Computer Forensics

Computer Forensics is a practical, hands-on training course designed to transfer the skills needed to respond to security breaches and carry out a computer forensics investigation. Using a variety of computer forensics tools and a portable forensics laboratory, you will work through a number of practical exercises and challenges. You will learn how best to react to incidents while collecting volatile and non-volatile evidence. In addition, you will understand how to investigate security breaches and analyse digital evidence that could be used internally or in a court of law. During the course you will play the role of a computer forensics professional in charge of a real investigation case and apply the methods, techniques and tools required in a real scenario.

 

Who Should Attend

This course is ideally suited for:

  • security auditors
  • network and system administrators
  • technical managers
  • law enforcement personnel
  • security professionals wanting to learn the core concepts of computer forensic investigations on Windows-based and Linux-based operating systems.

 

“The class will benefit anyone who wants to gain practical knowledge in the domain of computer forensics”

 

Prerequisites

The course is “hands-on”, technically focused and aimed at individuals who have a good understanding of the Windows and Linux operating systems.

Duration: 5 days

About the course

Computer Forensics is a fully hands-on course developed around a set of real-case intrusion scenarios. The structure of the course follows the same sequence of steps that a computer forensic investigator typically carries out in a real-life investigation, from the very first response to the report-writing phase and even presenting electronic evidence as an expert witness. Topics for this training include:

  • Setting up a forensic laboratory
  • Performing initial forensic response
  • Acquiring system memory and other volatile evidence
  • File slack, RAM slack, drive slack and unallocated space
  • Hard drive imaging
  • Analyzing EXT, FAT12/16/32 and NTFS file systems
  • Creating event timelines
  • Recovering data from unallocated space
  • Extracting evidence from the Windows Registry
  • Parsing Windows Event Logs
  • Conducting keyword searches
  • Interpreting Internet history and HTTP concepts
  • Writing forensic reports
  • Providing expert opinion in a court of law
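The timeline step in the list above is usually done with the Sleuth Kit: `fls -r -m / image.dd` writes a "bodyfile" and `mactime -b` sorts it into a timeline. The script below is an added example, not code from the course toolkit or from the Sleuth Kit project: it parses the TSK 3.x bodyfile format and builds the same kind of MACB timeline in pure Python, so that the format and the flag convention can be studied without a disk image. The four bodyfile lines are constructed for illustration and do not come from a real case.

```python
"""Build a mactime-style timeline from Sleuth Kit bodyfile lines.

Added example, not part of the course toolkit. `fls -m` and `ils -m` write one
line per file system entry in the TSK 3.x bodyfile format
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
with times in UNIX epoch seconds (0 = unknown); `mactime` then sorts them into
a timeline. This script does the same so the format can be studied offline.
"""
from datetime import datetime, timezone

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
# Column order of the flag string mactime prints: Modified, Accessed, Changed, Born
TIME_FLAGS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))

# Constructed sample (not from a real case image): a system binary, a downloaded
# executable, a deleted batch file and an edited hosts file on an NTFS volume.
SAMPLE_BODYFILE = """\
0|/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|302592|1262304000|1262304000|1262304000|1262304000
0|/Users/alice/Downloads/invoice.exe|5678-128-3|r/rrwxrwxrwx|0|0|73728|1262390400|1262390300|1262390300|1262390200
0|/Users/alice/Downloads/run.bat (deleted)|5679-128-1|r/rrwxrwxrwx|0|0|212|1262390350|1262390350|1262390350|1262390350
0|/Windows/System32/drivers/etc/hosts|4321-128-1|r/rrwxrwxrwx|0|0|824|1262390500|1262390500|1262390500|1262304000
"""


def parse_bodyfile(text):
    """Parse bodyfile text into dicts keyed by FIELDS; blank and '#' lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def build_timeline(entries):
    """Return rows (epoch, macb, size, inode, name) sorted by time, then name.

    Equal timestamps of one entry collapse into a single row; the flag string
    marks which of M/A/C/B fired and uses '.' for the others, so 'm.c.' means
    modified and changed at that second, accessed and born at other seconds.
    """
    rows = []
    for e in entries:
        by_time = {}
        for field, flag in TIME_FLAGS:
            if e[field] != 0:                      # 0 means the file system has no such stamp
                by_time.setdefault(e[field], set()).add(flag)
        for ts, flags in by_time.items():
            macb = "".join(f if f in flags else "." for _, f in TIME_FLAGS)
            rows.append((ts, macb, e["size"], e["inode"], e["name"]))
    rows.sort(key=lambda r: (r[0], r[4], r[3]))
    return rows


def format_timeline(rows):
    """Render rows as text lines in the spirit of mactime output (UTC)."""
    out = []
    for ts, macb, size, inode, name in rows:
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        out.append(f"{when} {macb} {size:>9} {inode:<12} {name}")
    return out


if __name__ == "__main__":
    print("\n".join(format_timeline(build_timeline(parse_bodyfile(SAMPLE_BODYFILE)))))
```

Reading the output the way an investigator would: the `...b` row for `hosts` at the image's install time followed by a `mac.` row a day later shows the file was created long ago and then rewritten during the incident window, right after `invoice.exe` was born, modified and executed (accessed). On a real image, use `mactime` itself; this script is for understanding what it does.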

Laptop Requirements

A laptop is required to work through all the practical hands-on workshops. Failure to meet the requirements below may result in the delegate not being able to carry out one or more of the practical workshops and thus not taking full benefit of the course. The minimum laptop requirements are:

  • x86-compatible 1.5 GHz CPU or faster
  • DVD drive
  • 1 GB RAM or more
  • 20 GB of available hard drive space
  • The system must be capable of booting from a CD
  • VMware Player or VMware Workstation

Computer Forensics Toolkit

The content of the Computer Forensics Toolkit is:

  • A DVD containing the Virtual Forensics Workstation, configured with all the tools needed to perform a forensic investigation
  • A CD with a set of ready-to-use incident response tools

 

Course Outline

Day 1: After introducing the core concepts of the computer forensic methodology, you will learn how to perform live forensic response, acquiring volatile and non-volatile evidence without damaging or altering the original data, so that it can be analyzed later. Day 1 finishes with a section on physical memory analysis.

Day 2: Following the computer forensics methodology discussed on day 1, you will use your forensics toolkit to analyze and investigate the evidence acquired from the compromised system. You will learn how to use the TSK tools and Autopsy to create and analyze a timeline, how to parse and correlate Windows Event Logs and how to extract valuable evidence from the System Registry, among other artifacts.

Day 3: You will complete your work with the analysis of metadata and use tools such as Wireshark and NetworkMiner to analyze network traffic captures and add valuable information to your investigation. Finally, you will use all the information gathered through your analysis to solve the case and present your findings in a forensically sound manner.

Day 4: Having learned how to investigate a Windows environment, you will become more confident with a Linux crime scene. You will learn how to approach different Linux distributions, shells and GUIs, and how to identify services and connections on Linux and Unix servers. You will gather volatile data and forensic artifacts from a Linux/Unix machine and extract valuable information and evidence from them.

Day 5: You will complete the case analysis by establishing which processes were running during the incident and which hacking tools were used to compromise the hosts. We will cover the vital parts of /proc and analyze the relevant files one by one to complete the Linux case. Once the security settings and other persistent data on the Linux system are understood, evidence admissible in court will be captured.
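The Day 4 and Day 5 work on volatile data and /proc comes down to reading, for every running process, the few pseudo-files that a first responder cares about and checking them against known indicators. The script below is an added example, not part of the course toolkit or of any real case: for each numeric directory under a /proc tree it reads `comm` and `cmdline`, resolves the `exe` and `cwd` links, and flags an executable that was deleted while still running (the kernel appends " (deleted)" to the `exe` link target), a binary or working directory under a world-writable temp location, and a `comm` name that does not match the executable (a process can rename itself with prctl). The tree to scan is a parameter so a constructed tree, or a copy of /proc preserved from the evidence host, can be examined instead of the live system; the process set embedded in the script is constructed for illustration.

```python
"""Triage running processes from a Linux /proc tree.

Added example, not part of the course toolkit. Run with no arguments on a
Linux host to scan the live /proc, with a directory argument to scan a
preserved copy, or on a system without /proc to scan the constructed tree.
"""
import os
import sys
import tempfile

TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")   # world-writable staging areas


def _under(path, parents):
    return any(path == p or path.startswith(p + "/") for p in parents)


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:                 # kernel thread (no exe) or EACCES when not root
        return None


def read_proc_entry(root, pid):
    """Collect the /proc/<pid> items a first responder looks at."""
    base = os.path.join(root, str(pid))
    try:
        with open(os.path.join(base, "cmdline"), "rb") as f:
            argv = f.read().rstrip(b"\0")         # NUL-separated argv
        cmdline = argv.replace(b"\0", b" ").decode("utf-8", "replace")
    except OSError:
        cmdline = ""
    try:
        with open(os.path.join(base, "comm")) as f:
            comm = f.read().strip()
    except OSError:
        comm = ""
    return {"pid": pid, "comm": comm, "cmdline": cmdline,
            "exe": _readlink(os.path.join(base, "exe")),
            "cwd": _readlink(os.path.join(base, "cwd"))}


def flag_entry(entry):
    """Return the indicator strings for one process (empty when nothing stands out)."""
    flags = []
    exe, cwd, comm = entry["exe"], entry["cwd"], entry["comm"]
    if exe:
        if exe.endswith(" (deleted)"):
            flags.append("executable deleted from disk")
            exe = exe[:-len(" (deleted)")]
        if _under(os.path.dirname(exe), TEMP_DIRS):
            flags.append("executable under a temp directory")
        # comm is the binary name truncated to 15 bytes unless the process renamed itself
        if comm and not os.path.basename(exe).startswith(comm):
            flags.append(f"comm {comm!r} does not match executable {os.path.basename(exe)!r}")
    if cwd and _under(cwd, TEMP_DIRS):
        flags.append("working directory is a temp directory")
    return flags


def scan_proc(root="/proc"):
    """Scan every /proc/<pid> under root; returns entries sorted by PID with their flags."""
    results = []
    for name in os.listdir(root):
        if name.isdigit():
            entry = read_proc_entry(root, int(name))
            entry["flags"] = flag_entry(entry)
            results.append(entry)
    return sorted(results, key=lambda e: e["pid"])


# Constructed process set: pid -> (comm, argv, exe target or None, cwd target or None)
CONSTRUCTED_PROCESSES = {
    1: ("init", ["/sbin/init"], "/sbin/init", "/"),
    2: ("kthreadd", [], None, None),                               # kernel thread: no exe/cwd
    731: ("sshd", ["sshd: /usr/sbin/sshd -D [listener]"], "/usr/sbin/sshd", "/"),
    4242: ("kworker", ["/tmp/.x/kworker", "-p", "4444"], "/tmp/.x/kworker (deleted)", "/tmp/.x"),
    5100: ("bash", ["python3", "-c", "import socket,subprocess,os"], "/usr/bin/python3.11", "/home/www"),
}


def build_fake_proc(root, processes):
    """Lay out a minimal /proc look-alike (comm, cmdline, exe and cwd links) for testing."""
    for pid, (comm, argv, exe, cwd) in processes.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(b"".join(a.encode() + b"\0" for a in argv))
        for link, target in (("exe", exe), ("cwd", cwd)):
            if target is not None:           # dangling targets are fine, as in the real /proc
                os.symlink(target, os.path.join(d, link))
    os.makedirs(os.path.join(root, "sys"))   # non-numeric entries must be ignored


def demo_scan():
    """Scan the constructed tree in a temporary directory and return the results."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root, CONSTRUCTED_PROCESSES)
        return scan_proc(root)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    for e in scan_proc(root) if os.path.isdir(root) else demo_scan():
        if e["flags"]:
            print(f"PID {e['pid']:>6} {e['comm']:<15} {e['exe']}  <- {'; '.join(e['flags'])}")
```

The flags are leads to confirm, not verdicts: browsers and Java runtimes rename their processes legitimately, and a `(deleted)` executable also appears after a package upgrade replaced a binary that is still running. What makes PID 4242 in the constructed set stand out is the combination: a kernel-thread name on a user-space process, running from a hidden directory under /tmp, whose binary has been removed from disk. On a live system, capture `/proc/<pid>/exe` (it can still be copied even though the file is unlinked) and the process memory before anything is shut down.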

Course Breakdown

Day 1
1.1. Introduction to computer forensics
1.2. Crime Scene Preparation
1.3. Incident Response and handling

Day 2
2.1. Live Data Analysis
2.2. Windows File Systems
2.3. The Sleuth Kit & Autopsy
2.4. Disk Investigation and Analysis

Day 3
3.1. Investigating Internet Explorer
3.2. File Metadata
3.3. Network Forensics
3.4. Final Challenge

Day 4
4.1. Linux Forensics
4.2. Cyber criminals and Linux
4.3. Linux Distributions
4.4. Linux file systems and structure
4.5. Linux Servers

Day 5
5.1. Data analysis
5.2. Linux hacking software
5.3. Deeper into /proc
5.4. Forensics file analysis
5.5. Parsing Windows Event Logs
5.6. Data Recovery

Why us?

"Our trainers are security consultants with many years of experience, highly dedicated to teaching and sharing their knowledge."

"Windows Forensics is about acquiring practical skills and competence - not just theory."

"We focus on the tools and techniques which are used in real life by computer forensics investigators."

 

Dr. Almerindo Graziano
CEO Silensec

About the Author

Ismael Valenzuela
Since founding one of the first IT security consultancies in Spain, Ismael Valenzuela has participated as a security professional in international projects across the UK, Europe, India and Australia. Ismael holds a Bachelor's degree in Computer Science and is certified in Business Administration. He also holds a number of professional certifications, including GIAC Certified Forensic Analyst, GIAC Certified Intrusion Analyst, GIAC Penetration Tester, ITIL, CISM, CISSP and IRCA ISO 27001 Lead Auditor by Bureau Veritas UK. He is also a member of the SANS GIAC Advisory Board and an international BSi instructor for ISO 27001, ISO 20000 and BS 25999 courses. He currently works as Global IT Security Manager for a large multinational software provider and has authored a number of articles on information security, including the two-part article “My ERP got hacked, An Introduction to Computer Forensics”, recently published in Hakin9 magazine.