SANS - Computer Forensics - Course Description

Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |

Continuing from yesterday, the investigator will initially focus on key files found on the Windows operating system that contains evidence. These files could be especially important to an investigation, providing key evidentiary links to pictures, edited or printed office documents, or files that were saved to a removable device.

With the increasing use of the web and the shift toward cloud computing using web-based applications, it is essential that browser forensic analysis is key to the investigator's skills. The investigator will explore comprehensive web browser evidence that is created during the use of Internet Explorer and Firefox. The analyst will learn how to examine cookies, history, and Internet cache files of the suspect’s system. We will show you where you can examine these files and the common mistakes amateur investigators make when looking at browser artifacts.

Throughout the day, the investigator will utilize their skills in real hands-on cases, exploring evidence create by Firefox and Internet Explorer and Windows OS artifacts discussed throughout the day.

Day 4 Topics
- Forensicating Files Containing Critical Evidence
  - Office Documents (2000-2007, doc, and .docx)
  - Adobe Files
  - Exif Data including GPS Coordinates
  - Link Files (.lnk)
  - XP Thumbs.db and Vista / Win7 Thumbscache Files
  - Internet Chat Programs (Skype)
  - Windows Prefetch Analysis (XP/Vista/Win7)
  - Windows Recycle Bin Analysis (XP/Vista/Win7)
- Browser Forensics
  - History
  - Cache
  - Searches
  - Downloads
  - Understanding of Browser Timestamps
  - Internet Explorer 6, 7, and 8
    - IE Key Forensic File Locations
    - History Index.dat (Master, Daily, Weekly) Timestamps
    - Cache Index.dat Timestamps
    - InPrivate Browsing
  - Firefox 2 and 3
    - FF2 and FF3 Key Forensic File Locations
    - Mork format and .sqlite files
  - Examination of Browser Artifacts
  - Tools Used
    - MANDIANT Inc.'s Web Historian
    - Access Data's FTK
    - FoxAnalysis

Day 4 Exercises
- Mine metadata out of the Office documents, pictures, and other files.
- Examine data recoverable from a Skype Chat.
- Discover the last previous locations of a Word document.
- Discover the camera model and time a picture was created.
- Track a suspect�s activity in browser history and cache files.
- Putting it all together. Draw conclusions based on multiple pieces of evidence.
- Write a factually based synopsis of the evidence gathered over the entire course.

SECURITY 408 Upcoming Events
Event	Location	Dates	Delivery Method
SANS vLive! - Security 408 - Rob Lee	SANS vLive! SEC408-200911, VA	Nov 30, 2009 - Feb 01, 2010
SANS CDI East 2009	Washington DC	Dec 11, 2009 - Dec 18, 2009	Live Event
SANS Security East 2010	New Orleans, LA	Jan 10, 2010 - Jan 18, 2010	Live Event
SANS 2010	Orlando, FL	Mar 06, 2010 - Mar 15, 2010	Live Event
SANS Security West 2010	San Diego, CA	May 07, 2010 - May 15, 2010	Live Event
SANS vLive! - SEC 408 - Rob Lee	SANS vLive! SEC408 - 201006, VA	Jun 08, 2010 - Aug 24, 2010

GIAC Certification

"This is awsome! We're seeing details that most people don't even know exist" - John Wright, Info Tech, Inc.

"The class provided in-depth, real world, hands-on information" - Robert Dale Drollinger, General Dynamics

SANS Institute

SANS Institute

© 2008 - 2009 The SANS™ Institute

SANS Web Privacy Policy: www.sans.org/privacy.php - Web Contact: webmaster@sans.org

SANS Press Room: www.sans.org/press / Policy On SANS Trademark Usage