What You Will Learn
More than half of jobs in the modern world use a computer. The vast majority of people aged 18-30 are 'digitally fluent', accustomed to using smartphones, smart TVs, tablets and home assistants, in addition to laptops and computers, simply as part of everyday life. Yet how many of these users actually understand what's going on under the hood? Do you know what your computer or smartphone can tell someone about you? Do you know how easy it might be for someone to access and exploit that data? Are you fed up with not understanding what technical people are talking about when it comes to computers and files, data and metadata? Do you know what actually happens when a file is deleted? Do you want to know more about Digital Forensics and Incident Response? If you answered 'yes' to any of the above, this course is for you. This is an introductory course aimed at people from non-technical backgrounds, to give an understanding, in layman's terms, of how files are stored on a computer or smartphone. It explains what Digital Forensics and Incident Response are and the art of the possible when professionals in these fields are given possession of a device.
This course is intended to be a starting point in the SANS catalogue and provide a grounding in knowledge, from which other, more in-depth, courses will expand.
IT'S NOT JUST ABOUT USING TOOLS AND PUSHING BUTTONS
FOR308: Digital Forensics Essentials Course will help you understand:
- What digital forensics is
- What digital evidence is and where to find it
- How digital forensics can assist your organization or investigation
- Digital forensics principles and processes
- Incident response processes and procedures
- How to build and maintain a digital forensics capacity
- Some of the key challenges in digital forensics and incident response
- Some of the core legal issues impacting on digital evidence
Syllabus (36 CPEs)
The volume of digital information in the world is growing at a scarily fast rate. In fact, 90 percent of the digital data that exists worldwide today was created within the last two years, and it's not slowing down, with 2.5 quintillion bytes of new data created each and every day.
If you are investigating any matter, whether it is a crime, an administrative or civil issue, or trying to figure out how your network was compromised, you need evidence. If you are gathering intelligence you need information. The simple reality is that these days the vast majority of potential evidence or information that we can use, whether it is for investigations, court, or intelligence purposes, is digital in nature. To effectively conduct digital investigations, one needs to understand exactly what digital evidence is, where to find it, the issues affecting digital evidence, and the unique challenges facing digital evidence. This will allow one to understand the crucial role that digital forensics plays with regards to digital evidence.
MODULE 1.1: Introduction to Digital Investigation
- Why we need to conduct investigations:
  - Incident response and Threat Hunting
  - Regulatory investigations
  - Media Exploitation
  - Military action
  - Administrative investigations (HR/internal investigations)
  - Law Enforcement investigations
  - Civil and Criminal litigation
MODULE 1.2: Digital Forensics Fundamentals
- What is digital evidence?
- The difference between data and metadata
- File formats and extensions
- File system metadata and file metadata
- The nature of digital evidence
- Binary and hexadecimal
- Bits, nibbles, and bytes
- Converting data between binary, hex and ASCII
- Disk structures
- Data structures
- Slack space and keyword searching
- Memory data structures
- Network data structures
- Volatile and non-volatile data structures
- Allocated and unallocated data
- File deletion and recovery
- Data encoding
- ASCII and Unicode
- The fragility of digital evidence
- Understanding how easy it is to alter or change digital evidence
- The importance of minimizing changes to digital evidence
- Understanding when it is unavoidable to change digital evidence and how to address it
- General rules of acquisition
MODULE 1.3: Incident Response Fundamentals
- Computers and laptops
- Virtual machines
- Tablets and mobile devices
- Removable storage media
- Network devices and data
- Embedded/IoT devices
- Digital evidence in the Cloud
- Drones and vehicles
MODULE 1.4: Digital Forensics Management
- Device volumes
- Number of devices per person is increasing
- Data volumes
- The problem of increasing data volumes
- Do you really need to collect everything?
- Constantly updated operating systems/apps/services
- Device support/locked down devices
- Android and iOS uptake
- Data corruption and recovery
- IoT devices and acquisition
Digital forensics is the core set of principles and processes necessary to produce usable digital evidence and uncover critical intelligence
CSI and similar television shows have popularized forensics in the public consciousness and increased awareness of forensics. Digital forensics is the forensic discipline that deals with the preservation, examination and analysis of digital evidence. However, television and movies have created misunderstandings about exactly what digital forensics is and does. As a result, many people interested in forensics have no real understanding of what it entails.
