This course takes a multi-disciplinary approach to the investigation of incidents in which computers or computer technology play a significant role. Participants completing this course will be familiar with the core computer science theory and practical skills necessary to perform first-level digital forensic investigations, understand the role of technology in investigating computer-related crimes, and be prepared to deal with law enforcement, the judiciary and the attorneys involved in investigating cyber-crimes.
This course has 15 modules. After completing the 15 modules, students may opt to undertake practical training in digital forensics to obtain the Certified Digital Forensics Professional (CDFP) credential. Practical training is covered in Module 16, which requires compulsory full-time training for one week.
GOALS
Upon the successful completion of this course, participants will be able to:
- Identify pertinent electronic evidence in the context of violations of specific laws, namely those that deal with computer and related crimes, also referred to as cyber laws or technology crime laws.
- Locate and recover relevant electronic evidence from different platforms and Operating Systems using a variety of tools.
- Identify and articulate the probable cause that may be necessary to obtain a warrant to search for and seize electronic artifacts, and recognize the limits of such warrants.
- Recognize and maintain a chain of custody of electronic evidence.
- Follow a documented forensics investigation process covering the end-to-end digital forensics life cycle.
LEARNING OUTCOMES
On successful completion of this unit, students will be able to:
- Describe the role of digital forensics in criminal investigations, corporate investigation and auditing, and IT security operations;
- Explain how data is stored on a local computer, remotely on the Internet and in the Cloud, and the general structure of LANs, WANs and the Internet;
- Apply current industry best practices to the analysis of digital evidence in hypothetical and real-case scenarios;
- Undertake a basic digital forensic investigation, from data acquisition and validation through evidence discovery, analysis, validation and presentation, using a variety of digital forensics tools;
- Acquire important generic skills: communication skills involved in report writing and presentation, inquiry, analysis and interpretation, problem solving, independent and group work, professionalism and social responsibility.
OVERVIEW
This course will benefit business enterprises in multiple verticals, not-for-profit organizations, individuals and government agencies intent on pursuing any corrective action, litigation or establishing proof of guilt based on digital evidence.
A case in point could be the termination of an employee for a violation where a digital artifact supports the allegation. The investigator must furnish irrefutable proof derived from the digital artifact. If not, a lawyer knowledgeable about computers and their forensic dimension could convince the court to dismiss the case. Similarly, government or investigative agencies need to be able to successfully prosecute or defend cases such as acts of fraud, computer misuse, pornography or counterfeiting.
WHAT WILL BE COVERED IN THE TRAINING?
This program will be delivered through 15 learning modules at the first level. Those who complete all these modules successfully have the option of continuing with the sixteenth module, which has nine hands-on lab exercises to be done during a two-week intense internship. During the internship, participants will be guided by expert digital forensic investigators who bring with them rich practical experience in digital forensic investigation.
MODULE 1: LEGAL ASPECTS OF DIGITAL FORENSICS & GLOBAL APPROACH
- Digital Forensics Overview
- Brief introduction to Forensic science
- Major legal systems
- Taxonomy of cyber-crimes
- Global Initiatives against cyber-crimes
  - Commonwealth Cybercrime Initiative (CCI)
  - Interpol
  - Federal Bureau of Investigation
  - OECD
  - Council of Europe – Convention on Cybercrime
  - Global Cyber Security Index (GCI)
- Understanding threats to Information Assets
- Challenges in investigating cyber-crimes
MODULE 2: COMPUTER HARDWARE
- Computer Hardware Components
- The Boot Process
- Hard Disk Partitioning
- File System Overview
- How a file is stored (creation, modified and accessed timestamps)
- The effects of deleting and un-deleting files
MODULE 3: FILE SYSTEMS
- Concept of computer file systems
- FAT (File Allocation Table) Basics
- Physical Layout of FAT
- Viewing FAT Entries
- The Function of FAT
- NTFS (New Technology File System)
- Clusters and Sectors
- Alternate Data Streams
- Linux File Systems
- Slack Space
- Resilient File System (ReFS)
MODULE 4: DISKS AND STORAGE MEDIA
- ISO9660
- UDF – Universal Disk Format
- Media Devices:
  - HDD
  - Magnetic Tapes
  - Floppy Disk
  - Compact Discs, DVD and Blu-ray
  - iPods, Flash Memory Cards, etc.
MODULE 5: DIGITAL EVIDENCE – FOUNDATIONS
- What is Digital Evidence?
- Computer “Incidents”
- Evidence Types
- Search & Seizure
  - Voluntary Surrender
  - Subpoena
  - Search Warrant
- Planning for and gathering digital evidence
  - The Physical Location
  - Personnel
  - Computer Systems
  - What Equipment to take
  - Search Authority
- Handling Evidence at the scene
  - Securing the Scene
  - Taking Photographs
  - Seizing Electronic Evidence
  - Bagging and Tagging
MODULE 6: MANAGING DIGITAL EVIDENCE
- Chain of Custody
  - Definition
  - Controls
  - Documentation
- Evidence Admissibility in a Court
  - Relevance and Admissibility
  - Best Practices for Admissibility
  - Hearsay Rule, Exculpatory and Inculpatory Evidence
MODULE 7: BOOT PROCESS: WINDOWS, LINUX AND MACINTOSH
- The Boot Process
- System Startup
- The relevance of the boot process for the digital forensic investigator
- Loading MS-DOS
- Loading Windows OS
- Loading Windows 2003 Server
- Loading Linux
- Loading Linux Server
- Loading Macintosh
- When to Pull the Plug or Shutdown?
