Battlefield Forensics & Data Acquisition Course

What You Will Learn

THE CLOCK IS TICKING. YOU NEED TO PRIORITIZE THE MOST VALUABLE EVIDENCE FOR PROCESSING. LET US SHOW YOU HOW

FOR498: Battlefield Forensics & Acquisition Course will help you to:

Acquire data effectively from:

PCs, Microsoft Surface, and Tablet PCs
Apple Devices, and Mac, and Macbooks
RAM and Memory
Smartphones and portable mobile devices
Cloud storage and services
Network storage repositories

Produce actionable intelligence in 90 minutes or less

The first step in any investigation is the gathering of evidence. Digital forensic investigations are no different. The evidence used in this type of investigation is data, and this data can live in many varied formats and locations. You must be able to first identify the data that you might need, determine where that data resides, and, finally, formulate a plan and procedures for collecting that data.

With digital forensic acquisitions, you will typically have only one chance to collect data properly. If you manage the acquisition incorrectly, you run the risk of not only damaging the investigation, but more importantly, destroying the very data that could have been used as evidence.

With the wide range of storage media in the marketplace today, any kind of standardized methodology for all media is simply untenable. Many mistakes are being made in digital evidence collection, and this can cause the guilty to go free and, more importantly, the innocent to be incarcerated. The disposition of millions and millions of dollars can rest within the bits and bytes that you are tasked with properly collecting and interpreting.

An examiner can no longer rely on "dead box" imaging of a single hard drive. In today's cyber sphere, many people utilize a desktop, laptop, tablet, and cellular phone within the course of a normal day. Compounding this issue is the expanding use of cloud storage and providers, and the proper collection of data from all these domains can become quite overwhelming.

This in-depth digital acquisition and data handling course will provide first responders and investigators alike with the advanced skills necessary to properly respond to, identify, collect, and preserve data from a wide range of storage devices and repositories, ensuring that the integrity of the evidence is beyond reproach. Constantly updated, FOR498 addresses today's need for widespread knowledge and understanding of the challenges and techniques that investigators require when addressing real-world cases.

Numerous hands-on labs throughout the course will give first responders, investigators, and digital forensics teams practical experience needed when performing digital acquisition from hard drives, memory sticks, cellular phones, network storage areas, and everything in between.

During a digital forensics response and investigation, an organization needs the most skilled responders possible, lest the investigation end before it has begun. FOR498: Battlefield Forensics & Acquisition will train you and your team to respond, identify, collect, and preserve data no matter where that data hides or resides.

You Will Be Able To

Learn and master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where it is stored
Handle and process a scene properly to maintain evidentiary integrity
Perform data acquisition from at-rest storage, including both spinning media and solid-state storage
Identify the numerous places that data for an investigation might exist
Perform Battlefield Forensics by going from evidence seizure to actionable intelligence in 90 minutes or less
Assist in preparing the documentation necessary to communicate with online entities such as Google, Facebook, Microsoft, etc.
Understand the concepts and usage of large-volume storage technologies, including JBOD, RAID storage, NAS devices, and other large-scale, network addressable storage
Identify and collect user data within large corporate environments where it is accessed using SMB
Gather volatile data such as a computer system's RAM
Recover and properly preserve digital evidence on cellular and other portable devices
Address the proper collection and preservation of data on devices such as Microsoft Surface/Surface Pro, where hard-drive removal is not an option
Address the proper collection and preservation of data on Apple devices such as MacBook, MacBook Air, and MacBook Pro, where hard-drive removal is not an option
Properly collect and effectively target email from Exchange servers, avoiding the old-school method of full acquisition and subsequent onerous data culling
Properly collect data from SharePoint repositories
Access and acquire online mail stores such as Gmail, Hotmail, and Yahoo Mail accounts