These misperceptions have also led lawyers who make use of digital evidence in court, investigators who need digital evidence to solve cases, information security practitioners responding to security incidents, and even people conducting digital forensics, to make mistakes in relation to digital evidence, which can have negative consequences.
Digital forensics is crucial to ensure accurate and usable digital evidence, but it is important to understand exactly what it is, what it can do, and how it can be used. If you are a user of digital forensics and digital evidence, understanding exactly how digital forensics works will enable you to better make use of digital forensics and digital evidence. If you are a manager or supervisor of a digital forensic capacity, this will help you understand exactly how it should be functioning and how to build and maintain it. Finally, if you are a prospective digital forensics practitioner or an existing one, this will equip you with the fundamental knowledge and skills that form the core of the digital forensic profession.
MODULE 2.1: Digital Forensics Management
- The history and evolution of digital forensics
- Defining digital forensics
- The purpose of digital forensics
- Asking the right questions
- Knowledge, skills and attributes of digital forensics practitioners
- First responders
- Digital forensic investigators
- Digital forensic analyst
- Digital Forensics vs Incident Response vs Threat Hunting
- Digital forensics tools
MODULE 2.2: Digital Evidence Acquisition Essentials
- ACPO guidelines
- SWGDE guidelines
- Locard's Exchange Principle
- The Inman-Rudin Paradigm
- Digital evidence categorization model
- Relational analysis
- Functional analysis
- Temporal analysis
- The philosophy of science and the scientific method
MODULE 2.3: Concepts of Digital Forensic Analysis
- The digital forensics process
- ISO 27043
- The scientific method in digital forensics
- Forensic process in practice
- Validation processes
- Quality assurance
MODULE 2.4: Digital Forensics Challenges
- Rapidly changing technology
- Moore's Law
- Koomey's Law
- Kryder's Law
- Over reliance on forensic tools
- Commercial vs free and open source tools
- Competency & motivation of practitioners
- Mental health issues
- Ongoing education
Incident Response is the core set of principles and processes necessary to allow an organization to successfully respond, react and remediate against potential attack scenarios
Digital forensics deals with the preservation, examination and analysis of digital evidence. However, Incident Response is often the preceding activity that leads to the requirement to conduct a forensic investigation. If not executed properly, the Incident Response processes and team have the ability to inadvertently disrupt or damage subsequent forensic activities. It is therefore a vitally important aspect of an investigation.
The Incident Response team must be adept at recognizing incidents and responding appropriately to collect and preserve evidence, whilst identifying and containing the incident. This same team is also usually involved in Forensic Readiness planning, which defines what evidence may be useful in a number of attack scenarios and ensures that systems are configured to collect and retain this evidence. Evidence that is collected in advance of an investigation can provide vital clues to a digital forensic investigator and, when used in addition to subsequently acquired data, can provide insights into what data may have changed during specified periods of time that may be pertinent to the case.
Digital Forensics and Incident Response therefore go hand-in-hand and are often referred to by the acronym DFIR. If you are a prospective or current digital forensics practitioner, understanding exactly how incident response works will enable you to better leverage these teams before, during and after investigations to obtain the best and most useful evidence and improve reporting. If you do not plan to build a career in digital forensics, understanding how Incident Response teams and processes work will show you when and how to engage if you suspect an incident may have occurred, and the types of actions on your part that may assist (or impair) any potential investigation, to provide you with the best possible outcome.
MODULE 3.1: Documentation and Reporting in Digital Forensics
- Defining incident response
- Incident response processes and best practice
- Order of volatility
- Phases of incident response
- Knowledge, skills and attributes of an incident response team
- SOC analysts
- First responders
- Relationships and use of specialists
- Legal considerations
- Incident Response tools
MODULE 3.2: Legal Aspects of Digital Forensics
- ISO27035 - Security Incident management
- NIST Incident Handling Guide
- Government guidelines
- UK - NCSC / Crest
- IT Governance EU
- Templates for policies and plans
MODULE 3.3: Incident Response Challenges
- Lack of suitable preparation
  - Network diagrams, system details and access
  - Out-of-date documentation
- Over reliance on tools
- Malware, antivirus and anti-forensics
  - What is malware?
  - What is antivirus?
