THE CLOCK IS TICKING. YOU NEED TO PRIORITIZE THE MOST VALUABLE EVIDENCE FOR PROCESSING. LET US SHOW YOU HOW
FOR498: Battlefield Forensics & Acquisition Course will help you to:
- Acquire data effectively from:
- PCs, Microsoft Surface, and Tablet PCs
- Apple Devices, and Mac, and Macbooks
- RAM and Memory
- Smartphones and portable mobile devices
- Cloud storage and services
- Network storage repositories
- Produce actionable intelligence in 90 minutes or less
The first step in any investigation is the gathering of evidence. Digital forensic investigations are no different. The evidence used in this type of investigation is data, and this data can live in many varied formats and locations. You must be able to first identify the data that you might need, determine where that data resides, and, finally, formulate a plan and procedures for collecting that data.
With digital forensic acquisitions, you will typically have only one chance to collect data properly. If you manage the acquisition incorrectly, you run the risk of not only damaging the investigation, but more importantly, destroying the very data that could have been used as evidence.
With the wide range of storage media in the marketplace today, any kind of standardized methodology for all media is simply untenable. Many mistakes are being made in digital evidence collection, and this can cause the guilty to go free and, more importantly, the innocent to be incarcerated. The disposition of millions and millions of dollars can rest within the bits and bytes that you are tasked with properly collecting and interpreting.
An examiner can no longer rely on "dead box" imaging of a single hard drive. In today's cyber sphere, many people utilize a desktop, laptop, tablet, and cellular phone within the course of a normal day. Compounding this issue is the expanding use of cloud storage and providers, and the proper collection of data from all these domains can become quite overwhelming.
This in-depth digital acquisition and data handling course will provide first responders and investigators alike with the advanced skills necessary to properly respond to, identify, collect, and preserve data from a wide range of storage devices and repositories, ensuring that the integrity of the evidence is beyond reproach. Constantly updated, FOR498 addresses today's need for widespread knowledge and understanding of the challenges and techniques that investigators require when addressing real-world cases.
Numerous hands-on labs throughout the course will give first responders, investigators, and digital forensics teams practical experience needed when performing digital acquisition from hard drives, memory sticks, cellular phones, network storage areas, and everything in between.
During a digital forensics response and investigation, an organization needs the most skilled responders possible, lest the investigation end before it has begun. FOR498: Battlefield Forensics & Acquisition will train you and your team to respond, identify, collect, and preserve data no matter where that data hides or resides.
You Will Be Able To
- Learn and master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where it is stored
- Handle and process a scene properly to maintain evidentiary integrity
- Perform data acquisition from at-rest storage, including both spinning media and solid-state storage
- Identify the numerous places that data for an investigation might exist
- Perform Battlefield Forensics by going from evidence seizure to actionable intelligence in 90 minutes or less
- Assist in preparing the documentation necessary to communicate with online entities such as Google, Facebook, Microsoft, etc.
- Understand the concepts and usage of large-volume storage technologies, including JBOD, RAID storage, NAS devices, and other large-scale, network addressable storage
- Identify and collect user data within large corporate environments where it is accessed using SMB
- Gather volatile data such as a computer system's RAM
- Recover and properly preserve digital evidence on cellular and other portable devices
- Address the proper collection and preservation of data on devices such as Microsoft Surface/Surface Pro, where hard-drive removal is not an option
- Address the proper collection and preservation of data on Apple devices such as MacBook, MacBook Air, and MacBook Pro, where hard-drive removal is not an option
- Properly collect and effectively target email from Exchange servers, avoiding the old-school method of full acquisition and subsequent onerous data culling
- Properly collect data from SharePoint repositories
- Access and acquire online mail stores such as Gmail, Hotmail, and Yahoo Mail accounts
FOR498: Battlefield Forensics & Acquisition Course Topics
- Advanced use of a wide range of best-of-breed, open-source tools in the SANS Windows 10 environment, as well as other external tools to perform proper data acquisition and evidence handling
- Rapid incident response collection of artifacts to quickly further the investigation without waiting for completion of a forensic image
- Remote and enterprise digital evidence collection
- Windows live artifact collection
- Memory collection
- Volume shadow copy acquisition
- Understanding advanced storage containers such as RAID, EMC, and JBOD
- Examination of file systems and how they hold data
- Advanced understanding of proper evidence collection and scene management
- Identifying data storage devices and locations
- Properly identifying a vast array of interface styles and adapter usage
- Gaining access to storage media using non-destructive methods
- Accessing and collecting cloud-based storage containers, including online email such as Gmail and Outlook.com
- Instruction specific to the acquisition of Apple devices
- Methodologies for accessing and acquiring data from portable and cellular devices, as well as nontraditional devices such as GPS units and Internet of Things devices
What You Will Receive
SANS Windows SIFT Workstation
- This course uses the SANS Windows DFIR Workstation extensively to teach first responders and forensic analysts how to respond to, acquire, and investigate even the most time-sensitive cases.
- DFIR Workstation that contains hundreds of free and open-source tools, easily matching any modern forensic commercial suite
- A virtual machine is used with many of the hands-on class exercises
- Windows 10
- VMWare Appliance ready to tackle forensics
F-Response Consultant Covert
- Enables practitioner to access remote systems and physical memory of a remote computer via the network
- Gives any forensics tool the capability to be used remotely
- Perfect for network and cloud data acquisition and visibility
- Deployable agent to remote systems
- SIFT Workstation compatible
- Vendor neutral - works with just about any tool
- The six-month license allows it to continue to be used and benchmarked in your environment at work/home
Fully working licenses for 90 days:
Digital Download Package
- Downoad package with case images, memory captures, DFIR Workstation, tools, and documentation
SANS DFIR Electronic Exercise Workbook
- Electronic Exercise book with detailed step-by-step instructions and examples to help you master Battlefield Forensics
UltraDock Hardware Write Blocking Device
- SATA to USB 3 adapter for 2.5" bare hard drives
- Note: this comes with a US plug. International students taking the course Live Online or OnDemand, please obtain an adapter.
