What You Will Learn
THE CLOCK IS TICKING. YOU NEED TO PRIORITIZE THE MOST VALUABLE EVIDENCE FOR PROCESSING. LET US SHOW YOU HOW.
FOR498A: Forensic Data Acquisition teaches the latest tools, digital container access techniques, and enterprise methodologies to identify, access, and preserve evidence across a vast range of devices, repositories, and non-traditional storage areas. You'll learn how to extract actionable intelligence in 90 minutes or less!
In this course you will learn how to effectively acquire data from:
- PCs, Microsoft Surface, and Tablet PCs
- Apple Devices, Macs, and Macbooks
- RAM and memory
- Smartphones and portable mobile devices
- Cloud storage and services
- Network storage repositories
Syllabus (18 CPEs)
There is no second chance when seizing or acquiring data, so you need to get it right the first time. Portable devices bring their own set of challenges. These devices are more ubiquitous than computers, and seldom is there a case today that does not include a cellular device. Unfortunately, there is no standard for cellular operating systems, and even within a single brand, data storage can differ vastly from model to model. This course section introduces students to several devices and the tools that will acquire them.
Investigators and first responders should be armed with the latest tools, digital container access techniques, and enterprise methodologies to identify, access, and preserve evidence across a vast range of devices and repositories. They must also be able to scale their identification and collection across thousands of systems in their enterprise. Enterprise and cloud storage collection techniques are now a requirement to track activity that has been intentionally and unintentionally spread across many devices. Responding to these many systems cannot be accomplished using the standard "pull the hard drive" forensic examination methodology. Such an approach will result in lost opportunities due to the time it takes to forensically image entire hard drives. Furthermore, investigators need to access actionable intelligence as quickly and responsibly as possible. This course section lays the foundation for evidence collection, from initial arrival on a scene to the fundamentals of understanding data at rest and properly identifying the devices, interfaces, and tools that will be needed to carry out collection successfully.
We will also explore the myriad acquisition hardware, software, and adapters, and how to identify which ones you need, so that you can make the best decisions about the data.
- Portable Device Acquisition
- Portable Device Analysis
- Hard Drive Wiping and Formatting
- Write Blocking Methodologies
- Preparing the Analyst Machine
- Using Timeline Explorer
- Proper Device Handling Techniques
- Airplane Mode
- Network Isolation
- Acquisition Tools
SIM Card Acquisition
- How to Capture the Data and Why
- Regional Concerns
- Apple iOS
- Apple iOS Fundamentals and "Quick Win" Data
- Local and Cloud
- Android Fundamentals and "Quick Win" Data
- Android Backups
- Common Analysis Techniques
- Applications (Apps)
- Messaging Services
- iOS vs. Other Devices
Acquisition Hardware and Software
- Live Response
- FTK imager/X-Ways
- Dead Box: Write Blocking with Software Imagers
- Software-based Write Blocking
- Registry Key/Value Entries
- Hardware-based Write Blocking
- Physical Imaging Device (Ditto, Talon, etc.)
- UltraDock, Tableau, etc.
- Preparing Destination Media
- Formatting Destination Media
- Wiping Destination Media
- Is the Computer Off or Just Suspended?
- Hibernation vs. Sleep Mode
- Accessing a Device: Laptop vs. Desktop, etc.
- Recognizing Signs of Tampering
Be Aware of How the Data Are Stored
- JBOD vs. RAID vs. Network
- Acquisition Verification
- Hashing Source vs. Destination
- Special Case: SSD
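The "Hashing Source vs. Destination" item above, worked through in code. This is an added example written for this page, not course material or any named imaging tool's code. It assumes a constructed in-memory "drive" (`make_source`) with a hypothetical set of unreadable sectors, so that the failure mode a real imager must handle (a read error mid-acquisition) is exercised; the verification logic itself is the standard one: hash the bytes as they are read from the source, then independently re-read and hash the written image, and compare.

```python
import hashlib
import os
import tempfile

SECTOR = 512
CHUNK = 32 * SECTOR  # read 16 KiB at a time; fall back to single sectors on error


class BadSectorError(OSError):
    """Raised by the constructed source to mimic a drive read error (EIO)."""


def make_source(nbytes, bad_sectors=(), seed=b"for498"):
    """Constructed stand-in for a raw device: deterministic pseudo-random bytes
    plus a set of sector numbers that refuse to read. Hypothetical test double."""
    data = bytearray()
    i = 0
    while len(data) < nbytes:
        data += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return {"data": bytes(data[:nbytes]), "bad": set(bad_sectors)}


def read_source(src, offset, length):
    """Return `length` bytes at `offset`, failing if any covered sector is bad."""
    first, last = offset // SECTOR, (offset + length - 1) // SECTOR
    for sector in range(first, last + 1):
        if sector in src["bad"]:
            raise BadSectorError(5, "Input/output error at sector %d" % sector)
    return src["data"][offset:offset + length]


def image(src, dest_path, bad_log):
    """Stream the source into dest_path, hashing bytes as they are read.

    A failed chunk is re-read one sector at a time; a sector that still fails
    is zero-filled and its number appended to bad_log, so every byte of the
    image stays at the same offset as on the source. Returns the SHA-256 of
    the data stream as read (what imaging tools report as the source hash)."""
    h = hashlib.sha256()
    size = len(src["data"])
    with open(dest_path, "wb") as out:
        offset = 0
        while offset < size:
            n = min(CHUNK, size - offset)
            try:
                buf = read_source(src, offset, n)
            except BadSectorError:
                pieces = []
                for s_off in range(offset, offset + n, SECTOR):
                    s_len = min(SECTOR, offset + n - s_off)
                    try:
                        pieces.append(read_source(src, s_off, s_len))
                    except BadSectorError:
                        bad_log.append(s_off // SECTOR)
                        pieces.append(b"\x00" * s_len)
                buf = b"".join(pieces)
            h.update(buf)
            out.write(buf)
            offset += n
    return h.hexdigest()


def hash_file(path):
    """Hash the destination by reading it back from disk, not from memory;
    this is the 'destination' half of source-vs-destination verification."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_and_verify(src, dest_path):
    """Image, re-hash the written file, and return the verification record."""
    bad = []
    source_hash = image(src, dest_path, bad)
    dest_hash = hash_file(dest_path)
    return {
        "source_hash": source_hash,
        "dest_hash": dest_hash,
        "verified": source_hash == dest_hash,
        "bad_sectors": bad,
        "image_bytes": os.path.getsize(dest_path),
    }


def run_demo(n_sectors=1024, bad_sectors=()):
    """Image a constructed source into a temp file and return the record."""
    src = make_source(n_sectors * SECTOR, bad_sectors)
    with tempfile.TemporaryDirectory() as d:
        return acquire_and_verify(src, os.path.join(d, "evidence.dd"))


if __name__ == "__main__":
    print(run_demo(bad_sectors={700}))
```

Two caveats the record makes visible: a matching pair of hashes proves only that the image equals what was read, so the bad-sector list must be kept with the image and noted in the acquisition report; and the "source" hash is the hash of the read stream, not a second pass over the drive, which is why the "Special Case: SSD" item matters, since an SSD's own garbage collection can change what a later re-read of the device returns.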
Discovering and Interacting with Data
- Windows and Command Line Interface Basic Navigation and Usage
- PowerShell vs. cmd vs. Bash
Data Review Techniques
- Timeline Explorer
- Fundamental Artifacts
- Evidence of User Communications (Email, Social Media, Skype/Chat)
- Evidence of Geo-location
- Web Browsing History
Cloud computing and storage are becoming more and more common. Do you know how to collect these critical data? When we think about acquisition, it usually involves opening the side of the computer, removing the hard drive, connecting to a write blocker or imaging equipment, and completing the task. While this is not necessarily inaccurate, it does not address many of the access and acquisition questions surrounding so much data today. If full disk imaging is necessary, then it is certainly easier and quicker to do it directly from the storage itself. But what happens with devices such as iPads, Surface Books, and other equipment held together by glue instead of screws?
Volume Shadow Copies contain a wealth of historic data that are of great use to investigators. Knowing how to access and collect data from these shadow copies is critical in cases involving the Windows operating system.
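One way to enumerate the shadow copies on a live Windows host and turn them into something you can collect from, as an added example written for this page (not course material or KAPE's own code). It assumes the output of `vssadmin list shadows` (a constructed sample is embedded, with made-up GUIDs, host name and US-locale timestamps) and uses the documented `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\` device path, which can be exposed as a directory with `mklink /d` from an elevated cmd.exe.

```python
import re
from datetime import datetime

# Constructed sample in the layout `vssadmin list shadows` prints; the GUIDs,
# machine name and timestamps are made up for this example.
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {1a2b3c4d-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 3/14/2021 10:15:02 AM
      Shadow Copy ID: {5e6f7a8b-0000-4000-8000-000000000002}
         Original Volume: (C:)\\?\Volume{9c8d7e6f-0000-4000-8000-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WS01
         Service Machine: WS01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {1a2b3c4d-0000-4000-8000-000000000004}
   Contained 1 shadow copies at creation time: 3/20/2021 8:02:41 PM
      Shadow Copy ID: {5e6f7a8b-0000-4000-8000-000000000005}
         Original Volume: (C:)\\?\Volume{9c8d7e6f-0000-4000-8000-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
         Originating Machine: WS01
         Service Machine: WS01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

_TIME = re.compile(r"creation time:\s+(.+?)\s*$")
_ID = re.compile(r"Shadow Copy ID:\s+(\{[0-9a-fA-F-]+\})")
_VOL = re.compile(r"Original Volume:\s+\((\w:)\)")
_DEV = re.compile(r"Shadow Copy Volume:\s+(\S+)")


def parse_vssadmin(text):
    """Return one dict per shadow copy: id, volume letter, device path, creation time.
    Assumes the US date format vssadmin prints on an en-US system."""
    copies, created, current = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := _TIME.search(line):
            created = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        elif m := _ID.search(line):
            current = {"id": m.group(1), "created": created}
            copies.append(current)
        elif current and (m := _VOL.search(line)):
            current["volume"] = m.group(1)
        elif current and (m := _DEV.search(line)):
            current["device"] = m.group(1)
    return copies


def shadow_number(copy):
    """The N in HarddiskVolumeShadowCopyN."""
    return int(copy["device"].rsplit("HarddiskVolumeShadowCopy", 1)[1])


def mount_commands(copies, mount_root="C:\\vss"):
    """cmd.exe lines that expose each shadow copy as a directory under mount_root.
    The trailing backslash on the GLOBALROOT path is required; without it the
    link is created but cannot be browsed."""
    return ["mklink /d %s\\shadow%d %s\\" % (mount_root, shadow_number(c), c["device"])
            for c in copies]


def oldest_for_volume(copies, volume):
    """The earliest snapshot of a volume, usually the most interesting one for
    recovering data that has since been wiped or overwritten; None if there is none."""
    matches = [c for c in copies if c.get("volume") == volume]
    return min(matches, key=lambda c: c["created"]) if matches else None


if __name__ == "__main__":
    found = parse_vssadmin(SAMPLE_OUTPUT)
    for cmd in mount_commands(found):
        print(cmd)
    print("oldest C: snapshot:", oldest_for_volume(found, "C:")["created"])
```

Once a shadow copy is linked into a directory, the registry hives, event logs, $MFT and user profiles inside it are collected with the same tools and targets used for the live volume; the commands this produces are meant to be run on the subject host from an elevated prompt, and `mklink` does not exist on a non-Windows analyst machine.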
Battlefield Forensics is considered the bleeding edge of digital forensics. It requires in-depth knowledge of where the most valuable data reside on the computer and how to get the data as fast as possible. An effective battlefield forensicator needs to be extracting actionable intelligence in 90 minutes or less, but the clock does not start when the forensic imaging is done. Rather, it starts from the moment you lay your hands on the device.
This course section will teach you how to identify and access data in non-traditional storage areas. In today's world, much data live off site, and there are very few methods in place to access and properly acquire those data. We will identify these locations, including SharePoint, Exchange, webmail, network locations, cloud storage, and social media, not to mention Dropbox, Google Drive, and the Internet of Things. This also includes RAID storage and how to best collect these devices regardless of configuration. Moving to the forefront of most enterprise investigations, we will be examining vSphere and virtual machine collections as well!
- Volume Shadow Copy Acquisition
- Using the KAPE Tool for Battlefield Forensics
- Network Acquisition
File Systems Revisited
- Timestamp Metadata
- Alternate Data Streams
- Volume Shadow Copies
- Acquiring Volume Shadow Copies
Battlefield Forensics with KAPE
- Introduction to the KAPE Tool
- Using KAPE to Rapidly Collect Critical Artifacts
- Processing Data Using KAPE
- Analyzing KAPE Output
- Challenges in Imaging Multi-drive Arrays
- JBOD (Just a Bunch Of Disks)
- RAID Acquisition Concerns
- Logical vs. Physical
- Accessing RAID Volumes and Choosing Methods to Image
- Physical Access
- Image Directly to External Storage
- Using a Network Connection When Only USB 2.0 Is Available
- Using F-Response
- Acquiring Storage through the Network
- Acquiring RAM through the Network
- Cloud Storage Acquisition
- Email (IMAP)
- Cloud Storage
- Google Takeout
Apple devices must be approached entirely differently from traditional PCs. This course section explores the fundamentals of acquiring data from Apple devices. Compared to Windows, very few tools and techniques are available for acquiring Apple products; those that exist can be quite expensive, and free tools are few and far between. In this section we will acquire memory and identify systems that are running CoreStorage and full disk encryption, and we will visit the challenges posed by APFS. Many Apple systems are closed systems: you simply cannot remove the hard drive, because the storage is soldered directly to the motherboard. The uniqueness of the data storage demands alternative methods of acquisition.
In this course section, you'll learn how to access and forensically image iPads, MacBooks, and other HFS+ devices working at the command line. You'll also learn how to build a free acquisition boot disk to image even the latest macOS versions on current hardware.
Not to be left out, the pervasive Internet of Things is controlling our fridges, thermostats, security cameras, and door locks. It is listening passively and waiting patiently for instructions to perform. In this course section, you will learn how these devices communicate and, more importantly, who is controlling them.
- PCAP Collection
- PCAP Graphical Tools
- PCAP Command Line Tools
Apple macOS Device Overview and Acquisition
- FileVault
- CoreStorage
- APFS Imaging
- Fusion Drives
- Acquiring RAM
- Latest Apple Security Layers
- T2 Security Chip
- Collecting Drive Metadata
- Live or Single User Mode
- Accessing Storage on Apple macOS Devices
- "Must Know" Apple Keyboard Combinations
- Single User Mode
- Repair Mode
- Target Disk Mode
- Options Mode
- Target Disk Mode
- Command Line Imaging
- Creating a macOS GUI Boot Device
- Using MacQuisition to Collect a Forensically Sound Image
Internet of Things (IoT)
- Determining Devices on the Network
- Internal Devices on a LAN
- Methods for Collecting Network Traffic
- Network Tap
- Port Mirror
- Pen Register
- The Need to Coordinate with Network Admins
- Logistic/Procedural/Legal Considerations for Network Data Collection
- Potential Communication Destinations
- Which External Resources Are Being Accessed in the Cloud?
- What Company Holds These Data?
- Determining Internet of Things (IoT) Communication with Portable Devices
- Tying IoT Activity to the Devices Controlling It
- Mobile Device Accessing Cameras, Doors, and Other IoT
- Understanding the PCAP to Find Co-conspirators
- Collection of Network Traffic
- IoT Collection Considerations
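The two IoT questions posed above (how the devices communicate and who is controlling them, in the section introduction) and the "Tying IoT Activity to the Devices Controlling It" and "Understanding the PCAP to Find Co-conspirators" items, worked as one example. This is added code written for this page, not course material or the output of any tool named in the syllabus. It assumes a classic libpcap file (pcapng is a different container) with Ethernet framing, and it constructs its own capture inline: a phone and a laptop on a home LAN, a camera and a door lock, and the camera's vendor cloud, using the 192.168.1.0/24 private range and the 203.0.113.0/24 documentation range; MAC addresses and checksums are zeroed because only the headers are decoded.

```python
import ipaddress
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
TCP, UDP = 6, 17


def _ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, dst, sport, dport, proto, payload=b""):
    """Ethernet/IPv4/TCP-or-UDP frame with zeroed MACs and checksums: enough
    for a header parser, not a frame a NIC would accept. Constructed data."""
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     _ip4(src), _ip4(dst))
    return bytes(12) + b"\x08\x00" + ip + l4


def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield one dict per IPv4 packet; handles both byte orders of the magic."""
    magic, = struct.unpack_from("<I", data, 0)
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if e is None:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    linktype, = struct.unpack_from(e + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        ts, _, incl, orig = struct.unpack_from(e + "IIII", data, off)
        off += 16
        frame = data[off:off + incl]
        off += incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # ARP, IPv6 or a truncated record: not decoded here
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        l4 = frame[14 + ihl:]
        ports = struct.unpack("!HH", l4[:4]) if proto in (TCP, UDP) and len(l4) >= 4 else (None, None)
        yield {"ts": ts, "src": ".".join(map(str, frame[26:30])),
               "dst": ".".join(map(str, frame[30:34])),
               "proto": proto, "sport": ports[0], "dport": ports[1], "bytes": orig}


def conversations(packets):
    """Packets and bytes per (src, dst, proto, dport): the 'who talks to whom' table."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        f = flows[(p["src"], p["dst"], p["proto"], p["dport"])]
        f["packets"] += 1
        f["bytes"] += p["bytes"]
    return dict(flows)


def attribute_controllers(packets, iot_ip, lan_cidr):
    """Split an IoT device's peers into LAN hosts that send *to* it (the phone or
    laptop controlling it) and off-site hosts it sends *to* (the vendor cloud
    that may hold the data and that a legal request would go to)."""
    lan = ipaddress.ip_network(lan_cidr)
    controllers, cloud = set(), set()
    for p in packets:
        if p["dst"] == iot_ip and ipaddress.ip_address(p["src"]) in lan:
            controllers.add(p["src"])
        elif p["src"] == iot_ip and ipaddress.ip_address(p["dst"]) not in lan:
            cloud.add(p["dst"])
    return {"lan_controllers": sorted(controllers), "cloud_endpoints": sorted(cloud)}


# Constructed capture: phone .20, laptop .30, camera .50, door lock .60, gateway .1.
SAMPLE_PCAP = build_pcap([
    (1700000000, build_frame("192.168.1.20", "192.168.1.50", 51000, 554, TCP)),  # phone -> camera (RTSP)
    (1700000001, build_frame("192.168.1.50", "192.168.1.20", 554, 51000, TCP, b"RTSP/1.0 200 OK")),
    (1700000002, build_frame("192.168.1.50", "192.168.1.1", 40001, 53, UDP, b"\x00" * 12)),  # camera DNS
    (1700000003, build_frame("192.168.1.50", "203.0.113.10", 40002, 443, TCP)),  # camera -> vendor cloud
    (1700000004, build_frame("192.168.1.30", "192.168.1.60", 52000, 80, TCP)),  # laptop -> door lock
    (1700000005, build_frame("192.168.1.30", "192.168.1.60", 52000, 80, TCP, b"GET / HTTP/1.1\r\n")),
])

if __name__ == "__main__":
    pkts = list(parse_pcap(SAMPLE_PCAP))
    for flow, stats in sorted(conversations(pkts).items()):
        print(flow, stats)
    print(attribute_controllers(pkts, "192.168.1.50", "192.168.1.0/24"))
```

On a real capture from a tap or port mirror the same two tables answer the syllabus questions directly: the LAN side of the split names the handset or laptop to seize, and the cloud side names the company that holds the device's data. Traffic to the vendor cloud is almost always TLS, so the capture establishes who talked to whom and when, not what was said.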
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
- Do not bring a system that has critical data you cannot afford to lose. You do so at your own risk.
- SANS and its instructors are not responsible for any damage caused to student systems.
- Many of the activities involved in this course will be performed on your host computer, and not inside the virtual machine.
- You will risk damaging or destroying data on your host computer if you fail to follow lab directions exactly as specified.
- Apple Mac Note: While an Apple Mac host computer should work for the majority of labs, a Windows host computer is recommended for the best experience. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.
MANDATORY FOR498 SYSTEM HARDWARE REQUIREMENTS:
- CPU: 64-bit Intel i5/i7 (4th generation or newer), 2.0 GHz or faster. A recent processor is mandatory for this class.
- Intel VT-x enabled in the BIOS/UEFI settings. You must also be able to get into your BIOS (know the password if it is protected) in case changes are required.
- 16 GB (Gigabytes) of RAM or higher is required for this class to run two VMs at the same time. Systems with 8 GB of RAM may still permit labs to function but will be significantly slow and severely limited.
- Wireless 802.11 Capability
- USB 3.0
- 200 GB of free space on your system hard drive. Free space is critical to host the VMs we distribute.
- Additional non-SSD hard drive: students must provide a bare 2.5" SATA, 7200 RPM spinning hard drive of at least 500 GB (no SSD).
- Students must have Administrator-level Access to both the laptop's host operating system and system-level BIOS/EFI settings. If this access is not available, it can significantly impact the student experience.
- Disable Credential Guard if it is enabled. Credential Guard requires Hyper-V, which conflicts with the VMware products used in the course.
MANDATORY FOR498 HOST OPERATING SYSTEM REQUIREMENTS:
- Host Operating System: fully patched and updated Windows 10 or macOS 10.12 or later
- While an Apple Mac host computer should work for the majority of labs, a Windows host computer is recommended for the best experience. At least one exercise in the class cannot be performed if an Apple Mac is used as your host device.
- Update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
- Do not bring a host system that has critical data you cannot afford to lose.
FOR498 CELLULAR DEVICE CONFIGURATION (OPTIONAL):
- Apple iPhone or Android phone.
- Must have full access to the device. If the device is controlled through Mobile Device Management (MDM), the student will not be able to perform the exercise.
- One exercise with the student cellular device is live on the device. As a result, the student is strongly recommended to have a current backup of the device.
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
- Please download and install VMware Workstation 16.0, VMware Fusion 12.0, or VMware Workstation Player 16.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
- Install 7-Zip on your host OS.
- Some version of Microsoft Office (2013 or newer) including Word and Excel. A viewer-only version is NOT acceptable.
IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:
- Bring the proper system hardware (64-bit CPU, 16 GB RAM, 200 GB free drive space) and operating system configuration
- Bring a supported host OS
- Install VMware (Workstation, Player, or Fusion) and 7-Zip
- Install Microsoft Office 2013 version or newer
- Bring iPhone or Android cellular device (optional)
- Bring 500GB (or larger) BARE 2.5" SATA spinning hard drive
Your course media will be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.