
SECURITY 508

Computer Forensics, Investigation, and Response

6 CPE Credits per day

Unpatched, unprotected computers connected to the internet are compromised in less than three days. Government regulations and organizational policy might require computer forensic investigators to investigate intellectual property theft, harassment, and regulatory compliance. Investigators must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues in order to solve their cases. This course teaches forensic techniques and tools in a hands-on setting for both Windows- and Linux-based investigations, so that you learn in-depth forensic functionality and how to solve a variety of incidents.

Most incident response and security personnel need to be familiar with core forensic techniques in order to respond to a variety of incidents for their organizations. This course teaches investigators how to follow the trail typical of the intrusions and incidents they might encounter. Incident responders must learn how intruders breached the infrastructure in order to identify additional systems and networks that are compromised. You will learn how to investigate the traces left by complex attacks that use the latest exploit methodologies.

Rather than just learning how to use a forensic tool, you will be able to demonstrate how the tool functions step by step. You will become skilled with tools such as the Sleuthkit, Foremost, and the HELIX Forensics Live CD. We will then move rapidly on to advanced forensic and investigation analysis topics and techniques. This SANS hands-on technical course arms you with a deep understanding of the forensic methodology, tools, and techniques needed to solve even the most difficult case.

FIGHT CRIME. UNRAVEL INCIDENTS… ONE BYTE AT A TIME. We not only teach a firm understanding of the computer forensics tools and techniques, we also teach you the legally approved forensic methodology that will result in success.

What You Will Receive With This Course

As part of the course, you will receive the SANS Investigative Forensic Toolkit (SIFT). Using the hardware and software in this toolkit, you will gain first-hand experience in collecting and analyzing evidence recovered from a system under investigation. You will learn best practices for investigating and recovering deleted data. The course demonstrates how forensic tools recover evidence so that you can articulate in depth how each tool works. We will examine various investigation methodologies and techniques, discovering new places to find evidence and uncovering the tracks of a motivated suspect who is trying to stay hidden.

The SIFT Toolkit consists of:
  • Hard Drive USB evidence acquisition kit for SATA/IDE hard drives 1.8"/2.5"/3.5"/5.25"
  • HELIX incident response & computer forensics live CD
  • SANS VMware-based forensic analysis workstation equipped to investigate forensic data
  • Course DVD loaded with case examples, tools, and documentation
  • Best-selling book File System Forensic Analysis by Brian Carrier

Prerequisites

This course is perfect for the diligent student conversant with Linux system administration, Windows system administration, intrusion, or hacker techniques. If you are just beginning in system administration, this course is not appropriate for you, as the basics of the Linux and Windows operating systems will not be covered in this program. This course is also a perfect follow-on for those who have taken Security 408.

Who Should Attend

  • Information technology professionals who are responding to security incidents and need to utilize computer forensics to help solve their cases
  • The information security professional who is interested in learning how to identify additional systems/networks that are compromised
  • Forensic professionals who want to solidify their understanding of file system forensic and incident response related topics
  • Law enforcement officers, federal agents, or detectives who want to expand their investigative skills
  • System administrators and incident handling personnel who are looking for an integration of forensics and investigative methodologies and legal issues
  • Anyone who wants to understand the technical side of incident response and forensics
  • Information security professionals with some background in hacker exploits and incident response

Course Topics

  • Who Can Investigate and Investigative Process Laws
  • Evidence Acquisition/Analysis/Preservation Laws and Guidelines
  • U.S. Laws Investigators Should Know
  • E.U. Laws Investigators Should Know
  • Presenting Data
  • Forensic Reports and Testimony
  • Computer Forensics Methodology
  • Forensic Investigation
  • File System Essentials
  • Linux/Unix File System Basics
  • Windows FAT File System Basics
  • Windows NTFS File System Basics
  • Key Forensic Acquisition/Analysis Concepts
  • Volatile Evidence Gathering and Analysis
  • Evidence Integrity
  • Forensic Evidence Acquisition and Imaging
  • File System Timeline Analysis
  • Forensic Analysis Key Methods
  • File System and Data Layer Examination
  • Metadata Layer Examination
  • File Name Layer
  • File Sorting and Hash Comparisons
  • Windows Response and Volatile Evidence Collection
  • Key Windows File System Analysis Concepts
  • Windows Registry Analysis
  • Windows Internal File Metadata
  • Application Footprinting and Software Forensics
  • Automated GUI Based Forensic Toolkits

Author Statement

SANS COMPUTER FORENSICS GRADUATE THWARTS BANK HEIST. Headlines similar to these are now a reality as former students have e-mailed me regularly about how they were able to use their forensic skills in very real situations. Graduates of Computer Forensics, Investigation, and Response are the front line troops deployed when incidents occur. From stopping online bank heists to logic bombers trying to destroy data that could affect many lives, SANS forensic graduates are battling and winning the war on crime. Graduates have described solved cases involving computer break-ins, intellectual property theft, fraud, and, in some cases, internal infractions by belligerent employees. Knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign cyber attacks brings me great comfort. Graduates are doing it. Daily. I am proud that the Computer Forensics, Investigation, and Response course at SANS helped prepare them to fight and solve crime.
- Rob Lee

SECURITY 508 :: Computer Forensics, Investigation, and Response

  • SANS 2009, Orlando, FL: March 01, 2009 - March 09, 2009
  • SANS Security East 2009, New Orleans, LA: May 04, 2009 - May 12, 2009
  • SANSFIRE 2009, Baltimore, MD: June 13, 2009 - June 22, 2009
  • SANS Security West 2009, Las Vegas, NV: January 24, 2009 - February 01, 2009
  • SANS Tysons Corner 2009, Tysons Corner, VA: April 14, 2009 - April 22, 2009
  • SANS Toronto 2009, Toronto, ON: May 05, 2009 - May 13, 2009
  • Mentor Session - Security 508, Boston, MA: January 13, 2009 - March 17, 2009
  • SANS Dublin 2009, Dublin, Ireland: March 09, 2009 - March 14, 2009
  • Mentor Session - Security 508, Kansas City, KS: April 28, 2009 - June 30, 2009
  • EU Mentor Session - Security 508, Milan, Italy: February 02, 2009 - February 07, 2009
  • Community SANS Forensics Oklahoma City 2009, Oklahoma City, OK: January 26, 2009 - January 31, 2009
  • Community SANS Forensics DC 2009, Arlington, VA: March 23, 2009 - March 28, 2009
  • Mentor Session - Security 508, Omaha, NE: February 19, 2009 - April 23, 2009
  • SANS Secure Europe 2009 - Amsterdam, Amsterdam, Netherlands: May 11, 2009 - May 23, 2009
  • SANS@Home - Security 508 - Rob Lee, Webcast Classroom Training, VA: June 30, 2009 - September 15, 2009
  • SANS@Home - Security 508 - Rob Lee, Webcast Classroom Training, VA: November 30, 2009 - February 15, 2010
  • Mentor Session - Security 508, Houston, TX: March 10, 2009 - May 12, 2009
  • Mentor Session - Security 508, East Rutherford, NJ: March 18, 2009 - May 20, 2009
  • SANS OnDemand Online Training & Assessments: Anytime
  • SANS SelfStudy Books and .MP3s Only: Anytime