SANS DFIR Cheatsheets to Help Use the Tools in the Field
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
- Do not bring a system that has critical data you cannot afford to lose. You do so at your own risk.
- SANS and its instructors are not responsible for any damage caused to student systems.
- Many of the activities involved in this course will be performed on your host computer, and not inside the virtual machine.
- You will risk damaging or destroying data on your host computer if you fail to follow lab directions exactly as specified.
- Apple Mac Note: While an Apple Mac host computer should work for the majority of labs, a Windows host computer is recommended for the best experience.
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.
MANDATORY FOR498 SYSTEM HARDWARE REQUIREMENTS:
- CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more. A recent processor is mandatory for this class
- CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
- BIOS settings for Intel-VT enabled. Being able to access your BIOS (if password protected) is also required in case changes are required.
- 16 GB (Gigabytes) of RAM or higher is required for this class to run two VMs at the same time. Systems with 8 GB of RAM may still permit labs to function but will be significantly slow and severely limited.
- Wireless 802.11 Capability
- USB 3.0
- 200 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical to host the VMs we distribute
- Additional Non-SSD Hard Drive: Students must provide a minimum 500 GB (can be larger) spinning hard drive (no SSD), 2.5" SATA, 7200 RPM. We recommend a bare hard drive similar to the one that can be viewed HERE.
- Students must have Administrator-level Access to both the laptop's host operating system and system-level BIOS/EFI settings. If this access is not available, it can significantly impact the student experience.
- Disable Credential Guard if enabled. Hyper-V required for Credential Guard will conflict with VMware products required for the course.
MANDATORY FOR498 HOST OPERATING SYSTEM REQUIREMENTS:
- Host Operating System: Fully patched and updated Windows 10 or Apple Mac OSX (10.12+)
- While an Apple Mac host computer should work for the majority of labs, a Windows host computer is recommended for the best experience. There is at least one exercise in the class that cannot be performed if using an Apple Mac is selected as your host device.
- Update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
- Do not bring a host system that has critical data you cannot afford to lose.
FOR498 CELLULAR DEVICE CONFIGURATION (OPTIONAL):
- Apple iPhone or Android phone.
- Must have full access to the device. If the device is controlled through Mobile Device Management (MDM), the student will not be able to perform the exercise.
- One exercise with the student cellular device is live on the device. As a result, the student is strongly recommended to have a current backup of the device.
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
- Please download and install VMware Workstation 16.0, VMware Fusion 12.0, or VMware Workstation Player 16.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website
- Install 7Zip on your host OS
- Some version of Microsoft Office (2013 or newer) to include Word and Excel. Viewer is NOT acceptable
IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:
- Bring the proper system hardware (64bit/8 GB+ ram, 200GB free drive space) and operating system configuration
- Bring a supported host OS
- Install VMware (Workstation, Player, or Fusion) and 7zip
- Install Microsoft Office 2013 version or newer
- Bring iPhone or Android cellular device (optional)
- Bring 500GB (or larger) BARE 2.5" SATA spinning hard drive
Your course media will be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"During my time as a Special Agent with the FBI, it became evident that the digital forensics community needed better methods to look at large amounts of data in an efficient manner to be able to get to answers quickly. As storage capacities increased, more traditional means began to take longer from a collection and analytical perspective. For this reason, I began creating triage software for use by the law enforcement community (and beyond). This problem has not changed since I left the FBI; in fact it has only continued to grow. For this reason, I decided to take a new approach to this problem, but this time in a way that could be given away to everyone in the digital forensics community. The result of this work is KAPE, which allows for rapid collection and analysis as determined by an incident responder. Of course, processing the data is only part of the equation, so this course spends a significant amount of time talking about acquisition--that is, how to get digital data from the devices we encounter. We not only talk about specific techniques for specific devices and situations, but for many of the topics covered, we provide the framework for how you can be successful when you encounter new devices. This course will focus on two key areas: getting the data that have the answers and extracting the answers from the data. We look forward to seeing you in class!" --Eric Zimmerman
"My digital forensics experience started in the mid 1990s. Back then, a hex editor was the most important tool that an examiner had. You had to understand data at rest in its most fundamental levels if you wanted to be effective at forensics. Fast forward to today and there is a myriad of tools to perform most any task that a forensic examiner might want to do. The by-product of this is that an examiner can be overwhelmed with not only the amount of tools available, but the amount of data that needs review. We recognized that the industry needed a more focused approach at the most important information on a hard drive, to the exclusion of the vast amounts of unnecessary noise. We also recognized that examiners need a better understanding of deleted data and how to extract some of the most important information that we have been missing. Finally, in recent years we have taken notice of the number of devices in use today that contain storage that cannot be removed from the machine. Couple this with live response and data that is encrypted at rest and we must recognize that certain approaches have to change. Thus FOR498 was born. We certainly hope you enjoy taking this class is much as we've enjoyed writing it, and our sincere hope is that this information allows you to become more effective at your craft." --Kevin Ripa
"FOR498 is an excellent course! I learned a lot of new skills that I can't wait to develop further, and Kevin Ripa did an outstanding job delivering the content and making it interesting. His personal stories and examples kept the course engaging and rooted in reality." - Christopher Coy, Microsoft