This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Advanced Forensic Techniques"
(→Advanced Forensics Techniques) |
(→Advanced Forensics Techniques) |
||
| Line 1: | Line 1: | ||
= '''Advanced Forensics Techniques''' = | = '''Advanced Forensics Techniques''' = | ||
| − | Course: Advanced Forensics Techniques<br>Course ID: SB1DAFT<br>Instructor: | + | Course: Advanced Forensics Techniques<br>Course ID: SB1DAFT<br>Instructor: Dr. Chandrasekar Umapathy<br>CPE Credits: 7 CPE’s<br>Duration: 1 Day<br>Date: November 19th, 2009 (9 AM – 6 PM)<br> |
'''Who should attend?'''<br>• General IT security specialists and administrators<br>• IT security specialists who are interested in learning core concepts of Forensics specifically<br>• Security officers for organisations and companies<br>• Law Enforcement agencies<br>• Incident Response Team members | '''Who should attend?'''<br>• General IT security specialists and administrators<br>• IT security specialists who are interested in learning core concepts of Forensics specifically<br>• Security officers for organisations and companies<br>• Law Enforcement agencies<br>• Incident Response Team members | ||
| Line 13: | Line 13: | ||
'''Course Description:''' | '''Course Description:''' | ||
| − | This course covers the fundamental steps of the in-depth computer forensic methodology so that each student will have the complete qualifications to work as a computer forensic investigator in the field helping solve and fight crime.<br> | + | This course covers the fundamental steps of the in-depth computer forensic methodology so that each student will have the complete qualifications to work as a computer forensic investigator in the field helping solve and fight crime. |
| − | ''' | + | |
| + | '''Module 1 - Computer Forensic Investigative Theory'''<br> | ||
| + | - History of Digital Forensics<br> | ||
| + | - Digital Evidence<br> | ||
| + | - Three Main Aspects to Digital Evidence Reconstruction<br> | ||
| + | - Attack Guidelines for the Recovery of Digital Data<br> | ||
| + | - Classification<br> | ||
| + | - Reconstruction<br> | ||
| + | - Demo - TimeStomping<br> | ||
| + | - Behavioral evidence analysis (BEA)<br> | ||
| + | - Equivocal forensic analysis (EFA)<br> | ||
| + | - Victimology<br> | ||
| + | - Demo - Following the Clues from an Email Header<br> | ||
| + | |||
| + | '''Module 2 - Computer Forensic Processing Techniques'''<br> | ||
| + | - Goal of Digital Evidence Processing<br> | ||
| + | - Demo - Logical Review with FTK<br> | ||
| + | - Duplication<br> | ||
| + | - Documenting and Identifying<br> | ||
| + | - Disassembling the Device<br> | ||
| + | - Disconnecting the Device<br> | ||
| + | - Document the Boot Sequence<br> | ||
| + | - Removing and Attaching the Storage Device to Duplicated System<br> | ||
| + | - Circumstances Preventing the Removal of Storage Devices<br> | ||
| + | - Write Protection via Hardware/Software<br> | ||
| + | - Geometry of a Storage Device<br> | ||
| + | - Host Protected Area (HPA)<br> | ||
| + | - Tools for Duplicating Evidence to Examiner's Storage Device<br> | ||
| + | - Demo - Hashing and Duplicating a Drive<br> | ||
| + | - Preparing Duplication for Evidence Examination<br> | ||
| + | - Recording the Logical Drive Structure<br> | ||
| + | - Logical Processes<br> | ||
| + | - Known Files<br> | ||
| + | - Reference Lists<br> | ||
| + | - Verify that File Headers Match Extensions<br> | ||
| + | - Demo - Introduction to FTK<br> | ||
| + | - Regular Expressions<br> | ||
| + | - Demo - Using Regular Expressions<br> | ||
| + | - File Signatures<br> | ||
| + | - Demo - Hex Workshop Analysis of Graphic Files<br> | ||
| + | - Module 2 Review <br> | ||
| + | |||
| + | '''Module 3 - Crypto and Password Recovery'''<br> | ||
| + | - Background<br> | ||
| + | - Demo - Stegonography<br> | ||
| + | - History<br> | ||
| + | - Concepts 1<br> | ||
| + | - Demo - Cracking a Windows Hashed Password<br> | ||
| + | - Concepts 2<br> | ||
| + | - File Protection<br> | ||
| + | - Options 1<br> | ||
| + | - Demo - Recovering Passwords from a Zip File<br> | ||
| + | - Options 2<br> | ||
| + | - Rainbow Tables<br> | ||
| + | - Demo - Brute Force/Dictionary Cracks with Lophtcrack<br> | ||
| + | - Demo - Password Cracking with Rainbow Tables<br> | ||
| + | - Module 3 Review <br> | ||
| + | |||
| + | '''Module 4 - Specialized Artifact Recovery'''<br> | ||
| + | - Overview<br> | ||
| + | - Exam Preparation Stage<br> | ||
| + | - Windows File Date/Time Stamps<br> | ||
| + | - File Signatures<br> | ||
| + | - Image File Databases<br> | ||
| + | - Demo - Thumbs.DB<br> | ||
| + | - The Windows OS<br> | ||
| + | - Windows Operating Environment<br> | ||
| + | - Windows Registry<br> | ||
| + | - Windows Registry Hives 1<br> | ||
| + | - Demo - Registry Overview<br> | ||
| + | - Windows Registry Hives 2<br> | ||
| + | - Windows NT/2000/XP Registry<br> | ||