FOR498: Battlefield Forensics & Acquisition Course Topics

Advanced use of a wide range of best-of-breed, open-source tools in the SANS Windows 10 environment, as well as other external tools to perform proper data acquisition and evidence handling
Rapid incident response collection of artifacts to quickly further the investigation without waiting for completion of a forensic image
Remote and enterprise digital evidence collection
Windows live artifact collection
Memory collection
Volume shadow copy acquisition
Understanding advanced storage containers such as RAID, EMC, and JBOD
Examination of file systems and how they hold data
Advanced understanding of proper evidence collection and scene management
Identifying data storage devices and locations
Properly identifying a vast array of interface styles and adapter usage
Gaining access to storage media using non-destructive methods
Accessing and collecting cloud-based storage containers, including online email such as Gmail and Outlook.com
Instruction specific to the acquisition of Apple devices
Methodologies for accessing and acquiring data from portable and cellular devices, as well as nontraditional devices such as GPS units and Internet of Things devices

What You Will Receive

SANS Windows SIFT Workstation

This course uses the SANS Windows DFIR Workstation extensively to teach first responders and forensic analysts how to respond to, acquire, and investigate even the most time-sensitive cases.
DFIR Workstation that contains hundreds of free and open-source tools, easily matching any modern forensic commercial suite
A virtual machine is used with many of the hands-on class exercises
Windows 10
VMWare Appliance ready to tackle forensics

F-Response Consultant Covert

Enables practitioner to access remote systems and physical memory of a remote computer via the network
Gives any forensics tool the capability to be used remotely
Perfect for network and cloud data acquisition and visibility
Deployable agent to remote systems
SIFT Workstation compatible
Vendor neutral - works with just about any tool
The six-month license allows it to continue to be used and benchmarked in your environment at work/home

Fully working licenses for 90 days:

Digital Download Package

Downoad package with case images, memory captures, DFIR Workstation, tools, and documentation

SANS DFIR Electronic Exercise Workbook

Electronic Exercise book with detailed step-by-step instructions and examples to help you master Battlefield Forensics

UltraDock Hardware Write Blocking Device

SATA to USB 3 adapter for 2.5" bare hard drives
Note: this comes with a US plug. International students taking the course OnDemand, please obtain an adapter.

SANS DFIR Cheatsheets to Help Use the Tools in the Field

SANS Video

Syllabus (36 CPEs)