MODULE 8: MOBILE DEVICES FORENSICS
- Mobile device forensics
- Mobile Operating Systems
- Data acquisition on mobile / hand held devices
- Investigative options available to crack password-protected files
MODULE 9: ACQUIRING, PROCESSING AND PRESENTATION OF DIGITAL EVIDENCE
- Using Live Forensics Boot CDs
- Boot Disks
- Viewing the Invisible HPA and DCO data
- Drive-to-Drive DOS acquisition
- Forensics Image Files
- Data Compression
- Image File Forensics Tools
- Copyright Issues – Graphic Files
- Network Evidence acquisition
  - Why Network acquisition?
  - Network Cables
  - FastBloc
  - LinEn
- Mounting a File System as Read Only
MODULE 10: FORENSIC INVESTIGATION THEORY
- Locard’s Exchange Principle
- Reconstructing the crime scene
- Classification
- Comparison
- Individualization
- Behavioral Evidence Analysis
- Equivocal Forensic Analysis
- Basics of Criminology
- Basics of Victimology
- Incident Scene Characteristics
MODULE 11: PROCESSING EVIDENCE
- Windows Registry
- System identifiers
- Sources of unique identification within OS
- Aspects of OS data files, including Index.dat and other system files
- “Recycle” folder and deleted files
- Image metadata
MODULE 12: PRESENTING EVIDENCE
- Documenting and Reporting Digital Evidence
- Review and analyze the methods used to document and report the results of a computer forensic examination.
- Program participants will present their findings and electronic discoveries in an exercise that demonstrates their ability to create an effective presentation.
- The students will present their findings in “layman’s terms,” which is critical during any investigation, using the following fundamental approaches to evidence presentation:
  - “Best evidence” concept
  - “Hearsay” concept
  - “Authenticity” and “Alteration of Computer Records” concepts
  - “Layman’s analogies” available to the Computer Forensic practitioner
- Admissibility of digital evidence in a court of law
MODULE 13: FORENSIC MODELS, APPLIANCES AND PROTOCOLS
- Four Cardinal Rules
- Alpha 5
- Best Practices
- Software Licensing Types
  - Free Software
  - Industry Accepted Software
- Forensics Hardware Devices:
  - Disk Duplicators
  - Write Blockers
MODULE 14: CRYPTOGRAPHY, PASSWORD CRACKING AND STEGANOGRAPHY
- Basics of cryptology and cryptography
- Cryptography and cryptanalysis Processes
- Hash Types
- Pre-Computed Hash Tables
- Types of encryption concepts
- Investigative options available to crack password-protected files
MODULE 15: LAB PROTOCOLS
- Quality Assurance
- Standard Operating Procedures
- Peer Review
- Administrator Review
- Annual Review
- Deviations from the SOP
- Lab Intake and what you must receive
- Tracking Digital Evidence in the Lab
- Storage Requirements
- Proficiency Tests
- Code of Ethics
WHAT YOU RECEIVE
Certificate of Course Participation
PROFESSIONAL LEVEL
MODULE 16 – DIGITAL FORENSICS PRACTICALS
This level is 100% hands-on and mandatory for students who wish to upgrade to full professional accreditation in digital forensics after successful completion of the first 15 modules. Students must spend 5 days in full-time residential practical training sessions and then take an exam that has two components, viz.:
• 100 multiple choice questions exam and
• Interpretation of two scenarios that will be presented.
Lab Exercise -1
• Network Forensics
• Network Traffic analysis
• Understanding TCP/IP packets and their structure
• Detecting and tracing the route
Lab Exercise – 2
• Network Scanning
• TCP 3-way handshake process
• Dynamic Host Configuration Protocol
• DNS Structure and error code analysis
Lab Exercise – 3
• Abnormal / unusual network communication
• FTP and HTTP protocol analysis
• Reconstructing browsed images
Lab Exercise – 4
• Windows Forensics
• Win UFO – Ultimate Forensic Outflow
• OS Forensics
Lab Exercise – 5
• FTK Imager and FTK Toolkit
• Creating disk image using FTK Imager
• Creating and using hash lists
• EnCase Imager and using EnCase for forensic analysis
Lab Exercise – 6
• Hex Editor
• Hex Workshop
• Capturing Volatile RAM
• Memory Dump file analysis
Lab Exercise – 7
• SQLite Database viewer
• Data Carving
• Forensic Analysis of Skype
• Social Media digital evidence – acquisition and interpretation
Lab Exercise – 8
• Mobile Forensics
• E-mail forensics
• Windows registry analysis
Lab Exercise – 9
Presentation of Digital Evidence
Program participants are introduced to aspects of presenting digital evidence in a courtroom environment. They will be exposed to the tools necessary to effectively create and present the results of a cybercrime investigation to an administrative body or court of law. Both civil and criminal incidents are covered during the program. This is the final exercise where students will work, in small groups, on a case study that is a sanitized version of a real-life case. They will address and overcome the challenge of presenting their findings in a low-tech format where non-technical personnel can decipher and understand the results.