Forensic Computer Examiner

Price: $ 3095.00 (USD)
Add to Cart

Click here for a demo of this course.

Have a question about this course? Contact a representative.

Course Description

The forensic computer examiner field has grown tremendously in the past few years. For many years, law enforcement officers have been the primary forensic computer examiners, however, as criminal defense attorneys, and later civil attorneys, encountered the law-enforcement examiners, the need for qualified civilian forensic computer examiners grew. Currently, there is a huge demand for certified, qualified forensic computer examiners. Some trained examiners have started their own businesses, some work for large companies, such as Deloitte and Touche, and others work for law-enforcement agencies, such as the FBI CART teams. This comprehensive online program prepares individuals for a career in this emerging field. Through this training, students learn to retrieve evidence and prepare reports, based on that evidence, which will stand up in a court of law. A section on the ethics of computer forensics and on the preparation and analysis of investigation results is also included. The primary certification for civilian forensic computer examiners is the Certified Computer Examiner (CCE®) certification. The online Forensic Computer Examiner program is an authorized CCE training course and thoroughly prepares students to take the CCE certification exam.
Back to Top

Course Outline

 

  • Module 1
    1. Overview of what types of crimes might be solved with computer evidence.
    2. Dealing with clients and employers.
    3. Initial determination of the scope of the examination.
    4. Determining what must be done and how to proceed in an examination.
    5. Overview of reasons to use trained forensic examiners and what they may expect to encounter.
    6. Software ethics.
    7. Forensic ethical standards.
    8. Forensic examination procedures.
    9. Preparing and verifying forensically sterile examination media.
    10. Note taking and report writing.
    11. Personal computer construction, hardware and software with focus on the BIOS, BIOS limitations, hard disk translation schemes and effect on forensic examinations.
    12. A very broad overview of several operating systems including:
      1. Windows NT/2000
      2. Novell
      3. Unix/Linux
      4. DOS
      5. Windows 95/98
    13. Broad overview of networks.
    14. Acquisition, collection and seizure of magnetic media.
    15. Best method of acquiring, collecting, or seizing the various operating systems.
    16. Legal and privacy issues.
    17. Establishing a sound "chain of custody."
    18. Beginning logical structures of the Microsoft operating system FAT file system.
    19. Recovering simple deleted files.
    20. Four practical exercises in preparing and verifying forensically sterile media.
    21. Using a "carving" utility to recover data from unallocated space
    22. Manual recovery of simple deleted files.
    23. Written examination on the material covered in this module.

    •  


  • Module 2
    1. DOS and Windows boot process.
    2. Creating and storing files-continued.
    3. Recovering more complex deleted files.
    4. Determining the creation date.
    5. Significance of the creation date.
    6. Determining the last accessed date and the modification date and time.
    7. Significance of the last accessed date and the modification date and time.
    8. Storing Windows long file names.
    9. Consequences of deleting Windows long file names.
    10. Recovering Windows long file names.
    11. Storing sub-directories.
    12. Consequences of deleting sub-directories.
    13. Recovering a deleted sub-directory and its files.
    14. Consequences of formatting a diskette or hard disk drive.
    15. Recovering files, sub-directories and data from formatted disks.
    16. Determining which files had been deleted prior to formatting.
    17. Definition of file slack and recovering data from file slack.
    18. Five practical exercises on the logical structure of FAT file systems, file storage and the recovery of fragmented deleted files, the recovery of long file names, the recovery of deleted sub directories and the recovery of formatted disks.
    19. A written examination on the material covered in this module.

  • Module 3
    1. An in-depth exploration of NTFS logical structures (nothing similar is available anywhere), including:
      1. The partition table
      2. The boot record
      3. Bitmaps
      4. The root directory
      5. The MFT
      6. Headers
      7. Attributes
      8. Resident files
      9. Non-resident files
      10. Run lists, etc.
      11. Alternate data streams
      12. File storage
      13. The various dates and times stored in attributes
      14. File deletion
      15. File recovery
      16. Directory storage
      17. Tracing files/directories
      18. The NTFS registry "hive".
      19. Examining NTFS drives
    2. A practical exercise involving the detailed exploration of the NTFS logical structures on a specially prepared NTFS drive.
    3. A written examination regarding the material covered in this module.