- Sophisticated attacks
DIGITAL FORENSICS MANAGEMENT
Good management of a digital forensic or incident response team is key in allowing an organization to successfully respond to potential attack scenarios and investigate digital evidence
Management of a DFIR team is crucial to the success or failure of investigations. This includes suitably preparing the team and environment, providing support throughout each case, escalating issues as required, as well as conducting reviews and providing regular feedback. If sufficient management support is not in place at any stage in the lifecycle of an investigation, it may not be possible to proceed, or insufficient analysis may be conducted. Understanding how to build, manage and prepare a DFIR capability is essential.
Digital Forensic Readiness is the key element in preparation to allow an organization to successfully respond to potential attack scenarios and investigate digital evidence. Digital forensic readiness acknowledges and defines the tools, processes and resources that must be in place to allow an organization to suitably deal with Digital Forensic investigations and Incident Response cases. If Readiness policies and processes are not defined properly, digital evidence may be unsuitable or may not be available when required, which can hinder or entirely prevent an investigation. It is therefore a vitally important aspect of pre-investigation planning.
MODULE 4.1: Introduction to Forensic Readiness
- Defining forensic readiness
- Differences between forensic readiness and incident response
MODULE 4.2: The need for Forensic Readiness
- Use of digital evidence in organizations
- Forensic readiness and ISO standards
- Legislation and regulation
- Benefits of forensic readiness
MODULE 4.3: Building and Managing a DFIR Capacity
- Building a business case for digital forensics and incident response
- DFIR service models
- Building a DFIR capacity
- Selecting team members
- Skill sets
- Complementary Skills
- Specialist skills to be able to call upon when required
- Managing a DFIR capacity
The acquisition of digital evidence is the most critical part of the digital forensics process and as such it must be done right
Acquiring digital evidence is a crucial component in any investigation. Digital forensics is about finding answers, and if we cannot get to the evidence that we need, which is often stored on devices, in memory, on the wire or over wireless, or in the Cloud, then we will never be able to get the answers we seek. Getting the digital evidence and selecting the appropriate method to obtain it can mean the difference between success and failure in an investigation.
The acquisition of digital evidence has evolved over the years, and the old way of doing it may not always be the best or most effective way of getting the evidence and may actually compromise an investigation. Understanding the various strategies and methods available to acquire digital evidence means that informed decisions can be made as to the best method to use in a given situation or environment.
MODULE 5.1: Forensic Acquisition Principles and Standards
- Preserving the integrity of digital data
- Minimizing the alteration of digital data
- Copying versus imaging
- Forensic imaging methods
- Live imaging versus "dead" imaging
- Triage image, sparse image, full logical images and physical images
- Write blocking
- Software based write blocking
- Hardware write blocking
- Data verification and integrity preservation
- The forensic acquisition processes
- ISO 27037 forensic acquisition processes
- SWGDE forensic acquisition guidelines
- ACPO guidelines
MODULE 5.2: Understanding Forensic Images
- Physical and logical images
- Forensic image formats
- Raw image versus forensic image
MODULE 5.3: Forensic Acquisition Processes
- Handling and controlling physical evidence
- Addressing encryption
- Acquisition types
- Live acquisitions
- "Deadbox" acquisitions
- Network acquisitions
- Remote acquisitions
- Cloud acquisitions
- Mobile acquisition
- Advanced Extraction Techniques
- Chip off acquisitions
MODULE 5.4: Acquisition Challenges
- Available space vs. drive size
- Speed of acquisition vs. available time
- Operating System security
- Types of encryption
  - Full Disk Encryption
  - File Based Encryption
  - Single File Encryption
- Encryption methods
- Encryption tools
- Decryption options
- Acquiring data from the Cloud
- Damaged devices
- Unsupported devices
- Legal authority
- Obtaining evidence in other jurisdictions - mutual legal assistance treaty
- Data sovereignty
The only way to get answers is to ask questions, and the only way to get the right answers is to ask the right questions
The key purpose of digital forensics is to find answers, and it is through the analysis process that digital forensics transforms raw data into either evidence or intelligence that we can use to answer the questions that we need answered. The use of technology is so integral to our day-to-day activities that it allows us an unprecedented opportunity to reconstruct what has happened in the past, to learn what is happening in the present, and even to predict what may happen in the future, all based on the data available to us.
By understanding digital forensic analysis, we can see how we can ask the right questions in our investigations and intelligence efforts, how we can critically examine and analyze the data at hand in a manner that can withstand scrutiny and finally, understand the types of answers we can get.
