SANS - Computer Forensics - Course Description

Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |

Day 5 - Forensic Challenge and Mock Trial

Nothing will prepare you more than a full hands-on challenge utilizing the skills and knowledge presented throughout the week. In the morning, you will have the option of working in teams on a real forensic case in which evidence will be provided to you to analyze. The case will step you through proper acquisition, analysis, and reporting in preparation for a possible trial. Every team will work on the case for the majority of the day with the objective of discovering three critical pieces of evidence to present during the trial.

The case presented is a complex case based that will engage the individual to examine one of the most recent versions of the Windows Operating System released (Windows VISTA). The case took 3 weeks to create following a script that lays out the key parts of the case in correct time sequence to make for the most realistic training opportunity available. The case will utilize skills from each of the previous day's sections in order to solve the case.

The day will conclude with a mock trial in which presentations of the collected evidence will occur. The team with the best in-class presentation and short write-up will win the challenge and the case.

Day 5 Topics
- Forensic Case
  - Review Key Forensic Topics
  - Acquisition
    - Teams will have to fill out and follow chain of custody forms.
    - Data acquisition methods will need to be performed, described, and documented.
  - Analysis
    - Following evidence analysis methods discussed throughout the week, find critical evidence.
    - Teams will examine registry, e-mail, recovered files and more for use in the case.
  - Reporting
    - Focus and submit the top three pieces of evidence discovered, and discuss what they prove factually.
    - One of the submitted pieces of evidence will be documented for potential examination during the mock trial.

Day 5 Topics (Continued)
- Mock Trial
  - Each team would be asked to prepare an
    - Opening argument
    - Review of the Evidence and Techniques Used
    - Conclusion
  - The team with the best argument to prove their case will win the challenge.
Day 5 Exercises
- Windows VISTA Based Forensic Challenge
- Mock Trial

SECURITY 408 Upcoming Events
Event	Location	Dates	Delivery Method
SANS vLive! - Security 408 - Rob Lee	SANS vLive! SEC408-200911, VA	Nov 30, 2009 - Feb 01, 2010
SANS CDI East 2009	Washington DC	Dec 11, 2009 - Dec 18, 2009	Live Event
SANS Security East 2010	New Orleans, LA	Jan 10, 2010 - Jan 18, 2010	Live Event
SANS 2010	Orlando, FL	Mar 06, 2010 - Mar 15, 2010	Live Event
SANS Security West 2010	San Diego, CA	May 07, 2010 - May 15, 2010	Live Event
SANS vLive! - SEC 408 - Rob Lee	SANS vLive! SEC408 - 201006, VA	Jun 08, 2010 - Aug 24, 2010

GIAC Certification

"This is awsome! We're seeing details that most people don't even know exist" - John Wright, Info Tech, Inc.

"The class provided in-depth, real world, hands-on information" - Robert Dale Drollinger, General Dynamics

SANS Institute

SANS Institute

© 2008 - 2009 The SANS™ Institute

SANS Web Privacy Policy: www.sans.org/privacy.php - Web Contact: webmaster@sans.org

SANS Press Room: www.sans.org/press / Policy On SANS Trademark Usage