| FOR408.1: Digital Forensics Fundamentals and Evidence Acquisition
Andres Velazquez
Wed Feb 13th, 2013
8:00 AM - 5:00 PM
Focus: Investigations begin with firm knowledge of proper evidence acquisition and analysis. Digital Forensics is more than just using a tool that automatically recovers data. Digital Forensics requires analytical skills. Today you will learn how the professionals accomplish digital forensics.
At first, investigating a case appears to be a daunting task. The hardest part of forensics is not recovering data, but understanding how the recovered evidence can prove a case. On day one, students become familiar with fundamental forensic topics that every investigator should know.
Securing or "bagging and tagging" digital evidence can be tricky. Each computer forensics examiner should be familiar with different methods of successfully acquiring and maintaining the integrity of the evidence. Starting with the foundations from law enforcement training in proper evidence-handling procedures, you will learn firsthand the best methods to obtain evidence in a case. You will use the Wiebetech Forensic Ultradock v5 Write Blocker, part of your Windows SIFTkit, to obtain evidence from a hard drive using the most popular tools in the field. You will learn how to use toolkits to obtain memory, encrypted or unencrypted hard disk images, and protected files from a computer system that is running or powered off.
- Purpose of Forensics
- Investigative Mindset
- Focus on the Fundamentals
- Evidence Fundamentals
- Threats against Authenticity
- Reporting and Presenting Evidence
- Taking Notes
- Report Writing Essentials
- Best Practices for Presenting Evidence
- Evidence Acquisition Basics
- Wiebetech Forensic Ultradock v5 Write Blocker Utilization
- Access Data's FTK Imager
- Access Data's FTK Imager Lite
- Preservation of Evidence
- Chain of Custody
- Evidence Handling
- Evidence Integrity
- Types of Acquisition
- Logical vs. Physical
- Basic Windows Memory Acquisition
- Basic Disk-Based Acquisition
- E-discovery Acquisition
- Forensic Field Kits
- Write Blockers
- Laptops/Handheld Imagers
- Full Disk Image Acquisition Tools and Techniques
- Seizing the Evidentiary Image of a USB Device
- Seizing the Evidentiary Image from a Hard Drive
| FOR408.2: Core Windows Forensics Part I: String Search, Data Carving, and E-mail Forensics
Andres Velazquez
Thu Feb 14th, 2013
8:00 AM - 5:00 PM
Focus: Moving quickly from evidence acquisition, you will begin your investigation using the same cutting-edge tools used by the pros. You will learn how major forensic suites can facilitate and expedite the investigative process. In addition, you will learn how to recover and analyze e-mail, the most popular form of communication. Client-based, server-based, mobile, and web-based email forensic analysis is discussed in-depth and students use their knowledge to solve a realistic spam e-mail case.
The section begins with the analysis of electronic evidence using commercial and freely available tools packaged into the Windows SIFT Workstation. You will learn how to recover deleted data from evidence, perform string searches using a word list, and begin to piece together the events that occurred. Today's course is critical to anyone performing digital forensics and provides the most up-to-date techniques to acquire and analyze digital evidence.
Forensics investigations involving e-mail occur every day. However, e-mail examinations require the investigator to pull data locally or from an e-mail server, or even recover web-based e-mail fragments from temporary files left by a web browser. Students will learn the critical steps needed to investigate Outlook, Exchange, Webmail, and even Lotus Notes e-mail stores.
This course is very hands-on. Students will acquire a disk image and begin analysis of a case that will require them to use the skills presented throughout the section.
- Forensic Automated Tools
- Access Data's Forensic Tool Kit (FTK)
- Guidance Software's EnCase
- Freeware/Open-Source Capabilities
- Traditional Tasks Using Forensic Tools
- Triage Techniques
- String/File Searches
- Automated Forensics
- Browsing Disks
- Recovering Deleted Files
- Automated Recovery
- String Searches
- Keyword Searches
- E-Mail Forensics
- Evidence of User Communication
- How E-Mail Works
- Determining Sender's Geographic Locations
- Examination of E-Mail
- Types of E-Mail Formats
- Microsoft Outlook/Outlook Express
- Web-Based Mail
- Microsoft Exchange
- Lotus Notes
- Exchange Dumpster Forensics
- Recovering Deleted E-Mails
- E-Mail Analysis
- E-Mail Searching and Examination
| FOR408.3: Core Windows Forensics Part II - Registry and USB Device Analysis
Andres Velazquez
Fri Feb 15th, 2013
8:00 AM - 5:00 PM
Focus: Windows XP, Windows 7, and Windows 8 Registry Analysis and USB Device Forensics.
