
Forensic Computer Examiner

GES 305 -- 150 hours

Course Objectives

    After successful completion of the Forensic Computer Examiner online program, students will:
    • Understand what makes an examiner a good examiner.
    • Be able to explain to clients why trained forensic examiners should be used.
    • Understand what a forensic examiner may expect to encounter during an examination.
    • Understand software licensing and how it affects forensic examiners.
    • Understand forensic ethical standards as they apply to forensic examiners.
    • Understand basic forensic examination procedures.
    • Be able to prepare and verify forensically sterile examination media.
    • Understand the importance and methodology of note taking and reports.
    • Understand basic PC hardware identification.
    • Have a basic understanding of the legal privacy issues relating to the examination of magnetic media.
    • Understand when a legal opinion may be necessary to prevent privacy issues from interfering with the examination or causing a valid lawsuit.
    • Have a basic understanding of how to properly acquire, collect, or seize magnetic media.
    • Understand how to properly establish and maintain the physical "chain of custody" of media and evidence.
    • Make exact forensic copies of original floppy-diskette media.
    • Understand the logical structures of DOS and Windows 95/98.
    • Understand where the creation and modification dates and times are stored in a directory entry.
    • Understand the significance of the creation and modification dates and times.
    • Understand how to recover data from unallocated space.
    • Understand and explain how files are created.
    • Understand and explain what happens when a file is deleted.
    • Understand, explain and manually recover DOS legal single and multiple cluster deleted files.
    • Understand, explain and manually recover DOS legal multiple cluster fragmented deleted files.
    • Understand how to determine the Last Accessed Date and the Modification Date and Time, their significance and when they are modified.
    • Understand how Windows long file names are stored, what happens when they are deleted and how to restore long file names.
    • Understand how sub-directories are stored, what happens when they are deleted and how to recover deleted sub-directories.
    • Understand what happens when a diskette or hard-disk drive is formatted and how to recover files, sub-directories, and data from formatted disks.
    • Understand the NTFS partition table, boot record, and root directory.
    • Understand Bitmaps.
    • Understand the MFT.
    • Understand NTFS Headers and Attributes.
    • Understand Resident and Non-resident files.
    • Understand Run lists, etc.
    • Understand Alternate data streams.
    • Understand NTFS File storage.
    • Understand the various dates and times stored in attributes.
    • Understand File deletion and recovery.
    • Understand Directory storage.
    • Understand Tracing files/directories.
    • Understand the NTFS registry "hive."
    • Understand Examining NTFS drives.
    • Understand the basic imaging methods and how to make "exact copies" of media.
    • Understand the significance of, location of and how to recover data from swap files, temporary files, Internet cache files, Internet cookies, mail files and Internet sites visited.
    • Understand basic Internet issues, such as doing a basic "whois."
    • Understand how to preserve the original media.

    • Understand how to prevent inadvertent writes.
    • Understand how to prevent virus introduction and how to prevent activation of "booby traps."
    • Understand how to safely handle media.
    • Understand how to find and document normal data and graphical files.
    • Understand how people commonly try to hide data.
    • Understand how to find and document data in unallocated space.
    • Understand how to find hidden data.
    • Understand password protection schemes and how to lock and unlock many passwords.
    • Understand how to access MS Word metadata.
    • Understand the basic use of automated forensic suites (FTK).
    • Understand basic data formats and types.
    • Understand how to conduct basic data-format conversions.
    • Understand the basic issues in examining CDR media.
    • Understand how to present recovered and evidence data to the client in a useful format.
    • Understand how to manage data.
    • Understand how to present data in court or other proceedings in a clear and understandable manner.
    • Have conducted an examination of a hard disk drive that covers the full range of forensic issues found in this training course.
    • Be fully prepared to sit for the CCE Certification testing through the International Society of Forensic Computer Examiners.