Announcing the SANS 5th Annual Log Management Survey: A Leading Source for Actionable Data on Key Issues and Trends.
Please take a moment to complete our survey.
the most trusted source for computer security training, certification and research
select a course
Helsinki, Finland - September 15 - 20, 2008
Global Information Assurance Certification

The fire hose strikes again! My brain hurts!
-Dean Farrington, Wells Fargo

SECURITY 508

Computer Forensics, Investigation, and Response

Monday, September 15, 2008 - Saturday, September 20, 2008
Jess Garcia, One eSecurity
6 CPE Credits per day

Unpatched, unprotected computers connected to the Internet are compromised in less than 3 days. Additionally, government regulations and organizational policy might require Computer Forensic Investigators to perform system forensics to investigate intellectual property theft, harassment, regulatory compliance, as well as traditional internet based crimes. Investigators must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues in order to solve their cases. The System Forensics, Investigation, and Response track will teach you forensic techniques and tools in a hands-on setting for both Windows and Linux based investigations. This course emphasizes a "hands-on" approach so you will learn in-depth open source and commercial forensic tool functionality and how to exploit their capabilities in a variety of case types.

Beginning with fundamental forensic concepts such as the file system structures of Windows and Linux, the content and difficulty level of this track advances rapidly to include evidence acquisition, hash database comparisons, and full and partial file recovery and analysis. Learning more than just how to use a forensic tool, you will be able to demonstrate how the tool functions step-by-step. You will become skilled with diverse tools such as the Sleuthkit, Foremost, and the HELIX Forensics Live CD. Your learning will rapidly move on to advanced forensic and investigation analysis topics and techniques. The SANS, hands-on, technical courseware arms you with a deep understanding of the forensic methodology, tools, and techniques to successfully solve even the most difficult case.

As part of the course, you will receive the SANS Investigative Forensic Toolkit (SIFT). Using the hardware and software in this toolkit, you will gain first-hand experience in collecting and analyzing evidence recovered from a system under investigation. You will learn best practices on how to investigate and recover deleted data. The course will demonstrate how forensic tools recover evidence so you can articulate how the tool works in-depth. We will examine various investigation methodologies and techniques discovering new places to find evidence and discover the tracks of a motivated suspect who is trying to stay hidden.

The SIFT Toolkit consists of:

  • Hard Drive USB evidence acquisition kit for SATA/IDE hard drives 1.8"/2.5"/3.5"/5.25"
  • HELIX incident response & computer forensics live CD
  • SANS VMware based Forensic analysis workstation equipped to investigate forensic data
  • Course DVD loaded with case examples, tools, and documentation
  • Best-selling book File System Forensic Analysis by Brian Carrier

Prerequisites: This advanced course is perfect for the diligent student conversant with Linux System Administration, Windows System Administration, TCP/IP, and Intrusion Detection Methodologies. If you are just beginning in information security, this course is not appropriate for you as the basics of the Linux and Windows operating systems will not be covered in this program.

  • Who Should Attend
    • System administrators and incident handling personnel who are looking for an integration of forensics and investigative methodologies and legal issues
    • Anyone who wants to understand the technical side of incident response
    • Anyone who wants to learn how to collect evidence and analyze Windows and Linux systems involved in an investigation
    • Anyone who wants to learn how to forensically recover and analyze data without relying on a tool to automatically accomplish the task
    • Anyone who wants to learn how files systems are structured and store their data so that they can understand where evidence exists on any type of hard drive
  • A Sampling of Topics
    • File System Structures and Metadata
    • FAT/NTFS/Ext2/Ext3 File System Essentials
    • Evidence Handling and Integrity Best Practices
    • Evidence Acquisition of Hard Drives and Volatile Data
    • String Searching Utilizing Dirty Word Lists
    • File System Timeline Analysis
    • Data Recovery Techniques Using Strings and File Headers
    • Forensic Hash Comparisons via Hash Databases
    • Media Analysis of System Registry, Internet Activity, and File Metadata
    • Application Footprinting
    • USB Forensic Analysis
    • Fuzzy Hashing
    • Windows XP and VISTA Forensics
Author Statement

SANS COMPUTER FORENSICS GRADUATE THWARTS BANK HEIST. Headlines similar to these are now a reality as former students have emailed me regularly about how they were able to use their forensic skills in very real situations. Graduates in the Computer Forensics, Investigation & Response track are the front line troops deployed when incidents occur. From stopping online bank heists, to logic bombers destroying data that could have affected many lives, SANS forensic graduates are battling and winning the war on crime. Graduates have described solved cases involving computer break-ins, intellectual property theft, fraud, and, in some cases, internal infractions by belligerent employees. Knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign cyber attacks brings me great comfort. Graduates are doing it. Daily. I am proud that the Computer Forensics, Investigation & Response course at SANS helped prepare them to fight and solve crime.
- Rob Lee