MODULE 6.1: What Can Forensic Analysis Prove
- What are the questions that forensic analysis can provide answers for
- User attribution
- Assessing alibis and statements
- Location information
- Determining intent
MODULE 6.2: Planning the Examination
- Understanding what you are investigating
- Identify what artefacts can answer your questions
- Types and examples of artefacts and techniques
- Kitchen sink vs targeted approach (including triage)
MODULE 6.3: The Art and Science of Forensic Analysis
- Understanding and applying critical thinking in an investigation
- Applying the scientific method to forensic analysis
  - Gather information and make observations
  - Form a hypothesis to explain observations
  - Evaluate the hypothesis
  - Draw conclusions
- Hypothesis formulation
- Evaluating hypotheses
MODULE 6.4: Forensic Examination and Analysis Standards
- SWGDE standards
- ISO 27042 guidelines for the analysis and interpretation of digital evidence
MODULE 6.5: Forensic Examination and Analysis Challenges
- Breadth and depth of required knowledge
- Forensic artifact documentation challenges
- Tool capability variation
- Identifying data of interest
- Stakeholder expectations
- Analysis scoping and planning
- Ongoing documentation and notetaking
DOCUMENTING AND REPORTING IN DIGITAL FORENSICS
It doesn't matter how good your technical skills are, if you are not able to effectively document what you have done and report on your findings in a manner that non-technical people understand, your investigation is on shaky ground
Digital forensics is at its core about getting answers to questions, whether as evidence or intelligence. So, it is important that we can get the answers that we find in our investigations to the right people so that they can make decisions and act on what is found in the digital forensics process.
It is crucial that we are able to effectively communicate these answers to those people who need them, in a manner that is useful to them, and to be able to effectively support our answers. Not only must we be able to communicate effectively, but it is important that the users of these answers understand what our various reports mean and how they can use them effectively. Without effective communication and understanding of what is communicated, all effort expended in the digital forensic process is lost.
MODULE 7.1: Ongoing Documentation
- Understanding the need for documentation
- Making contemporaneous notes
- Supporting your documentation with evidence
- Maintaining the integrity of your documentation
- Types of documentation
- Investigation authorization and mandates
- Case notes
- Quality assurance documentation
- Tool validation documentation
MODULE 7.2: Presenting your Findings
- How to communicate technical concepts to non-technical audiences
- Educating your audience
- Telling the story
- Supporting your narrative with evidence
- Written reports
- Verbal presentations
GOING TO COURT
While not all digital forensics matters end up going to court, some do, and when that is the case it is important to at least have some understanding of the law of evidence and going to court
Digital investigations can often end up in court. In certain instances, a criminal prosecution may be desired, where the digital evidence you have gathered and analyzed will be used in a criminal court to prosecute an offender. In other instances, you may use your digital evidence in a civil court, claiming damages or other relief, or defending your organization against claims for damages arising from a breach or other incident.
While laws differ around the world, there are some common principles that apply which digital forensic practitioners need to know. They need to understand the legal requirements for evidence to be acceptable for a court to use. They also need to understand how to present that evidence if they are called upon to testify in court. These two fundamentals can mean the difference between success and failure.
MODULE 8.1: Legal Evidence
- What is evidence
- The legal requirements for court directed evidence
- Chain of custody
- Legal processes to secure evidence
- Organizational policy and contractual frameworks
- Reliability of the evidence
- Proving legal elements
- Exculpatory evidence
MODULE 8.2: Testifying in Court
- Understanding the court process
- Technical versus expert witnesses
- The responsibility of a witness
- The testifying process
- How to be an effective witness
FOR308 is an introductory digital forensics course that addresses core digital forensics principles, processes and knowledge.
If you wish to become a digital forensics or incident response practitioner, we recommend that you follow up this course with one or more of the following SANS courses: FOR500, FOR508, FOR518, FOR585, FOR526 or FOR572.
!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.
You can use any 64-bit version of Windows or Mac OSX as your core operating system that also can install and run VMware virtualization products. You also must have a minimum of 8 GB of RAM or higher for the VM to function properly in the class.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
Please download and install VMware Workstation 12, VMware Fusion 8, or VMware Player 12 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
MANDATORY FOR308 SYSTEM HARDWARE REQUIREMENTS:
- CPU: 64-bit Intel i5/i7 (4th generation+), x64 2.0+ GHz processor or better. A recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
- BIOS settings for Intel-VT enabled. Being able to access your BIOS (if password protected) is also required in case changes are required.
