


Computer forensics deals with the preservation, identification, extraction and documentation of computer evidence. Evidence exists on computers in many places and formats. In addition to evidentiary documents themselves, operating systems and programs leave a vast array of evidentiary artifacts that can be used to establish the guilt or innocence of accused parties. Computer forensics has been described as the autopsy of a computer hard drive because specialized software tools and techniques are required to analyze the various levels at which computer data has been stored after the fact.

Computer forensics, once a discipline restricted to a small group of law enforcement officers, is now a booming business. Demand for services is exploding as electronic evidence becomes widely used in court, and as companies become concerned about the use of computer networks for corporate spying and other mischief. Gain the knowledge and skills needed for this technology with Heathkit's Computer Forensics course.


Heathkit...the industry's leading company.



Computer Forensics


Course Objectives


After you complete this course, you will be able to:


        Properly preserve data on a suspect computer.


        Demonstrate the correct procedure for seizing and processing a computer system.


        Produce forensically clean target media on which to image the suspect machines.


        Make an image (an evidence-grade backup) of the suspect drive for further analysis.


        Authenticate that the image is an exact copy of the suspect drive.


        Explain how the recycle bin works and explore the forensic evidence trail that it leaves behind.


        Identify past Internet activity by examining cookie files, browser history, etc.


        Identify names of individuals previously associated with the suspect computer.


        Recover deleted files.


        Recover data from a freshly formatted disk.


        Recover data from unallocated clusters.


        Recover data from disk space that is not currently partitioned.


        Recover data from bad clusters.


        Recover data from Slack Space on a hard drive.





        Recover data from RAM slack.


        Determine who is sending you spam.


        Capture a virus for analysis.


        Break a weak password.


        Find a password in RAM.


        Forensically match a floppy diskette to a particular computer. Prove that a particular computer placed information on a floppy disk.



        Forensically match a particular TCP/IP frame to a particular computer.


        Conduct a forensic search using targeted strings of text.


        Conduct computer usage timeline analysis.


        Demonstrate how to permanently delete sensitive data and validate that the data no longer exists.


        Break encryption schemes.


        View multiple CD-R sessions and unclosed CD-R sessions.


        Retrieve data via Google Desktop.


        Give examples of Event Time Bounding used to overcome objections of time sharing.




1. Looking for Evidence in Obvious Places


2. Examining Time Lines


3. Looking for Evidence in not so Obvious Places


4. The Recycle Bin


5. The Forensic Software Suite


6. Working with Hashes


7. Working with Floppy Disks


8. Seizing a Computer System


9. Defeating the BIOS Password


10. Defeating the Administrative Password in Windows XP


11. Seizing and Processing a Computer System


12. Making an Evidence-Grade Image of a Suspect's Hard Drive


13. Examining the Directory and File Structure of the Hard Drive


14. File Space vs. Slack Space


15. Finding Information in Legitimate Files


16. Finding Information in Slack Space


17. Examining the Windows Dump Files


18. Exploring Steganography - Part I


19. Exploring Steganography - Part II


20. Introduction to Live Forensics


21. Preparing Bootable Media


22. Accessing the Suspect Machine


23. Examining Live RAM