Advanced Forensics Techniques

Course: Advanced Forensics Techniques
Course ID: SB1DAFT
Instructor: Dr. Chandrasekar Umapathy
CPE Credits: 7 CPE’s
Duration: 1 Day
Date: November 19th, 2009 (9 AM – 6 PM)

Who should attend?
• General IT security specialists and administrators
• IT security specialists who are interested in learning core concepts of Forensics specifically
• Security officers for organisations and companies
• Law Enforcement agencies
• Incident Response Team members

Class Pre-requisite:
• This class is for anyone who wants to begin with Forensics.

Class Requirement:
• Students to carry their laptop with at least Windows XP professional SP2.
• Students should have Administrative access / Privileges on the laptop for installing software.
• USB or CD/DVDROM device (N.B for bootable software).
• Wireless Enabled
• Required tools would be distributed during the session

Course Description:

This course covers the fundamental steps of the in-depth computer forensic methodology so that each student will have the complete qualifications to work as a computer forensic investigator in the field helping solve and fight crime.

Module 1 - Computer Forensic Investigative Theory
- History of Digital Forensics
- Digital Evidence
- Three Main Aspects to Digital Evidence Reconstruction
- Attack Guidelines for the Recovery of Digital Data
- Classification
- Reconstruction
- Demo - TimeStomping
- Behavioral evidence analysis (BEA)
- Equivocal forensic analysis (EFA)
- Victimology
- Demo - Following the Clues from an Email Header

Module 2 - Computer Forensic Processing Techniques
- Goal of Digital Evidence Processing
- Demo - Logical Review with FTK
- Duplication
- Documenting and Identifying
- Disassembling the Device
- Disconnecting the Device
- Document the Boot Sequence
- Removing and Attaching the Storage Device to Duplicated System
- Circumstances Preventing the Removal of Storage Devices
- Write Protection via Hardware/Software
- Geometry of a Storage Device
- Host Protected Area (HPA)
- Tools for Duplicating Evidence to Examiner's Storage Device
- Demo - Hashing and Duplicating a Drive
- Preparing Duplication for Evidence Examination
- Recording the Logical Drive Structure
- Logical Processes
- Known Files
- Reference Lists
- Verify that File Headers Match Extensions
- Demo - Introduction to FTK
- Regular Expressions
- Demo - Using Regular Expressions
- File Signatures
- Demo - Hex Workshop Analysis of Graphic Files
- Module 2 Review

Module 3 - Crypto and Password Recovery
- Background
- Demo - Stegonography
- History
- Concepts 1
- Demo - Cracking a Windows Hashed Password
- Concepts 2
- File Protection
- Options 1
- Demo - Recovering Passwords from a Zip File
- Options 2
- Rainbow Tables
- Demo - Brute Force/Dictionary Cracks with Lophtcrack
- Demo - Password Cracking with Rainbow Tables
- Module 3 Review

Module 4 - Specialized Artifact Recovery
- Overview
- Exam Preparation Stage
- Windows File Date/Time Stamps
- File Signatures
- Image File Databases
- Demo - Thumbs.DB
- The Windows OS
- Windows Operating Environment
- Windows Registry
- Windows Registry Hives 1
- Demo - Registry Overview
- Windows Registry Hives 2
- Windows NT/2000/XP Registry
- Windows Registry ID Numbers
- Windows Alternate Data Streams
- Demo - Alternate Data Streams
- Windows Unique ID Numbers
- Other ID
- Historical Files 1
- Demo - Real Index.dat
- Historical Files 2
- Demo - Review of Event Viewer
- Historical Files 3
- Demo - Historical Entries in the Registry
- Historical Files 4
- Windows Recycle Bin
- Demo - INFO Files
- Outlook E-Mail
- Outlook 2k/Workgroup E-Mail
- Outlook Express 4/5/6
- Web E-Mail

Exercises

Two cases modeled after real-world examples will be presented to the students. Students will work in a group to investigate and analyze evidence related to a computer crime and present their findings to the class.