Associated Certification: GIAC Battlefield Forensics and Acquisition (GBFA)
THE CLOCK IS TICKING. YOU NEED TO PRIORITIZE THE MOST VALUABLE EVIDENCE FOR PROCESSING. LET US SHOW YOU HOW
FOR498: Battlefield Forensics & Acquisition Course will help you to:
The first step in any investigation is the gathering of evidence. Digital forensic investigations are no different. The evidence used in this type of investigation is data, and this data can live in many varied formats and locations. You must be able to first identify the data that you might need, determine where that data resides, and, finally, formulate a plan and procedures for collecting that data.
With digital forensic acquisitions, you will typically have only one chance to collect data properly. If you manage the acquisition incorrectly, you run the risk of not only damaging the investigation, but more importantly, destroying the very data that could have been used as evidence.
With the wide range of storage media in the marketplace today, any kind of standardized methodology for all media is simply untenable. Many mistakes are being made in digital evidence collection, and this can cause the guilty to go free and, more importantly, the innocent to be incarcerated. The disposition of millions and millions of dollars can rest within the bits and bytes that you are tasked with properly collecting and interpreting.
An examiner can no longer rely on "dead box" imaging of a single hard drive. In today's cyber sphere, many people utilize a desktop, laptop, tablet, and cellular phone within the course of a normal day. Compounding this issue is the expanding use of cloud storage and providers, and the proper collection of data from all these domains can become quite overwhelming.
This in-depth digital acquisition and data handling course will provide first responders and investigators alike with the advanced skills necessary to properly respond to, identify, collect, and preserve data from a wide range of storage devices and repositories, ensuring that the integrity of the evidence is beyond reproach. Constantly updated, FOR498 addresses today's need for widespread knowledge and understanding of the challenges and techniques that investigators require when addressing real-world cases.
Numerous hands-on labs throughout the course will give first responders, investigators, and digital forensics teams practical experience needed when performing digital acquisition from hard drives, memory sticks, cellular phones, network storage areas, and everything in between.
During a digital forensics response and investigation, an organization needs the most skilled responders possible, lest the investigation end before it has begun. FOR498: Battlefield Forensics & Acquisition will train you and your team to respond, identify, collect, and preserve data no matter where that data hides or resides.
You Will Be Able To
FOR498: Battlefield Forensics & Acquisition Course Topics
What You Will Receive
SANS Windows SIFT Workstation
F-Response Consultant Covert
Fully working licenses for 90 days:
Digital Download Package
SANS DFIR Electronic Exercise Workbook
UltraDock Hardware Write Blocking Device
SANS DFIR Cheatsheets to Help Use the Tools in the Field
Notice:
Please plan to arrive 30 minutes early on Day 1 for lab preparation and set-up.
Any baker knows that if you bake with the wrong ingredients, the result will fail. The same holds true for digital evidence collection.
Investigators often respond in high-stress environments where many different entities are critically scrutinizing the collection process. Personnel need to be properly trained and equipped to work in less-than-optimal surroundings, and they must be confident that they have managed the scene, identified all necessary data, collected it in a properly defensible manner, and maintained its integrity.
One of the most common scenarios that can cause headaches is receiving an evidence file (usually an E01), and being expected to provide answers immediately. The common approach is to mount the image and then start running carving and other tools against it. These automated tasks can take many hours (and sometimes days) just by themselves!
CPE/CMU Credits: 6
SIFT Introduction
Introduction to Digital Forensic Acquisition
Understanding the Data
What types of critical data are needed for triage and quick-hit investigations?
Chat, email, phone calls, SMS
Where the individual was researching, reading, or accessing via Web apps
File system overview
How do different file systems achieve this?
Scene Management and Evidence Acquisition
Storage and maintenance of evidence
Device and Interface Identification
Storage device interface recognition
There is no second chance when seizing or acquiring data. Make sure you get it right the first time.
Portable devices bring their own set of challenges to the table. These devices are more ubiquitous than computers. Seldom is the case today that does not include a cellular device. Unfortunately, there is no standard for cellular operating systems. Even within brands, there can be vastly different data storage. This course section will introduce students to several devices and the tools that will acquire them.
Investigators and first responders should be armed with the latest tools, digital container access techniques, and enterprise methodologies to identify, access, and preserve evidence across a vast range of devices and repositories. They must also be able to scale their identification and collection across thousands of systems in their enterprise. Enterprise and cloud storage collection techniques are now a requirement to track activity that has been intentionally and unintentionally spread across many devices. Responding to these many systems cannot be accomplished using the standard "pull the hard drive" forensic examination methodology. Such an approach will result in lost opportunities due to the time it takes to forensically image entire hard drives. Furthermore, investigators need actionable intelligence as quickly and responsibly as possible. This course section lays the foundation for evidence collection, from initial arrival on a scene to the fundamentals of understanding data at rest and properly identifying the devices, interfaces, and tools that will be needed to carry out collection successfully.
We will also explore the myriad acquisition hardware and software options, along with the adapters and interface identification you will need, so that you can make the best decisions about how to get at the data.
CPE/CMU Credits: 6
Smartphone Acquisition
Smartphone Analysis
iOS backups
Android
Acquisition Hardware and Software
Physical imaging device (Ditto, Talon, etc.)
Acquisition Methodology
Be aware of how the data are stored
Discovering and Interacting with Data
Data review techniques
Quick Win Forensics prioritizes locating, extracting, and processing the 1 percent of digital evidence you need to move a case forward.
Given that 99 percent of the necessary evidence typically will exist in 1-2 percent of the data acquired, it is easy to see how a great deal of time can be wasted following the normal procedures in today's digital forensics world. Instead, let's focus on this 1-2 percent and perform a very rapid triage collection that can be used to start our investigation sooner!
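As an added illustration of the triage idea described above (example code written for this page, not a SANS, SIFT or KAPE tool), the script below collects only a short list of high-value artifact paths from a volume, hashes each file before and after the copy so the manifest proves an intact copy, and reports what fraction of the volume's bytes actually moved. The target list, the sample tree it builds under a temporary directory, and the file contents are all constructed for the demonstration; real target sets are far longer.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Artifact paths that answer most triage questions, relative to the volume root.
# Constructed short list for illustration; real target sets (KAPE targets, SIFT
# playbooks) are far longer. $MFT is only readable from a forensic mount of an
# image, not through the normal file API of a live NTFS volume.
TRIAGE_TARGETS = [
    "$MFT",
    "Windows/System32/config/SAM",
    "Windows/System32/config/SYSTEM",
    "Windows/System32/config/SOFTWARE",
    "Windows/Prefetch/*.pf",
    "Users/*/NTUSER.DAT",
    "Users/*/AppData/Roaming/Microsoft/Windows/Recent/*.lnk",
]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large artifacts never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_collect(source_root, dest_root, targets=TRIAGE_TARGETS) -> dict:
    """Copy only the targeted artifacts, hash source and copy, and write a manifest."""
    source_root, dest_root = Path(source_root), Path(dest_root)
    source_bytes = sum(p.stat().st_size for p in source_root.rglob("*") if p.is_file())
    entries = []
    for pattern in targets:
        for src in sorted(source_root.glob(pattern)):
            if not src.is_file():
                continue
            rel = src.relative_to(source_root)
            dst = dest_root / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            src_hash = sha256_file(src)      # hash before the copy ...
            shutil.copy2(src, dst)           # copy2 preserves timestamps on the copy
            dst_hash = sha256_file(dst)      # ... and after, so the manifest proves an intact copy
            stat = src.stat()
            entries.append({
                "path": rel.as_posix(),
                "size": stat.st_size,
                "sha256": src_hash,
                "modified_utc": datetime.fromtimestamp(stat.st_mtime, tz=timezone.utc).isoformat(),
                "verified": src_hash == dst_hash,
            })
    collected_bytes = sum(e["size"] for e in entries)
    manifest = {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "source": str(source_root),
        "files": entries,
        "collected_bytes": collected_bytes,
        "source_bytes": source_bytes,
        "collected_fraction": collected_bytes / source_bytes if source_bytes else 0.0,
        "all_verified": all(e["verified"] for e in entries),
    }
    dest_root.mkdir(parents=True, exist_ok=True)
    (dest_root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def build_sample_tree(root) -> None:
    """Constructed stand-in for a seized volume: a few artifacts plus bulky user data."""
    files = {
        "$MFT": b"FILE0" * 200,
        "Windows/System32/config/SAM": b"regf-sample-SAM",
        "Windows/System32/config/SYSTEM": b"regf-sample-SYSTEM",
        "Windows/Prefetch/NOTEPAD.EXE-ABC12345.pf": b"MAM\x04sample",
        "Users/alice/NTUSER.DAT": b"regf-sample-NTUSER",
        "Users/alice/AppData/Roaming/Microsoft/Windows/Recent/report.docx.lnk": b"L\x00\x00\x00sample",
        "Users/alice/Videos/holiday.mp4": bytes(2 * 1024 * 1024),  # bulk data that answers nothing
    }
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def run_demo() -> dict:
    """Build the sample volume in a temp dir, triage it, and return the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        source, dest = Path(tmp) / "evidence", Path(tmp) / "triage"
        build_sample_tree(source)
        return triage_collect(source, dest)


if __name__ == "__main__":
    result = run_demo()
    print(f"collected {len(result['files'])} files, "
          f"{result['collected_fraction']:.2%} of the volume, verified={result['all_verified']}")
```

On the constructed tree the six artifacts amount to well under one percent of the volume, which is the whole point: the manifest, with its per-file hashes and UTC timestamps, is what makes a fast collection defensible later, and the bulk data can still be imaged afterwards if the triage results justify it.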
Far too often, computers are seized in an "on" state, and immediately powered down because, "that is how we've always done it." With today's computers, this means you are throwing away (essentially destroying) many gigabytes of data. The RAM in a computer holds a treasure trove of data, from keystrokes to network connections, running services, and, quite importantly, passwords and decryption keys. With the vastly increasing spread of file-less malware, in many cases the only place that evidence will exist is in memory. Another often-overlooked factor is full disk encryption. In cases like this, "live" acquisition will be your only hope.
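The encryption check that decides between live and dead-box acquisition can be made routine before anyone touches the power button. The script below is an added example for this page, not a course tool: it reads the first 64 KiB of a volume, matches it against the documented on-disk signatures of LUKS, BitLocker, NTFS, exFAT and APFS, and falls back to a Shannon-entropy test for headerless ciphertext such as VeraCrypt volumes. The sample size, the 7.9 bits-per-byte threshold and the sample headers it builds are assumptions made for the demonstration.

```python
import math
import os
from collections import Counter

SECTOR_SAMPLE = 64 * 1024  # how much of the start of the volume to inspect (assumption, not a standard)

# Well-known on-disk signatures at the start of a volume: (offset, magic, label, encrypted?).
# The magic values are the documented formats; None means "cannot tell from the signature alone".
VOLUME_SIGNATURES = [
    (0, b"LUKS\xba\xbe", "LUKS encrypted volume", True),
    (3, b"-FVE-FS-", "BitLocker encrypted volume", True),
    (3, b"NTFS    ", "NTFS volume (no volume-level encryption)", False),
    (3, b"EXFAT   ", "exFAT volume (no volume-level encryption)", False),
    (32, b"NXSB", "APFS container (per-volume encryption possible)", None),
]

ENTROPY_THRESHOLD = 7.9  # bits per byte; assumption used here to flag headerless ciphertext


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext or random data, low for zeroed or structured sectors."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(count / total * math.log2(count / total) for count in Counter(data).values())


def classify_volume_header(header: bytes) -> dict:
    """Decide from the first bytes of a volume whether it is encrypted and what to do about it."""
    entropy = shannon_entropy(header)
    for offset, magic, label, encrypted in VOLUME_SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            verdict, is_encrypted = label, encrypted
            break
    else:
        # No recognised signature. VeraCrypt/TrueCrypt volumes have none by design: the
        # whole header is ciphertext, so near-maximal entropy is the only tell.
        if entropy >= ENTROPY_THRESHOLD:
            verdict, is_encrypted = "no signature, high entropy: probably full-volume encryption", True
        else:
            verdict, is_encrypted = "no signature, low entropy: unknown or unformatted", False
    if is_encrypted is False:
        action = "dead-box imaging acceptable; still capture RAM first if the system is running"
    else:  # True or unknown: err on the side of keeping the keys in memory
        action = "do NOT power down: capture RAM (keys) and image the unlocked volume live"
    return {"verdict": verdict, "encrypted": is_encrypted, "entropy": round(entropy, 3), "action": action}


def sample_header(offset: int, magic: bytes) -> bytes:
    """Constructed header: zeroed sample with a signature planted at the given offset (not a real volume)."""
    buf = bytearray(SECTOR_SAMPLE)
    buf[offset:offset + len(magic)] = magic
    return bytes(buf)


# Constructed samples standing in for the first 64 KiB read from real devices.
SAMPLE_HEADERS = {
    "ntfs": sample_header(3, b"NTFS    "),
    "bitlocker": sample_header(3, b"-FVE-FS-"),
    "luks": sample_header(0, b"LUKS\xba\xbe"),
    "apfs": sample_header(32, b"NXSB"),
    "veracrypt_like": os.urandom(SECTOR_SAMPLE),  # headerless ciphertext looks like random bytes
    "blank": bytes(SECTOR_SAMPLE),
}


def check_device(path: str) -> dict:
    """Read the start of a real block device or volume image (e.g. /dev/sdb1 or vol.dd) and classify it."""
    with open(path, "rb") as fh:
        return classify_volume_header(fh.read(SECTOR_SAMPLE))


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        result = classify_volume_header(header)
        print(f"{name:15} entropy={result['entropy']:.3f} {result['verdict']} -> {result['action']}")
```

Two caveats a responder would want: the bytes must come from the start of the volume (the partition offset), not from a whole-disk image whose first sector is an MBR or GPT, and an unknown signature is treated the same as a positive result, because the cost of a wrong "not encrypted" verdict is the loss of the keys in RAM.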
CPE/CMU Credits: 6
Beginning the Collection Process
Mounting Evidence
Triage Acquisition
Memory Acquisition and Encryption Checking
Host-based Live Acquisition
Dead Box Acquisition
Cloud computing and storage are becoming more and more common. Do you know how to collect these critical data?
When we think about acquisition, it usually involves opening the side of the computer, removing the hard drive, connecting to a write blocker or imaging equipment, and completing the task. While this does not necessarily result in an inaccurate assessment, it does not address a great deal of the access and acquisition questions surrounding so much data today. If full disk imaging is necessary, then it is certainly easier and quicker to do it directly from the storage itself. But what happens with devices such as iPads, Surface Books, and other equipment held together by glue instead of screws?
Volume Shadow Copies contain a wealth of historic data that are of great use to investigators. Knowing how to access and collect data from these shadow copies is critical in cases involving the Windows operating system.
Battlefield Forensics is considered the bleeding edge of digital forensics. It requires in-depth knowledge of where the most valuable data reside on the computer and how to get at them as fast as possible. An effective battlefield forensicator needs to be extracting actionable intelligence in 90 minutes or less, but the clock does not start when the forensic imaging is done. Rather, it starts from the moment you lay your hands on the device.
This course section will teach you how to identify and access data in non-traditional storage areas. In today's world, so much data live off site, and there are very few methods in place to access and properly acquire those data. We will identify these locations, including SharePoint, Exchange, webmail, network locations, cloud storage, and social media, not to mention Dropbox, Google Drive, and the Internet of Things. This also includes RAID storage and how to best collect these devices regardless of configuration. Moving to the forefront of most Enterprise investigations, we will be examining vSphere and virtual machine collections as well!
CPE/CMU Credits: 6
File Systems Revisited
Battlefield Forensics with KAPE
Multi-Drive Storage
EMC/non-traditional formats
Remote Acquisition
Apple must be approached entirely differently from traditional devices.
This course section will explore the fundamentals of acquiring data from Apple devices. Compared to Windows, there are very few tools and techniques available when it comes to acquisition of Apple products. The tools that exist can be quite expensive, and free tools are simply few and far between. In this course section, we will acquire memory and identify systems that are running CoreStorage technology and full disk encryption. We will also visit the challenges posed by APFS. Many Apple systems are closed systems, in that you simply cannot remove the storage because it is soldered directly to the logic board. The uniqueness of the data storage demands alternative methods of acquisition.
In this course section, you'll learn how to access and forensically image iPads, MacBooks, and other HFS+ devices, working at the command line, as well as how to build a free acquisition boot disk to image even the latest macOS versions on current hardware.
Not to be left out, the pervasive Internet of Things is controlling our fridges, thermostats, security cameras, and door locks. It is listening passively and waiting patiently for an instruction to perform. In this course section, you will learn how these devices communicate, and more importantly, who is controlling them.
CPE/CMU Credits: 6
Apple MacOS Device Overview and Acquisition
Apple encryption
Collecting drive metadata
Internet of Things (IoT)
Determining devices on the network
The need to coordinate with network admins
Tools fail, techniques become outdated, but do not let that hold you back.
You have traced an artifact back to an IP, email, or web address. Now what? In this course section you'll learn the best methods to determine attribution, from proper collection to legal documentation.
The usefulness of file and stream carving cannot be overstated. Some data simply do not live in the defined file space that can be readily accessed by a viewer. From partially overwritten to deleted data, we will explore techniques you can employ when traditional tools fail.
Data carving is an increasingly important skill. Once the reference to a file is destroyed, how can the data still be recovered? File carving tools will assist in this, but examiners must understand the limitations of their tools. Without the proper pieces of the original file, a carver is useless.
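As an added example of the header/footer carving described in the two paragraphs above (written for this page, not a course tool), the carver below scans raw bytes with no file system at all, recovers JPEG and PNG streams by their documented start and end markers, and records when a footer is missing so that a partial carve is never mistaken for an intact file. The unallocated-space sample it builds, the per-file size cap and the choice of two formats are constructed for the demonstration.

```python
# Header/footer pairs for two common formats. JPEG streams start with an SOI marker and end
# with EOI; the PNG footer is the IEND chunk type followed by its fixed CRC. max_size caps the
# search when the footer is gone (the value is an assumption for this example).
FILE_SIGNATURES = {
    "jpeg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max_size": 16 * 1024 * 1024},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xae\x42\x60\x82", "max_size": 16 * 1024 * 1024},
}


def carve(image: bytes) -> list:
    """Header/footer carving over raw bytes, ignoring any file system.

    Each hit records where it was found, whether the footer was present, and the carved bytes.
    When the footer is missing, the carve stops at the next header of the same type or at the
    size cap, whichever comes first, and is flagged as incomplete.
    """
    hits = []
    for kind, sig in FILE_SIGNATURES.items():
        header, footer, max_size = sig["header"], sig["footer"], sig["max_size"]
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                data, complete = image[pos:end + len(footer)], True
            else:
                # Footer overwritten or reused by another file: keep what can be trusted and
                # flag it, because a viewer may open it but the tail is not the original.
                next_header = image.find(header, pos + len(header))
                stop = min(pos + max_size, next_header if next_header != -1 else len(image))
                data, complete = image[pos:stop], False
            hits.append({"type": kind, "offset": pos, "length": len(data), "complete": complete, "data": data})
            pos = image.find(header, pos + len(data))  # skip headers embedded in what we just carved
    hits.sort(key=lambda h: h["offset"])
    return hits


def build_sample_image() -> bytes:
    """Constructed unallocated-space sample: two intact files and one whose footer was overwritten."""
    filler = bytes(64)
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-SAMPLE-BODY" * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-SAMPLE-CHUNK-" * 4 + b"IEND\xae\x42\x60\x82"
    truncated_jpeg = b"\xff\xd8\xff\xe1" + b"PARTIAL" * 8  # header survives, tail overwritten
    return filler + jpeg + filler + png + filler + truncated_jpeg + filler


def describe(hits: list) -> list:
    """One line per hit, the way a carver's report would list them."""
    return [
        f"{h['type']} @ {h['offset']:#010x} len={h['length']} "
        f"{'complete' if h['complete'] else 'INCOMPLETE (footer missing)'}"
        for h in hits
    ]


if __name__ == "__main__":
    for line in describe(carve(build_sample_image())):
        print(line)
```

Running it against the constructed sample reports two complete files and one incomplete JPEG whose footer never turns up, which is the limitation the text warns about: a carver can only rebuild what is still on the media. A real-world refinement this simple version does not attempt is handling a JPEG whose EXIF thumbnail carries its own SOI/EOI markers, where a naive footer match truncates the outer image at the thumbnail's end.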
CPE/CMU Credits: 6
Identifying Online Asset Ownership
File and Stream Recovery
Advanced Data Carving and Rebuilding
Where Do We Go From Here
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.
MANDATORY FOR498 SYSTEM HARDWARE REQUIREMENTS:
MANDATORY FOR498 HOST OPERATING SYSTEM REQUIREMENTS:
FOR498 CELLULAR DEVICE CONFIGURATION (OPTIONAL):
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:
Your course media will be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.
"FOR498 provided information I can take back to my company and begin using immediately. It will be very easy to show leadership the ROI on this course." - Jennifer Welsh, CNO Financial Group
FOR498 is an introductory-to-intermediate response and acquisition course that focuses on recognizing a wide range of electronic evidence, and the various ways to collect it. We do not cover in-depth digital forensic analysis in this course.
We recommend that you follow up this course with one of the following SANS courses: FOR500: Windows Forensics Analysis; FOR508: Advanced Digital Forensics, Incident Response & Threat Hunting; FOR518: Mac and iOS Forensic Analysis & Incident Response; FOR585: Smartphone Forensics Analysis In-Depth; FOR572: Advanced Network Forensics: Threat Hunting, Analysis & Incident Response; SEC487: Open-Source Intelligence (OSINT) Gathering & Analysis.
"I have taken other SANS forensic courses, and getting more training about acquisition is very helpful. Also, KAPE is a game changer." - C. McAllister, USMC
"In DFIR, things rarely go as planned. This course teaches you about the options to control when things aren't working as expected." - J-Michael Roberts, Corvus Forensics
"This is a great course & would be especially beneficial for people just starting in the field." - S. Lewis, USAF
"During my time as a Special Agent with the FBI, it became evident that the digital forensics community needed better methods to look at large amounts of data in an efficient manner to be able to get to answers quickly. As storage capacities increased, more traditional means began to take longer from a collection and analytical perspective. For this reason, I began creating triage software for use by the law enforcement community (and beyond). This problem has not changed since I left the FBI; in fact it has only continued to grow. For this reason, I decided to take a new approach to this problem, but this time in a way that could be given away to everyone in the digital forensics community. The result of this work is KAPE, which allows for rapid collection and analysis as determined by an incident responder. Of course, processing the data is only part of the equation, so this course spends a significant amount of time talking about acquisition--that is, how to get digital data from the devices we encounter. We not only talk about specific techniques for specific devices and situations, but for many of the topics covered, we provide the framework for how you can be successful when you encounter new devices. This course will focus on two key areas: getting the data that have the answers and extracting the answers from the data. We look forward to seeing you in class!" --Eric Zimmerman
"My digital forensics experience started in the mid 1990s. Back then, a hex editor was the most important tool that an examiner had. You had to understand data at rest at its most fundamental levels if you wanted to be effective at forensics. Fast forward to today and there is a myriad of tools to perform most any task that a forensic examiner might want to do. The by-product of this is that an examiner can be overwhelmed with not only the amount of tools available, but the amount of data that needs review. We recognized that the industry needed a more focused approach to the most important information on a hard drive, to the exclusion of the vast amounts of unnecessary noise. We also recognized that examiners need a better understanding of deleted data and how to extract some of the most important information that we have been missing. Finally, in recent years we have taken notice of the number of devices in use today that contain storage that cannot be removed from the machine. Couple this with live response and data that is encrypted at rest and we must recognize that certain approaches have to change. Thus FOR498 was born. We certainly hope you enjoy taking this class as much as we've enjoyed writing it, and our sincere hope is that this information allows you to become more effective at your craft." --Kevin Ripa
"FOR498 is an excellent course! I learned a lot of new skills that I can't wait to develop further, and Kevin Ripa did an outstanding job delivering the content and making it interesting. His personal stories and examples kept the course engaging and rooted in reality." - Christopher Coy, Microsoft