Download PDF

Overview
Any baker knows that if you bake with the wrong ingredients, the result will fail. The same holds true for digital evidence collection.
Investigators often respond in high-stress environments where many different entities are critically scrutinizing the collection process. Personnel need to be properly trained and equipped to work in less-than-optimal surroundings, and they must be confident that they have managed the scene, identified all necessary data, collected it in a properly defensible manner, and maintained its integrity.
One of the most common scenarios that can cause headaches is receiving an evidence file (usually an E01), and being expected to provide answers immediately. The common approach is to mount the image and then start running carving and other tools against it. These automated tasks can take many hours (and sometimes days) just by themselves!
Exercises
- DFIR Workstation Installation
- Converting an E01 into a Bootable VM
- Interface Identification and BIOS/UEFI
Topics
SIFT Introduction
- Introduction to the Widows SIFT workstation
- Installation of the Windows SIFT workstation
Introduction to Digital Forensic Acquisition
- Need for a strong understanding of intake/collection
- Understanding how a lack of this knowledge can damage your case
- Not acquiring memory
- Skipping BIOS information
- Determining if encryption is present
- ISO 27037:2012 - Guidelines for identification, collection, acquisition, and preservation of digital evidence
- How to go from where you are to lethal forensicator - the basics
- To specialize or generalize? You can't be good at everything
- Options for diving deeper into specializations
Understanding the Data
- Where is data common to todayâ€™s acquisition requirements found?
- What types of critical data are needed for triage and quick-hit investigations?
  - Evidence of communication
- Chat, email, phone calls, SMS
  - Evidence of browser history
- Where the individual was researching, reading, or accessing via Web apps
  - Evidence of geo-location
- Where has the device been located recently?
- GPS, geo-tagging Info
- Pictures - GPS coordinates in EXIF, etc.
- Maps
- Other GEO-tagging artifacts
- Physical devices
- Going from physical disks to data storage
- File system overview
  - Purpose: Organize and retrieve data
- How do different file systems achieve this?
  - NTFS, FAT, EXT, HFS, APFS
- Specialty file systems
- File system metadata
- Evidence file formats
Scene Management and Evidence Acquisition
- The go bag
- Documenting the scene
- Identifying and collecting evidence
- Evidence seizure
- Documenting storage devices prior to imaging
- Storage and maintenance of evidence
  - Evidence lockups
  - Long-term storage considerations
Device and Interface Identification
- Storage device interface recognition
  - IDE, SATA, SAS, fiber channel, SCSI, USB, Firewire
- Using adapters to convert interfaces
- Accessing BIOS/UEFI
Overview
There is no second chance when seizing or acquiring data. Make sure you get it right the first time.
Portable devices bring their own set of challenges to the table. These devices are more ubiquitous than computers. Seldom is the case today that does not include a cellular device. Unfortunately, there is no standard for cellular operating systems. Even within brands, there can be vastly different data storage. This course section will introduce students to several devices and the tools that will acquire them.
Investigators and first responders should be armed with the latest tools, digital container access techniques, and enterprise methodologies to identify, access, and preserve evidence across a vast range of devices and repositories. They must also be able to scale their identification and collection across thousands of systems in their enterprise. Enterprise and cloud storage collection techniques are now a requirement to track activity that has been intentionally and unintentionally spread across many devices. Responding to these many systems cannot be accomplished using the standard "pull the hard drive" forensic examination methodology. Such an approach will result in lost opportunities due to the time it takes to forensically image entire hard drives. Furthermore, investigators need actionable intelligence as quickly and responsibly as possible. This course section lays the foundation for evidence collection, from initial arrival on a scene to the fundamentals of understanding data at rest and properly identifying the devices, interfaces, and tools that will be needed to carry out collection successfully.
We will also explore the myriad of acquisition hardware and software, not to mention adapters and identification, so that you can make the best decisions about the data.
Exercises
- Portable Device Acquisition
- Portable Device Analysis
- Hard Drive Wiping and Formatting
- Write Blocking Methodologies
