
The fire hose strikes again! My brain hurts!
-Dean Farrington, Wells Fargo

SECURITY 508

Computer Forensics, Investigation, and Response

6 CPE Credits per day

Unpatched, unprotected computers connected to the internet are compromised in less than three days. Government regulations and organizational policy might require computer forensic investigators to investigate intellectual property theft, harassment, and regulatory compliance. Investigators must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues in order to solve their cases. This course will teach you forensic techniques and tools in a hands-on setting for both Windows- and Linux-based investigations. This course emphasizes a hands-on approach where you will learn in-depth forensic functionality and how to solve a variety of incidents.

Most incident response and security personnel will need to be familiar with core forensic techniques in order to respond to a variety of incidents for their organizations. This course teaches investigators how to follow the trail typical for intrusions and incidents that they might encounter. Incident responders should learn how intruders breached the infrastructure to identify additional systems/networks that are compromised. You will learn how to investigate traces left by complex attacks using the latest exploit methodologies.

Learning more than just how to use a forensic tool, you will be able to demonstrate how the tool functions step-by-step. You will become skilled with tools, such as the Sleuthkit, Foremost, and the HELIX Forensics Live CD. We will rapidly move on to advanced forensic and investigation analysis topics and techniques. This SANS hands-on technical course arms you with a deep understanding of the forensic methodology, tools, and techniques to solve even the most difficult case.

FIGHT CRIME. UNRAVEL INCIDENTS... ONE BYTE AT A TIME. We not only teach a firm understanding of the computer forensics tools and techniques, we also teach you the legally approved forensic methodology that will result in success.

You Will Receive With This Course

Included in your paid tuition, you will receive the SANS Investigative Forensic Toolkit (SIFT) Advanced. Using the hardware and software in this toolkit, you will gain first-hand experience in collecting and analyzing evidence recovered from a system under investigation. You will learn best practices on how to investigate and recover deleted data. The course will demonstrate how forensic tools recover evidence so you can articulate in depth how each tool works. We will examine various investigation methodologies and techniques, discovering new places to find evidence and uncovering the tracks of a motivated suspect who is trying to stay hidden.

The SIFT Kit Advanced consists of:
  • Single Licensed Copy of HELIX3 Pro CD for Live Response and Data Acquisition
  • Hard Drive USB evidence acquisition kit for SATA/IDE hard drives 1.8"/2.5"/3.5"/5.25"
  • SANS VMware based Forensic analysis workstation equipped to investigate forensic data (Download SIFT Toolkit)
  • Course DVD loaded with case examples, tools, and documentation
  • Best-selling book "File System Forensic Analysis" by Brian Carrier

New Addition! The SIFT Kit Advanced will now include a single copy of Helix3 Pro that will be individually licensed to each student. Helix3 Pro is a brand new acquisition and analysis framework. This license is for the current release of Helix3 Pro only and does not include the Helix Pro subscription. As a result, students will not receive access to the Helix forum, white papers, webinars, and additional Helix software downloads.

  • Works on Mac OS X, Windows, and Linux
  • Simplified Live Analysis with both Memory and Disk Acquisition
  • Built in Memory Analysis
  • Boots most Intel x86 machines including Mac OS X

Prerequisites

This course is perfect for the diligent student conversant with Linux system administration, Windows system administration, intrusion, or hacker techniques. If you are just beginning in system administration, this course is not appropriate for you, as the basics of the Linux and Windows operating systems will not be covered in this program. This course is also a perfect follow-on for those who have taken Security 408.

Who Should Attend

  • Information technology professionals who are responding to security incidents and need to utilize computer forensics to help solve their cases
  • The information security professional who is interested in learning how to identify additional systems/networks that are compromised
  • Forensic professionals who want to solidify their understanding of file system forensic and incident response related topics
  • Law enforcement officers, federal agents, or detectives who want to expand their investigative skills
  • System administrators and incident handling personnel who are looking for an integration of forensics and investigative methodologies and legal issues
  • Anyone who wants to understand the technical side of incident response and forensics
  • Information security professionals with some background in hacker exploits and incident response