  • Module 4
    1. Making a Windows 98 forensic boot disk
    2. Making "exact" images of media-the various imaging methods
    3. Using Firewire write blockers
    4. The significance, location and recovering data from:
      1. Swap Files
      2. Temporary Files
      3. Internet Cache Files
      4. Email files
      5. Internet Cookies
      6. Internet Sites Visited
    5. Basic Internet issues. Doing a basic "whois" and similar Internet checks.
    6. Preserving the original media.
    7. Preventing inadvertent writes to the original media, virus introduction to the original media, and activation of "booby traps" on the original media.
    8. Making bitstream (exact copies) of the original media.
    9. Safe handling of the media by the forensic examiner.
    10. The most common situations that an examiner may encounter during an examination.
    11. Finding and documenting normal data or graphical files.
    12. How people commonly try to hide data.
    13. Finding and documenting data and files in unallocated space.
    14. Finding hidden data.
    15. An overview of password protection and unlocking passwords.
    16. Accessing and interpreting "metadata" in MS Office documents.
    17. Three practical exercises on recovering data from swap files, temporary files, etc., determining registration of a URL, finding and documenting normal data on magnetic media, finding hidden data and unlocking passwords, unlocking passwords and accessing metadata.
    18. A written examination regarding the material covered in this module.

  • Module 5
    1. Data formats and types.
    2. Basic data format conversion.
    3. Examining CDR media and accessing multiple unclosed sessions.
    4. Managing data.
    5. Presenting the data to the client in a useful format.
    6. Presenting data in court or other proceedings in a clear and understandable manner.
    7. Marking, storage, and transmittal of evidence.
    8. Basic use of automated forensic suites (Access Data's Forensic Tool Kit (FTK))
    9. A practical exercise in which the students examine a specially prepared hard-disk drive, draw the appropriate conclusions, write a good report and present the evidence found in a manner that is clear and understandable.
    10. A written examination regarding the material covered in this module.

  • Additional resources provided
    1. Detailed handout for each module covered-usable as a reference manual.
    2. Sample reports
    3. Additional practical exercises.
    4. DOS primer
    5. Diskedit primer and other useful information and applications.
    6. Subscription to a forensic listserver that provide both administrative and technical information.
    7. Continuing access to updated material via the GES website, even after course completion.
    • Back to Top

    More Information

    Language English
    Course Length 150.00 hours
    Duration of Access 12 months
    Instructor John Mellon
    Vendor Gatlin Education
    Prerequisites/Audience Students must have no criminal record. Basic computer skills, including the ability or desire to work outside the Windows GUI interface, are necessary. The ability or desire to remove hard-disk drives from computers and change jumpers is required.

    Note: Students who plan to pursue the Certified Computer Examiner (CCE®) credential must have attended a course like this course or have documented experience in forensic computer examinations or have documented self study.
    Requirements/Materials Included

    This course is compatible with Windows Vista Operating System.

    This course must be taken from a PC. Students should have a computer capable of booting to Windows 98 and must have Internet access.

    Students will be provided with some forensic software that was written specifically for forensic examiners. Each registered student will receive:

    • A fast and thorough wiping program.
    • A fast checksum program.
    • A fast program that documents files (including deleted files) on a drive.
    • A program that allows examination of unallocated space.
    • A program that makes exact forensic copies of floppy diskettes.
    • An excellent forensic "carving" utility.
    • The Passware Kit from Lost Password.com.

    Students will be required to purchase:

  • Norton Utilities
  • Norton Ghost
  • QuickView Plus (a viewing application)
  • A good virus-scanning utility

    Why do I need a computer capable of booting to Windows 98?

    The material used in this course is based on the concept of teaching computer forensics from a vendor neutral perspective. This course teaches the low level mechanics of commonly encountered file systems. Computer forensics is not a point and click process, neither is the Key Computer approach to training. If a student can gain a solid understanding of one file system and how it functions at a low level then that student will be prepared to learn other file systems as well.

    This course material will teach low level mechanics and functions of both the FAT file system and the New Technology File System (NTFS). Although the FAT file system is not available on new computers, it is the default file system on floppy diskettes and USB devices. Many computer forensic incidents involve USB devices and will continue to involve these devices for years to come. Consequently, students studying to become successful forensic computer examiners must understand the FAT file system which is why it is necessary to use a computer that can boot to Windows 98.

    Windows 98 is based on the FAT file system, and a computer formatted with Windows 2000 may be formatted with the FAT file system or NTFS.

    NTFS is the native file system for Windows XP and Vista.

    The completion of several practical exercises is a requirement of this course. Some include floppy diskettes. Although the floppy diskette is no longer commonly encountered in the field, it is the exercise that is significant and any action taken on a floppy diskette can be replicated on a hard drive.

    The CCE BootCamp will train you to not only thoroughly examine digital media, but also clearly document, control, prepare and present examination results.

    The CCE BootCamp includes instruction on conducting thorough examinations, identifying where and how data is stored, recovering and interpreting data and drawing appropriate conclusions based on the data.

    A sound understanding of the FAT and NTSF file systems is critical to forensic examination. These file systems are important because they are the base of Windows operating systems, portable flash media, storage devices and other digital media in use everywhere today. USB drives, mobile phones, laptops, desktops and cameras are examples of common equipment that use these systems. FAT file system logical structures are utilized by DOS and Windows 9.x. NTFS logical structures are utilized by Windows NT, 2000, XP and Vista.
    		•
    Price: $ 3095.00 (USD)
    Add to Cart

    Categories