Our journey continues with the Windows Registry, where the digital forensic investigator will learn how to discover critical user and system information pertinent to almost any investigation. Each examiner will learn how to navigate and examine the Registry to obtain user profile data and system data. The course teaches forensic investigators how to prove that a specific user performed key word searches, ran specific programs, opened and saved files, perused folders, and used removable devices.
Removable storage device investigations are often a key part of performing computer forensics. We will show you how to perform in-depth USB device examinations on Windows 8, Windows 7, Vista, and Windows XP machines. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, and even the unique serial number of the device used.
Throughout the section, investigators will use their skills in a real hands-on case, exploring and analyzing evidence.
- Employ best-of-breed forensic tools to search for relevant e-mail and file attachments in large data sets
- Understand key concepts like e-mail object filtering, de-duplication, and message similarity
- Learn to use Nuix, a world-class e-mail forensics and e-discovery tool
- Use forensic software to recover deleted objects from e-mail archives
- Perform data visualization and timeline analysis
- Attribute e-mail evidence and geo-locate senders via header analysis
- Analyze document meta-data present in e-mail archives
- Registry Forensics In-Depth
- Registry Basics
- Hives, Keys, and Values
- Registry Last Write Time
- MRU Lists
- Profile Users and Groups
- Discover Usernames and the SID mapped to them
- Last Login
- Last Failed Login
- Logon Count
- Password Policy
- Core System Information
- Identify Current Control Set
- System Name and Version
- Local IP Address Information
- Wireless/Wired/3G Networks
- Geo-location using Wireless Networks
- Network Shares
- Last Shutdown Time
- User Forensic Data
- Evidence of Program Execution
- Evidence of File Downloads
- Evidence of File and Folder Access (Shellbag)
- XP, Win7, Win8 Search History
- Typed Paths and Directories
- Recent Documents (RecentDocs)
- Open/Save and Run Dialog Box Evidence
- Application Execution History (UserAssist)
- External and BYOD Device Forensic Examinations
- Unique Serial Number
- Last Drive Letter
- MountPoints2 - Last Drive Mapping Per User
- Volume Name and Serial Number
- Username that Used the USB Device
- Time of First Use of USB Device
- Time of Last Use of USB Device
- BYOD Device Forensics
- Tools Utilized
- Regripper and Regripper plugins
- Access Data Registry Viewer
- YARU (Yet Another Registry Utility)
| FOR408.4: Core Windows Forensics Part III - Artifact and Log File Analysis
Andres Velazquez
Mon Feb 18th, 2013
8:00 AM - 5:00 PM
Focus: Suspects unknowingly create hundreds of files that link back to their actions on a system. Learn how to examine key files such as link files, Windows prefetch, pagefile/system memory, and more. The latter part of the section centers on examining Windows log files, demonstrating their usefulness in both simple and complex cases.
Continuing from the previous section, the investigator will focus on key files found on the Windows operating system containing evidence. We start with examining the pagefile, system memory, and unallocated space, all difficult-to-access locations that can offer the critical data for your case. Examine key evidentiary links to pictures, printed office documents, and files copied to a removable device.
Windows Log File analysis has solved more cases than possibly any other type of analysis. Understanding the locations and content of these files is crucial to the success of any type of investigator. Many investigators overlook these files because they do not have adequate knowledge or tools to get the job done. The last part of the section will arm each investigator with the core knowledge and capability to maintain this crucial skill for many years to come.
