SECURITY 508


GIAC Certification Available

From intellectual property theft and computer abuse to intrusions, this hands-on forensic course will arm you with the methods and tools to respond to and investigate any event in your workplace. The course provides a starting point for forensic investigators and fills in the gaps for more experienced security personnel.

Beginning on the first day, you will learn the proper methodology for investigating a complex digital crime. Using real-world scenarios, you will see how an investigation might begin in your organization and how to start the investigative process. File systems are the core of your understanding of computer forensics. Because every forensic tool relies on this knowledge, you will learn how hard drives store data, from partitioning to how file systems work. The day will conclude with a discussion of the internals of the most common file systems encountered in forensics for Windows (NTFS and FAT) and Linux (Ext2/3).




  • Computer Forensic Core
    • Forensic Principles
    • Evidence Integrity
    • Data Loss Minimization
    • Evidence Volatility
    • Disk Image and Other Forensic Definitions
    • Forensic Methodology/Incident Response Process
    • Documentation, Reporting, and Presentation
  • Incident Response and Forensics
    • Investigative Mindset
    • Proper Evidence Collection
    • File System Timelines
    • String/Byte Searching
    • Media and Artifact Analysis
    • Recover Deleted or Unallocated Data
  • File System Essentials
    • File System Layer (Physical and Logical Disks)
    • Master Boot Record and MBR Partition Table
    • Allocated, Unallocated, and Slack Space
    • Metadata Layer Fundamentals
    • File Name Layer Fundamentals
  • Linux/Unix File System Fundamentals
    • Superblock
    • Block Groups
    • EXT2/EXT3 Timestamps
    • Unix Inodes
    • What happens when data is deleted from a Linux/Unix file system?
  • Windows FAT File System Fundamentals
    • FAT12/16/32 and exFAT/FAT64
    • FAT Boot Sector
    • File Allocation Table (FAT) Structure
    • Root Directory
    • FAT Timestamps
    • Directory Entries (Long/Short)
    • Cluster Chains
    • What happens when data is deleted from a FAT file system?
  • Windows NTFS File System Fundamentals
    • NTFS Overview
    • Master File Table
    • NTFS Metadata Attributes
    • NTFS Timestamps
    • NTFS Volume Metafiles
    • What happens when data is deleted from an NTFS file system?
  • Day 1 Exercises
    • Incident Verification Analysis
    • Master Boot Record Partition Analysis
    • Installing Forensic Analysis Workstation Laboratory
SECURITY 508 Upcoming Events
Event | Location | Dates | Delivery Method
SANS SelfStudy | Books & MP3s Only | Anytime | Self Paced
SANS OnDemand | Online | Anytime | Self Paced
SANS London 2009 | London, United Kingdom | Nov 28, 2009 - Dec 06, 2009 | Live Event
Community SANS Tucson 2009 | Tucson, AZ | Nov 30, 2009 - Dec 05, 2009 | Community SANS
Community SANS Colorado Springs 2009 | Colorado Springs, CO | Nov 30, 2009 - Dec 05, 2009 | Community SANS
Mentor Session - SEC508 | Atlanta, GA | Dec 02, 2009 - Feb 17, 2010 | Mentor
Mentor Session - SEC508 | Medellín, Colombia | Dec 02, 2009 - Dec 04, 2009 | Mentor
SANS CDI East 2009 | Washington DC | Dec 11, 2009 - Dec 18, 2009 | Live Event
Mentor Session - Security 508 | Charlotte, NC | Jan 14, 2010 - Mar 18, 2010 | Mentor
Mentor Session - Security 508 | Denver, CO | Jan 19, 2010 - Mar 23, 2010 | Mentor
Community SANS Lake Tahoe 2010 | Lake Tahoe, CA | Jan 25, 2010 - Jan 30, 2010 | Community SANS
SANS Phoenix 2010 | Phoenix, AZ | Feb 14, 2010 - Feb 20, 2010 | Live Event
SANS India 2010 | Bangalore, India | Feb 22, 2010 - Feb 27, 2010 | Live Event
SANS 2010 | Orlando, FL | Mar 06, 2010 - Mar 15, 2010 | Live Event
Mentor Session - SEC508 | Greeley, CO | Mar 11, 2010 - May 13, 2010 | Mentor
Community SANS Boston 2010 | Boston, MA | Mar 15, 2010 - Mar 20, 2010 | Community SANS
SANS vLive! - SEC 508 - Rob Lee | SANS vLive! SEC508 - 201003, VA | Mar 23, 2010 - Apr 29, 2010 |
SANS Northern Virginia Bootcamp 2010 | Reston, VA | Apr 06, 2010 - Apr 13, 2010 | Live Event
Mentor Session - SEC508 | Boise, ID | Sep 28, 2010 - Nov 30, 2010 | Mentor

"This is awesome! We're seeing details that most people don't even know exist" - John Wright, Info Tech, Inc.
"The class provided in-depth, real world, hands-on information" - Robert Dale Drollinger, General Dynamics
SANS Institute