Orlando, FL - December 3 - 6, 2007
Global Information Assurance Certification
SANS training is like a catalyst. It not only boosts your knowledge but also inspires you to learn more.
-Tan Koon Yaw, IDA
Security 526



For GIAC STAR
If you register for the full course, you may register to seek your STAR.
The online exam is issued 7-10 days following the conference, with a 4-month deadline.
For OnDemand Bundles
You can bundle the SANS OnDemand online training and assessment package for an additional $179.00 US when registering for the full course. Additional information can be found at the OnDemand Bundles page and the OnDemand FAQ.
This advanced course is perfect for the diligent student familiar with core forensic methodology and techniques. If you understand forensic filesystem fundamentals, then this course is for you. It moves quickly from covering memory forensics to recovering and discovering deleted partitions from hard drives. This course focuses on innovative forensic techniques and methodologies so the seasoned practitioner can keep his skills sharp and up-to-date with the latest research areas in both live and static based disk forensics.
You will receive:
- Forensic analysis workstation VMware machine equipped to investigate forensic data
- Course DVD loaded with case examples, tools, and documentation
Prerequisites: This advanced course is perfect for the diligent student conversant with file system forensic techniques. If you are just beginning in digital forensics, this course is not appropriate for you, as the basics of digital forensics will not be covered.
Who Should Attend
- System administrators and incident handling personnel who are trying to further their knowledge in the latest forensic techniques
- Anyone who wants to learn how file system partitions are structured
- Anyone who wants to learn how to recover lost partitions from a physical disk image
- Anyone who wants to learn how to forensically recover artifacts from memory collected from a machine
A Sampling of Topics
- File system structures and metadata
- Partitioning schemes
- Mapping out disk partitions by hand
- Discovering lost partitions from a formatted drive
- Windows memory structures
- Following Microsoft Windows memory process
- The usefulness of collecting memory
- Techniques to collect memory
- Memory analysis techniques
I learned more here in six days than I could in a year in terms of breadth of knowledge.
-Stephen Yuhas, TESSCO Technologies
Author Statement
One of the most exciting areas in digital forensics is the ability to image and scrutinize physical memory collected from a live system. Starting with discovering basic memory structures, the student will learn how to recover and analyze processes that were seized from a live Windows-based system. Additionally, the student will learn how to discover and recover deleted partitions from hard drives that have corrupted partition tables or that have been formatted. Finally, new techniques in digital forensics will be covered. In the ever-changing world of digital forensics, it is essential that the prepared investigator have the right knowledge combined with new techniques.
- Rob Lee