Forensic Computer Examiner
GES 305 -- 150 hours
Course Outline
- Module 1
- Overview of what types of crimes might be solved with computer evidence.
- Dealing with clients and employers.
- Initial determination of the scope of the examination.
- Determining what must be done and how to proceed in an examination.
- Overview of reasons to use trained forensic examiners and what they may expect to encounter.
- Software ethics.
- Forensic ethical standards.
- Forensic examination procedures.
- Preparing and verifying forensically sterile examination media.
- Note taking and report writing.
- Personal computer construction, hardware and software with focus on the BIOS, BIOS limitations, hard disk translation schemes and effect on forensic examinations.
- A very broad overview of several operating systems, including:
  - Windows NT/2000
  - Novell
  - Unix/Linux
  - DOS
  - Windows 95/98
- Broad overview of networks.
- Acquisition, collection and seizure of magnetic media.
- Best methods of acquiring, collecting, or seizing media from the various operating systems.
- Legal and privacy issues.
- Establishing a sound "chain of custody."
- Introduction to the logical structures of the Microsoft FAT file system.
- Recovering simple deleted files.
- Four practical exercises in preparing and verifying forensically sterile media.
- Using a "carving" utility to recover data from unallocated space.
- Manual recovery of simple deleted files.
- Written examination on the material covered in this module.
- Module 2
- DOS and Windows boot process.
- Creating and storing files (continued).
- Recovering more complex deleted files.
- Determining the creation date.
- Significance of the creation date.
- Determining the last accessed date and the modification date and time.
- Significance of the last accessed date and the modification date and time.
- Storing Windows long file names.
- Consequences of deleting Windows long file names.
- Recovering Windows long file names.
- Storing sub-directories.
- Consequences of deleting sub-directories.
- Recovering a deleted sub-directory and its files.
- Consequences of formatting a diskette or hard disk drive.
- Recovering files, sub-directories and data from formatted disks.
- Determining which files had been deleted prior to formatting.
- Definition of file slack and recovering data from file slack.
- Five practical exercises on the logical structure of FAT file systems, file storage and the recovery of fragmented deleted files, the recovery of long file names, the recovery of deleted sub-directories and the recovery of formatted disks.
- A written examination on the material covered in this module.
- Module 3
- An in-depth exploration of NTFS logical structures (nothing similar is available anywhere), including:
  - The partition table
  - The boot record
  - Bitmaps
  - The root directory
  - The MFT
  - Headers
  - Attributes
  - Resident files
  - Non-resident files
  - Run lists, etc.
  - Alternate data streams
  - File storage
  - The various dates and times stored in attributes
  - File deletion
  - File recovery
  - Directory storage
  - Tracing files/directories
  - The NTFS registry "hive"
  - Examining NTFS drives
- A practical exercise involving the detailed exploration of the NTFS logical structures on a specially prepared NTFS drive.
- A written examination regarding the material covered in this module.
- Module 4
- Making a Windows 98 forensic boot disk.
- Making "exact" images of media: the various imaging methods.
- Using FireWire write blockers.
- The significance and location of, and recovering data from:
  - Swap files
  - Temporary files
  - Internet cache files
  - Email files
  - Internet cookies
  - Internet sites visited
- Basic Internet issues. Doing a basic "whois" and similar Internet checks.
- Preserving the original media.
- Preventing inadvertent writes to the original media, virus introduction to the original media, and activation of "booby traps" on the original media.
- Making bitstream (exact copies) of the original media.
- Safe handling of the media by the forensic examiner.
- The most common situations that an examiner may encounter during an examination.
- Finding and documenting normal data or graphical files.
- How people commonly try to hide data.
- Finding and documenting data and files in unallocated space.
- Finding hidden data.
- An overview of password protection and unlocking passwords.
- Accessing and interpreting "metadata" in MS Office documents.
- Three practical exercises on recovering data from swap files, temporary files, etc., determining registration of a URL, finding and documenting normal data on magnetic media, finding hidden data, unlocking passwords and accessing metadata.
- A written examination regarding the material covered in this module.
- Module 5
- Data formats and types.
- Basic data format conversion.
- Examining CD-R media and accessing multiple unclosed sessions.
- Managing data.
- Presenting the data to the client in a useful format.
- Presenting data in court or other proceedings in a clear and understandable manner.
- Marking, storage, and transmittal of evidence.
- Basic use of automated forensic suites (AccessData's Forensic Toolkit (FTK)).
- A practical exercise in which the students examine a specially prepared hard-disk drive, draw the appropriate conclusions, write a good report and present the evidence found in a manner that is clear and understandable.
- A written examination regarding the material covered in this module.
- Additional resources provided
- Detailed handout for each module covered, usable as a reference manual.
- Sample reports
- Additional practical exercises.
- DOS primer
- Diskedit primer and other useful information and applications.
- Subscription to a forensic listserver that provides both administrative and technical information.
- Continuing access to updated material via the GES website, even after course completion.