| + | - Windows Registry ID Numbers<br> | ||
| + | - Windows Alternate Data Streams<br> | ||
| + | - Demo - Alternate Data Streams<br> | ||
| + | - Windows Unique ID Numbers<br> | ||
| + | - Other ID<br> | ||
| + | - Historical Files 1<br> | ||
| + | - Demo - Real Index.dat<br> | ||
| + | - Historical Files 2<br> | ||
| + | - Demo - Review of Event Viewer<br> | ||
| + | - Historical Files 3<br> | ||
| + | - Demo - Historical Entries in the Registry<br> | ||
| + | - Historical Files 4<br> | ||
| + | - Windows Recycle Bin<br> | ||
| + | - Demo - INFO Files<br> | ||
| + | - Outlook E-Mail<br> | ||
| + | - Outlook 2k/Workgroup E-Mail<br> | ||
| + | - Outlook Express 4/5/6<br> | ||
| + | - Web E-Mail<br> | ||
| + | |||
| + | '''Exercises''' | ||
| + | |||
| + | Two cases modeled after real-world examples will be presented to the students. Students will work in a group to investigate and analyze evidence related to a computer crime and present their findings to the class. | ||
= = | = = | ||
Latest revision as of 14:05, 25 October 2009
Advanced Forensics Techniques
Course: Advanced Forensics Techniques
Course ID: SB1DAFT
Instructor: Dr. Chandrasekar Umapathy
CPE Credits: 7 CPE’s
Duration: 1 Day
Date: November 19th, 2009 (9 AM – 6 PM)
Who should attend?
• General IT security specialists and administrators
• IT security specialists who are interested in learning core concepts of Forensics specifically
• Security officers for organisations and companies
• Law Enforcement agencies
• Incident Response Team members
Class Pre-requisite:
• This class is for anyone who wants to begin with Forensics.
Class Requirement:
• Students to carry their laptop with at least Windows XP professional SP2.
• Students should have Administrative access / Privileges on the laptop for installing software.
• USB or CD/DVDROM device (N.B for bootable software).
• Wireless Enabled
• Required tools would be distributed during the session
Course Description:
This course covers the fundamental steps of the in-depth computer forensic methodology so that each student will have the complete qualifications to work as a computer forensic investigator in the field helping solve and fight crime.
Module 1 - Computer Forensic Investigative Theory
- History of Digital Forensics
- Digital Evidence
- Three Main Aspects to Digital Evidence Reconstruction
- Attack Guidelines for the Recovery of Digital Data
- Classification
- Reconstruction
- Demo - TimeStomping
- Behavioral evidence analysis (BEA)
- Equivocal forensic analysis (EFA)
- Victimology
- Demo - Following the Clues from an Email Header
Module 2 - Computer Forensic Processing Techniques
- Goal of Digital Evidence Processing
- Demo - Logical Review with FTK
- Duplication
- Documenting and Identifying
- Disassembling the Device
- Disconnecting the Device
- Document the Boot Sequence
- Removing and Attaching the Storage Device to Duplicated System
- Circumstances Preventing the Removal of Storage Devices
- Write Protection via Hardware/Software
- Geometry of a Storage Device
- Host Protected Area (HPA)
- Tools for Duplicating Evidence to Examiner's Storage Device
- Demo - Hashing and Duplicating a Drive
- Preparing Duplication for Evidence Examination
- Recording the Logical Drive Structure
- Logical Processes
- Known Files
- Reference Lists
- Verify that File Headers Match Extensions
- Demo - Introduction to FTK
- Regular Expressions
- Demo - Using Regular Expressions
- File Signatures
- Demo - Hex Workshop Analysis of Graphic Files
- Module 2 Review
Module 3 - Crypto and Password Recovery
- Background
- Demo - Stegonography
- History
- Concepts 1
- Demo - Cracking a Windows Hashed Password
- Concepts 2
- File Protection
- Options 1
- Demo - Recovering Passwords from a Zip File
- Options 2
- Rainbow Tables
- Demo - Brute Force/Dictionary Cracks with Lophtcrack
- Demo - Password Cracking with Rainbow Tables
- Module 3 Review
Module 4 - Specialized Artifact Recovery
- Overview
- Exam Preparation Stage
- Windows File Date/Time Stamps
- File Signatures
- Image File Databases
- Demo - Thumbs.DB
- The Windows OS
- Windows Operating Environment
- Windows Registry
- Windows Registry Hives 1
- Demo - Registry Overview
- Windows Registry Hives 2
- Windows NT/2000/XP Registry
- Windows Registry ID Numbers
- Windows Alternate Data Streams
- Demo - Alternate Data Streams
- Windows Unique ID Numbers
- Other ID
- Historical Files 1
- Demo - Real Index.dat
- Historical Files 2
- Demo - Review of Event Viewer
- Historical Files 3
- Demo - Historical Entries in the Registry
- Historical Files 4
- Windows Recycle Bin
- Demo - INFO Files
- Outlook E-Mail
- Outlook 2k/Workgroup E-Mail
- Outlook Express 4/5/6
- Web E-Mail
Exercises
Two cases modeled after real-world examples will be presented to the students. Students will work in a group to investigate and analyze evidence related to a computer crime and present their findings to the class.