- Preparing the Analyst Machine
- Using Timeline Explorer
Topics
Smartphone Acquisition
- Proper device handling techniques
- Acquisition tools
- SIM card acquisition
Smartphone Analysis
- Apple iOS
- Apple iOS fundamentals and "quick win" data
- iOS backups
  - Local and cloud
Android
- Android fundamentals and "quick win" data
- Android backups
- Common analysis techniques
- Applications (Apps)
Acquisition Hardware and Software
- Live response
- Dead box: Write blocking with software imagers
- Preparing destination media
Acquisition Methodology
- Is the computer off or just suspended?
- Hibernation vs. sleep mode
- Accessing a device: Laptop vs. desktop, etc.
- Recognizing signs of tampering
- Be aware of how the data are stored
  - JBOD vs. RAID vs. network
- Acquisition verification
Discovering and Interacting with Data
- Windows and CLI basic navigation and usage
- PowerShell vs. cmd vs. bash
- Data review techniques
  - Timeline Explorer
- Fundamental artifacts
Overview
Quick Win Forensics prioritizes locating, extracting, and processing the 1 percent of digital evidence you need to move a case forward.
Given that 99 percent of the necessary evidence typically will exist in 1-2 percent of the data acquired, it is easy to see how a great deal of time can be wasted following the normal procedures in today's digital forensics world. Instead, let's focus on this 1-2 percent and perform a very rapid triage collection that can be used to start our investigation sooner!
Far too often, computers are seized in an "on" state, and immediately powered down because, "that is how we've always done it." With today's computers, this means you are throwing away (essentially destroying) many gigabytes of data. The RAM in a computer holds a treasure trove of data, from keystrokes to network connections, running services, and, quite importantly, passwords and decryption keys. With the vastly increasing spread of file-less malware, in many cases the only place that evidence will exist is in memory. Another often-overlooked factor is full disk encryption. In cases like this, "live" acquisition will be your only hope.
Exercises
- Mounting Evidence
- Triage Acquisition
- RAM Acquisition and Encrypted Media
- Host Based Live Acquisition
- Dead Box Acquisition
Topics
Beginning the Collection Process
- Live response (the system is running)
- Document state of computer (photograph screen and open apps)
- Dump memory
- Triage collection, depending on case
- Check for encryption
- Dead box
- Accessing storage medium
Mounting Evidence
- Mounting images
Triage Acquisition
- Triage introduction
- Triage acquisition using FTK imager
- Triage acquisition from original media vs. from forensic image
Memory Acquisition and Encryption Checking
- Introducing tools to the environment
- Command line tools
- GUI tools
- Dealing with encrypted devices
- Bitlocker introduction
Host-based Live Acquisition
- Why live acquisition -- is it okay?
- Determining what to collect
- Logical vs. physical imaging
- Important considerations
Dead Box Acquisition
- Media device removal and handling
- Hardware-based device acquisition
- Software-based device acquisition
- Special cases like Surface Pro, etc.
Overview
Cloud computing and storage is becoming more and more common. Do you know how to collect these critical data?
When we think about acquisition, it usually involves opening the side of the computer, removing the hard drive, connecting to a write blocker or imaging equipment, and completing the task. While this does not necessarily result in an inaccurate assessment, it does not address a great deal of the access and acquisition questions surrounding so much data today. If full disk imaging is necessary, then it is certainly easier and quicker to do it directly from the storage itself. But what happens with devices such as iPads, Surface Books, and other equipment held together by glue instead of screws?
Volume Shadow Copies contains a wealth of historic data that are of great use to investigators. Knowing how to access and collect data from these shadow copies is critical in cases involving the Windows operating system.
Battlefield Forensics is considered the bleeding edge of digital forensics. It requires in-depth knowledge of where the most valuable data reside on the computer and how to get at them as fast as possible. An effective battlefield forensicator needs to be extracting actionable intelligence in 90 minutes or less, but the clock does not start when the forensic imaging is done. Rather, it starts from the moment you lay your hands on the device.
