Digital Forensic Analysis and Investigation

Duration: 3 days

A compact training course on forensic investigation procedures, on electronic evidence of unauthorized activity, and on the fundamental steps to be taken immediately after a security issue is identified.

This training is designed for professionals working in the field of computer security and for researchers interested in the subject. Forensic investigation methodology in this area has changed considerably in recent years, and this course offers a summary of current practice in documenting traces and in investigating and analysing incidents.

During this course, participants learn to obtain evidence in accordance with the international rules applicable in this area, and gain a general knowledge of forensic analysis procedures and of the tools used in the process. They also learn which steps to take immediately after a security incident is identified, in order to prevent further damage and to obtain as precise a picture of the incident's development as possible.

Target Group

This training is primarily intended for computer professionals working in computer network and information system security, for legal experts called in to proceedings related to computer crime, and for researchers or enthusiasts who would like to gain a general knowledge of how a security intrusion is investigated and how such events are prevented.

Expected Range of Participants' Knowledge

This expert training presupposes a certain level of prior knowledge. To get the most practical value from it, we expect you to have a general knowledge of computer system and network architecture (TCP/IP), of how the Windows and Unix/Linux operating systems work, and a basic knowledge of how the FAT/FAT32, NTFS and EXT2/3 file systems operate. Basic knowledge of memory management in the above systems is also very welcome.

Day 1

08:30 a.m. − 09:00 a.m. Introduction of participants

09:00 a.m. − 11:00 a.m. Introduction to Forensic Sciences

1. Overview of forensic sciences and types of crimes that can be proved by computer evidence
2. Work with clients – companies, governments, employers
3. Identification of the case scope and preliminary steps necessary for evidence documentation
4. Preparation of forensic strategies used in investigation
5. Ethical code of conduct of a forensic investigator
6. Preparation and sanitation of storage media
7. Scene documentation, picture-taking and data collection
8. Computer architecture, BIOS, date and time, storage devices, operating system boot process

11:00 a.m. − noon Practice part 1

Sanitization of storage media. Setting date and time on forensic tools. Scene photography

Noon − 1:00 p.m. Lunch

1:00 p.m. − 3:00 p.m. Acquisition of forensic data, file systems

1. Overview of operating systems (Windows 95 / 98 / NT / 2000 / XP / Vista / 7, Novell, Unix / Linux, DOS)
2. Acquisition, collection and documentation of magnetic media
3. Documentation records and creation of media images
4. Best practices for acquiring, collecting and documenting data across various operating systems and file systems
5. Tools used (hardware and software); protection of the data being acquired against modification ("write blockers")
6. Overview of the FAT system, its structure and procedures for data rescue and recovery

3:30 p.m. − 4:15 p.m. Practice part 2

Collection of evidence by copying and by creating forensic images (dd, E01, AD1, etc.)

4:15 p.m. − 5:00 p.m. Practice part 3

Application of procedures in the FAT file system

Day 2

09:00 a.m. − noon File systems

1. NTFS overview: structure and recovery of files
2. Partition table, boot record, bitmaps, root directory, MFT, headers, attributes, hidden entries, dates and times, deletion and recovery of files, directory entries, registry hives, examination of NTFS disks
3. Overview of the EXT2 and EXT3 file systems: data structures and data recovery

Noon − 1:00 p.m. Lunch

1:00 p.m. − 1:45 p.m. Practice part 1

Application of procedures in the NTFS file system

1:45 p.m. − 4:00 p.m. Data recovery

1. File timestamps (creation, last access, modification, etc.) and their meaning
2. Anti-forensic manipulation of dates and times
3. Data hiding, anti-forensic activities, steganography
4. Allocated and unallocated storage space; file carving
5. Analysis and recovery of formatted media

4:00 p.m. − 5:00 p.m. Practice part 2

Recovery of a deleted file; carving a file from unallocated space

Day 3

09:00 a.m. − 11:15 a.m. Forensic artifacts

1. Page file (swap), temporary files, e-mail, cookies, web browser history, links, "spool" files, USB devices
2. Deleted files in the Recycle Bin
3. Keyword searching of digital media: grep and regular expressions, code pages

11:15 a.m. − noon Practice part 1

Searching (grep), deleted files, web browser history, "prefetch" files

Noon − 1:00 p.m. Lunch

1:00 p.m. − 3:30 p.m. Immediate response to an incident

1. How to react to an incident: immediate response, working with volatile data (memory, processes, artifacts)
2. Introduction to the tools and approaches designed for immediate response
3. Acquisition and collection of volatile data
4. Analysis of memory and processes
5. Overview of operating system logs

3:30 p.m. − 4:30 p.m. Practice part 2

Memory acquisition, analysis of a "live" system, operating system logs

4:30 p.m. − 5:00 p.m. Conclusion, Questions & Answers