Introduction to Digital Forensics and Civil Litigation Matters:
This course is delivered as an intermediate-level skills development practice course. Students should have mastery of the Windows GUI and be comfortable with file structures and meta-data concepts. The expectation is that students will be positively engaged in a crawl-walk-run methodology to build skills, professional tradecraft and confidence in dealing with increasingly difficult, non-trivial digital forensics challenges.
The material and current knowledge are intended to support and checkpoint each individual’s level of skills and practice as a professional digital forensics examiner. Little attention will be paid to abstract theory or “hypothetical” abstractions not central to present-day digital forensics challenges.
Note that the proximate intent of the pedagogy is a practical means to both develop and verify your professional level of forensics tradecraft. All of the course materials, toolsets and cases are new; the course is both intense in depth and fast-paced in materials. This particular intensive two-day course is only offered at Black Hat, Las Vegas 2004.
The course prepares the forensics examiner with the appropriate knowledge, skills and experience to deal with conducting, reporting and defending a forensics investigation and report in a civil litigation setting. The following are summary descriptions of the course modules over the two full work-days (16 contact hours over two days).
- Introduction to Digital Forensics and Civil Matters: This is a summary introduction to and review of the field of computer forensics and the basis for gathering digital artifacts in civil litigation matters. The setting is the US. Students are introduced to the prevailing laws, customs and practices they will encounter while investigating civil matters involving digital devices. We will review XP, Windows CE and email messaging as part of the hands-on case.
- Data and Media Storage Concepts: Digital systems have a systematic way of managing binary data. Data representation and hard drive media storage are reviewed. Some attention is paid to smaller types of emerging media devices. File management allocation and de-allocation are covered in this lesson.
- Forensic Acquisition and Examination: A selected set of differing techniques and protocols utilized by civil computer forensic examiners are discussed. A detailed protocol for standard civil forensics examination is critiqued. A proprietary alternative is presented for student critique.
- Advanced Examination: Time lines, meta-data and graphics analysis will be reviewed and practiced. Some information hiding and evidentiary analysis is presented. Cryptographic and compression technology in a forensics context is reviewed.
- Reporting and Presentation of Digital Evidence: The necessary components of both consulting and testifying forensics expert reports are described. Students are introduced to necessary and critical aspects of presenting digital evidence in civil litigation environments. Student reports are evaluated.
Review of US Civil Laws and Procedure:
Students are introduced to the prevailing civil laws, customs and procedures that they will encounter as a computer forensic expert in civil litigation matters. We will review an exemplary client platform and a small server.
Advanced Labs and Case materials:
Two distinct cases are presented and two evidence files are used to support in-class practical labs. To maximize the lab experience, all students should bring a functioning XP notebook with a floppy and CD device. There will be pre-class materials which students are expected to read before the class meeting. Mastery of these pre-class readings and concepts is verified in our “grand-rounds clinical questioning” format.
To ensure your knowledge and practice are validated, there is a competency-based examination in this course. The exam is two-part: (1) written questions and (2) a practical examination portion. This examination is optional. Those student forensics examiners who attain a score of 75% for both parts will be awarded a Certificate of Completion which attests to the mastery of the instructional material.
This "crawl-walk-run" methodology runs for two days during which the student will progress, step-by-step, through two increasingly difficult types of forensics examinations.
What You Will Learn:
This course will teach you, by means of cases, forensics examples, clinical practice, tradecraft and hands-on exercises, how to conduct a proper civil forensic investigation involving a computer system. At the end of the course each student will receive a set of CDs which contain a set of supporting documents, certain trial versions of software, evidence files and a set of supporting checklists. A special binder is offered at extra cost.
Who Should Attend:
Information security officers, system and network administrators, security consultants, government agencies and private investigators will all benefit from the valuable insights provided by this class.
Those students who successfully complete the examinations will be provided one-year access to a special internet listserv that contains a digital forensics discussion board, checklists and certain course materials. You should note that this is a restricted-access professional forensics examiner information portal that is intended to offer:
- “High-signal to low-noise” forensics communications
- Vendor-agnostic forensics tool assessments
- A non-law-enforcement-centric commentary
- A set of professional forensics examiner communication threads.
- The Listserv content is intended to develop a community of practice and currency of professional communications among qualified, expert digital forensics professionals.
- The expectation is that the exchanges of communication in this setting should support development of skills, critical tools, more robust processes and verifiable metrics to support forensics examiner development.
- Increasing levels of forensics professional tradecraft.
- The Listserv is only available for certain qualified examiners who have attended training and have passed the combined examinations. Access is limited to one year.
Course Length: 2 days
Cost: US $1800 before July 1, 2004 or US $2000 after July 1, 2004
NOTE: This is a two-day course. A Certificate of Completion will be offered.