This course section will teach you how to identify and access data in non-traditional storage areas. In today's world, so much data live off site, and there are very few methods in place to access and properly acquire those data. We will identify these locations, including SharePoint, Exchange, webmail, network locations, cloud storage, and social media, not to mention Dropbox, Google Drive, and the Internet of Things. This also includes RAID storage and how to best collect these devices regardless of configuration. Moving to the forefront of most Enterprise investigations, we will be examining vSphere and virtual machine collections as well!
Exercises
- Volume Shadow Copy Acquisition
- Using the KAPE Tool for Battlefield Forensics
- Network Acquisition
Topics
File Systems Revisited
- FAT
- Ext
- NTFS
- Timestamp metadata
- Alternate data streams
- Volume shadow copies
- Acquiring volume shadow copies
Battlefield Forensics with KAPE
- Introduction to the KAPE tool
- Using KAPE to rapidly collect critical artifacts
- Processing data using KAPE
- Analyzing KAPE output
Multi-Drive Storage
- Challenges in imaging multi-drive arrays
- RAID
- JBOD (Just a Bunch Of Disks)
EMC/non-traditional formats
- Accessing RAID volumes, and choosing methods to image
Remote Acquisition
- Using F-Response
- Google takeout
Overview
Apple must be approached entirely differently from traditional devices.
This course section will explore the fundamentals of acquiring data from Apple devices. Compared to Windows, there are very few tools and techniques available when it comes to acquisition of Apple products. The tools that exist can be quite expensive, and free tools are simply few and far between. In this course section, will acquire memory and identify systems that are running CoreStorage technology and full disk encryption. We will also visit the challenges posed by APFS. Many of the Apple systems are closed systems, in that you simply cannot remove the hard drive because it is soldered directly to the motherboard. The uniqueness of the data storage demands alternative methods of acquisition.
In this course section, you'll learn how to access and forensically image iPads, MacBooks, and other HFS+ devices, working at the command line, as well as how to build a free acquisition boot disk to image even the latest macOS versions on current hardware.
Not to be left out, the pervasive Internet of Things is controlling our fridges, thermostats, security cameras, and door locks. It is listening passively and waiting patiently for an instruction to perform. In this course section, you will learn how these devices communicate, and more importantly, who is controlling them.
Exercises
- PCAP Collection
- PCAP Graphical Tools
- PCAP Command Line Tools
Topics
Apple MacOS Device Overview and Acquisition
- Apple encryption
  - File vault
- Core storage
- APFS imaging
- Fusion drives
- Acquiring RAM
- Latest Apple Security Layers
- T2 Security Chip
- Collecting drive metadata
  - Live or single user mode
- Accessing storage on Apple MacOS devices
- "Must know" Apple keyboard combinations
- Target disk mode
- Command line imaging
- Creating a macOS GUI boot device
- Using Macquisition to collect a forensically sound image
Internet of Things (IoT)
- Determining devices on the network
  - Internal devices on a LAN
- Methods for collecting network traffic
- Potential communication destinations
- Determining Internet of Things (IoT) communication with portable devices
- Understanding the PCAP to find co-conspirators
- Collection of network traffic
- IoT collection considerations
Overview
Tools fail, techniques become outdated, but do not let that hold you back.
You have traced an artifact back to an IP, email, or web address. Now what? In this course section you'll learn the best methods to determine attribution, from proper collection to legal documentation.
The usefulness of file and stream carving cannot be overstated. Some data simply do not live in the defined file space that can be readily accessed by a viewer. From partially overwritten to deleted data, we will explore techniques you can employ when traditional tools fail.
Data carving is an increasingly important skill. Once the reference to a file is destroyed, how can the data still be recovered? File carving tools will assist in this, but examiners must understand the limitations of their tools. Without the proper pieces of the original file, a carver is useless.
Exercises
- Online Attribution
- Data and Stream Carving
- Data Rebuilding
Topics
Identifying Online Asset Ownership
- How to go from a hostname or IP to someone who can receive legal process
- Considerations of passive DNS
- Insuring against subsequent loss of data
- Possible pitfalls to consider
File and Stream Recovery
- Data streams
- Deleted data recovery
Advanced Data Carving and Rebuilding
- Using manual analysis techniques to find and recover data not normally recoverable
- Understanding file signatures, headers, and footers
- MS Office file format
- Manual data carving
- Data rebuilding
- Repairing corrupted and/or partially overwritten files
Where Do We Go From Here
- How do go from where you are to lethal forensicator - in depth

