Computer Forensics Training
Next scheduled classes in English for mixed groups of attendees:
- Kingston, ON, Canada, May 13-17, 2013
- Chicago area, USA, May 20-24, 2013
- Washington DC area, USA, July 9-12, 2013
- Seattle, WA area, USA, July 15-19, 2013
- London, England, Oct 14-18, 2013
- More classes in the US, UK, and Asia will be added depending on demand.
Please drop us an e-mail message if you would like to be kept up to date on classes in the USA, Europe, or Asia, or if you have any questions. Please specify where you prefer to take the training (which continent, country or city). Thank you! Classes in German: click here.
We also offer the courses below internationally as on-site training to law enforcement agencies and corporate customers on request (in English or German, for reasonably sized groups). If you are interested, please contact us by e-mail and let us know the number of prospective attendees and the address of your facilities, so that we can provide you with a special, individual quote.
List of some of the trained users (currently not up to date)
X-Ways Forensics, 4 days
This course focuses on the systematic and efficient examination of computer media using our integrated computer forensics software X-Ways Forensics.
Complete and systematic coverage of all computer forensics features in WinHex and X-Ways Forensics. Hands-on exercises simulate most aspects of the complete computer forensics process. Attendees are encouraged to immediately try out newly gained insights, as presented by the instructor, on sample image files. Many topics are explained along with their theoretical background (slack beyond the usual, how hash databases are internally structured, how deleted partitions are found automatically, with what methods X-Ways Forensics finds deleted files). Other topics are forensically sound disk imaging and cloning, data recovery, search functions, dynamic filtering, report creation, ... Emphasis can be put on any aspect suggested by the participants. You will receive complete printed training material for later repetition. Prerequisite: basic knowledge of computer forensics.
Students will learn, for example, how to get the most thorough overview conceivable of existing and deleted files on computer media, how to scan for child pornography in the most efficient way, or how to manually recover deleted files compressed by NTFS, which would not even be found by conventional file carving techniques.
- Basic setup of the software
  - Key folder paths
  - Read-only vs. Edit vs. In-Place mode; WinHex vs. X-Ways Forensics
  - Start-up options
  - Alternative disk access methods
  - Viewer programs
- Learning the user interface components
  - Menus and toolbars
  - Directory browser
  - Virtual files and directories
  - Case data window with directory tree
  - The case root
  - Modes: Disk/Partition/Volume vs. File; Preview, Gallery, Details, Calendar
  - Info panel
- Navigating disks and file systems
  - Understanding offsets and sectors
  - Absolute, relative and backwards positioning
  - Directly navigating to specific file system structures (e.g. FILE records in NTFS, inodes in ext*)
- Understanding the data interpreter
  - Available conversion options
  - How to get the value you actually want
- Creating disk images
  - Raw images and evidence files
  - Fast, adaptive compression
  - In-built encryption
- Creating a case/adding evidence objects
- Hash calculation and checking
- Using the gallery view and skin color detection efficiently
- Detecting data hiding methods like alternate data streams, host-protected areas (HPA), misnamed files
- Calendar view usage (timeline)
- Previewing file contents
- Registry Viewer and Registry Reports, Registry Report definition files
- Working with the directory browser
  - Recursive listing of directories and entire drives
  - Column visibility and arrangements
  - Copying cell values
  - Selecting, tagging, hiding, viewing, opening files
  - Recovering/copying files
  - Identifying duplicates based on hash
  - Efficient navigation of the file systems' data structures
- Filtering files
  - existing, previously existing
  - tagged, not tagged
  - viewed, not viewed
  - non-hidden, hidden
  - By name, including multiples: by exact name, using wildcards, searching within name, using GREP
  - By path, including multiples
  - By type: exact type, multiple types, entire category, multiple categories
  - By size
  - By one or more timestamps
  - By attributes: ADS, compression, encryption, e-mail (unread, with attachment), video still, ...
- Creating report tables and report table associations
- Using report tables for filtering and classification
- Report creation: basic reports, report tables and activity log
- Refining volume snapshots:
  - File system specific thorough data structure search for previously existing data
  - Signature search for previously existing data not identifiable via file system metadata
  - Verifying file types based on signatures and algorithms
  - Extracting metadata from a variety of file types
  - Analyzing browser history for Internet Explorer, Firefox, Safari, Chrome
  - Analyzing Windows Event Logs (evt and evtx)
  - Exploring ZIP, RAR, etc. archives
  - Extracting e-mails from PST, OST, EDB, DBX, mbox (Unix mailboxes, used e.g. by Mozilla Thunderbird), AOL PFC, etc.
  - Finding pictures embedded in documents, etc.
  - Creating video stills from movie files
  - Skin color percentage calculation and black and white detection
  - Identifying file type specific encryption and running statistical encryption tests
- The hash database
  - Importing single or multiple hash sets
  - Creating your own hash sets
  - Matching files against existing hash sets via Refine Volume Snapshot
- Various methods of file recovery
- Customizing file signatures
- Finding and analyzing deleted partitions
- Using search and index functions effectively
  - Practically unlimited numbers of keywords simultaneously
  - Multiple encodings (Windows code pages, Mac encodings, Unicode: UTF-16, UTF-8) simultaneously
  - The many advantages of logical over physical search
  - Searching inside archives, e-mail archives, encoded data (e.g. PDF documents)
  - GREP search
  - Logical combination of multiple keywords while evaluating results
  - Filtering keywords based on the files they are contained in
  - Data profiles
- Decoding Base64, Uuencode, etc.
