Friday, June 15, 2012
Computer Forensics is the branch of information security that deals with data stored on digital media. It is used in the investigation of computer crimes and involves identifying, preserving, recovering, analyzing and presenting facts and opinions about that information. As we know, cyber crime is increasing day by day, and with it the need for professionals who can carry out computer forensics duties. This field of computer security is the best one for a career.
Recently I found the best training course for helping students learn computer forensics. In this post, I am writing about the Infosec Institute's online course on Computer Forensics.
This is an online course. Once you sign up, you are given a login and password for the Infosec Institute's online study portal, where you can access all the training videos.
About the course: This course is divided into 31 modules. These modules cover all the topics of computer forensics step by step, including the role of a Computer Forensics Examiner, legal issues, file structure, hidden files, passwords and encryption, network forensics, cell phone forensics, data recovery techniques, etc.
About the instructor: If you want to learn well, you need to find a good instructor. Infosec Institute has assigned Jeremy Martin as the instructor of this course. Jeremy Martin is an experienced Information Security Researcher and consultant. He has solid experience teaching Ethical Hacking / Penetration Testing / Red Teaming, Computer Forensics, Security Management, and other Information Assurance subjects.
Detailed analysis of the course modules:
Module 1: This is the basic introductory module, in which the instructor talks about computer forensics and examination. This module also describes the CCFE exam and its format.
Module 2: This module mainly focuses on the Role of a Computer Forensic Examiner (CFE). We learn the responsibilities and roles of a CFE in cyber cases. The instructor then explains the scope of authority under which a CFE works, and the four steps to becoming a successful CFE. The module goes on to explain how a CFE works and what rules he should follow.
Module 3: Module 3 mainly focuses on creating reports. The instructor covers everything that is really necessary for producing an impressive report, and explains the qualities and types of reports. He also introduces some automatic report generation tools. He says that a report should be only a few pages long and must include images for better understanding.
Module 4: Module 4 of the course is called Legal Issues. In this module the instructor discusses the legal issues that arise while working as a CFE. He also tells us that evidence gathering must not be performed without a court order. This module covers some interesting topics such as the Daubert rules and the Stored Communications Act.
Module 5: This module deals with the forensics workstation. From this module you will get some practical and technical knowledge, which is really interesting. The instructor explains the main aspects of a good forensics workstation and discusses many forensics tools such as EnCase, Helix, AccessData FTK, Foremost, etc. He also says that we must not rely on just a few tools; we should keep bringing more tools into the lab, because the more tools we have, the better our chances of recovering more evidence. At the end of the module there is a lab in which the instructor demonstrates many things.
Module 6: This module is called Computer Evidence Recovery Concepts. The instructor explains the difference between live and post-mortem forensics methods and when to use each. He also discusses the methodology for gathering, searching, marking and transporting evidence.
Module 7: In this module the instructor explains a few things that must be taken care of while transporting evidence. He explains the methods for storing, packing and transporting evidence in compliance with the organization's regulations.
Module 8: This module shows some live forensics, in which the instructor explains what to do when the only evidence is the volatile memory of the system. He also discusses the famous forensics tool Helix in this module. We also learn about RAM and some Windows utilities.
Module 9: In Module 9, the instructor explains the hard disk and its physical components. He covers each hard disk component and then the boot process. He also explains how data is stored in sectors and file allocation tables.
Module 10: In this module, the instructor explains the methods for making a disk write-protected to prevent changes to the evidence. We learn about software write blockers and hardware write blockers for disk write protection. This module includes 2 demos.
Module 11: Module 11 covers the techniques that must be followed in the disk image recovery process. He also explains that the destination disk used in the restoring process should be forensically clean, and suggests checking the hash value of the restored data against the original evidence.
Module 12: This module explains the difference between a physical or bitstream copy and a logical copy. The instructor explains some Linux commands, Linux dd and dcfldd, and their application. He also shows some demos at the end of the module.
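Modules 11 and 12 together describe one acquisition procedure: a forensically clean destination, a bit-stream copy with dd, and a hash check of the copy against the original. As an added example that is not from the course or this post, the following POSIX shell script runs that procedure against constructed sample files standing in for a source device and a destination disk (all paths and the sample data are assumptions).

```shell
# Added example: plain-dd bit-stream copy with the two checks the course
# describes, a clean destination and a source/image hash match.
set -eu

WORK="$(mktemp -d)"
SRC="$WORK/evidence.img"      # constructed stand-in for the source device
DST="$WORK/destination.img"   # constructed stand-in for the destination disk
trap 'rm -rf "$WORK"' EXIT

# Constructed sample evidence: a marker line plus random bytes, sized to a
# whole number of 4 KiB blocks, as a real device would be.
make_sample_evidence() {
    printf 'CONSTRUCTED-EVIDENCE-MARKER\n' > "$SRC"   # 28 bytes
    head -c 65508 /dev/urandom >> "$SRC"              # total 65536 bytes
}

# A forensically clean destination holds only zeros, so its hash must equal
# the hash of an all-zero stream of the same length.
destination_is_clean() {
    size=$(wc -c < "$1" | tr -d ' ')
    zero_hash=$(head -c "$size" /dev/zero | sha256sum | cut -d' ' -f1)
    dst_hash=$(sha256sum < "$1" | cut -d' ' -f1)
    [ "$zero_hash" = "$dst_hash" ]
}

# Physical (bit-stream) copy with dd; conv=noerror,sync keeps going past read
# errors and zero-fills the bad block so offsets in the image stay aligned.
# dcfldd can hash on the fly; here hashing is a separate coreutils step.
image_device() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# A bit-stream copy must hash identically to its source.
verify_image() {
    src_hash=$(sha256sum < "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum < "$2" | cut -d' ' -f1)
    [ "$src_hash" = "$img_hash" ]
}

# Whole run: succeeds only if the destination was clean and the image verifies.
acquire_and_verify() {
    make_sample_evidence
    head -c 65536 /dev/zero > "$DST"          # a wiped destination disk
    destination_is_clean "$DST" || return 1
    image_device "$SRC" "$DST"
    verify_image "$SRC" "$DST"
}

if acquire_and_verify; then echo "image verified"; else echo "verification FAILED"; fi
```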
Module 13: In this module, we learn about ASCII string searching and the tools used for it. We also learn that the tools used in this kind of search differ only in their parsing mechanisms. The instructor then explains the limitations of these tools. At the end of the module he demonstrates FTK Imager, which is used to perform automatic data carving.
Module 14: Module 14 discusses graphic files and the different graphic file extensions. Some file viewing software and some of the issues encountered while searching for graphic files are also discussed.
Module 15: This is a really interesting module that explains file formats and how they are stored on various media. The instructor explains how to identify deleted files and folders and then the method for recovering them. He also describes some cases where file recovery is easy, and notes that heavily fragmented disks are harder to recover: the higher the activity across a disk, the more difficult it is to recover data.
Module 16: In this module, the instructor explains the NTFS file system and the method of file recovery on this kind of file system. The module explains how NTFS stores data and saves disk space.
Module 17: Module 17 explains file slack and allocated disk space. The instructor explains file slack and its importance, and then the various storage places where data can be found: file slack, RAM, drive slack, the Windows swap file, and unallocated space.
Module 18: This module covers various techniques for hiding evidence on a hard disk. Methods including altered file extensions, bit shifting, steganography, file altering and streamed data are discussed. He also demonstrates ADS (alternate data streams).
Module 19: This module covers file compression in detail. He explains that file compression makes searching harder, and then covers the techniques used to detect operating system compression and consequently view compressed files.
Module 20: Module 20 explains steganography and how it works. He also discusses various steganography tools such as S-Tools v4 and Stegdetect, which can help in detecting steganography. Steganography is really an interesting topic and I love this module.
Module 21: Module 21 explains encryption and password management. In this module, we learn different tricks to break encryption and gather evidence. The instructor explains cryptography with a simple explanation of public and private keys.
Module 22: Module 22 revolves around Windows password management and breaking Windows passwords. The instructor explains SAM files and how Windows stores and uses these passwords. We then learn what SYSKEY is and how it is used to re-hash the stored password hashes. At the end of the module, the instructor shows some common and popular Windows password cracking tools, including L0phtCrack, Cain & Abel, etc.
Module 23: Module 23 deals with network forensics. If you like networking, this module will be interesting for you. It starts with networking basics and explains the common protocols in use. The instructor then discusses domains, DNS and addressing, and after that explains how to gather evidence on a network. He also covers firewalls and sniffers. Module 23 also includes some labs in which the instructor demonstrates some sniffers.
Module 24: Module 24 explains the internet cache and temporary files. The instructor explains how the browser is used in most internet crimes, then covers some popular browsers and the differences in how they store data. He also discusses the importance of the data cache and the method for obtaining it, and some of the places where traces can be left, such as history, the swap file, RAM cache, etc. After this, he turns to cookies and their various types. He also explains common internet vulnerabilities such as XSS, SQLi and others. This module also has 2 labs and interesting war stories.
Module 25: Module 25 covers email recovery and how it works. The instructor explains how email works and travels over the internet, then explains email headers and how they can be used to trace emails. He also explains how email can be recovered from the email server.
Module 26: Module 26 covers memory forensics. In this module the instructor explains that sometimes the hard drive or network drive may not provide enough information, so memory dumping is important. He also explains the tools that can be used to perform memory dumping.
Module 27: In Module 27, the instructor comes back to Windows and explains Windows swap files. He explains how they work, how to change the swap file registry settings, and then how to recover the swap file. He also explains pagefile.sys in detail.
Module 28: Module 28 is a little bit complicated and explains virtualization. In this module, the instructor explains the importance of virtualization and how it can be used to create a live environment. The module also contains an interesting demo.
Module 29: Module 29 is interesting, and smartphone lovers will really like playing with their phones. In it the instructor shows the difference between mobile forensics and computer forensics and how to gather data from smartphones. He also discusses some of the components of a mobile phone, such as the SIM, flash memory cards, the phone's internal memory, etc. At the end he discusses some software.
Module 30: This module focuses on Android smartphones and is called Android Forensics. The instructor explains the basics of Android and how to gather data from Android devices. He also discusses some tools and demonstrates how to extract information from an Android device using AFLogical.
Module 31: This module covers the basics of the iPhone. He also explains jailbreaking and the reasons why it is needed. At the end he discusses some tools.
Things I really like in this course:
· First, the instructor, who really knows how to present things in an interesting manner.
· The war stories make the course content interesting.
· The demonstrations are nice and help you understand things properly.
· Legal issues are also covered, which makes the course content professional.
· Each module covers the fundamentals, which makes it really easy to understand.
Things I wish this course had:
· More about mobile forensics.
· I always find it hard to keep up with theory classes, so there should be some printed content.
· Most of the tools used in the demos are commercial and costly. The course should add some open source alternatives.
Overall, the course content and instructor are the best in the industry. I personally recommend this course.
All students who want to make a career in information security and digital forensics may join the course. If you wish to join a law enforcement agency, this course will help you. You can see the course module overview above; if you find it interesting, you can surely join the course.
How to join this course: Go to the Infosec Institute website www.infosecinstitute.com and apply for the course.