
Intense, fast paced. Modern day Sherlock Holmes!
- Cody Drake, Allstate Ins. Co.

SECURITY 508

Computer Forensics, Investigation, and Response

6 CPE Credits per day

Unpatched, unprotected computers connected to the Internet are compromised in less than three days. In addition, government regulations and organizational policy may require computer forensic investigators to examine systems involved in intellectual property theft, harassment, and regulatory compliance matters, as well as traditional Internet-based crime. Investigators must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues in order to solve their cases. The Computer Forensics, Investigation, and Response track teaches forensic techniques and tools in a hands-on setting for both Windows and Linux investigations. The course emphasizes a hands-on approach: you will learn the functionality of open source and commercial forensic tools in depth, and how to apply their capabilities across a variety of case types.

Beginning with fundamental forensic concepts such as the file system structures of Windows and Linux, the content and difficulty level of this track advance rapidly to evidence acquisition, hash database comparisons, and full and partial file recovery and analysis. Rather than just learning how to use a forensic tool, you will be able to demonstrate how the tool functions step by step. You will become skilled with diverse tools such as The Sleuth Kit, Foremost, and the HELIX forensics live CD. Your learning will then move on to advanced forensic and investigative analysis topics and techniques. The SANS hands-on, technical courseware arms you with a deep understanding of forensic methodology, tools, and techniques to solve even the most difficult case.

As part of the course, you will receive the SANS Investigative Forensic Toolkit (SIFT). Using the hardware and software in this toolkit, you will gain first-hand experience in collecting and analyzing evidence recovered from a system under investigation. You will learn best practices for investigating and recovering deleted data. The course demonstrates how forensic tools recover evidence so that you can articulate in depth how each tool works. We will examine a range of investigation methodologies and techniques, uncovering new places to find evidence and following the tracks of a motivated suspect who is trying to stay hidden.

The SIFT Toolkit consists of:

  • USB hard drive evidence acquisition kit for 1.8"/2.5"/3.5"/5.25" SATA/IDE drives
  • HELIX incident response & computer forensics live CD
  • SANS VMware based Forensic analysis workstation equipped to investigate forensic data
  • Course DVD loaded with case examples, tools, and documentation
  • Best-selling book File System Forensic Analysis by Brian Carrier

Prerequisites: This advanced course is perfect for the diligent student conversant with Linux System Administration, Windows System Administration, TCP/IP, and Intrusion Detection Methodologies. If you are just beginning in information security, this course is not appropriate for you as the basics of the Linux and Windows operating systems will not be covered in this program.

  • Who Should Attend
    • System administrators and incident handling personnel who are looking for an integration of forensics and investigative methodologies and legal issues
    • Anyone who wants to understand the technical side of incident response
    • Anyone who wants to learn how to collect evidence and analyze Windows and Linux systems involved in an investigation
    • Anyone who wants to learn how to forensically recover and analyze data without relying on a tool to automatically accomplish the task
    • Anyone who wants to learn how file systems are structured and store their data, so that they can understand where evidence exists on any type of hard drive
  • A Sampling of Topics
    • File System Structures and Metadata
    • FAT/NTFS/Ext2/Ext3 File System Essentials
    • Evidence Handling and Integrity Best Practices
    • Evidence Acquisition of Hard Drives and Volatile Data
    • String Searching Utilizing Dirty Word Lists
    • File System Timeline Analysis
    • Data Recovery Techniques Using Strings and File Headers
    • Forensic Hash Comparisons via Hash Databases
    • Media Analysis of System Registry, Internet Activity, and File Metadata
    • Application Footprinting
    • USB Forensic Analysis
    • Fuzzy Hashing
    • Windows XP and Vista Forensics
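
Several of the topics above (data recovery using file headers, forensic hash comparisons, evidence integrity) come down to one procedure: scan a raw image for known signatures, carve what lies between header and footer, hash the result, and check it against a hash set while confirming the evidence image itself is unchanged. The following is an added example, not code from the course or from Foremost or The Sleuth Kit, showing that procedure end to end. The signature table, the raw image (a JPEG-like object, a real 1x1 PNG, and a truncated JPEG header), and the "known file" hash set are all constructed inline; the function names `carve`, `triage`, `build_image` and `make_png_1x1` are this example's own.

```python
"""
Header/footer file carving with hash-set triage.

Added example, not code from the SANS course or from the tools it names
(Foremost, The Sleuth Kit). It shows the technique those tools use to recover
deleted files from a raw image when no file system metadata survives. The disk
image, the signature table and the "known file" hash set are constructed here.
"""
import hashlib
import struct
import zlib

# Signature table: (label, header, footer, maximum carve size).
# Foremost-style tools read the same kind of table from a config file;
# these entries use the standard JPEG and PNG magic values.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 8 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8 * 1024 * 1024),
]


def carve(image: bytes, signatures=SIGNATURES):
    """Scan a raw image for every header in the table.

    Returns a list of (label, offset, data, complete) sorted by offset.
    A header whose footer is not found within the maximum size is returned as
    a partial object (data runs to the size limit or the end of the image),
    which is how partially overwritten files surface in carving tools.
    Caveat: the footer is a byte pattern, not a structure check, so a JPEG with
    an embedded thumbnail can carve short at the thumbnail's own FF D9.
    """
    found = []
    for label, header, footer, max_len in signatures:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            limit = min(len(image), start + max_len)
            end = image.find(footer, start + len(header), limit)
            if end != -1:
                stop = end + len(footer)
                found.append((label, start, image[start:stop], True))
                pos = stop                 # resume after the complete object
            else:
                found.append((label, start, image[start:limit], False))
                pos = start + 1            # keep scanning inside the window
    found.sort(key=lambda item: item[1])
    return found


def make_png_1x1() -> bytes:
    """Build a valid 1x1 red PNG so the carved copy can be hashed and opened."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    scanline = b"\x00" + b"\xff\x00\x00"                   # filter 0 + one pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanline)) + chunk(b"IEND", b""))


FILLER = b"\x00" * 500   # stands in for wiped, unallocated sectors


def build_image() -> bytes:
    """Constructed raw image: a JPEG-like object, a real PNG, a truncated JPEG."""
    jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
            + b"constructed jpeg body, not a decodable picture " * 4
            + b"\xff\xd9")
    truncated = b"\xff\xd8\xff\xe1" + b"\x00" * 32   # header only: tail overwritten
    return FILLER + jpeg + FILLER + make_png_1x1() + FILLER + truncated


# Constructed "known file" hash set, keyed by SHA-1 as NSRL-style sets are.
KNOWN_HASHES = {
    hashlib.sha1(make_png_1x1()).hexdigest(): "known-good: constructed 1x1 PNG",
}


def triage(carved, known=KNOWN_HASHES):
    """Hash each carved object and look it up; unknown and partial ones need review."""
    report = []
    for label, offset, data, complete in carved:
        sha1 = hashlib.sha1(data).hexdigest()
        if not complete:
            verdict = "partial: no footer within max size, review manually"
        else:
            verdict = known.get(sha1, "unknown: not in hash set, review")
        report.append({"type": label, "offset": offset, "size": len(data),
                       "sha1": sha1, "complete": complete, "verdict": verdict})
    return report


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    image = build_image()
    acquired = sha256_hex(image)            # recorded at acquisition time
    for row in triage(carve(image)):
        print(row)
    # Carving only reads the image; the evidence hash must not change.
    assert sha256_hex(image) == acquired
    print("image sha256 unchanged:", acquired)
```

Run against a real image, the same loop is what a `foremost -t jpg,png -i image.dd` style invocation does internally; the `triage` step is the hash database comparison, where a match against a known-good set lets an examiner discard operating system and application files and focus on the unknown and partial objects. The unchanged SHA-256 of the image before and after analysis is the integrity check that belongs in the case notes.
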

Author Statement

SANS COMPUTER FORENSICS GRADUATE THWARTS BANK HEIST. Headlines like this are now a reality, as former students have emailed me regularly about how they were able to use their forensic skills in very real situations. Graduates in the Computer Forensics, Investigation & Response track are the front-line troops deployed when incidents occur. From stopping online bank heists to logic bombers destroying data that could have affected many lives, SANS forensic graduates are battling and winning the war on crime. Graduates have described solved cases involving computer break-ins, intellectual property theft, fraud, and, in some cases, internal infractions by belligerent employees. Knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign cyber attacks brings me great comfort. Graduates are doing it. Daily. I am proud that the Computer Forensics, Investigation & Response course at SANS helped prepare them to fight and solve crime.
- Rob Lee

SECURITY 508 :: Computer Forensics, Investigation, and Response
SANS Network Security 2008 Las Vegas, NV September 28, 2008 - October 06, 2008
SANS Cyber Defense Initiative 2008 Washington, DC December 10, 2008 - December 16, 2008
SANS Monterey 2008 Monterey, CA October 31, 2008 - November 06, 2008
SANS Virginia Beach 2008 Virginia Beach, VA August 22, 2008 - August 29, 2008
SANS Vancouver 2008 Vancouver, BC November 17, 2008 - November 22, 2008
Community SANS Toronto 2008 Toronto, ON November 24, 2008 - November 29, 2008
SANS London 2008 London, United Kingdom December 01, 2008 - December 09, 2008
SANS Helsinki 2008 in cooperation with TeliaSonera Helsinki, Finland September 15, 2008 - September 20, 2008
Mentor Session - Security 508 Woodland Hills, CA December 09, 2008 - February 24, 2009
SANS WhatWorks Summit in Forensics, and Incident Response Las Vegas, NV October 10, 2008 - October 20, 2008
Mentor Session - Security 508 Mexico City, Mexico November 18, 2008 - February 03, 2009
Mentor Session - Security 508 Boston, MA September 23, 2008 - December 02, 2008
Mentor Session - Security 508 Boise, ID September 16, 2008 - October 16, 2008
Mentor Session - Security 508 Kansas City, KS January 29, 2009 - April 02, 2009
SANS OnDemand Online Anytime
SANS SelfStudy Books and .MP3s Only Anytime