
Computer Forensics L-1  

Short Description: The Level II online program is designed for people who are interested in becoming Computer Forensics experts and have successfully completed Level I training.

Computer Forensics – Level II

50 hours / 4 Months / Mentor Supported

Computer Forensics Level II Training

This is not a "watered down" training course. Unlike other courses, we tell you in detail what we cover during the course and what our experience and expertise are. We have a great training course, great material, experienced instructors and we truly want you to learn the material and to become good forensic examiners. We want you to compare and decide what is best for you.

Our instructors are all Certified Forensic Computer Examiners or Certified Computer Examiners (CCE)® who are currently involved in computer forensic examinations. They will coach and tutor you through the practical exercises, your reports and the test questions for each module. Our instructors are highly qualified, experienced and understand forensic examinations far beyond the material in this course. Your interaction with your instructor will normally be via email, but direct assistance is available. We truly want you to learn the material and to become a good forensic examiner.

This online program is designed for people interested in becoming Computer Forensics experts. Students move at their own pace through all 3 levels (5 modules) and learn how to forensically examine and recover data from DOS, Windows 95 and Windows 98 operating systems. Students learn core forensic procedures for any operating or file system, and how to conduct forensically sound examinations to preserve evidence for admission and use in legal proceedings. Each module requires an exam and completion of practical exercises before you can move to the next module. Additionally, this course will help prepare you for the upcoming Certified Computer Examiner (CCE) examination.

Prerequisites - Successful completion of the Computer Forensics Level I training.

Outline:

Module 2
  • The DOS and Windows boot process.
  • A continuation of how files are created and stored.
  • How to recover more complex deleted files.
  • The significance and determination of the creation date and time.
  • The significance and determination of the last accessed date and the modification date and time.
  • How Windows long file names are stored.
  • What happens when Windows long file names are deleted?
  • How to recover Windows long file names.
  • How sub-directories are stored.
  • What happens when sub-directories are deleted?
  • How to recover a deleted sub-directory and its files.
  • What happens when a diskette or hard disk drive is formatted?
  • How to recover files, sub-directories and data from formatted disks.
  • How to determine which files had been deleted prior to formatting.
  • What file slack is and how to recover data from file slack.
  • There are five practical exercises on the logical structure of FAT file systems, file storage and the recovery of fragmented deleted files, the recovery of long file names, the recovery of deleted sub-directories and the recovery of formatted disks.
  • A written examination regarding the material covered in this module.
Module 3
  • An in-depth exploration of NTFS logical structures (nothing similar is available anywhere) including:
  • The partition table:
    • The boot record
    • Bitmaps
    • The root directory
    • The MFT
    • Headers
    • Attributes
    • Resident files
    • Non-resident files
    • Run lists, etc.
    • Alternate data streams
    • File storage
    • The various dates and times stored in attributes
    • File deletion
    • File recovery
    • Directory storage
    • Tracing files/directories
    • The NTFS registry "hive".
    • Examining NTFS drives
  • A practical exercise involving the detailed exploration of the NTFS logical structures on a specially prepared NTFS drive.
  • A written examination regarding the material covered in this module.


We will provide a detailed handout for each module covered. The handouts can be used as a reference manual. Sample reports, additional practical exercises, a DOS primer, Diskedit primer and other useful information and applications will be provided. You will be subscribed to our list servers that provide both administrative and technical information. Even after you complete the course, as material is updated, you will be able to download the new material from our web site.

We will provide some forensic software that was written specifically for forensic examiners, including:

  • A fast and thorough wiping program
  • A fast checksum program
  • A fast program that documents files (including deleted files) on a drive
  • A program that will allow examination of unallocated space
  • A program that will make exact forensic copies of floppy diskettes
  • An excellent forensic "carving" utility
  • The Passware Kit from Lost Password.com
  • See hardware and software requirements for details on the software provided.
You will be required to purchase:
  • Norton Utilities
  • Norton Ghost
  • QuickView Plus (a viewing application)
  • A good virus scanning utility
  • You will be required to use your own USB drive for the examinations. We recommend a size no less than 32 MB.

Demo1 - This is a simple practical exercise that simulates a common issue that a forensic examiner may encounter. This demonstration practical exercise is based upon actual cases.

To download and open Demo1:
  • Click on the Demo1 link above.
  • Download the demo1.zip file.
  • Unzip the demo1.zip file to get demo1.exe.
  • Have a freshly formatted 3 1/2 inch HD diskette ready and execute demo1.exe.
  • You will be prompted to place the freshly formatted diskette in your A: drive.
  • The "original" demo1 diskette will be created and will be ready for examination.
Final Thoughts

Historically, computer forensics was the exclusive domain of the police and law enforcement; however, corporations are increasingly becoming concerned with security and computer forensics. More than ever, companies are tasked with the examination of attempted hacking attacks and allegations of employee computer misuse. Mishandling of these concerns can cost companies millions. Companies must handle each in a legal and defensible manner. This requires trained employees that possess computer forensic skills. If you are looking to gain this type of knowledge, the CCE is one certification to consider.