- Memory, Pagefile, and Unallocated Space Analysis
- Artifact Recovery and Examination
- Facebook Live, MSN Messenger, Yahoo, AIM, GoogleTalk Chat
- IE8/IE9 InPrivate/Recovery URLs
- Yahoo, Hotmail, G-Mail, Webmail, E-Mail
- Forensicating Files Containing Critical Digital Forensic Evidence
- Office Documents (2000-2007, .doc, and .docx)
- Adobe Files
- EXIF Data including GPS Coordinates
- Link/Shortcut Files (.lnk)
- Win7/Win8 Jump Lists
- XP Thumbs.db and Vista/Win7/Win8 Thumbscache Files
- Internet Chat Programs (Skype/AIM/MSN)
- Windows Prefetch Analysis (XP/Vista/Win7/Win8)
- Windows Recycle Bin Analysis (XP/Vista/Win7/Win8)
- Windows Event Log Digital Forensic Analysis
- Which Windows Events Matter to a Digital Forensic Investigator
- EVT Log Files
- EVTX Log Files
- Finding Evidence of User Logins, Remote Desktop Usage, Malware Execution, and More
| FOR408.5: Core Windows Forensics Part IV: Web Browser Forensics- Firefox, Internet Explorer, and Chrome
Andres Velazquez
Tue Feb 19th, 2013
8:00 AM - 5:00 PM
Focus: Internet Explorer and Firefox Browser Digital Forensics. Learn how to examine exactly what an individual did while surfing via their web-browser. The results will give you pause the next time you use the web.
With the increasing use of the web and the shift toward cloud computing using web-based applications, browser forensic analysis has become an essential skill for the investigator. The investigator will explore comprehensive web browser evidence created during the use of Internet Explorer and Firefox. The analyst will learn how to examine cookies, history, and Internet cache files of the suspect's system. We will show you where you can examine these files and the common mistakes amateur investigators make when looking at browser artifacts.
Throughout the section, the investigator will utilize their skills in real hands-on cases, exploring evidence created by Firefox and Internet Explorer and Windows OS artifacts.
- Understanding of browser timestamps
- Internet Explorer 6, 7, 8, and 9
- IE key forensic file locations
- History Index.dat (master, daily, weekly) timestamps
- Cache Index.dat timestamps
- InPrivate browsing
- IE8/IE9 recovery folder analysis
- FF2 and FF3-5 key forensic file locations
- Mork format and .sqlite files
- Download history
- Cache examinations
- Typed URLs
- FF3+ recovery data analysis
- Private browsing
- Session Recovery
- Examination of browser artifacts
- Flash cookie files
- DOM objects
- Super cookies
- MANDIANT Inc.'s Web Historian
- Access Data's FTK
- Day 5 exercises
- Track a suspect's activity in browser history and cache files
- Examine which files a suspect downloaded
- Determine which URLs a suspect typed, clicked on, bookmarked, or merely encountered as pop-ups while browsing
| FOR408.6: Windows Digital Forensic Challenge and Mock Trial
Andres Velazquez
Wed Feb 20th, 2013
8:00 AM - 5:00 PM
Focus: This section revolves around the Windows Vista/7-based Digital Forensic Challenge. There has been a murder-suicide and you are the investigator assigned to process the hard drive. The section is a capstone for every artifact discussed in the class. You will use this section to consolidate the skills that you have learned over the past week.
Nothing will prepare you more as an investigator than a full hands-on challenge that requires you to use the skills and knowledge presented throughout the week. In the morning, you will have the option to work in teams on a real forensic case in which evidence will be provided to you to analyze. The case will step you through proper acquisition, analysis, and reporting in preparation for a possible trial. All the teams will work on the case with the objective of discovering critical pieces of evidence to present during the trial.
The complex case presented will involve an investigation of one of the most recent versions of the Windows Operating System. The evidence is real and provides the most realistic training opportunity currently available. Solving the case will require that students use the skills from each of the previous sections.
The section will conclude with a mock trial involving presentations of the evidence collected. The team with the best in-class presentation and short write-up wins the challenge...and the case!
- Following evidence analysis methods discussed throughout the week, find critical evidence.
- Examine registry, e-mail, recovered files, and more.
- Focus and submit the top three pieces of evidence discovered and discuss what they prove factually.
- One of the submitted pieces of evidence will be documented for potential examination during the mock trial.
- Mock Trial
- Each team will be asked to prepare an executive summary and a short presentation
- The team voted to have the best argument and presentation proving their case will win the challenge.
| Laptop Required
!!IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.
