5 days

About this Cyber Security Training Course

Digital Forensics is the investigation and recovery of data contained in digital devices. This data is often the subject of investigations in litigation, proof of guilt, and corrective action in an organization. When the time comes that you need to investigate your organization, will you have the skill set necessary to gather the digital data that you need? The Certified Digital Forensics Examiner Cyber Security Training Course will benefit organizations, individuals, government offices, and law enforcement agencies in performing these investigations and reporting their findings.

To illustrate, lets say an employee needs to be terminated for a violation of computer usage rules. To do so the organization must furnish an irrefutable burden of proof based on digital evidence. If not irrefutable, an attorney knowledgeable about Digital Forensics could have the case thrown out of court. Government and investigative agencies need proper training to succeed in cases like the above as well as those including acts of fraud, computer misuse, illegal pornography, counterfeiting, and so forth. A C)DFE is aptly prepared to handle these types of situations.


C)SS: Security Sentinel
C)ISSO: Information Systems
Security Officer
Or equivalent experience

Target Student:

Forensic Auditor
IT Auditor
Law Enforcement
Internal Auditor
Cyber Security Training Course Objective

Upon completion, students will:

Have knowledge to perform digital forensic examinations
Have knowledge to accurately report on their findings from examinations
Be ready to sit for the C)DFE Exam

Course Outline

Module 1 – Introduction

Lesson Objectives
Introductions (Instructor)
Introductions (Students)
Cyber Security Training Course Schedule
Student Guide (Layout)
Introduction to Computer Forensics
Cyber Security Training Course Objectives

Module 2 Computer Forensic Incidents

Lesson Objectives
The Legal System
Criminal Incidents
Civil Incidents
Computer Fraud
Internal Threats
Investigative Challenges
Common Frame of Reference
Media Volume

Module 3 – Investigation Process

Lesson Objectives
Investigating Computer Crimes
Prior to the Investigation
Forensics Workstation
Building Your Team of Investigators
Preparing for an Investigation
Search Warrant
Forensic Photography
Preliminary Information
First Responder
Collecting Physical Evidence
Collecting Electronic Evidence
Guideline for Acquiring Electronic Evidence
Securing the Evidence
Managing the Evidence
Chain of Custody
Duplicate the Data
Verify the Integrity of the Image
Who is involved in Computer Forensics?
Decision Makers and Authorization
Risk Assessment
Forensic Investigation Toolkit
Investigation Methodology
Recover Last Data
Data Analysis
Data Analysis Tools
Assessing the Evidence
Assessing the Case
Location Assessment
Best Practices
Gathering and Organizing Information
Writing the Report
Expert Witness
Closing the Case

Module 4 – OS Disk Storage Concepts

Lesson Objectives
Disk Based Operating Systems
OS / File Storage Concepts
Disk Storage Concepts

Module 5 Digital Acquisition and Analysis

Lesson Objectives
Digital Acquisition
Digital Acquisition Procedures
Digital Forensic Analysis Tools

Module 6 – Forensic Examination Protocols

Lesson Objectives
Forensic Examination Protocols
Forensic Examination

Module 7 – Digital Evidence Protocols

Lesson Objectives
Digital Evidence Concepts
Digital Evidence Categories
Digital Evidence: Admissibility

Module 8 Computer Forensic Investigative

Lesson Objectives
Computer Forensic Investigative Theory

Module 9 – Digital Evidence Presentation

Lesson Objectives
Digital Evidence Presentation
Digital Evidence
Digital Evidence: Hearsay
Digital Evidence: Summary

Module 10 – Computer Forensics Lab

Lesson Objectives
Peer Review
Who should review?
Peer Review
Quality Assurance
Standard Operating Procedures
Peer Review
Annual Review
Lab Intake

Module 11 – Computer Forensics Processing

Lesson Objectives
Computer Forensic Processing Techniques

Module 12 – Digital Forensics Reporting

Lesson Objectives
Analysis Report
Computer Sciences
Ten Laws of Good Report Writing
Summary of Findings
Forensic Examination
Cover Page
Table of Contents
Examination Report
Items of Evidence

Module 13 – Specialized Artifact Recovery

Lesson Objectives
Prep System Stage
Lesson Objectives
Prep System Stage
Windows File Date/Time Stamps
File Signatures
Image File Databases
The Windows OS
Windows Registry
Alternate Data Streams
Windows Unique ID Numbers
Decode GUID’s
Historical Files
Windows Recycle Bin
Copy out INFO2 for Analysis
Web E-mail

