ENROLL NOW




See Who We Have Trained


Online Screening Test


Sample Practical Exercise


Brochure




Course Details


    This is not a "watered down" training course.  Not like other courses, we tell you in detail what we cover during the course and what our experience and expertise is.  We have a great training course, great material, experienced instructors and we truly want you to learn the material and to become good forensic examiners.  We want you to compare and decide what is best for you.    

    You will be provided well developed, detailed handouts of the course material.   The course contains a number of practical exercise problems in the form of specially prepared diskettes or a hard disk drive that must be examined.  The practical exercises will reinforce the material and teach "hands-on" skills.   A case scenario will be used where a fictional private investigator brings you, the examiner, each diskette or a hard disk drive for examination.  Each diskette will build to the next exercise, until finally a hard disk drive is examined and the case is concluded.  Real life computer forensic issues will be covered by the practical exercises.   

    Clear, concise, accurate reports that draw appropriate conclusions are a very important factor in presenting the results of a forensic examination.  We require reports detailing each "practical exercise" examination.  We critically review your reports as if we were the "other side" and will help you develop excellent report writing skills.  Your final reports can be used as your "template" for real examinations.

    Our instructors are all Certified Forensic Computer Examiners or Certified Computer Examiners (CCE)® who are currently involved in computer forensic examinations.  They will coach and tutor you through the practical exercises, your reports and through the test questions for each module.  Our instructors are highly qualified, experienced and understand forensic examinations far beyond the material in this course.  Your interaction with your instructor will normally be via email, but direct assistance is available.   We truly want you to learn the material and to become a good forensic examiner. 

    The on-line course is broken up into five modules.   The material is constantly being revised and is subject to change.  The current modules consist of:

    Module 1

    • An overview of what types of crimes computer evidence might be used in. 
    • How to deal with clients and employers.
    • How to initially determine the scope of the examination.
    • How to determine what must be done and how you should proceed in an examination.
    • An overview of why trained forensic examiners should be used and what they may expect to encounter. 
    • Software ethics. 
    • Forensic ethical standards. 
    • Forensic examination procedures. 
    • Preparing and verifying forensically sterile examination media.
    • Note taking and report writing.
    • Personal computer construction, hardware and software with focus on the BIOS, BIOS limitations, hard disk translation schemes and how they can effect forensic examinations.
    • A very broad overview of several operating systems including:
      •   Windows NT/2000
      •   Novell 
      •   Unix/Linux 
      •   DOS 
      •   Windows 95/98
    • A broad overview of networks.
    • Instruction on the acquisition, collection and seizure of magnetic media. 
    • How to best acquire, collect or seize the various operating systems.
    • Legal and privacy issues.
    • Establishing a sound "chain of custody".
    • Note  - we believe a sound understanding of the FAT file system is essential.  Flash media, such as "Thumb " Drives, flash cards in digital cameras, most cell phones, etc. are all stored on disk using the FAT file system.
    • The beginning logical structures of the Microsoft operating system FAT file system. -
    • How to recover simple deleted files.
    • There are four practical exercises in preparing and verifying forensically sterile media, using a "carving" utility to recover data from unallocated space and the manual recovery of simple deleted files.
    • A written examination regarding the material covered in this module.

    Module 2

    • The DOS and Windows boot process. 
    • A continuation of how files are created and stored. 
    • How to recover more complex deleted files. 
    • The significance and determination of the creation date and time.
    • The significance and determination of the last accessed date and the modification date and time. 
    • How Windows long file names are stored. 
    • What happens when Windows long file names are deleted.  
    • How to recover Windows long file names. 
    • How sub-directories are stored. 
    • What happens when sub-directories are deleted. 
    • How to recover a deleted sub-directory and it's files. 
    • What happens when a diskette or hard disk drive is formatted.  
    • How to recover files, sub-directories and data from formatted disks.  
    • How to determine which files had been deleted prior to formatting. 
    • What file slack is and how to recover data from file slack. 
    • There are five practical exercises on the logical structure of FAT file systems, file storage and the recovery of fragmented deleted files, the recovery of long file names, the recovery of deleted sub directories and the recovery of formatted disks. 
    • A written examination regarding the material covered in this module.