You can use any 64-bit version of Windows, MAC OSX, or Linux as your core operating system that also can install and run VMware virtualization products.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
Please download and install VMware Workstation 10, VMware Fusion 6.0, or VMware Player 6.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site.
VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.
MANDATORY FOR408 SYSTEM HARDWARE REQUIREMENTS:
- CPU: 64-bit Intel® x64 2.0+ GHz or faster processor (Important - Please Read: a 64-bit processor is mandatory for this class)
- 8 GB (Gigabytes) of RAM minimum (We strongly recommend 8 GB of RAM or higher to get the most out of the course)
- Ethernet CAT5 Networking Capability Recommended or Wireless 802.11 B/G/N
- DVD/CD Combo Drive
- USB 2.0 or higher Port(s)
- 200 Gigabyte Host System Hard Drive minimum
- 100 Gigabytes of Free Space on your System Hard Drive
- Students must have Local Administrator access on their host operating system
MANDATORY FOR408 SYSTEM SOFTWARE REQUIREMENTS:
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
- Microsoft Office (any version) w/Excel or OpenOffice w/Calc installed on your host - Note you can download Office Trial Software online (free for 60 days)
- Install VMware Workstation 10, VMware Fusion 6.0, or VMware Player 6.0 (higher versions are ok)
- Download and install Winzip or 7Zip
MANDATORY FOR408 ADDITIONAL ITEMS:
- One USB Thumb Drive (2-4 GB in size)
- One External USB 2.0 or Firewire Hard Drive (Formatted NTFS)
- One 3.5 inch IDE or SATA hard disk drive from:
- Hard drive purchased from eBay or Craigslist
- Hard drive from used PC at home/work
- Local computer show
- New/Old hard drive from any computer store
- This used drive serves only as the source drive during the image acquisition exercise
IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:
- Bring the proper system hardware (64-bit CPU/6 GB RAM) and operating system configuration
- Install VMware (Workstation, Player, or Fusion), MS Office, and 7zip
- Bring the proper mandatory additional items
If you have additional questions about the laptop specifications, please contact email@example.com.
| Who Should Attend
- Information technology professionals who wish to learn the core concepts of computer forensics investigations.
- Incident response team members who are new to responding to security incidents and need to use computer forensics to help solve their cases.
- Law enforcement officers, federal agents, or detectives who want to become a subject matter expert on computer forensics for Windows-based operating systems.
- Media exploitation analysts who need to master tactical exploitation and document and media exploitation (DOMEX) operations on systems used by an individual. Attendees will be able to specifically determine how individuals used a system, who they communicated with, and the files that were downloaded, edited, and deleted.
- Information technology lawyers and paralegals who want a formal education in digital forensic investigations.
- Anyone interested in computer forensic investigations who has a background in information systems, information security, and computers.
| Why Take This Course?
What you will learn
- Perform proper Windows forensic analysis and determine how, and by whom, an artifact was placed on the system by applying key analysis techniques covering Windows XP through Windows 8
- Using full-scale forensic analysis tools and analysis methods, detail every action a suspect accomplished on a Windows system: program execution, file/folder opening, geo-location, browser history, USB devices, and more
- Uncover the exact time that a specific user last executed a program through Registry analysis, Windows artifact analysis, and e-mail analysis; this is key to proving intent in many cases such as intellectual property theft, hacker-breached systems, and traditional crimes
- Demonstrate every time a file has been opened by a suspect through IE browser forensics, shortcut file analysis (LNK), email analysis and registry parsing using regripper.
- Using automated analysis techniques via AccessData's Forensic ToolKit (FTK), identify key words searched for by a specific user on a Windows system that can be used to identify files that the suspect was interested in finding.
- Using shellbags analysis tools, articulate every folder and directory that a user opened while browsing the hard drive
- Determine each time a unique and specific USB device is attached to the Windows system, the files and folders that were accessed on it, and who plugged it in via tools parsing key windows artifacts such as the registry and log files.
- Using the Win8 SIFT Workstation, examine how a user logged into a Windows system through a remote session, at the keyboard, or simply unlocking their screensaver by viewing the logon types in the Windows security event logs.