- 8 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM is the mandatory minimum. For the best experience, 16 GB of RAM is recommended)
- Wireless 802.11 Capability
- USB 3.0
- 250+ Gigabyte Host System Hard Drive minimum
- 200 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical to host the VMs we distribute
- Additional USB Flash drive: We recommend a USB Flash drive that is smaller than 16GB.
- Students must have Administrator-level Access to both the laptop's host operating system and system-level BIOS/EFI settings. If this access is not available, it can significantly impact the student experience.
- Disable Credential Guard if enabled. Hyper-V required for Credential Guard will conflict with VMware products required for the course.
MANDATORY FOR308 HOST OPERATING SYSTEM REQUIREMENTS:
- Host Operating System: Fully patched and updated Windows 10 or Apple Mac OSX (10.12+)
- While an Apple Mac host computer should work for the majority of labs, a Windows host computer is recommended for the best experience. There is at least one exercise in the class that cannot be performed if an Apple Mac is selected as your host device.
- Update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
- Do not bring a host system that has critical data you cannot afford to lose.
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
- Please download and install VMware Workstation 15.5, VMware Fusion 11.5, or VMware Workstation Player 15.5 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
- Install 7Zip on your host OS
- Microsoft Office (version 2013 or newer) w/Excel or OpenOffice w/Calc installed on your host - Note you can download Office Trial Software online (free for 30 days). Viewer is NOT acceptable
IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:
- Bring the proper system hardware (64-bit/8 GB+ RAM, 200 GB free drive space) and operating system configuration
- Bring a supported host OS
- Install VMware (Workstation, Player, or Fusion), MS Office and 7Zip, and make sure these work before class.
- Bring a USB Flash drive that is smaller than 16GB.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"Digital Forensics sounds like a really cool and exciting specialist field of expertise, and whilst many people choose to build up their knowledge and experience over many years to become specialists, it is also very much applicable to everyone who uses a computer, or a smartphone, or owns a home assistant. The vast majority of jobs in the developed world now involve the use of some form of computer. It is tremendously beneficial for users to understand how their data is being stored on those systems, the fact that deleted files may be recoverable and steps they can take to improve their odds of successful recovery, as well as how to recognize and respond to any incidents they may encounter on their systems and understand when to call in the experts.
Whether you're interested in getting into the field of Digital Forensics, or you'd just like to understand more about the systems you use on a daily basis, without any prerequisite knowledge required, FOR308 will introduce you to data, how to find it, acquire it, preserve it and most importantly, how to understand it" - Kathryn Hedley
"I have been teaching digital forensics around the world for several years for the SANS Institute, and not a single class went by where I was not being asked questions by my students about areas that I considered essential digital forensic topics, such as how to structure an investigation, how core digital forensics processes work, how to write a digital forensics report, how to testify in court, the legal issues that impact on digital evidence, and so many more topics. These have not been topics we have traditionally covered within the SANS DFIR faculty. I realized that to develop fully rounded digital forensic practitioners we would need to cover these essential areas, to fill in the gaps, so to speak. This was also an opportunity to provide an introduction to digital forensics and digital evidence, not only to people embarking on a digital forensics career, but to lawyers and investigators dealing with digital evidence, to managers managing digital forensics capacity in their organizations, and anyone interested in the field of digital forensics.
You can't build a house without a foundation, and this course provides that essential foundation for a career in digital forensics" - Jason Jordaan
"Digital forensics is a specialist skill that requires a solid understanding of the technical workings of devices, operating systems, file systems, and applications. Typically, these examinations are going to be one component within a greater overall investigation, which is where FOR308 comes in. At SANS we have trained some of the best and brightest for decades. Specifically, in digital forensics we teach students every day how to be amazing forensicators; how to understand the underlying data to process, parse, and present digital information for technical audiences. This class however will bring you right back to basics, because the fundamentals are key. The skills and processes taught in this course are applicable across the rest of the DFIR curriculum; whether you're managing a DFIR capability, getting into the field, or just need to understand how it all fits together. This class will set you up with the tools that you need to understand the processes and procedures involved from start to finish" - Phill Moore