    Forensic Computer Examiner

    GES 305 -- 150 hours

    Course Outline

    • Module 1
      1. Overview of what types of crimes might be solved with computer evidence.
      2. Dealing with clients and employers.
      3. Initial determination of the scope of the examination.
      4. Determining what must be done and how to proceed in an examination.
      5. Overview of reasons to use trained forensic examiners and what they may expect to encounter.
      6. Software ethics.
      7. Forensic ethical standards.
      8. Forensic examination procedures.
      9. Preparing and verifying forensically sterile examination media.
      10. Note taking and report writing.
      11. Personal computer construction, hardware and software with focus on the BIOS, BIOS limitations, hard disk translation schemes and effect on forensic examinations.
      12. A very broad overview of several operating systems including:
        1. Windows NT/2000
        2. Novell
        3. Unix/Linux
        4. DOS
        5. Windows 95/98
      13. Broad overview of networks.
      14. Acquisition, collection and seizure of magnetic media.
      15. Best method of acquiring, collecting, or seizing the various operating systems.
      16. Legal and privacy issues.
      17. Establishing a sound "chain of custody."
      18. Beginning logical structures of the Microsoft operating system FAT file system.
      19. Recovering simple deleted files.
      20. Four practical exercises in preparing and verifying forensically sterile media.
      21. Using a "carving" utility to recover data from unallocated space
      22. Manual recovery of simple deleted files.
      23. Written examination on the material covered in this module.

    • Module 2
      1. DOS and Windows boot process.
      2. Creating and storing files (continued).
      3. Recovering more complex deleted files.
      4. Determining the creation date.
      5. Significance of the creation date.
      6. Determining the last accessed date and the modification date and time.
      7. Significance of the last accessed date and the modification date and time.
      8. Storing Windows long file names.
      9. Consequences of deleting Windows long file names.
      10. Recovering Windows long file names.
      11. Storing sub-directories.
      12. Consequences of deleting sub-directories.
      13. Recovering a deleted sub-directory and its files.
      14. Consequences of formatting a diskette or hard disk drive.
      15. Recovering files, sub-directories and data from formatted disks.
      16. Determining which files had been deleted prior to formatting.
      17. Definition of file slack and recovering data from file slack.
      18. Five practical exercises on the logical structure of FAT file systems, file storage and the recovery of fragmented deleted files, the recovery of long file names, the recovery of deleted sub-directories and the recovery of formatted disks.
      19. A written examination on the material covered in this module.

    • Module 3
      1. An in-depth exploration of NTFS logical structures (nothing similar is available anywhere), including:
        1. The partition table
        2. The boot record
        3. Bitmaps
        4. The root directory
        5. The MFT
        6. Headers
        7. Attributes
        8. Resident files
        9. Non-resident files
        10. Run lists, etc.
        11. Alternate data streams
        12. File storage
        13. The various dates and times stored in attributes
        14. File deletion
        15. File recovery
        16. Directory storage
        17. Tracing files/directories
        18. The NTFS registry "hive".
        19. Examining NTFS drives
      2. A practical exercise involving the detailed exploration of the NTFS logical structures on a specially prepared NTFS drive.
      3. A written examination regarding the material covered in this module.

    • Module 4
      1. Making a Windows 98 forensic boot disk
      2. Making "exact" images of media: the various imaging methods
      3. Using Firewire write blockers
      4. The significance, location and recovering data from:
        1. Swap Files
        2. Temporary Files
        3. Internet Cache Files
        4. Email files
        5. Internet Cookies
        6. Internet Sites Visited
      5. Basic Internet issues. Doing a basic "whois" and similar Internet checks.
      6. Preserving the original media.
      7. Preventing inadvertent writes to the original media, virus introduction to the original media, and activation of "booby traps" on the original media.
      8. Making bitstream (exact copies) of the original media.
      9. Safe handling of the media by the forensic examiner.
      10. The most common situations that an examiner may encounter during an examination.
      11. Finding and documenting normal data or graphical files.
      12. How people commonly try to hide data.
      13. Finding and documenting data and files in unallocated space.
      14. Finding hidden data.
      15. An overview of password protection and unlocking passwords.
      16. Accessing and interpreting "metadata" in MS Office documents.
      17. Three practical exercises on recovering data from swap files, temporary files, etc., determining registration of a URL, finding and documenting normal data on magnetic media, finding hidden data and unlocking passwords, unlocking passwords and accessing metadata.
      18. A written examination regarding the material covered in this module.

    • Module 5
      1. Data formats and types.
      2. Basic data format conversion.
      3. Examining CD-R media and accessing multiple unclosed sessions.
      4. Managing data.
      5. Presenting the data to the client in a useful format.
      6. Presenting data in court or other proceedings in a clear and understandable manner.
      7. Marking, storage, and transmittal of evidence.
      8. Basic use of automated forensic suites (AccessData's Forensic Toolkit, FTK).
      9. A practical exercise in which the students examine a specially prepared hard-disk drive, draw the appropriate conclusions, write a good report and present the evidence found in a manner that is clear and understandable.
      10. A written examination regarding the material covered in this module.

    • Additional resources provided
      1. Detailed handout for each module covered, usable as a reference manual.
      2. Sample reports
      3. Additional practical exercises.
      4. DOS primer
      5. Diskedit primer and other useful information and applications.
      6. Subscription to a forensic listserver that provides both administrative and technical information.
      7. Continuing access to updated material via the GES website, even after course completion.