    Module 3

    • An in-depth exploration of NTFS logical structures (nothing similar is available anywhere) , including:
      •   The partition table
      •   The boot record
      •   Bitmaps
      •   The root directory
      •   The MFT
      •   Headers
      •   Attributes
      •   Resident files
      •   Non-resident files
      •   Run lists, etc.
      •   Alternate data streams
      •   File storage
      •   The various dates and times stored in attributes
      •   File deletion
      •   File recovery
      •   Directory storage
      •   Tracing files/directories
      •   The NTFS registry "hive".
      •   Examining NTFS drives
    • A practical exercise involving the detailed exploration of the NTFS logical structures on a specially prepared NTFS dive.  
    • A written examination regarding the material covered in this module.

    Module 4

    • How to make a Windows 98 forensic boot disk
    • How to make "exact" images of media - the various imaging methods
    • The use of Firewire write blockers
    • The significance, location and recovering data from: 
      •   Swap Files 
      •   Temporary Files 
      •   Internet Cache Files
      •   The various types of Email files
      •   Internet Cookies 
      •   Internet Sites Visited
    • Basic Internet issues.  Doing a basic "whois" and similar Internet checks.
    • How to preserve the original media.
    • How to prevent inadvertent writes to the original media, virus introduction to the original media, and activation of "booby" traps on the original media. 
    • How to make bitstream (exact copies) of the original media.
    • The safe handling of the media by the forensic examiner.
    • The most common situations that an examiner may encounter during an examination. 
    • Finding and documenting normal data or graphical files.
    • How people commonly try to hide data.
    • Finding and documenting data and files in unallocated space.
    • Finding hidden data. 
    • An overview of password protection and unlocking passwords.
    • Accessing and interpreting "metadata" in MS Office documents.
    • There are three practical exercises on recovering data from swap files, temporary files, etc., determining registration of a URL, finding and documenting normal data on magnetic media, finding hidden data and unlocking passwords, unlocking passwords and accessing metadata.
    • A written examination regarding the material covered in this module.

      Module 5

    •   Data formats and types.
    •   Basic data format conversion. 
    •   Examining CDR media and accessing multiple unclosed sessions.
    •   Managing data. 
    •   Presenting the data to the client in a useful format. 
    •   Presenting data in court or other proceedings in a clear and understandable manner. 
    •   The marking, storage and transmittal of evidence.
    •   The basic use of automated forensic suites (Access Data's Forensic Tool Kit (FTK))
    •   A practical exercise where you examine a specially prepared hard disk drive.  This hard disk drive will contain many current "real life" issues covered in this course and will require you to conduct a complete examination of the media.  You must examine this hard drive, draw the appropriate conclusions, write a good report and present the evidence found in a manner that is clear and understandable. 
    •   A written final examination will be given.  

    We will provide a detailed handout for each module covered.  The handouts can be used as a reference manual.  Sample reports, additional practical exercises, a DOS primer, Diskedit primer and other useful information and applications will be provided. You will be subscribed to our listservers that provide both administrative and technical information.  Even after you complete the course, as material is updated, you will be able to download the new material from our web site.

    We will provide some forensic software that was written specifically for forensic examiners, including:

    •   A fast and thorough wiping program
    •   A fast checksum program 
    •   A fast program that documents files (including deleted files) on a drive 
    •   A program that will allow examination of unallocated space
    •   A program that will make exact forensic copies of floppy diskettes
    •   An excellent forensic "carving" utility
    •   The Passware Kit from Lost Password.com  
    •   See our forensic software page for details on the software provided.

    You will be required to purchase:

    •   Norton Utilities
    •   Norton Ghost
    •   QuickView Plus (a viewing application) QuickView
    •   A good virus scanning utility
    •  You will be required to use your own USB  drive for the examinations.  We recommend a size no less than 32 MB.

     

    Contact us