Computer forensics deals with the preservation, identification, extraction and documentation of computer evidence. Evidence exists on computers in many places and formats. In addition to evidentiary documents themselves, operating systems and programs leave a vast array of evidentiary artifacts that can be used to establish the guilt or innocence of accused parties. Computer forensics has been described as the autopsy of a computer hard drive because specialized software tools and techniques are required to analyze the various levels at which computer data has been stored after the fact.

Computer forensics, once a discipline restricted to a small group of law enforcement officers, is now a booming business. Demand for services is exploding as electronic evidence becomes widely used in court, and as companies become concerned about the use of computer networks for corporate spying and other mischief. Gain the knowledge and skills needed for this technology with Heathkit's Computer Forensics course.

 

Heathkit... the industry's leading company.

Computer Forensics

Course Objectives

After you complete this course, you will be able to:

        Properly preserve data on a suspect computer.
        Demonstrate the correct procedure for seizing and processing a computer system.
        Produce forensically clean target media on which to image the suspect machines.
        Make an image (an evidence-grade backup) of the suspect drive for further analysis.
        Authenticate that the image is an exact copy of the suspect drive.
        Explain how the recycle bin works and explore the forensic evidence trail that it leaves behind.
        Identify past Internet activity by examining cookie files, browser history, etc.
        Identify names of individuals previously associated with the suspect computer.
        Recover deleted files.
        Recover data from a freshly formatted disk.
        Recover data from unallocated clusters.
        Recover data from disk space that is not currently partitioned.
        Recover data from bad clusters.
        Recover data from slack space on a hard drive.


        Recover data from RAM slack.
        Determine who is sending you spam.
        Capture a virus for analysis.
        Break a weak password.
        Find a password in RAM.
        Forensically match a floppy diskette to a particular computer. Prove that a particular computer placed information on a floppy disk.
        Forensically match a particular TCP/IP frame to a particular computer.
        Conduct a forensic search using targeted strings of text.
        Conduct computer usage timeline analysis.
        Demonstrate how to permanently delete sensitive data and validate that the data no longer exists.
        Break encryption schemes.
        View multiple CD-R sessions and unclosed CD-R sessions.
        Retrieve data via Google Desktop.
        Give examples of event time bounding to overcome objections of time sharing.

 

Exercises

1. Looking for Evidence in Obvious Places
2. Examining Time Lines
3. Looking for Evidence in Not So Obvious Places
4. The Recycle Bin
5. The Forensic Software Suite
6. Working with Hashes
7. Working with Floppy Disks
8. Seizing a Computer System
9. Defeating the BIOS Password
10. Defeating the Administrative Password in Windows XP
11. Seizing and Processing a Computer System
12. Making an Evidence-Grade Image of a Suspect's Hard Drive
13. Examining the Directory and File Structure of the Hard Drive
14. File Space vs. Slack Space
15. Finding Information in Legitimate Files
16. Finding Information in Slack Space
17. Examining the Windows Dump Files
18. Exploring Steganography - Part I
19. Exploring Steganography - Part II
20. Introduction to Live Forensics
21. Preparing Bootable Media
22. Accessing the Suspect Machine
23. Examining Live RAM