SANS - Computer Forensics - Course Description

Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |

Day 1 - Forensic and E-discovery Fundamentals

At the beginning, investigating a case would appear to be a daunting task. The hardest part of forensics is not recovering data, but understanding how the recovered evidence could prove a case. Starting on this day, students will become familiarized with fundamental forensic topics that every investigator should know.

Starting with fundamental forensic technical and legal topics, the course will guide you through the must-know digital forensic topics. This day will introduce where electronically stored information (ESI) might be found across your infrastructure. Learning how to present and write computer forensic reports will also be taught in-depth that will focus on the industry best practices. Knowing how to present crucial data in court, judge, or to management is a key step in becoming a master computer forensic examiner.

Day 1 Topics
- Purpose of Forensics
  - Investigative Mindset
  - Focus on the Fundamentals
- Discussion Major Case Types
  - Industrial Espionage and Fraud
  - Hacker Intrusions
  - Inappropriate Use of Internet
  - Child Exploitation
  - E-discovery
  - Corporate Investigations
  - Civil and Criminal Litigation
- Types of Electronic Stored Information
  - E-mail
  - Web site Postings, Blogs/Wiki, Text Messaging, and Chat Room Content
  - Computer Stored Records and Databases
- Location of Electronically Stored Evidence (ESI)
  - Computer Based Network
  - Portable Electronic Storage Devices
  - Mobile
- Evidence Collection Order of Volatility
  - Live and Static Collection
- File System Basics
  - Partition, Data, Metadata, Filename

Day 1 Topics (Continued)
- Evidence Fundamentals
  - Admissibility
  - Authenticity
  - Threats against Authenticity
- Reporting and Presenting Evidence
  - Taking Notes
  - Report Writing Essentials
  - Best Practices for Presenting Evidence
- Forensic Methodology
  - Evidence Acquisition
  - Evidence Analysis
Day 1 Exercises
- Install Forensic Toolkits
- Where Will Evidence Exist?
  - Given a case description, describe places you might look for evidence.
- Reporting/Presenting/Documentation
  - Describe through writing and presentation a simple technical event for potential use in court.
- Challenging Evidence:
  - Given a set of circumstances surrounding a piece of evidence, describe several ways it could be challenged.

SECURITY 408 Upcoming Events
Event	Location	Dates	Delivery Method
SANS vLive! - Security 408 - Rob Lee	SANS vLive! SEC408-200911, VA	Nov 30, 2009 - Feb 01, 2010
SANS CDI East 2009	Washington DC	Dec 11, 2009 - Dec 18, 2009	Live Event
SANS Security East 2010	New Orleans, LA	Jan 10, 2010 - Jan 18, 2010	Live Event
SANS 2010	Orlando, FL	Mar 06, 2010 - Mar 15, 2010	Live Event
SANS Security West 2010	San Diego, CA	May 07, 2010 - May 15, 2010	Live Event
SANS vLive! - SEC 408 - Rob Lee	SANS vLive! SEC408 - 201006, VA	Jun 08, 2010 - Aug 24, 2010

GIAC Certification

"This is awsome! We're seeing details that most people don't even know exist" - John Wright, Info Tech, Inc.

"The class provided in-depth, real world, hands-on information" - Robert Dale Drollinger, General Dynamics

SANS Institute

SANS Institute

© 2008 - 2009 The SANS™ Institute

SANS Web Privacy Policy: www.sans.org/privacy.php - Web Contact: webmaster@sans.org

SANS Press Room: www.sans.org/press / Policy On SANS Trademark Usage