- Using FTK Registry Viewer, pinpoint the geo-location of a Windows system by examining the networks it has connected to, browser search terms, and cookie data to determine where a crime was committed
- Using Web Historian, recover the browser history of a suspect who has attempted to clear their trail using in-private browsing, through the recovery of session restore points and flash cookies
| What You Will Receive
| You Will Be Able To
- Perform proper Windows forensic analysis by applying key analysis techniques covering Windows XP through Windows 8
- Use full-scale forensic tools and analysis methods to detail every action a suspect accomplished on a Windows system, including how and who placed an artifact on the system, program execution, file/folder opening, geo-location, browser history, profile USB device usage, and more
- Uncover the exact time that a specific user last executed a program through Registry analysis, Windows artifact analysis, and e-mail analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker breached systems, and traditional crimes
- Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), e-mail analysis, and Windows Registry parsing
- Use automated analysis techniques via AccessData's Forensic ToolKit (FTK)
- Identify keywords searched by a specific user on a Windows system in order to pinpoint the files and information that the suspect was interested in finding and to accomplish damage assessments
- Use shellbags analysis tools to articulate every folder and directory that a user opened up while browsing the hard drive
- Determine each time a unique and specific USB device was attached to the Windows system, the files and folders that were accessed on it, and who plugged it in by parsing key Windows artifacts such as the Registry and log files
- Learn event log analysis techniques and use them to determine when and how users logged into a Windows system via a remote session, at the keyboard, or simply by unlocking their screensaver
- Determine where a crime was committed using FTK Registry Viewer to pinpoint the geo-location of a system by examining connected networks, browser search terms, and cookie data
- Use Mandiant Web Historian, parse raw SQLite databases, and leverage browser session recovery artifacts and flash cookies to identify web activity of suspects, even if privacy cleaners and in-private browsing are used.
| Press & Reviews
"This is a very high intensity course with extremely current course material that is not available anywhere else in my experience." -Alexander Applegate, Auburn University
"Best forensics class I've had yet (and pretty much the only one that gives you some sort of framework on HOW to attack an exam)." - Det. Juan C. Marquez, Prince William County Police Dept
"Hands down the BEST forensics class EVER!! Blew my mind at least once a day for 6 days!" -Jason Jones, USAF
Course Review: SANS FOR408 Computer Forensic Investigations - Windows In-Depth - www.ethicalhacker.net/content/view/459/24/
"I took SANS FOR408 Windows Forensics and the learning opportunity was second to none. Anyone looking for a first rate forensics class that you can immediately take back to the real world and apply to their job needs to take at least one class from SANS in their lifetime. Whatever the cost may be to you, if forensics is a career priority to you, then you need to take at least one forensics class from SANS." - Chris Nowell - Information Security Architect, Airlines Reporting Corporation (ARC)
"As a member of the IR team, this course will aid in investigating compromised hosts." - Mike Piclher, URS Corp
"FOR408 is based on real scenarios that are likely to occur again. The most up-to-date training I have received." - Martin Heyde, UK Ministry of Defence
"Best forensics course I've taken to date. Vast amounts of information." - Ellen Clark, FBI
"Call me a geek, but this is FUN!" - Frank Dixon, The Babcock & Wilcox Company
"Overall the course continues to be chockfull of megalicious forensicness. Thanks a bunch for the key knowledge." - Vincent Bryant, Blue Cross Blue Shield of Tennessee
"If you weren't interested in forensics before, you will be after this class. For those who already love it, it's reassurance that you're doing the right thing with your life." - Cleora Madison, Walt Disney Theme Parks and Resorts
"The Registry labs are invaluable. I learned more in this class about registry than in 10 years at work. Thanks!" - Michael Mimo, JP Morgan
"I was really looking forward to Windows in-depth and that's exactly what we're getting!" - Joshua Hoover, Charles Schwab
"I have been using forensics tools for years. I never professed to 'know it all'; however, I did not expect to learn as much as I did." - Jody Hawkins, Cook Children's Health Care System
"I really appreciate the prebuilt and configured SIFT workstation. The FOR408 class materials and instruction were outstanding." - Clint Modesitt, LSUHSC
"FOR408 is absolutely necessary for any computer forensic type career. Excellent information!" - Rebecca Passmore, FBI