The course
On this 3-day practical computer forensics training course, gain an understanding of static computer forensics analysis by learning about forensic principles, evidence continuity and the methodology to employ when conducting a forensic investigation. Using practical case scenarios, you will be guided through the process of conducting a computer forensics investigation, and will learn the principles surrounding the collection of evidence, together with the forensic tools associated with forensic analysis. Delegates who successfully complete the exam included at the end of the training course will be awarded the Certified Forensic Investigation Practitioner (CFIP) qualification.
1. Introduction to Computer Forensics
a. Define the term ‘computer forensics’
b. Define the term ‘forensic investigations’
c. List some legal considerations that apply to forensic investigations
2. Introduction to Investigations
a. List the five areas involved in a forensic investigation
b. Describe the investigation awareness phase of a forensic investigation
c. Define the four principles of forensic computing as described in the ACPO Good Practice Guidelines
d. Explain the ‘Chain of Custody’ process
e. Explain how the chain of custody process can be applied to any given object
3. Identification and Seizure
a. List devices that are common in the home environment and are capable of containing electronic evidence
b. List devices that are common in an office environment and are capable of containing electronic evidence
c. Explain the seizure process of electronic evidence
d. List evidential items of interest from a given scenario
e. Explain how actions performed on an electronic device can be associated with an individual
4. Understanding Electronic Data
a. Define the term ‘bit’ and list the different terms associated with multiple bits
b. Define the term ‘byte’ and list the different terms associated with large quantities of bytes in data storage
c. Explain the relationship between the following: Decimal, Hexadecimal, ASCII, Unicode
5. Storage and File Systems
a. Explain the process of preparing a hard drive for data storage
b. Explain the difference between a physical disk and a logical drive
c. Explain the difference between data and metadata
d. List common file system metadata
e. Explain the purpose of file systems
f. Explain various file systems’ features
g. Define the three terms: Live Data, Deleted Data, Unallocated Data
6. Forensic Acquisition
a. Explain the difference between a forensic image and a clone
b. Explain the purpose of hashing within the forensic acquisition process
c. List common tools and hardware used during the data acquisition process
d. Demonstrate the forensic acquisition and verification of an electronic device
7. Data Management
a. Explain the purpose of data backups of electronic evidence
b. Discuss logistical issues associated with data backups
c. Explain the purpose of working copies of electronic evidence
d. Discuss the issues surrounding data retention periods of electronic evidence
8. Forensic Analysis Techniques
a. Explain the five possible analysis environments
b. Explain how data carving recovers data from an electronic device
c. Discuss advantages and disadvantages of keyword searching
d. Explain potential issues associated with data extraction
e. Identify strengths and weaknesses of hash analysis
f. List common file type specific metadata
g. Discuss the reliability of date and time analysis
9. Recovering Forensic Artefacts
a. Explain the basic structure of the Vista registry
b. Demonstrate evidence recovery from the Internet history
10. Data Reduction Techniques
a. Explain how filtering data can be used for data reduction
b. Explain how hash analysis can be used for data reduction
c. Discuss the interpretation of advice and guidance to assist the data interpretation process
d. Discuss the dangers of data reduction during a forensic investigation
e. List issues associated with filtering using date and time stamps
f. Demonstrate the use of data reduction techniques
11. Forensic Challenges
a. Explain how data wiping can become a challenge during a forensic investigation
b. Explain how data encryption can become a challenge during a forensic investigation
c. Explain how malicious software can become a challenge during a forensic investigation
12. Reporting
a. Explain the purpose of forensic reporting
b. Define the expected outcome of a forensic investigation
c. Explain how the target audience can alter the reporting phase
d. Explain reporting methods that can be utilized
e. Discuss possible defence statements that may be raised during a forensic investigation
- The principles and guidelines for computer forensic investigations
- The process of evidence continuity
- The fundamentals of the complete forensic investigation process
- The forensic acquisition of an electronic device
- How to store data on electronic media
- How to work with key forensic investigation products
- How to identify Windows based OS forensic artefacts