Module 14 – eDiscovery and ESI

Lesson Objectives
Discoverable ESI Material
eDiscovery Notification
Required Disclosure
eDiscovery Conference
Preserving Information
eDiscovery Liaison
eDiscovery Products
What is Metadata?
Data Retention Architecture
“Safe Harbor” Rule 37(f)
eDiscovery Spoliation
Tools for eDiscovery

Module 15 – Cell Phone Forensics

Lesson Objectives
Cell Phones
Types of Cell Networks
What can a criminal do with Cell Phones?
Cell Phone Forensics
Forensics Information in Cell Phones
Subscriber Identity Module (SIM)
Integrated Circuit Card Identification (ICCID)
International Mobile Equipment Identifier (IMEI)
Electronic Seal Number (ESN)
Helpful Hints for the Investigation
Things to Remember when Collecting Evidence
Acquire Data from SIM Cards
SIM Cards
Cell Phone Memory
Analyze Information
Cell Phone Forensic Tools
Device and SIM Card Seizure
Cell Phone Analyzer
Forensic Card Reader
ForensicSIM Tool
Forensic Challenges
Paraben Forensics Hardware
Paraben: Remote Charger
Paraben: Device Seizure Toolbox
Paraben: Wireless Stronghold Tent
Paraben: Passport Stronghold Bag
Paraben: Project-a-phone
Paraben: SATA Adapter
Paraben: Lockdown
Paraben: SIM Card Reader
Paraben: Sony Clie
Paraben: CSI Stick
Paraben: USB Serial DB9 Adapter
Paraben: P2 Commander

Module 16 – USB Forensics

Lesson Objectives
USB Components
USB Forensics
USB Forensics Investigation
Determine USB Device Connected
Tools for USB Imaging

Module 17 – Incident Handling

Lesson Objectives
Incident Handling Defined
What is a security event?
Common Security Events of Interest
What is a security incident?
What is an incident response plan?
When does the plan get initiated?
Common Goals of Incident Response Management
Incident Handling Steps
Be Prepared
The Incident Response Plan
Incident Handling
Incident Response Plan
Roles of the Incident Response Team
Incident Response Team Makeup
Challenges of building an IRT
Incident Response Training and Awareness
Jump Kit
Restore System(s) to Operation
Report Findings
Restore System

Appendix 1 – PDA Forensics

Lesson Objectives
Personal Digital Assistants
Palm OS
Palm OS Architecture
Pocket PC
Windows Mobile Architecture
Linux-based PDAs
Linux OS for PDAs-Architecture
Typical PDA State
Security Issues
ActiveSync and HotSync
PDA Forensic Steps
Tips for Conducting the Investigation
PDA Forensic Tools

Appendix 2- Investigating Harassment

Lesson Objectives
Sexual Harassment Overview
Examples of Sexual Harassment
What it is not?
Approach of General Investigation
Conduct Your Investigation
Preventative Action
Labs 1-4 Objective Summary

Recovering electronically stored data for civil litigation
Recovering, categorizing and analyzing data
Hiding and discovering potential evidence
Investigating a misappropriations of proprietary information complaints
Bit-by-bit imaging digital media and preserving the integrity of the image
Identifying and reconstructing information within various file systems
Conducting an investigation into a complaint of sexual harassment
Understanding anti-forensics and steganography
Discover how a computer has been used and learn:
What websites have been visited?
What data has been deleted, and why?
What data is stored on the hard drive?
What e-mails have been sent and received?
Has data been copied off of the computer?
Lab 1 – Preparing Forensic Workstations

AccessData FTK Imager Installation
AccessData FTK Installation
KFF Library Database Installation
AccessData Registry Viewer Installation
AccessData Password Recovery Toolkit
Lab 2 – Chain of Custody

Chain of Custody Search and Seizure
Chain of Custody Forensic Imaging
Lab 3 – Imaging Case Evidence / FTK Imager

Lab 4 – Reviewing Evidence / AccessData Tools

Creating a Case in AccessData Forensic Toolkit
Review Evidence in AccessData FTK Imager
Review Software File in AccessData Registry View
Review System File in AccessData Registry Viewer
Review SAM File in AccessData Registry Viewer