SECURITY 508

System Forensics, Investigation & Response

6 CPE Credits per day

This advanced track is perfect for the diligent student conversant with Linux System Administration, Windows System Administration, TCP/IP, and Intrusion Detection Methodologies. If you are just beginning in information security, this course is not appropriate for you, as the basics of the Linux and Windows operating systems are not covered in this program.

Unpatched, unprotected computers connected to the Internet are being compromised in 3 days or less. The Blaster Worm proves systems behind a firewall can become the victim of a successful attack. Security professionals must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues. Learn forensic techniques and tools in a lab-style, hands-on setting for both Windows and Linux investigations.

Beginning with foundation concepts such as file system structures, MAC times, and basic forensic auditing, the content and difficulty level of this track advance rapidly. You'll learn how and when to use tools such as the Sleuthkit, the Autopsy Forensic Browser, and the Windows Forensic Toolchest (WFT), and then move quickly on to advanced forensic and incident response topics and techniques. Five days of intense, hands-on courses, together with in-depth instruction on legal challenges and issues, culminate in an over-the-shoulder view of an investigation performed on a real-world compromised system collected by the Honeynet Project.

  • Who Should Attend
    • System administrators and incident handling personnel who are looking for an integration of both forensics and investigative methodology and legal issues
    • Anyone who wants to understand the technical side of incident response
    • Anyone who wants to learn how to image and analyze Windows and Linux systems involved in an investigation
  • A Sampling of Topics
    • Incident Response
    • Forensic Preparation
    • Windows Forensics
    • Unix and Linux Forensics
    • Data Recovery and Analysis
    • Malicious Code Analysis
    • Law Enforcement Interaction and Case Law
    • Corporate and Managerial Legal Concerns and Direction
    • The Honeynet Project's Forensic Challenge

Author Statement

Imagine this headline:
FORMER SYSTEM FORENSICS, INVESTIGATIONS AND RESPONSE TRACK STUDENT BREAKS WHITE COLLAR CRIME RING.
Internet-based crimes occur every day. Despite concerted proactive and preventative efforts, the unthinkable often happens. Students in the System Forensics, Investigations and Response track experience first-hand involvement in responding to Internet crimes. As the front-line troops deployed when these incidents occur, students investigate computer break-ins, intellectual property theft, fraud, and, in some cases, internal infractions by belligerent employees. Knowing that this track places the correct tools in the hands of responders who may thwart the plans of misguided individuals brings me great comfort. Someday I'll read an actual headline like the hypothetical one I mentioned, and will be proud that the System Forensics, Investigations and Response track at SANS prepared that student for combating and investigating these crimes.
- ROB LEE