• Course Overview/Description Course Objectives Course Outline Prerequisites/Audience PC Requirements/Materials Included Instructor Bio See a Demo

Forensic Computer Examiner

GES 305 -- 150 hours

Course Outline

    1. Module 1 - Introduction to Computer Forensics
         a. Recommended Machine Configurations
         b. What makes a good computer forensic examiner?
         c. Computer Forensics vs. E Discovery
         d. Dealing with clients or employers
              i. Work Product
              ii. Client Contracts
              iii. Legal and privacy issues
         e. Software Licensing
         f. Ethical Conduct Issues
         g. Cases that may include digital evidence
         h. Forensic Examination Procedures
         i. Determining Scope of Examinations
         j. Hardware and Imaging Issues
         k. Floppy Diskette, USB and Optical Media Examination
         l. Limited Examinations
         m. Forensically Sterile Examination Media
         n. Examination Documentation and Reports
         o. ASCII Table
         p. General Overview of Boot Process and Operating Systems
         q. Floppy Diskette Sides, FD Tracks, Hard Disk Drives
         r. BIOS History
         s. Networked Computers
         t. Media Acquisition
         u. Acquisition Documentation
         v. Chain of Custody

    2. Module 2 - Imaging and Introduction to SMART
         a. Imaging Theory and Process
         b. Imaging Methods
         c. Write Blocking
         d. Imaging Flash Drives
         e. SMART Introduction
         f. Wiping, Hashing, Validation, Image Restoration, Cloning, Unallocated Space
         g. Drive Partitioning
         h. One (1) Student Lab Practical Exercise

    3. Module 3 - File Signatures, Data Formats & Unallocated Space
         a. File Identification
         b. File Headers
         c. General File Types
         d. File Viewers
         e. Examination of Compressed Files
         f. Data Carving - Using Simple Carver
         g. One (1) Student Lab Practical Exercise


    4. Module 4 - FAT File System
         a. Logical structures of DOS, Windows 95, Windows 98
         b. Master Boot Record
         c. File Allocation Table
              i. 16 Bit FAT
              ii. 32 Bit FAT
         d. Directory Entries
         e. Clusters
         f. Unallocated Space
         g. Sub-Directories
         h. FORMAT
         i. Six (6) Student Lab Practical Exercises

    5. Module 5 - NTFS
         a. Introduction and Overview
         b. Basic Terms
         c. Basic Boot Record Information
         d. Time Stamps
         e. Root Directory
         f. Recycle Bin
         g. File Creation
         h. File Deletion
         i. Examining NTFS Drives
         j. Two (2) Student Lab Practical Exercises

    6. Module 6 - Registry & Artifacts
         a. Creating an Examination Boot Disk
         b. Data Recovery
         c. Windows Swap and Page Files
         d. Forensic Analysis of the Windows Registry
         e. Internet Cache Files, Cookies and Internet Sites
         f. Microsoft Outlook
         g. MSMAIL
         h. Logical Structures
         i. Tracking User Specific Computer Use
         j. Internet Explorer Cache Index
         k. VISTA
         l. Basic Mail Issues
         m. Basic Internet Issues
         n. Common Situations Encountered during Examinations
         o. Password Protection and Defeating Passwords
         p. Compound Documents
         q. Examining CDR Media
         r. FTK
         s. Three (3) Student Lab Practical Exercises

    7. Module 7 - Forensic Policy, Case Writing, Legal Process & Forensic Tool Kits
         a. Use of Policy and Checklists in Forensic Practice
         b. Data Presentation to Client
         c. Case Report Writing
         d. Legal Process
         e. Expert Admission
         f. Going to Court
         g. Use of Forensic Tools and Software
         h. One (1) Student Lab Practical Exercise - Hard drive examination