Course Topics

  • Who Can Investigate and Investigative Process Laws
  • Evidence Acquisition/Analysis/Preservation Laws and Guidelines
  • U.S. Laws Investigators Should Know
  • E.U. Laws Investigators Should Know
  • Presenting Data
  • Forensic Reports and Testimony
  • Computer Forensics Methodology
  • Forensic Investigation
  • File System Essentials
  • Linux/Unix File System Basics
  • Windows FAT File System Basics
  • Windows NTFS File System Basics
  • Key Forensic Acquisition/Analysis Concepts
  • Volatile Evidence Gathering and Analysis
  • Evidence Integrity
  • Forensic Evidence Acquisition and Imaging
  • File System Timeline Analysis
  • Forensic Analysis Key Methods
  • File System and Data Layer Examination
  • Metadata Layer Examination
  • File Name Layer
  • File Sorting and Hash Comparisons
  • Windows Response and Volatile Evidence Collection
  • Key Windows File System Analysis Concepts
  • Windows Registry Analysis
  • Windows Internal File Metadata
  • Application Footprinting and Software Forensics
  • Automated GUI Based Forensic Toolkits

There are many places to get Security Training, but SANS is premium training.
-Carl Ness, University of Iowa

Author Statement

SANS COMPUTER FORENSICS GRADUATE THWARTS BANK HEIST. Headlines similar to these are now a reality as former students have e-mailed me regularly about how they were able to use their forensic skills in very real situations. Graduates of Computer Forensics, Investigation, and Response are the front line troops deployed when incidents occur. From stopping online bank heists to logic bombers trying to destroy data that could affect many lives, SANS forensic graduates are battling and winning the war on crime. Graduates have described solved cases involving computer break-ins, intellectual property theft, fraud, and, in some cases, internal infractions by belligerent employees. Knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign cyber attacks brings me great comfort. Graduates are doing it. Daily. I am proud that the Computer Forensics, Investigation, and Response course at SANS helped prepare them to fight and solve crime.
-Rob Lee

SECURITY 508 :: Computer Forensics, Investigation, and Response
SANS Network Security 2009 San Diego, CA September 14, 2009 - September 22, 2009
SANS Chicago North Shore 2009 Skokie, IL October 26, 2009 - November 02, 2009
SANS Boston 2009 Boston, MA August 02, 2009 - August 09, 2009
SANS Virginia Beach 2009 Virginia Beach, VA August 28, 2009 - September 04, 2009
SANS Vancouver 2009 Vancouver, Canada November 14, 2009 - November 19, 2009
SANS@Home - Security 508 - Rob Lee Webcast Classroom Training, VA July 14, 2009 - September 29, 2009
SANS@Home - Security 508 - Rob Lee Webcast Classroom Training, VA November 30, 2009 - February 15, 2010
SANS Singapore 2009 Singapore, Singapore July 06, 2009 - July 11, 2009
SANS WhatWorks Summit in Forensics and Incident Response Washington, DC July 06, 2009 - July 14, 2009
Mentor Session - Security 508 Denver, CO October 01, 2009 - December 10, 2009
SANS London 2009 London, United Kingdom November 28, 2009 - December 07, 2009
Mentor Session - Security 508 San Diego, CA October 13, 2009 - December 22, 2009
Community SANS Vancouver 2009 Richmond, BC July 13, 2009 - July 18, 2009
Community SANS Pensacola 2009 Pensacola, FL July 27, 2009 - August 01, 2009
Community SANS Colorado Springs 2009 Colorado Springs, CO November 30, 2009 - December 05, 2009
Community SANS Forensics Salt Lake City 2009 Salt Lake City, UT July 27, 2009 - August 01, 2009
Mentor Session - Security 508 Charlotte, NC September 24, 2009 - December 03, 2009
Community SANS Tucson 2009 Tucson, AZ November 30, 2009 - December 05, 2009
Mentor Session - Security 508 Houston, TX October 06, 2009 - December 15, 2009
Mentor Session - Security 508 Germantown, MD September 29, 2009 - December 08, 2009
Community SANS Silicon Valley Forensics 2009 Santa Clara, CA August 24, 2009 - August 29, 2009
Mentor Session - SEC508 Reynoldsburg, OH September 10, 2009 - November 12, 2009
Mentor Session - SEC508 Mansfield, MA July 28, 2009 - September 29, 2009
SANS OnDemand Online Training & Assessments Anytime
SANS SelfStudy Books and .MP3s Only Anytime