GIAC Battlefield Forensics and Acquisition

"The GIAC Battlefield Forensics and Acquisition (GBFA) certification demonstrates that an individual is trained and qualified in the proper collection, acquisition, and rapid triage analysis of many forms of data storage. Certified GBFA professionals can traverse each point from arriving at a scene, through determining and establishing the "quick wins" necessary to rapidly move an investigation forward. They have shown skill and excellence in the use of a wide variety of tools and techniques across a vast spectrum of media storage repositories from portable devices, servers, and endpoints, through to IoT and Cloud data. This industry certification will convey that the holder is prepared to handle every facet of the collection and rapid triage process." - Kevin J Ripa, SANS FOR498 Course Co-Author

Efficient data acquisition from a wide range of devices
Rapidly producing actionable intelligence
Manually identifying and acquiring data

Prerequisites

FOR498 is an introductory-to-intermediate response and acquisition course that focuses on recognizing a wide range of electronic evidence, and the various ways to collect it. We do not cover in-depth digital forensic analysis in this course.

We recommend that you follow up this course with one of the following SANS courses: FOR500: Windows Forensics Analysis, FOR508: Advanced Digital Forensics, Incident Response & threat Hunting, FOR518: Mac and iOS Forensic Analysis & Incident Response , FOR585: Smartphone Forensics Analysis In-Depth, FOR572 Advanced Network Forensics: Threat Hunting, Analysis & Incident Response, SEC487: Open-Source Intelligence ( OSINT) Gathering & Analysis

Laptop Requirements

Important! Bring your own system configured according to these instructions!

We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link https://sansurl.com/sans-setup-videos.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Do not bring a system that has critical data you cannot afford to lose. You do so at your own risk.

SANS and its instructors are not responsible for any damage caused to student systems.
Many of the activities involved in this course will be performed on your host computer, and not inside the virtual machine.
You will risk damaging or destroying data on your host computer if you fail to follow lab directions exactly as specified.

Apple Mac Note: While an Apple Mac host computer should work for the majority of labs, a Windows host computer is recommended for the best experience.

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

MANDATORY FOR498 SYSTEM HARDWARE REQUIREMENTS:

CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more. A recent processor is mandatory for this class
BIOS settings for Intel-VT enabled. Being able to access your BIOS (if password protected) is also required in case changes are required.
16 GB (Gigabytes) of RAM or higher is required for this class to run two VMs at the same time. Systems with 8 GB of RAM may still permit labs to function but will be significantly slow and severely limited.
Wireless 802.11 Capability
USB 3.0
200 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical to host the VMs we distribute
Additional Non-SSD Hard Drive: Students must provide a minimum 500 GB (can be larger) spinning hard drive (no SSD), 2.5" SATA, 7200 RPM. We recommend a bare hard drive similar to the one that can be viewed HERE.
Students must have Administrator-level Access to both the laptop's host operating system and system-level BIOS/EFI settings. If this access is not available, it can significantly impact the student experience.
Disable Credential Guard if enabled. Hyper-V required for Credential Guard will conflict with VMware products required for the course.

MANDATORY FOR498 HOST OPERATING SYSTEM REQUIREMENTS:

Host Operating System: Fully patched and updated Windows 10 or Apple Mac OSX (10.12+)
While an Apple Mac host computer should work for the majority of labs, a Windows host computer is recommended for the best experience. There is at least one exercise in the class that cannot be performed if using an Apple Mac is selected as your host device.
Update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
Do not bring a host system that has critical data you cannot afford to lose.

FOR498 CELLULAR DEVICE CONFIGURATION (OPTIONAL):

Apple iPhone or Android phone.
Must have full access to the device. If the device is controlled through Mobile Device Management (MDM), the student will not be able to perform the exercise.
One exercise with the student cellular device is live on the device. As a result, the student is strongly recommended to have a current backup of the device.

PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:

Please download and install VMware Workstation 16.0, VMware Fusion 12.0, or VMware Workstation Player 16.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website
Install 7Zip on your host OS
Some version of Microsoft Office (2013 or newer) to include Word and Excel. Viewer is NOT acceptable

IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:

Bring the proper system hardware (64bit/8 GB+ ram, 200GB free drive space) and operating system configuration
Bring a supported host OS
Install VMware (Workstation, Player, or Fusion) and 7zip
Install Microsoft Office 2013 version or newer
Bring iPhone or Android cellular device (optional)
Bring 500GB (or larger) BARE 2.5" SATA spinning hard drive

