Advanced Forensic Techniques

= Advanced Forensics Techniques =

Course: Advanced Forensics Techniques
Course ID: SB1DAFT
Instructor: Dr. Chandrasekar Umapathy
CPE Credits: 7 CPEs
Duration: 1 Day
Date: November 19th, 2009 (9 AM – 6 PM)

Who should attend?
• General IT security specialists and administrators
• IT security specialists who want to learn the core concepts of forensics
• Security officers for organisations and companies
• Law enforcement agencies
• Incident response team members

Class Pre-requisite:
• This class is for anyone who wants to get started with forensics.

Class Requirement:
• Students should bring their own laptop running at least Windows XP Professional SP2.
• Students should have administrative access/privileges on the laptop in order to install software.
• USB or CD/DVD-ROM device (needed for bootable software).
• Wireless-enabled laptop.
• The required tools will be distributed during the session.

Course Description:

This course covers the fundamental steps of an in-depth computer forensic methodology, so that each student leaves fully qualified to work as a computer forensic investigator in the field, helping to solve and fight crime.

Module 1 - Computer Forensic Investigative Theory
- History of Digital Forensics
- Digital Evidence
- Three Main Aspects of Digital Evidence Reconstruction
- Attack Guidelines for the Recovery of Digital Data
- Classification
- Reconstruction
- Demo: Timestomping
- Behavioral Evidence Analysis (BEA)
- Equivocal Forensic Analysis (EFA)
- Victimology
- Demo: Following the Clues from an Email Header

Module 2 - Computer Forensic Processing Techniques
- Goal of Digital Evidence Processing
- Demo: Logical Review with FTK
- Duplication
- Documenting and Identifying
- Disassembling the Device
- Disconnecting the Device
- Documenting the Boot Sequence
- Removing and Attaching the Storage Device to the Duplicating System
- Circumstances Preventing the Removal of Storage Devices
- Write Protection via Hardware/Software
- Geometry of a Storage Device
- Host Protected Area (HPA)
- Tools for Duplicating Evidence to the Examiner's Storage Device
- Demo: Hashing and Duplicating a Drive
- Preparing the Duplicate for Evidence Examination
- Recording the Logical Drive Structure
- Logical Processes
- Known Files
- Reference Lists
- Verifying that File Headers Match Extensions
- Demo: Introduction to FTK
- Regular Expressions
- Demo: Using Regular Expressions
- File Signatures
- Demo: Hex Workshop Analysis of Graphic Files
- Module 2 Review

Module 3 - Crypto and Password Recovery
- Background
- Demo: Steganography
- History
- Concepts 1
- Demo: Cracking a Windows Hashed Password
- Concepts 2
- File Protection
- Options 1
- Demo: Recovering Passwords from a Zip File
- Options 2
- Rainbow Tables
- Demo: Brute Force/Dictionary Cracks with L0phtCrack
- Demo: Password Cracking with Rainbow Tables
- Module 3 Review

Module 4 - Specialized Artifact Recovery
- Overview
- Exam Preparation Stage
- Windows File Date/Time Stamps
- File Signatures
- Image File Databases
- Demo: Thumbs.db
- The Windows OS
- Windows Operating Environment
- Windows Registry
- Windows Registry Hives 1
- Demo: Registry Overview
- Windows Registry Hives 2
- Windows NT/2000/XP Registry
- Windows Registry ID Numbers
- Windows Alternate Data Streams
- Demo: Alternate Data Streams
- Windows Unique ID Numbers
- Other IDs
- Historical Files 1
- Demo: Real Index.dat
- Historical Files 2
- Demo: Review of Event Viewer
- Historical Files 3
- Demo: Historical Entries in the Registry
- Historical Files 4
- Windows Recycle Bin
- Demo: INFO Files
- Outlook E-Mail
- Outlook 2k/Workgroup E-Mail
- Outlook Express 4/5/6
- Web E-Mail

Exercises

Two cases modeled after real-world examples will be presented to the students. Students will work in groups to investigate and analyze evidence related to a computer crime and will present their findings to the class.
