The most trusted source for computer security training, certification and research.



Security 508: Computer Forensics, Investigation, and Response
SANS vLive! SEC508-200811
Webcast Classroom Training
Tuesday, July 14, 2009 - Tuesday, September 29, 2009

CLOSED
Course Fee: $3,425.00
Proctored Certification Fee: $499.00
OnDemand Fee: $399.00


Instructors: Rob Lee & Michael Murr
Start Date: Tuesday, July 14, 2009
End Date: Tuesday, September 29, 2009
Meeting Times: 7:00 PM - 10:00 PM EDT
Meeting Days
  • Tuesday, July 14
  • Tuesday, July 21
  • Tuesday, July 28
  • Tuesday, August 4
  • Tuesday, August 11
  • Tuesday, August 18
  • Tuesday, August 25
  • Tuesday, September 1
  • Tuesday, September 8
  • Tuesday, September 15
  • Tuesday, September 22
  • Tuesday, September 29
Where:
World Wide Web
Secure Site Requires Login ID & Password

Bios:
Rob Lee: Rob Lee is a director for MANDIANT (www.mandiant.com), a leading provider of information security consulting services and software to Fortune 500 organizations and the U.S. government. Rob is also the curriculum lead for digital forensic training at the SANS Institute (forensics.sans.org). Rob has more than 13 years' experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information operations. Later, he was a member of the Air Force Office of Special Investigations, where he conducted computer crime investigations, incident response, and computer forensics. Prior to joining MANDIANT, he worked directly with a variety of government agencies in the law enforcement, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and exploit development team, lead for a cyber forensics branch, and lead for a computer forensic and security software development team. Rob also coauthored the bestselling book Know Your Enemy, 2nd Edition. Rob earned his MBA from Georgetown University in Washington DC. Finally, Rob was awarded the Digital Forensic Examiner of the Year at the Forensic 4Cast 2009 Awards.


Michael Murr: Michael has been a forensic analyst with Code-X Technologies for over five years, has conducted numerous investigations and computer forensic examinations, and has performed specialized research and development. Michael has taught SANS Security 504 (Hacker Techniques, Exploits, and Incident Handling), SANS Security 508 (Computer Forensics, Investigation, and Response), and SANS Security 601 (Reverse-Engineering Malware); has led SANS@Home courses; and is a member of the GIAC Advisory Board. Currently, Michael is working on an open-source framework for developing digital forensics applications. Michael holds the GCIH, GCFA, and GREM certifications and has a degree in computer science from California State University at Channel Islands.

Unpatched, unprotected computers connected to the Internet are compromised in less than 3 days. Additionally, government regulations and organizational policy might require Computer Forensic Investigators to perform system forensics to investigate intellectual property theft, harassment, and regulatory compliance, as well as traditional Internet-based crimes. Investigators must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues in order to solve their cases. The System Forensics, Investigation, and Response track will teach you forensic techniques and tools in a hands-on setting for both Windows- and Linux-based investigations. This course emphasizes a "hands-on" approach, so you will learn in depth the functionality of open source and commercial forensic tools and how to exploit their capabilities in a variety of case types.

Beginning with fundamental forensic concepts such as the file system structures of Windows and Linux, the content and difficulty level of this track advances rapidly to include evidence acquisition, hash database comparisons, and full and partial file recovery and analysis. Learning more than just how to use a forensic tool, you will be able to demonstrate how the tool functions step by step. You will become skilled with diverse tools such as the Sleuthkit, Foremost, and the HELIX Forensics Live CD. Your learning will then move rapidly on to advanced forensic and investigation analysis topics and techniques. The SANS hands-on technical courseware arms you with a deep understanding of the forensic methodology, tools, and techniques needed to successfully solve even the most difficult case.

As part of the course, you will receive the SANS Investigative Forensic Toolkit (SIFT). Using the hardware and software in this toolkit, you will gain first-hand experience in collecting and analyzing evidence recovered from a system under investigation. You will learn best practices for investigating and recovering deleted data. The course will demonstrate how forensic tools recover evidence so you can articulate in depth how each tool works. We will examine various investigation methodologies and techniques, discovering new places to find evidence and uncovering the tracks of a motivated suspect who is trying to stay hidden.

The SIFT Toolkit consists of:

  • Hard Drive USB evidence acquisition kit for SATA/IDE hard drives 1.8"/2.5"/3.5"/5.25"
  • HELIX incident response & computer forensics live CD
  • SANS VMware-based forensic analysis workstation equipped to investigate forensic data
  • Course DVD loaded with case examples, tools, and documentation
  • Best-selling book File System Forensic Analysis by Brian Carrier

Prerequisites: This advanced course is perfect for the diligent student conversant with Linux system administration, Windows system administration, TCP/IP, and intrusion detection methodologies. If you are just beginning in information security, this course is not appropriate for you, as the basics of the Linux and Windows operating systems will not be covered in this program.
