EnCase® v6 Computer Forensics I on June 2-5, 2008

Posted on March 26, 2008

First in the Philippines: EnCase® v6 Computer Forensics I on June 2-5, 2008

Fee: Php56,000.00 (Inclusive of 12% VAT, Training Materials, Certificate and AM/PM Snack and Lunch)

Venue: 25th Flr. Unit 2502b West Tower, Philippine Stock Exchange, Ortigas Center Pasig City

CPE credits: 32 | Level: Introductory | Prerequisites: Basic computer skills. Advance preparation for this course is not required.

This hands-on course involves practical exercises and real-life simulations. The class provides participants with an understanding of the proper handling of digital evidence from the initial seizure of the computer/media to acquisition, and then progresses to the analysis of the data. It concludes with archiving and validating the data. Delivery method: Group-Live.

Students attending this course will learn the following:

  • What constitutes digital evidence and how computers work
  • An overview of the EnCase Computer Forensic Methodology
  • Basic structures of the FAT and NTFS file systems
  • How to create a case and how to preview/acquire media
  • How to conduct basic keyword searches
  • How to analyze file signatures and view files
  • How to restore evidence
  • How to archive files and data created through the analysis process
  • How to prepare evidence for presentation in court
  • How to verify the evidence file

WHO SHOULD ATTEND

This course is intended for IT security professionals, litigation support staff and forensic investigators. Participants may have minimal computer skills and may be new to the field of computer forensics.


DAY 1 OUTLINE

  • EnCase Concepts
      • Case File
      • Evidence File
      • Case File Backup
      • Configuration Files
  • What constitutes Digital Evidence
      • Computers as an instrumentality of the crime
      • Computers as a repository of evidence
      • Examples of mediums of storing digital evidence
  • How Computers Work
      • Power Sequence
          • BIOS
          • POST
          • Etc.
      • Bits/Bytes/Hex/Binary
  • EnCase Navigation
  • Diskette Preview / Acquisition
      • Create Case
      • Options

Day one provides an understanding of the proper handling of digital evidence from seizure to acquisition. Students receive a basic overview of how computers function, as well as what constitutes digital evidence.

DAY 2 OUTLINE

  • NTFS/FAT File Systems
      • How these file systems track data
      • What happens when a file is created
      • What happens when a file is deleted
  • Creating a Boot Disk
      • Why a forensically sound boot disk is needed
      • Components of a forensically sound boot disk
  • Hard Drive Preview and Acquisitions
      • Physical disk versus logical drive
      • FastBloc
      • DOS based via disk to disk
      • DOS based via crossover cable
  • Creation of Keywords and Searching
      • Global versus Case Specific
      • Selecting Keywords
      • Selecting where/what to search
      • Viewing results
  • Bookmarking/Preserving Findings
      • Highlighting sections of data
      • Pointing to file(s)

Day two begins with a discussion of the FAT file systems as well as an overview of the NT file system. Hard disk acquisition is covered, using both a forensically sound boot diskette and a hardware write-blocking device. Attendees will learn how to properly preview a computer system prior to acquisition, as well as explore keyword searching and bookmarking of relevant data.

DAY 3 OUTLINE

  • File Types
      • Icons/Description column
  • Bookmarking Techniques
      • Pointing to file(s)
      • Comments
      • Organizing Report
  • Signature Analysis
      • Search Button
      • All or Selected
      • Compares Extension to Header
      • Interpreting results
  • Installing External Viewers
      • Link Application to EnCase
      • Can link file extensions to Application
  • Copy/Unerase Options
  • Restoring Evidence
  • Reacquiring an Evidence File
      • Don’t need original hardware to change options
      • Quick Reacquisition

Day three includes more complex bookmarking of data and examination of file signatures to accurately identify file types. Attendees will install external viewers within EnCase and learn how to copy data from within an evidence file. Students learn how to restore an evidence file back to physical media and reacquire an evidence file with different options.
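The signature analysis listed for Day 3 compares the extension a file claims with the header bytes actually stored on disk, which is how a renamed image or a mislabelled executable is spotted. The Python below is an added illustration of that check and is not EnCase's code or part of the course material; the signature table, the verdict labels and the sample files are constructed for this example and are far smaller than the table a real examiner works from.

```python
"""Signature analysis: compare each file's extension with its on-disk header bytes.

Added example (not EnCase's code). The signature table and the verdict labels
below are illustrative; a real examiner's table is far larger.
"""

# Illustrative signature table: extension -> accepted leading byte sequences.
SIGNATURES = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
    "zip":  [b"PK\x03\x04"],
    "docx": [b"PK\x03\x04"],   # OOXML documents are ZIP containers
    "exe":  [b"MZ"],
}


def detect_types(header: bytes) -> set:
    """Return every extension whose signature matches the leading bytes."""
    return {ext for ext, magics in SIGNATURES.items()
            if any(header.startswith(m) for m in magics)}


def analyze_signature(name: str, data: bytes):
    """Classify one file as (verdict, detected_types).

    match          - header agrees with the extension
    bad signature  - header contradicts the extension (renamed or corrupt file)
    unknown        - neither the extension nor the header is in the table
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = detect_types(data[:16])
    if detected and ext in detected:
        return "match", sorted(detected)
    if detected or ext in SIGNATURES:
        return "bad signature", sorted(detected)
    return "unknown", []


def analyze_all(files: dict) -> dict:
    """Run the check over {filename: content}; return {filename: (verdict, types)}."""
    return {name: analyze_signature(name, data) for name, data in files.items()}


# Constructed sample files (only the leading bytes matter for the check).
SAMPLE_FILES = {
    "photo.jpg":    b"\xff\xd8\xff\xe0" + b"\x00" * 60,
    "notes.txt":    b"\xff\xd8\xff\xe0" + b"\x00" * 60,   # image renamed to hide it
    "report.pdf":   b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "invoice.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 60,
    "budget.xls":   b"PK\x03\x04\x14\x00" + b"\x00" * 60,  # header says zip/docx, not a legacy .xls
    "README":       b"Plain text with no magic number\n",
    "tool.exe":     b"This is not a program at all\n",    # claims .exe but has no MZ header
}

if __name__ == "__main__":
    for name, (verdict, kinds) in analyze_all(SAMPLE_FILES).items():
        print(f"{name:14} {verdict:14} {'/'.join(kinds)}")
```

Only the first 16 bytes are read, which is why the check is cheap enough to run across every file in an evidence file; note that plain-text files have no magic number and always come back as "unknown", so an absent signature is not by itself evidence of tampering.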

DAY 4 OUTLINE

  • Archiving/Reopening an Archived Case
      • What to archive
      • Specify the path of the evidence file to EnCase when reopening the case
  • Verification of Evidence File
      • Change 1 bit; EnCase detects the change
      • Manually re-verify at any time
  • Timeline
      • Define four Date/Time stamps
  • Windows Artifacts
      • User Accounts
      • Recently Accessed Files
      • Internet Cache
      • Desktop/My Documents
  • Searching Unallocated Space
      • Use file header for image
      • Display image

Day four explores how to archive a completed case, as well as how to reopen this case if needed in the future. Attendees will observe how EnCase can detect and identify any changes to the content of an evidence file, as well as take a detailed look at the Timeline view within EnCase. Pertinent areas of interest within the Windows operating system and user accounts are explored, as well as locating data in unallocated space.
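The Day 4 verification topic ("change 1 bit; EnCase detects change") rests on the evidence file carrying integrity values that are recomputed whenever the file is verified. The Python below is an added illustration of that idea and is not EnCase's file format or code: it stores a checksum per block plus a hash over the whole acquisition, flips a single bit, and re-verifies, reporting which block changed. The 64-sector block size, the choice of CRC32 and MD5, and the sample image are assumptions made for the example.

```python
"""Evidence-file verification: per-block CRCs plus a whole-image hash.

Added example (not EnCase's format or code). Block size, CRC32/MD5 and the
sample image are assumptions made for illustration.
"""
import hashlib
import random
import zlib

BLOCK_SIZE = 64 * 512   # 64 sectors of 512 bytes per block (assumed for the example)


def acquire(raw: bytes) -> dict:
    """Acquire raw device bytes into an in-memory 'evidence file' with integrity values."""
    blocks = [raw[i:i + BLOCK_SIZE] for i in range(0, len(raw), BLOCK_SIZE)]
    return {
        "blocks": blocks,
        "crcs": [zlib.crc32(b) for b in blocks],      # one CRC per block
        "md5": hashlib.md5(raw).hexdigest(),           # one hash over all data
    }


def verify(evidence: dict):
    """Recompute every CRC and the MD5; return (ok, [indices of blocks that failed])."""
    bad_blocks = [i for i, (blk, crc) in enumerate(zip(evidence["blocks"], evidence["crcs"]))
                  if zlib.crc32(blk) != crc]
    md5_ok = hashlib.md5(b"".join(evidence["blocks"])).hexdigest() == evidence["md5"]
    return (not bad_blocks and md5_ok), bad_blocks


def flip_bit(evidence: dict, byte_offset: int, bit: int) -> dict:
    """Return a copy with one data bit toggled; the stored CRCs/MD5 are left as they were."""
    idx, off = divmod(byte_offset, BLOCK_SIZE)
    blocks = list(evidence["blocks"])
    blk = bytearray(blocks[idx])
    blk[off] ^= 1 << bit
    blocks[idx] = bytes(blk)
    return {**evidence, "blocks": blocks}


def sample_image(size: int = 100 * 1024) -> bytes:
    """Constructed, deterministic stand-in for a 100 KiB diskette/drive image."""
    rng = random.Random(1)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    ev = acquire(sample_image())
    print("fresh acquisition verifies:", verify(ev))
    tampered = flip_bit(ev, byte_offset=40_000, bit=3)
    print("after flipping one bit:   ", verify(tampered))
```

A CRC catches any single-bit change in its block by construction, so the per-block values localise the damage, while the whole-image hash is what an examiner quotes in court to show the acquisition matches what was verified; re-running verify() on the untouched acquisition at any later time still returns ok, which is the "manually re-verify at any time" item in the outline.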


EnCase® v6 Computer Forensics II on June 16-19, 2008

Fee: Php56,000.00 (Inclusive of 12% VAT, Training Materials, Certificate and AM/PM Snack and Lunch)
Venue: 25th Flr. Unit 2502b West Tower, Philippine Stock Exchange, Ortigas Center Pasig City
CPE credits: 32 | Level: Intermediate | Prerequisites: EnCase® Computer Forensics I. Advance preparation for this course is not required.

This hands-on course is designed for investigators with strong computer skills, prior computer forensics training, and experience using the EnCase forensic software. This course builds upon the skills covered in the EnCase Computer Forensics I course and enhances the examiner’s ability to work efficiently through the use of the unique features of EnCase.
*Students must understand evidence handling; the structure of the evidence file; creating and using case files; data acquisition methods including DOS based, hardware write protected, crossover cable and disk to disk; recovering deleted files and folders in a FAT environment; keyword searches across logical and physical media; creating and using EnCase bookmarks; file signatures and signature analysis; and locating and understanding Windows® artifacts. Delivery method: Group-Live.

Focusing on investigations common to the private sector, students will learn about the following:

  • How to create and use logical evidence files
  • How to locate and recover deleted partitions and folders
  • How to conduct keyword searches and advanced searches using GREP
  • The EnCase Virtual File System (VFS) and Physical Disk Emulator (PDE)
  • The Windows® Registry
  • How to deal with compound file types
  • How to export files, directories and entire volumes
  • How to identify files using hash values and build hash libraries
  • How to identify Windows XP operating system artifacts such as link files, the recycle bin, and user folders
  • How to prepare reports and evidence for presentation in court
  • How to recover artifacts such as swap files, file slack, and spooler files
  • How to recover printed and faxed pages

WHO SHOULD ATTEND

This course is intended for IT security professionals, litigation support staff and forensic investigators. Participants should have attended EnCase Computer Forensics I.

DAY 1

  • How the EnCase Evidence File is Stored and Verified
  • EnCase Forensic Edition Overview
      • Data flow
      • Navigating EnCase
  • Logical Evidence Files
      • What are they?
      • Why would I use them?
      • How to create them
  • Single Evidence Files
      • What are they?
      • Why would I use them?
      • How to create them
  • Software Write Protection
      • FastBloc SE
  • Introduction to NTFS
      • Understanding the Windows® New Technology File System
  • Handling Formatted or Repartitioned Media
  • Partition recovery
      • Folder Recovery

Day one provides an understanding of EnCase concepts. Students will learn how an evidence file is acquired, verified, added to a case, and stored. They will learn how to create and use logical evidence files and single evidence files. Students will receive hands-on imaging training using FastBloc SE.

DAY 2

  • Hash Analysis
      • Using file hashes to improve accuracy and efficiency
  • Compound files
      • An overview of compound files
      • Mounting compound files
      • Searching compound file types
  • Windows Registry
      • Appropriate keywords
      • How EnCase searches the evidence file
  • VFS / PDE
      • Using Virtual File System
      • Using Physical Disk Emulator
  • Using GREP to focus searches. GREP allows the examiner to create concise keywords using control characters, reducing false positives and increasing efficiency.

Day two introduces the students to the process of analyzing the evidence. The hashing of files, both as a means of identification and as a tool to speed up the searching process, is covered. Students also take a first look into the Windows Registry and learn how, why and when to use VFS and PDE. We continue to build on the students’ skill sets, moving from general keyword searches and file type analysis to advanced keyword searches using GREP.

DAY 3

  • Quickly locating file system artifacts unique to the NTFS file system
  • De-constructing link files to reveal artifacts that indicate the who, what, when and where of file manipulation
  • E-mail recovery and examinations, including Microsoft Outlook, Outlook Express and web-based e-mail
  • Recovering and analyzing e-mail attachments
  • Internet history concepts and analysis using Internet Explorer
  • Understanding and recovering documents that have been printed
  • Recycle Bin analysis to reveal important information about deleted files

Day three moves to specific analysis of common artifacts that cannot normally be located through keyword searches. This analysis can often provide vital information to investigations by revealing data that gives a clear indication of a user’s activities. We look at how EnCase handles common e-mail files and Internet history.

DAY 4

  • Handling and acquiring Flash Memory and artifacts
  • Reporting
      • How and what to report after the investigation is completed
      • Using the bookmarks we created to prepare a written report within the EnCase interface
      • Exporting the report in HTML or another format

On day four students learn how to utilize all of the techniques from the previous days to create a readable, coherent report using EnCase.

ENROLL NOW!

GLOBALKNOWLEDGE PHILIPPINES, INC.
2502B West Tower, PSE Bldg. Exchange Road, Ortigas Center, Pasig City, Philippines 1600
Tel. Nos. (632) 683-0969; 637-3657; 0920-709-8298
Email: Sandra@globalknowledgeph.com YM: Sandra_medalla@yahoo.com


Comments

One Response to “EnCase® v6 Computer Forensics I on June 2-5, 2008”

  1. Daniel Craig on July 16th, 2008 11:59 am

    Hi, I was looking around for a while searching for computer forensic training and I happened upon this site and your post regarding EnCase® v6 Computer Forensics I on June 2-5, 2008 | penoycentral.net. I will definitely add this to my computer forensic training bookmarks!
