Overview
The Advanced Computer Forensic Techniques (ACFT) Course is designed to train corporate IT
personnel as well as law enforcement and military investigators in
the advanced elements of computer forensics. ACFT is taught in a
hands-on, interactive training environment where students gain a
comprehensive understanding of advanced investigative techniques.
This Course is designed for computer forensic-savvy investigators
and recent graduates of Mile2’s Computer Forensics and Electronic Discovery (CFED) training course who wish to take their skill set to the next level. Students
attending this class must have a firm understanding of conducting a
computer forensic examination.
The benefits to law enforcement and the military are obvious. On
the other hand, corporate IT personnel will use the skills gained to
identify and remedy vulnerabilities that have been exploited so as
to eliminate the problem. Additionally, in many cases the techniques
used may help identify the perpetrator for referral to law
enforcement for prosecution. There are many job descriptions that
will benefit from this training depending on industry segment –
general network administration, law enforcement, insurance
investigations, litigation support and criminal defense to name a
few.
A 5-day DFED & ADFT bootcamp is also available.
Prerequisites
Students should have experience conducting computer forensic
examinations or have completed the Computer Forensics & Electronic
Discovery Course.
The “Advanced Computer Forensic Techniques” Course is
specifically designed for corporate and government personnel who in
the performance of their duties may be asked to conduct an advanced
Computer Forensic investigation. Students attending the “Advanced
Computer Forensic Techniques” Course must be certified graduates of
the M2 Computer Forensics “Computer Forensics and Electronic
Discovery” Course or a similar course of instruction within the past
24 months. Additionally, the student must possess some sound
knowledge of how to use e-mail, word-processing, spreadsheet and MS
PowerPoint® software programs as well as the popular automated
forensic software tools (EnCase™ and Forensic Tool Kit™). A basic
working knowledge of the Linux operating system would also be
helpful, but is not a requirement. Upon completion of this Course,
the student will receive the knowledge necessary to properly conduct
an advanced Computer Forensic investigation and execute advanced
reporting procedures.
Certification
Upon completion of the Advanced Computer Forensic Techniques course
or the CFED/ACFT bootcamp, students will be able to attempt the
following exams:
General Public or Law Enforcement
Certified Computer Examiner (CCE)® through ISFCE - (This Examination can
be taken after the course as an option.)
Law Enforcement Only
External Certified Forensic Computer Examiner process (CFCE) through the
International Association of Computer Investigative Specialists.
Student Materials
Students will receive the following items during the training
program:
- A 350-page comprehensive computer forensic student guide and
investigative resource materials.
- A CD-ROM containing GUI-based Windows data examination
software with a "live" casefile.
- A CD-ROM containing GUI-based Linux data examination software.
- Upon passing practical and written examinations, a Certificate
of Completion.
Our curriculum was developed by John A. Sgromolo, former Course
Director for the Computer Crime curriculum at the Institute of
Police Technology and Management at the University of North Florida,
located in Jacksonville. Mr. Sgromolo, a pioneer in computer
forensics, is a former Special Agent with the Naval Criminal
Investigative Service. He was responsible for coordinating all
computer crime general investigations at the Norfolk Field Office.
In his capacity as Course Director for IPTM, Mr. Sgromolo was
responsible for teaching hundreds of law enforcement officers
nationwide the intricacies of computer crime investigations.
Outline
The following lessons are covered during this course.
Electronic Discovery and Digital Evidence
An overview of different operating systems and
file structures that are encountered during a computer forensic
examination. Knowing the basics of the digital media you are working
on and recalling the fundamentals helps you properly begin your
forensic examination of the media.
Forensic Examination
This covers the advanced procedures necessary to conduct an accurate and
carefully documented computer forensic examination. Advanced methods
of computer forensic protocols are implemented, including physical
evidence recovery.
Hardware Utilities
Students are introduced to numerous innovative hardware tools available for
conducting a computer forensic examination. Students will utilize
these advanced tools during practical application exercises to
investigate digital media.
Specialized Examination Tools
This is an introduction to a variety of “state of
the art” and unique software tools for use in a computer forensic
examination. Students utilize advanced software and participate in
practical exercises to gain a clear understanding of the tools
available to them. This is a hands-on laboratory where innovation
and knowledge play key roles.
Advanced Artifact Recovery
This is a hands-on laboratory where students
conduct an advanced forensic examination of digital media. The focus
of this lesson is to utilize advanced automated tools for the
recovery of digital artifacts that are unattainable by conventional
methods. There are several practical exercises that challenge even
the senior cybercrime investigator. Focus is placed on using the
advanced tools and thinking “outside the box” to try to discover
incriminating digital evidence on a live case file.
Crypto and Password Recovery
This covers digital encryption file structures
and password-protected data that an investigator may encounter while
conducting an examination. Students are exposed to methods to decode
and crack passwords that are used to protect potential evidence.
They also learn techniques for gaining access to encrypted files
that may reside within the information.
Specialized Digital Media Analysis and Recovery
This covers state of the art software whereby
students are required to examine digital media in an attempt to
recover data pertaining to a civil or criminal offense. The students
will present their findings to the class during an evidence
presentation exercise. Students will compete to see who completes
the most thorough investigation. This exercise is very in-depth and
competitive.
Electronic Discovery and Recovery Lab
Students will conduct a proper “seizure and search”
for digital evidence. This is a hands-on, practical exercise where
students will use their newly attained skills to find evidence that
cannot be detected by normal computer forensic investigative
methods.
Documenting and Reporting Digital Evidence
This lesson reviews and analyzes the methods used
to document and report the results of a computer forensic
examination. Students will present their findings and electronic
discoveries in an exercise to demonstrate their abilities to create
an effective presentation.
Presentation of Digital Evidence
This is the final exercise where students are
faced with the challenge of presenting their findings in a low-tech
format whereby non-technical personnel are able to decipher and
understand the results. The students will physically present their
findings in “layman’s terms,” which is critical during any
investigation. Getting the audience to gain a clear understanding of
what occurred on a computer system is sometimes the biggest hurdle
in completing an effective investigation.