Advanced • Three-Day Instructor-Led Course
For more information contact: [email protected]
The Internet Forensics course provides the knowledge and skills necessary to use AccessData™ tools to recover forensic information from Internet trace evidence artifacts. Participants learn where and how to locate evidence from Internet browsers, Instant Messenger (IM) clients, and social network sites using Forensic Toolkit™ (FTK™), Registry Viewer™, and Password Recovery Toolkit™ (PRTK™).
Prerequisites:
Although there are no specific prerequisites for this course, the following recommendations will enable students to realize the greatest benefit from the training:
• Able to understand course curriculum presented in English
• Attend the AccessData BootCamp or have equivalent experience
• Have previous investigative experience in forensic case work, in either public or private sector
• Be familiar with the Microsoft Windows environment
• User-level understanding of Internet applications such as browsers, Instant Messenger clients, and social networking sites
Class Materials and Software:
You will receive the associated materials prior to the course.
During this three-day hands-on course, participants perform the following tasks:
Locate and process Internet browser client trace evidence for:
o Preferences and settings
o History
o Internet cache
o Bookmarks/Favorites
o Cookies
o Downloads
o Search queries
o Autocomplete and form data
o Webpage authentication
Identify and process Instant Messenger (IM) clients for:
o Local user and contact information
o Archived instant messages
o Transactional log files
o File transfer and sharing information
Examine the Windows registry for:
o Internet browser and IM client user preferences
o Local user and contact information for IM and social network clients
o Browsing history, bookmarks, and downloads
o Search queries, form data, and Webpage authentication
Use the interoperability between AccessData products to:
o Decrypt Webpage authentication user names and passwords
o Decrypt search queries, form data, and e-mail account information
o Bookmark and generate relevant reports in support of an Internet-based investigation
Students will have hands-on labs that allow them to apply what they have learned to a mock case. These performance-based simulations are designed to help participants retain information learned during the training.
Some topics and items in this class syllabus are subject to change. This document is for information purposes only. Syntricate makes no warranties, express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK, LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData, Inc. in the United States and/or other countries. Other trademarks referenced are property of their respective owners.
Internet Forensics
Module 1: Introduction
Topics:
• Introductions
• Class materials and software
• Prerequisites
• Class outline
• Helpful information
Lab:
• Software installation and local machine configuration.
Module 2: Yahoo! Instant Messenger
Objectives:
• Recover artifacts from the Yahoo! Instant Messenger client in the Windows file system and registry to include:
o Local User account information
o Contact information
o Transactional logs
o Instant Message (IM) conversations
o File transfer, Webcam, and file sharing activity
Lab:
• Utilizing FTK Imager, Registry Viewer, Forensic Toolkit (FTK), and the Password Recovery Toolkit (PRTK), participants examine Yahoo! Instant Messenger artifacts within the Windows operating system.
Lab exercises include an examination of local user profile information, contact lists, file transfers, photo sharing activities, instant message conversation history, and Yahoo! transactional logs.
Module 3: Skype
Objectives:
• Recover artifacts from the Skype Instant Messenger client in the Windows file system and registry to include:
o Local User account information
o Contact information
o Transactional logs
o Instant Message (IM) conversations
o File transfer, Webcam, and file sharing activity
o Discuss incorporating the former Windows Live Messenger client into the Skype application
Lab:
• Utilizing FTK Imager and FTK, participants examine artifacts that result from the use of Skype within the Windows operating system.
Lab exercises include an examination of user profile and contact information, the interoperability of Windows Live Messenger contact lists, file transfers, phone calls, and instant message conversation history.
Module 4: Facebook
Objectives:
• Recover forensic artifacts associated with the following Facebook elements:
o Account creation and activation
o Local user’s personal home page (profile) updates and activities
o Artifacts associated with interactions with other users
o Chat (Facebook Messenger) client conversations
o Facebook artifacts from within the Internet browser cache
• Utilize index searches, live searches, and filtering within FTK to help narrow the scope of evidence
Lab:
• Utilizing FTK Imager, Registry Viewer, FTK, and PRTK, participants examine evidence that results from the use of the Facebook social network within the Windows operating system.
Lab exercises include an examination of temporary Internet cache, Internet browser history, and live memory analysis to identify Facebook-related artifacts.
Module 5: Safari
Objectives:
• Examine the Windows file system to recover the following Apple Safari browser artifacts:
o User preferences and settings
o Internet history
o Internet cache
o Cookies
o Bookmarked websites
o Online searches
o Autofill and form data
o Downloaded files
o Encrypted user data
Lab:
• Utilizing FTK Imager, Registry Viewer, FTK, and PRTK, participants examine evidence that results from the use of the Safari browser within the Windows operating system.
Module 6: Firefox
Objectives:
• Examine the Windows file system to recover the following Firefox browser artifacts:
o User preferences and settings
o Internet history
o Cookies
o Bookmarked websites
o Online searches
o Autofill and form data
o Downloaded files
o Encrypted user data
• Identify encrypted Webpage authentication data and understand the necessary components for decryption within PRTK
Lab:
• Utilizing FTK Imager, Registry Viewer, FTK, and PRTK, participants examine evidence that results from the use of the Mozilla Firefox browser client within the Windows operating system.
Lab exercises include the examination of Firefox history, temporary Internet cache, user preferences and settings, file downloads, Internet bookmarks, cookies, and the decryption of the user’s sign-on data.
Module 7: Internet Explorer
Objectives:
• Examine the Windows file system and registry to recover the following Internet Explorer browser artifacts:
o User preferences and settings
o Internet history
o Internet cache
o Cookies
o Bookmarked websites
o Online searches
o Autofill and form data
o Downloaded files
o Encrypted user data
Lab:
• Utilizing FTK Imager, Registry Viewer, FTK, and PRTK, participants examine Internet Explorer artifacts within the Windows operating system.
Lab exercises include the examination of Internet Explorer history, temporary Internet cache, user preferences, file downloads, Web page recovery, Webmail account access, searches, and the decryption of the user’s IntelliForms data. The Windows Extensible Storage Engine (ESE) database is also discussed.
Module 8: Google Chrome
Objectives:
• Examine the Windows file system to recover the following Google Chrome browser artifacts:
o User preferences and settings
o Internet history
o Internet cache
o Cookies
o Bookmarked websites
o Online searches
o Autofill and form data
o Downloaded files
o Encrypted user data
Lab:
• Utilizing FTK Imager, Registry Viewer, FTK, and PRTK, participants examine Google Chrome artifacts within the Windows operating system.
Lab exercises include the examination of temporary Internet cache files, Internet history files, file downloads, user preferences, bookmarks, offline email archives, and the decryption of the user’s logon data.