1. Module 1 - Introduction to Computer Forensics
a. Recommended Machine Configurations
b. What makes a good computer forensic examiner?
c. Computer Forensics vs. E Discovery
d. Dealing with clients or employers
i. Work Product
ii. Client Contracts
iii. Legal and privacy issues
e. Software Licensing
f. Ethical Conduct Issues
g. Cases that may include digital evidence
h. Forensic Examination Procedures
i. Determining Scope of Examinations
j. Hardware and Imaging Issues
k. Floppy Diskette, USB and Optical Media Examination
l. Limited Examinations
m. Forensically Sterile Examination Media
n. Examination Documentation and Reports
o. ASCII Table
p. General Overview of Boot Process and Operating Systems
q. Floppy Diskette Sides, FD Tracks, Hard Disk Drives
r. BIOS History
s. Networked Computers
t. Media Acquisition
u. Acquisition Documentation
v. Chain of Custody
2. Module 2 - Imaging and Introduction to SMART
a. Imaging Theory and Process
b. Imaging Methods
c. Write Blocking
d. Imaging Flash Drives
e. SMART Introduction
f. Wiping, Hashing, Validation, Image Restoration, Cloning, Unallocated Space
g. Drive Partitioning
h. One (1) Student Lab Practical Exercise
3. Module 3 - File Signatures, Data Formats & Unallocated Space
a. File Identification
b. File Headers
c. General File Types
d. File Viewers
e. Examination of Compressed Files
f. Data Carving - Using Simple Carver
g. One (1) Student Lab Practical Exercise
4. Module 4 - FAT File System
a. Logical structures of DOS, Windows 95, Windows 98
b. Master Boot Record
c. File Allocation Table
i. 16 Bit FAT
ii. 32 Bit FAT
d. Directory Entries
e. Clusters
f. Unallocated Space
g. Sub-Directories
h. FORMAT
i. Six (6) Student Lab Practical Exercises
5. Module 5 - NTFS
a. Introduction and Overview
b. Basic Terms
c. Basic Boot Record Information
d. Time Stamps
e. Root Directory
f. Recycle Bin
g. File Creation
h. File Deletion
i. Examining NTFS Drives
j. Two (2) Student Lab Practical Exercises
6. Module 6 - Registry & Artifacts
a. Creating an Examination Boot Disk
b. Data Recovery
c. Windows Swap and Page Files
d. Forensic Analysis of the Windows Registry
e. Internet Cache Files, Cookies and Internet Sites
f. Microsoft Outlook
g. MSMAIL
h. Logical Structures
i. Tracking User Specific Computer Use
j. Internet Explorer Cache Index
k. VISTA
l. Basic Mail Issues
m. Basic Internet Issues
n. Common Situations Encountered during Examinations
o. Password Protection and Defeating Passwords
p. Compound Documents
q. Examining CDR Media
r. FTK
s. Three (3) Student Lab Practical Exercises
7. Module 7 - Forensic Policy, Case Writing, Legal Process & Forensic Tool Kits
a. Use of Policy and Checklists in Forensic Practice
b. Data Presentation to Client
c. Case Report Writing
d. Legal Process
e. Expert Admission
f. Going to Court
g. Use of Forensic Tools and Software
h. One (1) Student Lab Practical Exercise - Hard drive examination
Forensic Computer Examiner
GES 305 -- 150 hours
Course Outline
1. Module 1 - Introduction to Computer Forensics
a. Recommended Machine Configurations
b. What makes a good computer forensic examiner?
c. Computer Forensics vs. E Discovery
d. Dealing with clients or employers
i. Work Product
ii. Client Contracts
iii. Legal and privacy issues
e. Software Licensing
f. Ethical Conduct Issues
g. Cases that may include digital evidence
h. Forensic Examination Procedures
i. Determining Scope of Examinations
j. Hardware and Imaging Issues
k. Floppy Diskette, USB and Optical Media Examination
l. Limited Examinations
m. Forensically Sterile Examination Media
n. Examination Documentation and Reports
o. ASCII Table
p. General Overview of Boot Process and Operating Systems
q. Floppy Diskette Sides, FD Tracks, Hard Disk Drives
r. BIOS History
s. Networked Computers
t. Media Acquisition
u. Acquisition Documentation
v. Chain of Custody
2. Module 2 - Imaging and Introduction to SMART
a. Imaging Theory and Process
b. Imaging Methods
c. Write Blocking
d. Imaging Flash Drives
e. SMART Introduction
f. Wiping, Hashing, Validation, Image Restoration, Cloning, Unallocated Space
g. Drive Partitioning
h. One (1) Student Lab Practical Exercise
3. Module 3 - File Signatures, Data Formats & Unallocated Space
a. File Identification
b. File Headers
c. General File Types
d. File Viewers
e. Examination of Compressed Files
f. Data Carving - Using Simple Carver
g. One (1) Student Lab Practical Exercise
4. Module 4 - FAT File System
a. Logical structures of DOS, Windows 95, Windows 98
b. Master Boot Record
c. File Allocation Table
i. 16 Bit FAT
ii. 32 Bit FAT
d. Directory Entries
e. Clusters
f. Unallocated Space
g. Sub-Directories
h. FORMAT
i. Six (6) Student Lab Practical Exercises
5. Module 5 - NTFS
a. Introduction and Overview
b. Basic Terms
c. Basic Boot Record Information
d. Time Stamps
e. Root Directory
f. Recycle Bin
g. File Creation
h. File Deletion
i. Examining NTFS Drives
j. Two (2) Student Lab Practical Exercises
6. Module 6 - Registry & Artifacts
a. Creating an Examination Boot Disk
b. Data Recovery
c. Windows Swap and Page Files
d. Forensic Analysis of the Windows Registry
e. Internet Cache Files, Cookies and Internet Sites
f. Microsoft Outlook
g. MSMAIL
h. Logical Structures
i. Tracking User Specific Computer Use
j. Internet Explorer Cache Index
k. VISTA
l. Basic Mail Issues
m. Basic Internet Issues
n. Common Situations Encountered during Examinations
o. Password Protection and Defeating Passwords
p. Compound Documents
q. Examining CDR Media
r. FTK
s. Three (3) Student Lab Practical Exercises
7. Module 7 - Forensic Policy, Case Writing, Legal Process & Forensic Tool Kits
a. Use of Policy and Checklists in Forensic Practice
b. Data Presentation to Client
c. Case Report Writing
d. Legal Process
e. Expert Admission
f. Going to Court
g. Use of Forensic Tools and Software
h. One (1) Student Lab Practical Exercise - Hard drive examination