Your course media will be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

"During my time as a Special Agent with the FBI, it became evident that the digital forensics community needed better methods to look at large amounts of data in an efficient manner to be able to get to answers quickly. As storage capacities increased, more traditional means began to take longer from a collection and analytical perspective. For this reason, I began creating triage software for use by the law enforcement community (and beyond). This problem has not changed since I left the FBI; in fact it has only continued to grow. For this reason, I decided to take a new approach to this problem, but this time in a way that could be given away to everyone in the digital forensics community. The result of this work is KAPE, which allows for rapid collection and analysis as determined by an incident responder. Of course, processing the data is only part of the equation, so this course spends a significant amount of time talking about acquisition--that is, how to get digital data from the devices we encounter. We not only talk about specific techniques for specific devices and situations, but for many of the topics covered, we provide the framework for how you can be successful when you encounter new devices. This course will focus on two key areas: getting the data that have the answers and extracting the answers from the data. We look forward to seeing you in class!" --Eric Zimmerman

"My digital forensics experience started in the mid 1990s. Back then, a hex editor was the most important tool that an examiner had. You had to understand data at rest in its most fundamental levels if you wanted to be effective at forensics. Fast forward to today and there is a myriad of tools to perform most any task that a forensic examiner might want to do. The by-product of this is that an examiner can be overwhelmed with not only the amount of tools available, but the amount of data that needs review. We recognized that the industry needed a more focused approach at the most important information on a hard drive, to the exclusion of the vast amounts of unnecessary noise. We also recognized that examiners need a better understanding of deleted data and how to extract some of the most important information that we have been missing. Finally, in recent years we have taken notice of the number of devices in use today that contain storage that cannot be removed from the machine. Couple this with live response and data that is encrypted at rest and we must recognize that certain approaches have to change. Thus FOR498 was born. We certainly hope you enjoy taking this class is much as we've enjoyed writing it, and our sincere hope is that this information allows you to become more effective at your craft." --Kevin Ripa

"FOR498 is an excellent course! I learned a lot of new skills that I can't wait to develop further, and Kevin Ripa did an outstanding job delivering the content and making it interesting. His personal stories and examples kept the course engaging and rooted in reality." - Christopher Coy, Microsoft

Ways to Learn

OnDemand

Study and prepare for GIAC Certification with four months of online access to SANS OnDemand courses. Includes labs and exercises, and SME support.

Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

In Person (6 days)

Training events and topical summits feature presentations and courses in classrooms around the world.

Who Should Attend FOR498?

Federal agents and law enforcement personnel who want to master proper acquisition methodologies and ensure that all data are collected properly and in a defensible manner.
First responders who attend to a scene where digital equipment seizure may take place. It is crucial at this point to perform proper scene management, identification, preservation, and acquisition.
Digital forensic analysts who want to consolidate and expand their understanding of data storage and acquisition in today's digital storage world.
Information security professionals who want to learn the acquisition and triage skills needed to begin Windows digital forensics investigations.
Incident response team members who need to preserve indicated computers for digital forensics to help solve their Windows data breach and intrusion cases.
Media exploitation analysts who need to collect and preserve systems in Document and Media Exploitation (DOMEX) operations on systems used by an individual.
Department of Defense and intelligence community professionals tasked with rapid collection and triage of systems.
Anyone interested in an understanding of the proper preservation of systems and who has a background in information systems, information security, and computers.

"FOR498 provided information I can take back to my company and begin using immediately. It will be very easy to show leadership the ROI on this course." - Jennifer Welsh, CNO Financial Group

See prerequisites

FOR498: Battlefield Forensics & Data Acquisition

GIAC Battlefield Forensics and Acquisition (GBFA)

Course Authors:

Kevin Ripa

Eric Zimmerman

What You Will Learn

Syllabus (36 CPEs)

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

GIAC Battlefield Forensics and Acquisition

Prerequisites

Laptop Requirements

Author Statement

Ways to Learn

Who Should Attend FOR498?

Reviews

Find ways to take this course