Table of Contents
1) Course Introduction
1.1 Disclaimers
1.2 What is digital forensics?
1.3 Course objectives
2) Computer Forensics Incidents
2.1 Introduction
2.2 The legal system
2.3 Criminal incidents
2.4 Internal threats
2.5 External threats
2.6 Investigative challenges
3) Digital Incident Response
3.1 Digital incident assessment
3.2 Initial assessment
3.3 Types of incidents
3.4 Parties involved
3.5 Incident/equipment location
3.6 Available response resources
3.7 Securing digital evidence
3.8 Chain of custody
3.9 Potential digital evidence
3.10 Review
4) OS/Disk Storage Concepts
4.1 Disk-based operating systems
4.2 OS/File storage concepts
4.3 Demo FAT/NTFS
4.5 Disk storage concepts
4.6 Slack space
4.7 File management
4.8 File formats
4.9 Demo: Quickview Plus
5) Digital Acquisition and Analysis Tools
5.1 Digital acquisition
5.2 Terminology
5.3 Digital acquisition
5.4 Digital forensic analysis tools
5.5 Review
6) Forensic Examination Protocol
6.1 Forensic science
6.2 The four cardinal rules
6.3 The Alpha Five
6.4 Demo: data recovery
6.5 The 20 basic steps
6.6 Exercise on file carving
7) Digital Evidence Protocols
7.1 Digital evidence definition
7.2 Classification of digital data
7.3 Digital evidence admissibility
7.4 Demo: viewing metadata of a graphic file
7.5 Demo: viewing metadata of an MS Word file
7.6 Case exercise
7.7 Review
8) Digital Evidence Presentation
8.1 What is digital evidence?
8.2 The best evidence rule
8.3 Digital evidence: hearsay
8.4 Authenticity and alteration
8.5 Layman's analogies
8.6 Review
8.7 Overall Demo: digital evidence presentation
9) Computer Forensics Investigative Theory
9.1 History of digital forensics
9.2 Digital evidence concepts
9.3 Three main aspects to digital evidence reconstruction
9.4 Behavioral evidence analysis (BEA)
9.5 Case exercise
9.6 Review
10) Computer Forensics Laboratory Protocols
10.1 Overview
10.2 Quality assurance
10.3 Standard operating procedure
10.4 Notes
10.5 Reports
10.6 Peer review
10.7 Admin review
10.8 Annual review
10.9 Deviation
10.10 Lab intake
10.11 Tracking
10.12 Storage
10.13 Discovery
10.14 Demo: live response investigation
11) Computer Forensics Processing Techniques
11.1 Overview of digital evidence processing
11.2 Demo: Logical review with FTK
11.3 Duplication
11.4 Documenting and identifying
11.5 Disassembling the device
11.6 Disconnecting the device
11.7 Document the boot sequence
11.8 Removing and attaching the storage device to duplication system
11.9 Duplicating
11.10 Demo: hashing and duplicating a drive
11.11 Preparing duplication for evidence examination
11.12 Recording the logical drive structure
11.13 Logical processes
11.14 Eliminating known files
11.15 Reference lists
11.16 Examining files
11.17 Demo: FTK overview
11.18 Regular expressions
11.19 Examine system logs and correlate files
11.20 Demo: using regular expressions
11.21 File signatures
11.22 Binary encoded data
11.23 Final investigative report
11.24 Demo: hex workshop analysis of graphic files
11.25 Review
12) Crypto and Password Recovery
12.1 Crypto and password background
12.2 Crypto and password history
12.3 Encryption and decryption
12.5 Demo: cracking a Windows password hash
12.6 Symmetric and asymmetric encryption
12.7 Diffusion and confusion
12.8 Crypto and password recovery options
12.9 Demo: password recovery
12.10 Demo: password recovery with rainbow tables
12.11 Review
13) Specialized Artifact Recovery
13.1 Background
13.2 Introduction
13.3 Exam preparation stage
13.4 Windows file date/time stamps
13.5 File signatures
13.6 Image file databases
13.7 Windows COM and OLE
13.8 Windows registry
13.9 Windows alternate data streams
13.10 Windows unique ID numbers
13.11 Other unique IDs
13.12 Historical files 1
13.13 Windows recycle bin
13.14 Outlook Email
13.15 Review