SECURITY 408



Securing, or "bagging and tagging," digital evidence can be tricky. Every computer forensic examiner should be familiar with the different methods of acquiring it while maintaining its integrity. Starting with the foundations of law enforcement training in proper evidence handling procedures, you will learn firsthand the best methods for acquiring evidence in a case. You will use the Tableau write blocker, part of your SIFT Essentials kit, to obtain evidence from a hard drive using the most popular tools in the field. You will learn how to use toolkits to acquire memory from a running system, and hard disk images or protected files from a system that is either running or powered off.

Finally, the day concludes with the first steps of electronic evidence analysis. You will learn how to recover deleted data from the evidence, run string searches against it using a word list, and begin to piece together the events that shaped the case. Today's material is critical for anyone performing digital forensics who needs the most up-to-date techniques for acquiring and analyzing digital evidence.

This course is very hands-on. Each investigator will acquire a disk image and begin analysis of a case that draws on the skills presented throughout the day. This course is necessary for anyone looking to put into practice the skills they are learning daily.
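The acquisition and integrity workflow described above (image the drive, record hashes so the evidence can later be shown to be unaltered, then search the image against a word list), written out as an added POSIX shell example. This is not course material or any vendor's tool; it uses dd, sha256sum and GNU grep on a constructed 64 KiB "device" file with planted strings, and the device path, word list, log format and byte offsets are all made up for illustration.

```shell
#!/bin/sh
# Added example, not SANS course material or any vendor's tool: a raw
# acquisition with dd, SHA-256 integrity verification at acquisition and
# again later, and a word-list string search over the image. The "device"
# and the word list are constructed inline so the script runs offline.
set -eu
export LC_ALL=C   # byte-wise matching; no locale surprises on binary data

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a seized device (hypothetical path): 64 KiB of
# zero filler with a few planted strings, one surrounded by binary bytes.
make_sample_device() {
    dev="$WORK/sdb"
    dd if=/dev/zero of="$dev" bs=1024 count=64 2>/dev/null
    printf 'Invoice to ACME Corp, wire transfer pending\n' \
        | dd of="$dev" bs=1 seek=4096 conv=notrunc 2>/dev/null
    printf '\001\002\003 deleted memo: meet at warehouse 9pm \377\376' \
        | dd of="$dev" bs=1 seek=20000 conv=notrunc 2>/dev/null
    printf 'nothing relevant here\n' \
        | dd of="$dev" bs=1 seek=50000 conv=notrunc 2>/dev/null
    echo "$dev"
}

# Acquire a raw image and prove it is a faithful copy: hash the source and
# the image, append both to the acquisition log, return 0 only on a match.
# (Field usage of dd adds conv=noerror,sync to keep offsets past bad sectors;
# sync pads the final partial block, which must then be accounted for in the
# hash comparison, so it is left out of this clean-read example.)
acquire_and_verify() {
    src=$1; img=$2; log=$3
    dd if="$src" of="$img" bs=4096 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src sha256=$src_hash"
        echo "image=$img sha256=$img_hash"
    } >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# Re-hash an image and compare with the hash recorded at acquisition.
verify_image() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Word-list search over the raw image: fixed strings, case-insensitive,
# binary-safe (-a). Prints "byte_offset:matched_text", one hit per line.
# No hits (grep exit 1) is a valid result; other grep errors still fail.
wordlist_search() {
    grep -a -o -b -i -F -f "$2" "$1" || [ $? -eq 1 ]
}

DEV=$(make_sample_device)
IMG="$WORK/sdb.dd"
LOG="$WORK/acquisition.log"
acquire_and_verify "$DEV" "$IMG" "$LOG"
IMG_HASH=$(sha256sum "$IMG" | cut -d' ' -f1)

printf 'acme\nwarehouse\nwire transfer\n' > "$WORK/wordlist.txt"   # constructed
HITS=$(wordlist_search "$IMG" "$WORK/wordlist.txt")
echo "$HITS"

# Integrity check: the pristine image verifies; a copy with one byte changed
# does not, which is exactly what the recorded hash is for.
TAMPERED="$WORK/sdb-tampered.dd"
cp "$IMG" "$TAMPERED"
printf 'X' | dd of="$TAMPERED" bs=1 seek=4107 conv=notrunc 2>/dev/null
verify_image "$IMG" "$IMG_HASH" && echo "image verified"
verify_image "$TAMPERED" "$IMG_HASH" || echo "tampered copy detected"
```

In the field the source would be the device node presented by the write blocker rather than a file, and the two hashes plus the timestamp from the log go onto the chain of custody form; re-running verify_image against the recorded hash before analysis is how you show the image has not changed since seizure. The search runs over the raw image rather than the mounted filesystem, so it also hits content in unallocated space such as the "deleted memo" planted between binary bytes.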




  • Day 2 Topics
    • Evidence Acquisition Basics
      • Tableau Write Blocker Utilization
      • Access Data's FTK Imager
      • Access Data's FTK Imager Lite
    • Preservation of Evidence
      • Chain of Custody
      • Evidence Handling
      • Evidence Integrity
    • Types of Acquisition
      • Logical vs. Physical
      • Basic Windows Memory Acquisition
      • Basic Disk Based Acquisition
      • E-discovery Acquisition
    • Forensic Field Kits
      • Adapters/Cables
      • Write Blockers
      • Laptops/Handheld Imagers
    • Full Disk Image Acquisition Tools and Techniques
      • Seize Evidentiary Image of a USB Device
      • Seize Evidentiary Image From a Hard Drive
    • Network Acquisition
    • Graphical Forensic Tools
      • Access Data's Forensic Tool Kit (FTK)
      • Guidance Software's EnCase
      • HELIX/Autopsy
    • Traditional Tasks Performed Using the Forensic Tools
      • String/File Searches
      • Automated Forensics
      • Browsing Disks
    • Recover Deleted Files
      • Automated Recovery
      • String Searches
  • Day 2 Exercises
    • Search for files or e-mails containing specific words related to a case.
    • Image a hard drive for evidence using a Tableau Write Blocker.
    • Image a USB device for evidence.
    • Image system memory for evidence.
    • Fill out a chain of custody form.
    • Document evidence acquisition for reporting.
    • Recover deleted files.
SECURITY 408 Upcoming Events

Event                                 | Location                         | Dates                       | Delivery Method
--------------------------------------+----------------------------------+-----------------------------+----------------
SANS vLive! - Security 408 - Rob Lee  | SANS vLive! SEC408-200911, VA    | Nov 30, 2009 - Feb 01, 2010 |
SANS CDI East 2009                    | Washington DC                    | Dec 11, 2009 - Dec 18, 2009 | Live Event
SANS Security East 2010               | New Orleans, LA                  | Jan 10, 2010 - Jan 18, 2010 | Live Event
SANS 2010                             | Orlando, FL                      | Mar 06, 2010 - Mar 15, 2010 | Live Event
SANS Security West 2010               | San Diego, CA                    | May 07, 2010 - May 15, 2010 | Live Event
SANS vLive! - SEC 408 - Rob Lee       | SANS vLive! SEC408 - 201006, VA  | Jun 08, 2010 - Aug 24, 2010 |
"This is awesome! We're seeing details that most people don't even know exist" - John Wright, Info Tech, Inc.
"The class provided in-depth, real world, hands-on information" - Robert Dale Drollinger, General Dynamics
SANS Institute