SECURITY 508


GIAC Certification Available

This course provides an in-depth look at The Sleuth Kit and Foremost. These two complementary open-source packages form a reliable toolset for analyzing forensic evidence from multiple file systems, including Windows-based (NTFS and FAT) and Linux-based (Ext2 and Ext3) file systems.

As a forensic investigator, it is important to understand multiple ways to find and recover data from collected evidence. You will learn how to perform string searches, for example for an e-mail address or for the signature bytes found at the beginning of a zip file, in order to recover the pertinent data from your evidence and determine the filename that contains that data. You will also learn how to recover data by working at the data layer and the metadata layer of the file system.

Performing hash database comparisons and file type sorting is another very powerful way to narrow an investigator's focus. You will learn how to create a forensic hash database and use it to identify known-good files and potentially malicious data in your evidence.
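The two preceding paragraphs describe three manual steps that the course tools automate: a byte/string search over raw data, header/footer carving of the kind Foremost performs, and hashing the results against a known-good or known-bad database as hfind does. The following is an added example written for this page, not course material and not code from The Sleuth Kit or Foremost. It assumes a 4096-byte block size (on a real image you would take it from fsstat), builds a constructed stand-in for unallocated space with a small ZIP and a JPEG-shaped blob planted in it, and uses the planted archive's hash as a constructed "known-bad" database entry.

```python
import hashlib
import io
import zipfile

# Assumed cluster/block size; on a real image take it from `fsstat`.
BLOCK_SIZE = 4096

# Header/footer signatures in the spirit of a Foremost configuration entry.
# footer_keep is how many bytes of the footer record to keep: the ZIP
# end-of-central-directory record is 22 bytes (before any comment),
# the JPEG end-of-image marker is 2 bytes.
SIGNATURES = {
    "zip": {"header": b"PK\x03\x04", "footer": b"PK\x05\x06", "footer_keep": 22},
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "footer_keep": 2},
}


def sample_zip() -> bytes:
    """Constructed ZIP archive (stored, fixed timestamp) so its bytes, and
    therefore its hash, are deterministic from run to run."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("evidence.txt", date_time=(2009, 12, 1, 0, 0, 0))
        zf.writestr(info, "contact: jdoe@example.com\n")
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space (what `blkls` would give you):
    inert filler with the ZIP and a minimal JPEG-shaped blob embedded at
    offsets that are deliberately not block-aligned. Not a real disk image."""
    filler = (b"UNALLOCATED " * 400)[:BLOCK_SIZE]
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 32 + b"\xff\xd9"
    return filler + b"\x00" * 100 + sample_zip() + filler + b"\x00" * 7 + jpg + filler


def find_bytes(image: bytes, needle: bytes, block_size: int = BLOCK_SIZE):
    """Byte/string search: every (byte offset, block number) where needle
    occurs. The block number is what you hand to `ifind -d` to map an
    allocated block back to its inode/MFT entry (then `ffind` for the name)."""
    hits, start = [], 0
    while (off := image.find(needle, start)) >= 0:
        hits.append((off, off // block_size))
        start = off + 1
    return hits


def carve(image: bytes, signatures=SIGNATURES, max_len: int = 10_000_000):
    """Header/footer carving: from each header hit, keep everything up to and
    including the first matching footer within max_len bytes.
    Returns a list of (type, offset, data) sorted by offset."""
    carved = []
    for ftype, sig in signatures.items():
        for off, _ in find_bytes(image, sig["header"]):
            end = image.find(sig["footer"], off + len(sig["header"]), off + max_len)
            if end < 0:
                continue  # header with no footer in range: truncated or overwritten
            carved.append((ftype, off, image[off:end + sig["footer_keep"]]))
    return sorted(carved, key=lambda c: c[1])


def classify(carved, known_good: set, known_bad: set, block_size: int = BLOCK_SIZE):
    """Hash each carved file and tag it against known-good / known-bad sets,
    the same comparison `hfind` performs against a hash database."""
    report = []
    for ftype, off, data in carved:
        md5 = hashlib.md5(data).hexdigest()
        tag = "known-bad" if md5 in known_bad else "known-good" if md5 in known_good else "unknown"
        report.append({"type": ftype, "offset": off, "block": off // block_size,
                       "size": len(data), "md5": md5, "tag": tag})
    return report


def demo():
    image = build_sample_image()
    hits = find_bytes(image, b"jdoe@example.com")
    carved = carve(image)
    # Constructed "known bad" database: the hash of the archive we planted.
    known_bad = {hashlib.md5(sample_zip()).hexdigest()}
    return hits, carved, classify(carved, known_good=set(), known_bad=known_bad)


if __name__ == "__main__":
    hits, carved, report = demo()
    for off, blk in hits:
        print(f"string hit at byte {off} (block {blk})")
    for r in report:
        print(f"{r['type']:3} @ {r['offset']:8d} block {r['block']:4d} "
              f"{r['size']:6d} bytes md5={r['md5']} {r['tag']}")
```

The carver scans every byte rather than only cluster boundaries, which is slower but catches data that a file-system-unaware tool would otherwise miss; the block number it reports is the bridge from the data layer to the metadata layer, since `ifind -d <block>` on the original image tells you which inode or MFT entry (if any) still claims that block.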

Finally, you will learn how an automated toolkit speeds up an investigation, using the Autopsy Forensic Browser, and how similar commercial tools provide the same functionality.

The techniques covered in this course apply equally to Windows NTFS/FAT file systems and to Unix-based file system variants such as Ext2/3, UFS, and FFS.




  • File System and Data Layer Examination
    • Extract Key Data From File System Partition
    • Determine Cluster/Block Size
    • Extract Unallocated and Slack Space
    • Determine Location of Data
    • Extract Files Using File Headers
  • Metadata Layer Examination
    • Locating Metadata Structures
    • Extracting Data Using Inode/MFT/FAT Directory Entry
    • Data Pointers/Timestamps/Security Information
    • Filename
  • File Name Layer Examination
    • Directory Hierarchy
    • File Name Pointers
    • Importance of File Location
    • Recover Deleted Files From the File System
  • File Sorting and Hash Comparisons
    • File Sorting Based on Data Type (documents, pictures, archives)
    • Using Hash Comparison to Solve Cases
    • Hash Databases and How to Use Them
    • Creating Known Good and Known Bad Databases
    • Fuzzy Hashing and How to Use It
  • Automated GUI Based Forensic Toolkits
    • Forensic Toolkits Basics
    • How Are Different Images Imported into a GUI Tool
    • Utilize GUI Toolkit to Follow Forensic Methodology
    • Identifying and Recovering Deleted Information
    • Searching for Keywords, Dates, and Other Relevant Information
  • Day 3 Exercises
    • Follow Forensic Methodologies to Analyze a Case End to End
    • Determine the Deleted Filename that Contains a Piece of Critical Data – BY HAND
    • Recovering Artifacts from Unallocated Space
    • Creating a Complete File System Timeline
    • Performing Hash Comparisons Using Hash Databases
    • Using Autopsy Forensic Browser to Analyze a Case
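The file system timeline exercise above is normally done with `fls -m` (which emits one line per file in The Sleuth Kit's body format) piped into `mactime`. The following is an added example written for this page, not course material and not code from The Sleuth Kit: it parses a few constructed body-format lines, folds each file's four timestamps into mactime-style rows with an MACB column, and pulls out the rows for deleted entries. It assumes the TSK 3.x body field order (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), that `fls` marks deleted entries with a "(deleted" suffix in the name, and, as a design choice of this example rather than documented mactime behaviour, that a zero timestamp means "not recorded" and is skipped.

```python
from datetime import datetime, timezone

# Constructed body-file lines in the TSK 3.x mactime input format that
# `fls -m / -r <image>` emits:
#   MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Timestamps are Unix epoch seconds; all values here are made up for the example.
BODY = """\
0|/home/jdoe/notes.txt|16422|r/rrw-r--r--|1000|1000|1337|1259625600|1259622000|1259622000|1259600000
0|/home/jdoe/secret.zip (deleted)|16430|r/rrw-------|1000|1000|2048|1259640000|1259640000|1259650000|1259640000
0|/home/jdoe|16386|d/drwxr-xr-x|1000|1000|4096|1259650000|1259650000|1259650000|1259600000
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")


def parse_body(text: str):
    """Parse body-format lines into dicts, rejecting lines with the wrong
    field count rather than silently mis-aligning timestamps."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        e = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            e[key] = int(e[key])
        e["deleted"] = "(deleted" in e["name"]  # assumed fls marker for unallocated names
        entries.append(e)
    return entries


def build_timeline(entries):
    """Fold the four timestamps of every file into mactime-style rows: one row
    per (time, file) with an MACB column, 'm' modified, 'a' accessed,
    'c' metadata changed, 'b' born/created, '.' where that event did not
    happen at this instant."""
    rows = {}
    for e in entries:
        for letter, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            if e[key] == 0:
                continue  # design choice of this example: 0 means "not recorded"
            row = rows.setdefault((e[key], e["name"], e["inode"]), {"flags": ["."] * 4, "entry": e})
            row["flags"]["macb".index(letter)] = letter
    timeline = []
    for (ts, name, inode), row in sorted(rows.items(), key=lambda kv: kv[0]):
        stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        timeline.append((stamp, "".join(row["flags"]), row["entry"]["size"], inode, name))
    return timeline


def deleted_activity(timeline):
    """Only the rows belonging to deleted entries: the 'what happened to the
    file that is no longer there' view used when recovering deleted data."""
    return [row for row in timeline if "(deleted" in row[4]]


def render(timeline) -> str:
    return "\n".join(f"{ts}  {macb}  {size:>8}  {inode:>6}  {name}"
                     for ts, macb, size, inode, name in timeline)


if __name__ == "__main__":
    timeline = build_timeline(parse_body(BODY))
    print(render(timeline))
    print("--- deleted entries only ---")
    print(render(deleted_activity(timeline)))
```

Reading the output the way the exercise intends: the deleted archive shows creation, modification and access at one instant and a later metadata change on its own, which is the pattern a file deletion leaves on Ext2/3 (the inode's ctime is updated when the entry is unlinked). Rows are rendered in UTC; mactime uses the local or `-z` time zone, so pick one and record it in the report.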
SECURITY 508 Upcoming Events

Event | Location | Dates | Delivery Method
SANS SelfStudy | Books & MP3s Only | Anytime | Self Paced
SANS OnDemand | Online | Anytime | Self Paced
SANS London 2009 | London, United Kingdom | Nov 28, 2009 - Dec 06, 2009 | Live Event
Community SANS Tucson 2009 | Tucson, AZ | Nov 30, 2009 - Dec 05, 2009 | Community SANS
Community SANS Colorado Springs 2009 | Colorado Springs, CO | Nov 30, 2009 - Dec 05, 2009 | Community SANS
Mentor Session - SEC508 | Atlanta, GA | Dec 02, 2009 - Feb 17, 2010 | Mentor
Mentor Session - SEC508 | Medellín, Colombia | Dec 02, 2009 - Dec 04, 2009 | Mentor
SANS CDI East 2009 | Washington DC | Dec 11, 2009 - Dec 18, 2009 | Live Event
Mentor Session - Security 508 | Charlotte, NC | Jan 14, 2010 - Mar 18, 2010 | Mentor
Mentor Session - Security 508 | Denver, CO | Jan 19, 2010 - Mar 23, 2010 | Mentor
Community SANS Lake Tahoe 2010 | Lake Tahoe, CA | Jan 25, 2010 - Jan 30, 2010 | Community SANS
SANS Phoenix 2010 | Phoenix, AZ | Feb 14, 2010 - Feb 20, 2010 | Live Event
SANS India 2010 | Bangalore, India | Feb 22, 2010 - Feb 27, 2010 | Live Event
SANS 2010 | Orlando, FL | Mar 06, 2010 - Mar 15, 2010 | Live Event
Mentor Session - SEC508 | Greeley, CO | Mar 11, 2010 - May 13, 2010 | Mentor
SANS vLive! - SEC 508 - Rob Lee | SANS vLive! SEC508 - 201003, VA | Mar 23, 2010 - Apr 29, 2010 |
SANS Northern Virginia Bootcamp 2010 | Reston, VA | Apr 06, 2010 - Apr 13, 2010 | Live Event
Mentor Session - SEC508 | Boise, ID | Sep 28, 2010 - Nov 30, 2010 | Mentor
"This is awesome! We're seeing details that most people don't even know exist" - John Wright, Info Tech, Inc.
"The class provided in-depth, real world, hands-on information" - Robert Dale Drollinger, General Dynamics
SANS Institute