- Viewing RAM
- Assembling RAID systems
  - Practical examples for RAID0 and RAID5
  - Explanation of underlying data arrangements
  - Clues towards finding the right parameters
- Recovering deleted NTFS-compressed files manually
- Working with containers
  - Creating containers, understanding the available options
  - Adding files to containers from various sources
  - Closing containers, optionally converting them
  - Using containers as evidence objects
- Optionally other topics like templates
The goal is to be able to draw sustainable conclusions from the data and metadata stored on, or seemingly deleted from, media in order to answer specific questions, while documenting the proceedings in a manner acceptable in court.
Examples:
- "What documents were altered on the evening of January 12, 2012?"
- "What pictures were hidden with what method, where and by whom?"
- "Who viewed which web pages on what day?"
- "Which MS Excel documents saved by Alan Smith contain the word 'invoice'?"
- "Which USB sticks were attached to the computer at what time?"
Memory Forensics, 1 day
- Essentials of virtual memory management (Intel, AMD; 32 bit, 64 bit)
  - Page tables
  - PFN database
  - Pagefile
- Windows object management in context
  - Processes, threads, sockets, files, tokens, ...
  - Active drivers
  - Registered storage media
  - Plug-and-Play device management
- Using templates to navigate to kernel objects (major topic)
- Types of and working with object references
- How to navigate a process's address space
  - Process Environment Block (PEB)
  - Open handles
  - Mapped memory areas
  - Loaded modules
  - Heaps, stack
- Creating RAM images
- hiberfil.sys
- Special issues when searching memory areas
  - Alignment
  - Endianness
  - Memory pools
- Malware analysis (hidden processes, hidden connections, DKOM, rootkits)
  - Identifying suspicious references by address range comparison
- Network forensics (incident analysis)
  - Ethernet packets by signature search
  - Analysing traces of connections in RAM (major topic)
The course deals mostly with Windows systems.
File Systems Revealed
Variable combination of file system courses, with an extensive introduction to file system basics (binary data storage concepts, data types, date formats) and, for example, to the file systems FAT12, FAT16, FAT32 (1/2 day), NTFS (1 day), and Ext2/Ext3/Ext4 (1/2 day). See below for the file system courses that are available.
By fully understanding the on-disk structures of a file system, you are able to recover data manually in many severe data loss scenarios where automated recovery software fails, to verify the correct function of computer forensics software, and to collect meta information beyond what is reported automatically, which might yield clues for the given case. In general, this also leads to a better understanding of the data presented by forensic software, of how computer forensics software works and of its limitations.
Newly gained knowledge is applied immediately by examining data structures on a practical example with WinHex. These exercises ensure that you will remember what you have learned.
Explanation of the effects of file deletion and the potential for file recovery. By the end you will be able to navigate almost intuitively on a hard disk and to identify various sources of information with relevance to forensics. You will be able to recover data manually in several cases even where automated software fails, and to verify the results that computer forensics software reports automatically. You will receive complete documentation of all the file systems discussed in this course, with all the training material for later repetition. Prerequisite: general computer science knowledge recommended (not just computer knowledge).
FAT12, FAT16, FAT32, 1/2 day
- Structure of FAT file systems
- Boot record
- File Allocation Table (FAT)
- Directory entries
- Effects of file deletion and potentials for file recovery
- ...
NTFS, 1 day
- Boot sector
- Master File Table (MFT)
- FILE record structure
- FILE record attributes
- Data runs
- Data compression
- Attribute lists
- Directory organisation in NTFS
- INDX record structure
- NTFS system files
- Consistency in NTFS
- Alternate data streams
- Encrypting File System: NTFS encryption
- ...
Ext2/Ext3/Ext4, 1/2 day
- File system basics
- Block Group layout
- Superblock and Group Descriptor backups
- Superblock data structure
  - Feature flags
  - ext2 revisions
- Layout and function of the Group Descriptors
- Block and Inode Bitmaps
- Inode structures
  - File Mode
  - Block Addressing
- Reserved Inodes
- Directory Management
- Ext4 extents
- Ext4 extension of file system limits
- Ext4 timestamp refinement and other improvements
- ...
XFS, 1/2 day (requires knowledge of Ext2/Ext3/Ext4)
- IRIX heritage vs. current Linux file system
- Big Endian
- Similarities and differences with ext*
- Allocation Group layout
  - Superblock structure
  - Allocation Group info sectors
  - Free Space + Free List
  - Inode Info
  - Free Space B+Trees
- XFS-specific Inode and Block number formats
- XFS Inodes
  - File Mode
  - Attribute fork
  - Inode Formats and their respective structures and uses
    - Device
    - Local
    - Extents
    - B+Tree
- XFS Directory structures
  - Small and long entries for local directories
  - Single and Multiple Block directories
ReiserFS, Reiser4, 1 day
- ReiserFS:
  - ReiserFS block formats
  - Superblock structure
  - The Reiser Tree
    - Tree organisation
    - Keys
    - Internal tree node structure
    - Leaf node structure
  - Stat items
  - Directory structures
  - Direct vs. Indirect items
  - File system navigation
  - Hans Reiser's own criticism
- Reiser4:
  - Extents instead of block listing
  - ReiserFS vs. Reiser4 trees
  - Reiser4 Superblock
  - The Reiser4 tree
    - Tree organisation
    - Keys
    - Tree node structure: Branches, twigs, leaves
  - Plugin IDs for node items
  - Stat items
  - Directory structures
exFAT, 1/2 day
- Partition layout
- Boot sector
- File allocation table
- Directory entries
  - Root-only entry types
  - Metadata entries
  - Stream extensions
  - Filenames
- Time zone offsets
XWFS2, 45 min to 1 day, on request