Digital forensics is a high-stress, high-stakes job. There are so many devices, repositories, and massive data sets, yet in most cases you have only one chance to find and properly extract the evidence that can make or break your case. The new SANS new course FOR498: Battlefield Forensics & Data Acquisition is designed to provide first responders, investigators, and digital forensics teams with the advanced skills to quickly and properly identify, collect, preserve, and respond to data from a wide range of storage devices and repositories.
FOR498 is co-authored and taught by certified SANS instructors Kevin Ripa and Eric Zimmerman, both veteran cybersecurity experts who are highly regarded in the digital investigations field. With 25 years of experience in digital forensics, Kevin has assisted in complex cyber-forensics and hacking response investigations around the world. He is sought after for his expertise in information technology investigations and frequently serves as an expert witness. Keven is president of The Grayson Group of Companies, which consists of Computer Evidence Recovery, Pro Data Recovery Inc., and J.S. Kramer & Associates, Inc. Eric, a former FBI Special Agent, has written more than 50 programs used by thousands of law enforcement officers in over 80 countries, and has created many world-class open-source forensic tools (EZ Tools). Today, Eric serves as a Senior Director at Kroll in the company's cybersecurity and investigations practice.
Kevin and Eric decided to create FOR498 in response to growing demand from SANS students for more guidance on data acquisition. Traditionally, law enforcement officers who enrolled in SANS forensics classes already had forensics experience and a strong working knowledge of how to image a device. However, examiners outside of law enforcement are often not as familiar with imaging. In addition, data acquisition and forensics are more challenging than ever before because of the constantly increasing numbers and sizes of data sets and the more complex nature of acquiring evidence from so many different types of devices and repositories. With any given hard drive, forensicators might have to deal with 1, 2, or even 4 terabytes of data, and traditional ways to get at those data are no longer tenable.
As Kevin points out in a webinar about FOR498, attacks require not only a thorough investigation but also one that produces evidence quickly. Take, for example, the Las Vegas mass shooting in October 2017, the deadliest in modern U.S. history. Investigators got to work right away, especially since there were concerns about possible accomplices who might have fled the scene. At the same time, investigators had to work thoroughly to try and determine the shooter’s motives, including documenting his Internet search history and examining all computers and cell phones tied to the case. Of note, it was reported that a hard drive in a laptop found in the shooter's hotel room was missing, and that the shooter had purchased software designed to erase files from hard drives.
Actionable Intelligence in 90 Minutes or Less
Students who sign up for FOR498: Battlefield Forensics & Data Acquisition need to get ready for a firehose of information. You’ll get practical experience for rapid triage and digital acquisition from hard drives, mobile phones, cloud storage, Internet of Things devices, and everything in between. After taking this course, students will be able to acquire data and produce actionable intelligence in 90 minutes or less. That may sound like a bold claim to traditional forensicators, but when we say you can go from seizure to actionable intelligence in that time, we mean it. In fact, with software developed by Eric called KAPE – which we’ll go over in the course – you won’t even have time to go for a cup of coffee before your data are ready! KAPE, which stands for Kroll Artifact Parser and Extractor, is an efficient and highly configurable triage program that will target essentially any device or storage location, find forensically useful artifacts, and parse them within a few minutes. You can learn more about KAPE by listening to the following SANS webcasts:
- Triage Collection and Timeline Analysis with KAPE conducted by Mari DeGrazia
- Enabling KAPE at Scale conducted by Mark Hallman
On the first day of the six-day FOR498 course, you’ll learn how to use several devices and data acquisition tools, including the Windows SIFT workstation. You’ll also learn about the various data sources and formats found today, and how to acquire and analyze smartphone data. Day two lays the foundation for evidence collection, from initial arrival on a scene to controlling it. We’ll also examine fundamentals of understanding data at rest and properly identifying devices, interfaces, and tools necessary for successful collection. After all, forensicators must approach every single job as if there’s evidence.
Next, you’ll learn what we call “quick-win forensics” – a rapid triage approach to prioritize, locate, extract, and process the digital evidence needed to quickly move a case forward. Nearly all the digital evidence required for a typical investigation comes from only 1 to 2 percent of the data available. Quick-win forensics teaches you the most efficient way to find and process that critical evidence. Having the skills to prioritize the collection and extraction of the most important artifacts from devices is becoming increasingly relevant, so it is critical that investigators have a solid basis to approach quick-win forensics. Having those skills will also differentiate you from others investigators.
You’ll also learn how to identify and access data in nontraditional storage areas, how to acquire such data, and how to access and forensically image iPads, MacBooks, and other HFS+ devices. You’ll learn the best methods to determine attribution that links data to people and explores data collection in the pervasive Internet of Things that controls household electronics, security cameras, door locks, and more.
On the final course day, instructors will cover the techniques you can employ when traditional tools fail, including best-of-breed data recovery tools, and how to revive hard drives in order to gain access to the data they contain.
FOR498: Battlefield Forensics & Data Acquisition has been in beta for several months, and is now listed on pre-sale for OnDemand. The course will officially launch at SANS’s annual DFIRCON 2019, one of the industry’s most unique Digital Forensics and Incident Response training events, in Coral Gables, FL from Nov. 4– 9. There’s plenty to do and learn at DFIRCON 2019, so we hope to see you there!