More than half of jobs in the modern world use a computer. The vast majority of people aged 18-30 are 'digitally fluent', accustomed to using smartphones, smart TVs, tablets and home assistants, in addition to laptops and computers, simply as part of everyday life. Yet how many of these users actually understand what's going on under the hood? Do you know what your computer or smartphone can tell someone about you? Do you know how easy it might be for someone to access and exploit that data? Are you fed up with not understanding what technical people are talking about when it comes to computers and files, data and metadata? Do you know what actually happens when a file is deleted? Do you want to know more about Digital Forensics and Incident Response? If you answered 'yes' to any of the above, this course is for you. This is an introductory course aimed at people from non-technical backgrounds, to give an understanding, in layman's terms, of how files are stored on a computer or smartphone. It explains what Digital Forensics and Incident Response are, and the art of the possible when professionals in these fields are given possession of a device.
This course is intended to be a starting point in the SANS catalogue and provide a grounding in knowledge, from which other, more in-depth, courses will expand.
IT'S NOT JUST ABOUT USING TOOLS AND PUSHING BUTTONS
FOR308: Digital Forensics Essentials Course will help you understand:
- What digital forensics is
- What digital evidence is and where to find it
- How digital forensics can assist your organization or investigation
- Digital forensics principles and processes
- Incident response processes and procedures
- How to build and maintain a digital forensics capacity
- Some of the key challenges in digital forensics and incident response
- Some of the core legal issues impacting on digital evidence
Digital forensics has evolved from the methods and techniques used by detectives in the 1990s to get digital evidence from computers into a complex and comprehensive discipline. The sheer volume of digital devices and data that could be used in investigative ways meant that digital forensics was no longer just being used by police detectives. It was now being used as a full forensic science. It was being used in civil legal processes. It was being used in the military and intelligence services to gather intelligence and actionable data. It was being used to identify how people use and misuse devices. It was being used to identify how information systems and networks were being compromised and how to better protect them. And that is just some of the current uses of digital forensics.
However, digital forensics and incident response are still largely misunderstood outside of a very small and niche community, despite their uses in the much broader commercial, information security, legal, military, intelligence and law enforcement communities.
Many digital forensics and incident response courses focus on the techniques and methods used in these fields and often do not address the core principles: what digital forensics and incident response are, and how to actually make use of digital investigations and digital evidence. This course provides that. It serves to educate the users and potential users of digital forensics and incident response teams, so that they better understand what these teams do and how their services can be better leveraged. Such users include executives, managers, regulators, legal practitioners, military and intelligence operators and investigators. In addition, not only does this course serve as a foundation for prospective digital forensics practitioners and incident responders, but it also fills in the gaps in fundamental understanding for existing digital forensics practitioners who are looking to take their capabilities to a whole new level.
FOR308: Digital Forensics Essentials Course will prepare your team to:
- Effectively use digital forensics methodologies
- Ask the right questions in relation to digital evidence
- Understand how to conduct digital forensics engagements compliant with acceptable practice standards
- Develop and maintain a digital forensics capacity
- Understand incident response processes and procedures and when to call on the team
- Describe potential data recovery options in relation to deleted data
- Identify when digital forensics may be useful and understand how to escalate to an investigator
- If required, use the results of your digital forensics in court
FOR308: Digital Forensics Fundamentals Course Topics
- Introduction to digital investigation and evidence
- Where to find digital evidence
- Digital forensics principles
- Digital forensics and incident response processes
- Digital forensics acquisition
- Digital forensics examination and analysis
- Presenting your findings
- Understanding digital forensic reports
- Challenges in digital forensics
- Building and developing digital forensics capacity
- Legality of digital evidence
- How to testify in court
What You Will Receive With This Course
SANS Windows SIFT Workstation
- This course uses the SANS Windows DFIR Workstation to teach first responders and forensic analysts how to view, decode, acquire, and understand digital evidence.
- DFIR Workstation that contains many free and open-source tools, which we will demonstrate in class and use with many of the hands-on class exercises
- Windows 10
- Fully working license for 120 days
- VMWare Appliance ready to tackle the fundamentals of digital forensics
- Media loaded with reports, white papers and appropriate example forms and documentation.
SANS DFIR Exercise Workbook
- Exercise book with detailed step-by-step instructions and examples to help you master digital forensic fundamentals
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
You can use any 64-bit version of Windows or Mac OSX as your core operating system, provided it can install and run VMware virtualization products. You also must have a minimum of 8 GB of RAM for the VM to function properly in the class.
CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
Please download and install VMware Workstation 12, VMware Fusion 8, or VMware Player 12 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
MANDATORY FOR308 SYSTEM HARDWARE REQUIREMENTS:
- CPU: 64-bit Intel i5/i7 (4th generation or later), 2.0+ GHz x64 processor. A recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
- BIOS settings for Intel-VT enabled. Being able to access your BIOS (if password protected) is also required in case changes are required.
- 8 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM is the mandatory minimum. For the best experience, 16 GB of RAM is recommended)
- Wireless 802.11 Capability
- USB 3.0
- 250+ Gigabyte Host System Hard Drive minimum
- 200 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical to host the VMs we distribute
- Additional USB Flash drive: We recommend a USB Flash drive that is smaller than 16GB.
- Students must have Administrator-level Access to both the laptop's host operating system and system-level BIOS/EFI settings. If this access is not available, it can significantly impact the student experience.
- Disable Credential Guard if it is enabled. The Hyper-V features that Credential Guard requires conflict with the VMware products required for the course.
MANDATORY FOR308 HOST OPERATING SYSTEM REQUIREMENTS:
- Host Operating System: Fully patched and updated Windows 10 or Apple Mac OSX (10.12+)
- While an Apple Mac host computer should work for the majority of labs, a Windows host computer is recommended for the best experience. There is at least one exercise in the class that cannot be performed if an Apple Mac is selected as your host device.
- Update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
- Do not bring a host system that has critical data you cannot afford to lose.
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:
- Bring the proper system hardware (64-bit CPU, 8 GB+ RAM, 200 GB free drive space) and operating system configuration
- Bring a supported host OS
- Install VMware (Workstation, Player, or Fusion), MS Office and 7zip, and make sure these work before class.
- Bring a USB Flash drive that is smaller than 16GB.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"Digital Forensics sounds like a really cool and exciting specialist field of expertise, and whilst many people choose to build up their knowledge and experience over many years to become specialists, it is also very much applicable to everyone who uses a computer, or a smartphone, or owns a home assistant. The vast majority of jobs in the developed world now involve the use of some form of computer. It is tremendously beneficial for users to understand how their data is being stored on those systems, the fact that deleted files may be recoverable and steps they can take to improve their odds of successful recovery, as well as how to recognize and respond to any incidents they may encounter on their systems and understand when to call in the experts.
Whether you're interested in getting into the field of Digital Forensics, or you'd just like to understand more about the systems you use on a daily basis, without any prerequisite knowledge required, FOR308 will introduce you to data, how to find it, acquire it, preserve it and most importantly, how to understand it" - Kathryn Hedley
"I have been teaching digital forensics around the world for several years for the SANS Institute, and not a single class went by where I was not being asked questions by my students about areas that I considered essential digital forensic topics, such as how to structure an investigation, how core digital forensics processes work, how to write a digital forensics report, how to testify in court, the legal issues that impact on digital evidence, and so many more topics. These have not been topics we have traditionally covered within the SANS DFIR faculty. I realized that to develop fully rounded digital forensic practitioners we would need to cover these essential areas, to fill in the gaps, so to speak. This was also an opportunity to provide an introduction to digital forensics and digital evidence, not only to people embarking on a digital forensics career, but to lawyers and investigators dealing with digital evidence, to managers managing digital forensics capacity in their organizations, and to anyone interested in the field of digital forensics.
You can't build a house without a foundation, and this course provides that essential foundation for a career in digital forensics" - Jason Jordaan
"Digital forensics is a specialist skill that requires a solid understanding of the technical workings of devices, operating systems, file systems, and applications. Typically, these examinations are going to be one component within a greater overall investigation, which is where FOR308 comes in. At SANS we have trained some of the best and brightest for decades. Specifically, in digital forensics we teach students every day how to be amazing forensicators; how to understand the underlying data to process, parse, and present digital information for technical audiences. This class, however, will bring you right back to basics, because the fundamentals are key. The skills and processes taught in this course are applicable across the rest of the DFIR curriculum; whether you're managing a DFIR capability, getting into the field, or just need to understand how it all fits together. This class will set you up with the tools that you need to understand the processes and procedures involved from start to finish" - Phill Moore
"Kathryn and Phil are great instructors and the material was clearly presented. All this made an enjoyable experience for me." - FOR308 student