SECURITY 508


GIAC Certification Available
Computer Forensic Investigators should be conversant with network and file system forensics in addition to being armed with the latest in incident response tools and methodologies. The day starts with learning how to acquire system memory, volatile data, and the hard drive as evidence from a compromised machine. You will learn how to acquire evidence across a network, from a live machine, and even from a hard drive that is sent to you for examination. The latter part of the day will focus on file system timeline analysis where you will be able to track the intruder through the file system by examining file system time stamps.

You will analyze live machines that will put you personally in charge of investigating an incident. Part of the courseware DVD includes a compromised VMware machine that was suspended immediately after being hacked remotely for you to test your incident response and evidence collection skills. You will learn how to minimize damage to the evidence of the live machine while learning how to acquire volatile evidence from the machine. Finally, you will learn how to image a hard drive as evidence and maintain evidence integrity through a variety of methods using the SIFT kit.

You are encouraged to bring a used hard drive from your organization or from home to practice on during the evidence acquisition section, but this is not required. The instructor will demonstrate the skills discussed in the course, and the manuals include numerous screenshots.

  • Key Forensic Acquisition/Analysis Concepts
    • Using the Right Tools
    • Forensic Toolkits
    • Key Windows and Linux Acquisition/Analysis Tools
  • Volatile Evidence Gathering and Analysis
    • Acquisition of System Memory for both Windows/Linux
    • Memory Analysis Techniques
    • Obtain Process/Network Information
  • Evidence Integrity
    • Cryptographic Hashes
    • MD5 and SHA-1 Algorithms
    • Chain of Custody
  • Forensic Evidence Acquisition and Imaging
    • Physical vs. Logical Acquisition
    • Types of Forensic Images
    • Write-Blockers and Host-Protected Area
    • Using dd for Forensic Acquisitions
    • Secure Wiping
    • Mounting Forensic Images to Browse Files
  • File System Timeline Analysis
    • Timeline Benefits
    • Timeline Variations (FAT/NTFS/UNIX)
    • Timeline Generation and Interpretation
  • Forensic Analysis Key Methods
    • File Headers/Footers
    • ASCII and UNICODE String Searches
    • Determine the Location of Key Data
    • Performing Dirty Word Searches
  • Day 2 Exercises
    • Acquiring and Analyzing System Memory of a Windows Machine
    • System Verification and Evidence Gathering of a Live Compromised System
    • Acquiring a Live Image and a Powered-Off Machine
    • Timeline Creation on a Live System
    • Performing a Dirty Word Search Against a Disk Image
    • Mounting a Disk Image For Examination
    • Using Helix Pro Bootable Forensics/IR CD-ROM
SECURITY 508 Upcoming Events

| Event | Location | Dates | Delivery Method |
|---|---|---|---|
| SANS SelfStudy | Books & MP3s Only | Anytime | Self Paced |
| SANS OnDemand | Online | Anytime | Self Paced |
| SANS London 2009 | London, United Kingdom | Nov 28, 2009 - Dec 06, 2009 | Live Event |
| Community SANS Tucson 2009 | Tucson, AZ | Nov 30, 2009 - Dec 05, 2009 | Community SANS |
| Community SANS Colorado Springs 2009 | Colorado Springs, CO | Nov 30, 2009 - Dec 05, 2009 | Community SANS |
| Mentor Session - SEC508 | Atlanta, GA | Dec 02, 2009 - Feb 17, 2010 | Mentor |
| Mentor Session - SEC508 | Medellín, Colombia | Dec 02, 2009 - Dec 04, 2009 | Mentor |
| SANS CDI East 2009 | Washington DC | Dec 11, 2009 - Dec 18, 2009 | Live Event |
| Mentor Session - Security 508 | Charlotte, NC | Jan 14, 2010 - Mar 18, 2010 | Mentor |
| Mentor Session - Security 508 | Denver, CO | Jan 19, 2010 - Mar 23, 2010 | Mentor |
| Community SANS Lake Tahoe 2010 | Lake Tahoe, CA | Jan 25, 2010 - Jan 30, 2010 | Community SANS |
| SANS Phoenix 2010 | Phoenix, AZ | Feb 14, 2010 - Feb 20, 2010 | Live Event |
| SANS India 2010 | Bangalore, India | Feb 22, 2010 - Feb 27, 2010 | Live Event |
| SANS 2010 | Orlando, FL | Mar 06, 2010 - Mar 15, 2010 | Live Event |
| Mentor Session - SEC508 | Greeley, CO | Mar 11, 2010 - May 13, 2010 | Mentor |
| Community SANS Boston 2010 | Boston, MA | Mar 15, 2010 - Mar 20, 2010 | Community SANS |
| SANS vLive! - SEC 508 - Rob Lee | SANS vLive! SEC508 - 201003, VA | Mar 23, 2010 - Apr 29, 2010 | |
| SANS Northern Virginia Bootcamp 2010 | Reston, VA | Apr 06, 2010 - Apr 13, 2010 | Live Event |
| Mentor Session - SEC508 | Boise, ID | Sep 28, 2010 - Nov 30, 2010 | Mentor |

"This is awesome! We're seeing details that most people don't even know exist." - John Wright, Info Tech, Inc.
"The class provided in-depth, real world, hands-on information." - Robert Dale Drollinger, General Dynamics
SANS Institute