Tutorials

Tutorial 1-6: Forensic Fundamentals - Presented with the SANS Institute

March 24, 2010

10:00 AM - 6:00 PM

Prerequisite: None

6 CPE Credits

Laptop Required

(Separate tutorial entry fee of $850 required)

At first, investigating a case can appear to be a daunting task. The hardest part of forensics is not recovering data, but understanding how the recovered evidence could prove a case. Starting on this day, students will become familiar with the fundamental forensic topics that every investigator should know.

Starting with fundamental forensic technical and legal topics, the course will guide you through the must-know digital forensic topics. This day will introduce where electronically stored information (ESI) might be found across your infrastructure. Writing and presenting computer forensic reports will also be taught in depth, with a focus on industry best practices. Knowing how to present crucial data to a court, a judge, or management is a key step in becoming a master computer forensic examiner.

Topics:

  • Purpose of Forensics
    • Investigative Mindset
    • Focus on the Fundamentals
  • Discussion of Major Case Types
    • Industrial Espionage and Fraud
    • Hacker Intrusions
    • Inappropriate Use of Internet
    • Child Exploitation
    • E-discovery
    • Corporate Investigations
    • Civil and Criminal Litigation
  • Types of Electronically Stored Information
    • E-mail
    • Web site Postings, Blogs/Wiki, Text Messaging, and Chat Room Content
    • Computer Stored Records and Databases
  • Location of Electronically Stored Information (ESI)
    • Computer Based Network
    • Portable Electronic Storage Devices
    • Mobile
  • Evidence Collection: Order of Volatility
    • Live and Static Collection
  • File System Basics
    • Partition, Data, Metadata, Filename
  • Evidence Fundamentals
    • Admissibility
    • Authenticity
    • Threats against Authenticity
  • Reporting and Presenting Evidence
    • Taking Notes
    • Report Writing Essentials
    • Best Practices for Presenting Evidence
  • Forensic Methodology
    • Evidence Acquisition
    • Evidence Analysis
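In practice, the "Authenticity" and "Evidence Acquisition" topics above rest on one mechanism: hash the image at acquisition, record the hashes with the evidence identifier, and re-hash before analysis and before presenting in court so that any alteration of the copy is detectable. The following is an added example written for this page; it is not code from the tutorial or from SANS. The evidence identifier, examiner name and the image bytes are constructed placeholders, and the chunked hashing mirrors how a multi-gigabyte image would be processed without loading it into memory.

```python
"""Acquisition-time hashing and later re-verification of an evidence image.

Added example, not part of the tutorial materials. The sample image,
evidence ID and examiner name are constructed placeholders.
"""
import hashlib
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB image never sits in RAM


def hash_stream(data: bytes) -> dict:
    """Compute MD5 and SHA-256 in a single pass over the data.

    Two algorithms are recorded because older tools and some case files
    still cite MD5; SHA-256 is the one to rely on, since MD5 collisions
    are a known threat against authenticity.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for offset in range(0, len(data), CHUNK):
        block = data[offset:offset + CHUNK]
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": len(data)}


def acquisition_record(evidence_id: str, examiner: str, image: bytes) -> dict:
    """Build the chain-of-custody record written at acquisition time."""
    record = {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    record.update(hash_stream(image))
    return record


def verify(record: dict, image: bytes) -> tuple:
    """Re-hash a working copy and compare it to the acquisition record.

    Returns (ok, reason). Size is checked first because it is the cheapest
    signal; a size match with a hash mismatch means in-place alteration.
    """
    now = hash_stream(image)
    if now["size"] != record["size"]:
        return False, "size mismatch: %d vs %d bytes" % (now["size"], record["size"])
    if now["sha256"] != record["sha256"]:
        return False, "sha256 mismatch: image altered since acquisition"
    if now["md5"] != record["md5"]:
        return False, "md5 mismatch: image altered since acquisition"
    return True, "hashes match acquisition record"


# Constructed sample "image": a label followed by a repeating byte pattern.
SAMPLE_IMAGE = b"CONSTRUCTED-SAMPLE-IMAGE:" + bytes(range(256)) * 64


def tampered_copy(image: bytes, offset: int = 1000) -> bytes:
    """Flip one byte at `offset` to simulate an altered working copy."""
    data = bytearray(image)
    data[offset] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    rec = acquisition_record("EV-0001", "Examiner Placeholder", SAMPLE_IMAGE)
    print("acquired:", rec)
    print("original :", verify(rec, SAMPLE_IMAGE))
    print("tampered :", verify(rec, tampered_copy(SAMPLE_IMAGE)))
```

The acquisition record is what goes into the case notes; the verification call is what is repeated every time the image changes hands or is loaded into a new tool, and a failed check is itself an event to document rather than silently work around.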

Day 1 Exercises

  • Install Forensic Toolkits
  • Where Will Evidence Exist?
    • Given a case description, describe places you might look for evidence.
  • Reporting/Presenting/Documentation
    • Describe through writing and presentation a simple technical event for potential use in court.
  • Challenging Evidence:
    • Given a set of circumstances surrounding a piece of evidence, describe several ways it could be challenged.

Who Should Attend:

  • Law enforcement officers, federal agents, or detectives who desire to become subject matter experts on computer forensics for Windows-based operating systems
  • Information technology professionals who wish to learn the core concepts in computer forensics investigations
  • Incident Response Team Members who are responding to security incidents and need to utilize computer forensics to help solve their cases
  • Information security managers who need to understand digital forensics in order to understand information security implications and potential litigation related issues or manage investigative teams
  • Information technology lawyers and paralegals who desire to have a formal education in digital forensic investigations
  • Anyone interested in computer forensic investigations with a background in information systems, information security, and computer

Laptop requirements for this course:

!! IMPORTANT! BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!

A properly configured computer system is required for each student participating in the workshop portion of this course. Before coming to class, download the forensic installation document from http://www.sans.org/training/forensic_install_408.pdf, which describes in detail the steps to follow to complete the installation. If you do not carefully read and follow these instructions exactly, you are guaranteed to leave the course unsatisfied, since you will not be able to analyze the forensic images that we will hand out.

You will use VMware to run a preconfigured forensic workstation built in a Windows XP environment alongside your host system, which will enable you to perform hands-on analysis during class. You must have VMware Workstation 6.0, VMware Player 2.5, or VMware Fusion 2.0 or higher installed on your system before class begins. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from http://www.vmware.com. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player is a free download.

Due to the hard drive space and processing requirements of the lab exercises, students should bring a laptop meeting the mandatory laptop requirements listed below in order to get the most out of the course.

Mandatory License Requirements:

  • Very Important: Students must bring a Microsoft Windows XP Professional license key with them to class at the beginning of the first day
  • The key will look like XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
  • Corporate, Site, and Group Licenses are not acceptable as they fail the Windows Genuine Advantage Test.

Mandatory Laptop Hardware Requirements:

  • CPU: 1.5 GHz or higher is recommended
  • DVD/CD Combo Drive
  • Wireless 802.11 B/G Networking Capability
  • 1 Gigabyte of RAM minimum (2 GB or more is highly recommended)
  • 60 Gigabyte Hard Drive minimum (HARD DRIVE SIZE IS CRITICAL)
  • 40 Gigabytes of Free Space on your Hard Drive
  • Download and install WINZIP 12 or higher on your Windows Machine
  • The student must have Local Administrator access within the Windows OS
  • Bring your WINDOWS Installation CD-ROMS or DVDs to the course

Mandatory Additional Items:

  • One External USB 2.0 or Firewire Hard Drive ~40GB or higher in size
  • One USB Thumb Drive (2-8 GB in size)
  • One old, used, or spare IDE, SATA, or laptop hard disk drive, obtained from one of:
    • Hard Drive Purchased from EBAY or Craigslist
    • Hard Drive from USED PC at home/work
    • Local computer show
    • Hard Drive from any computer store

IN SUMMARY, BEFORE YOU ARRIVE AT THE TRAINING EVENT YOU SHOULD:

  • Write down and bring with you a MS Windows XP Pro License Key (XXXXX-XXXXX-XXXXX-XXXXX-XXXXX)
  • Bring the proper laptop hardware configuration
  • Download the forensics install document and follow it exactly: http://www.sans.org/training/forensic_install_408.pdf
  • Install VMware Workstation/Player/Fusion
  • Bring the proper mandatory additional items

This tutorial is being offered in association with the SANS Institute. It may be paid for through the SANS Voucher Program by adding your SANS Voucher number under the Purchase Order section during registration.