- Examples of “Event Time Bounding” to overcome objections of time sharing.
Exercises
1. Looking for Evidence in Obvious Places
2. Examining Time Lines
3. Looking for Evidence in not so Obvious Places
4. The Recycle Bin
5. The Forensic Software Suite
6. Working with Hashes
7. Working with Floppy Disks
8. Seizing a Computer System
9. Defeating the BIOS Password
10. Defeating the Administrative Password in Windows XP
11. Seizing and Processing a Computer System
12. Making an Evidence-Grade Image of a Suspect’s Hard Drive
13. Examining the Directory and File Structure of the Hard Drive
14. File Space vs. Slack Space
15. Finding Information in Legitimate Files
16. Finding Information in Slack Space
17. Examining the Windows Dump Files
18. Exploring Steganography - Part I
19. Exploring Steganography - Part II
20. Introduction to Live Forensics
21. Preparing Bootable Media
22. Accessing the Suspect Machine
23. Examining Live RAM