Amsterdam, Netherlands - November 6 - 11, 2006

The fire hose strikes again! My brain hurts!
-Dean Farrington, Wells Fargo

SECURITY 508

Computer Forensics, Investigation, and Response

Monday 6 November - Saturday 11 November 2006
Jess Garcia, SANS Certified Instructor & Maury Shenk, Steptoe & Johnson LLP
6 CPE Credits per day

This course is now sold out. A waiting list is available for any vacancies at www.sans.org/training_events/waitinglist.php?cid=1370&tid=458

NOTE: The legal day in this course will be based on European legal material. If you are taking this course and you are from the US and intend to pursue certification, please contact info@giac.org.

This advanced track is perfect for the diligent student conversant with Linux System Administration, Windows System Administration, TCP/IP, and Intrusion Detection Methodologies. If you are just beginning in information security, this course is not appropriate for you as the basics of the Linux and Windows operating systems are not covered in this program.

Unpatched, unprotected computers connected to the Internet are being compromised in 3 days or less. The Blaster Worm proves systems behind a firewall can become the victim of a successful attack. Security professionals must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues. Learn forensic techniques and tools in a lab-style, hands-on setting for both Windows and Linux investigations. This course emphasizes a "try-it-by-hand" approach so that any student attending will take with them a solid grasp of how open source and commercial forensic tools complete their tasks, without having to merely have faith in the tool. This is accomplished by teaching the fundamental concepts of computer forensics in a tool-independent manner.

Beginning with foundation concepts such as file system structures, MAC times, and forensic auditing, the content and difficulty level of this track advances rapidly. You will learn more than just how to use a tool; you will be able to show how the tool is able to recover data, find the smoking gun, and present your data in a format that can be easily understood by others. You'll learn how and when to use various tools such as the Sleuthkit, Autopsy Forensic Browser, the Windows Forensic Toolchest (WFT), and then quickly move on to advanced forensic and incident response topics and techniques. Five days of intense, hands-on courses, and a deep-knowledge education into legal challenges and issues culminate with an over-the-shoulder view of an investigation performed on a real-world compromised system collected by the Honeynet Project.

  • Who Should Attend
    • System administrators and incident handling personnel who are looking for an integration of forensics and investigative methodologies and legal issues
    • Anyone who wants to understand the technical side of incident response
    • Anyone who wants to learn how to image and analyze Windows and Linux systems involved in an investigation
    • Anyone who wants to learn how to forensically recover and analyze data without relying on a tool to automatically accomplish the task
    • Anyone who wants to learn how filesystems are structured and store their data so that they can understand where evidence exists on any type of hard drive
  • A Sampling of Topics
    • Core Forensic Filesystems Knowledge
    • Incident Response
    • Forensic Preparation
    • Windows Forensics
    • Unix and Linux Forensics
    • Data Recovery and Analysis
    • Malicious Code Analysis
    • Law Enforcement Interaction and Case Law
    • Corporate and Managerial Legal Concerns and Direction
    • The Honeynet Project's Forensic Challenge

This course lays the foundation necessary to understand data storage, then jumps into using the latest tools available today to ensure immediate value upon returning to work.
-Dave Howard, Emerson