Some topics and items in this class syllabus are subject to change. This document is for information purposes only. Syntricate makes no warranties, express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK, LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData Group, LLC. in the United States and/or other countries. Other trademarks referenced are property of their respective owners.
AccessData Advanced Forensics
Intermediate • Five-Day Instructor-Led Course
For more information contact: [email protected]
The AccessData Advanced Forensics five-day course provides the knowledge and skills necessary to install, configure and effectively use Forensic Toolkit® (FTK™), FTK Imager™, Password Recovery Toolkit™ (PRTK™) and Registry Viewer™. Participants will also use AccessData products to conduct forensic investigations on Microsoft® Windows® systems, learning where and how to locate Windows system artifacts.
Prerequisites
This hands-on class is intended for new users, particularly forensic professionals and law enforcement personnel, who use AccessData forensic software to examine, analyze, and classify digital evidence.
To obtain the maximum benefit from this course, you should meet the following requirements:
• Able to understand course curriculum presented in English
• Perform basic operations on a personal computer
• Have a basic knowledge of computer forensic investigations and acquisition procedures
• Be familiar with the Microsoft Windows environment
Class Materials and Software
You will receive the associated materials prior to the course.
During this five-day, hands-on course, participants will perform the following tasks:
• Install and configure FTK, FTK Imager, PRTK, and Registry Viewer
• Use FTK Imager to preview evidence, export evidence files, create forensic images and convert existing images
• Use the Registry Viewer to locate evidentiary information in Windows 2K and XP registry files
• Create a case in FTK
• Use FTK to process and analyze documents, metadata, graphics and e-mail
• Use bookmarks and check marks to efficiently manage and process case data
• Update and customize the KFF database
• Create and apply file filters to manage evidence in FTK
• Create regular expressions
• Import search lists for indexed searches in FTK
• Use the FTK Data Carving feature to recover files from unallocated disk space
• Use custom dictionaries and dictionary profiles to recover passwords in PRTK
• Use an FTK word list to create a custom dictionary in PRTK
• Create a user profile and biographical dictionary in PRTK
• Add SAM and Syskey values to PRTK to recover passwords and decrypt encrypted files
• Recover forensic information from Recycle Bin INFO2 files
• Recover forensic information from the following Windows XP artifacts:
o Thumbs.db files
o Metadata
o Link and Spool Files
o Alternate Data Streams
o Windows XP Prefetch
• Recover EFS encrypted files on Windows 2000 and XP systems
• Create and customize reports
The class includes multiple hands-on labs that allow students to apply what they have learned in the workshop.
Module 1: Introduction
Topics:
• Identify the FTK components
• List the FTK and PRTK system requirements
• Describe how to receive upgrades and support for AccessData tools
• Install required applications and drivers
Lab:
Participants will install the UTK components: FTK, KFF Library, FTK Imager, Registry Viewer, and PRTK.
Module 2: Working with FTK Imager
Objectives:
• Describe standard data storage devices
• Identify some common software and hardware acquisition tools
• List some common forensic image formats
• Use FTK Imager to perform the following functions:
o Preview evidence
o Export data files
o Create a hash to benchmark your case evidence
o Acquire an image of evidence data
o Convert existing images to other formats
• Use dockable windows in FTK Imager
• Navigate evidence items
• Use the properties and interpreters windows
• Validate forensic images
• Create Custom Content Images
• Mount images
• Capture active RAM
Lab:
During the practical, participants acquire an image of a thumb drive, then explore the FTK Imager features and functions discussed in the module, including converting an image to a different image format, creating a Custom Content Image, and mounting an image.
Module 3: Windows Registry
Windows Registry 101
Objectives:
• Describe the function of the Windows registry
• Identify the files that make up the Windows registry
• Describe how the registry is organized
• Identify forensic issues associated with multiple profiles on Windows systems
Windows 2000 and XP Registries
Objectives:
• Identify the files that make up the Windows 2000 and XP registry, list their locations, and describe the information they contain
• Identify reasons to resolve a user to a SID
• Identify notable tracking differences in the registry on FAT and NTFS systems including a look at tracking mounted devices
Module 4: Registry Viewer
Working with Registry Viewer
Objectives:
• Identify the menu and toolbar options in Registry Viewer
• Describe how Registry Viewer displays MRU lists
• Describe the function of the Registry Viewer’s common areas
• Describe different methods to search the registry
• Create a report in Registry Viewer
• Create a Summary report in Registry Viewer
• Utilize Registry Viewer help
Lab:
• Review the Registry Viewer interface
• Harvest and view registry files
Module 5: Working with FTK – Part 1
Objectives:
• Effectively use the Case Manager
• Create and administer users
• Back up, delete, and restore cases
• Identify the evidence processing options
• Create a case
• Identify the basic FTK interface components, including the menu and toolbar options as well as the program tabs
• Obtain basic analysis data
Lab:
During the practical, participants go through the introductory steps of processing a case, including creating a case, adding evidence to the case, and processing case evidence.
Students will also perform basic system functions such as creating user accounts and defining different levels of permissions to a case, managing shared objects, and customizing the FTK interface.
Module 6: Working with FTK – Part 2
Objectives:
• Change time zone display
• Create and manage bookmarks
• View compound files
• Export files and folders
• Create custom column settings to manage the information that appears in the FTK file list
• Use the Copy Special and Export File List Info features
• Perform additional analysis, such as full text indexing, after evidence has been added to the case
• Perform automatic and manual data carving functions
Lab:
The labs in this module guide participants through more advanced functions in processing case evidence. During the practical, participants will bookmark evidence, view metadata and compound files, examine registry files, recover deleted files from the Recycle Bin, export case files and folders, create custom column settings, decrypt files, and use the data carving feature to recover evidence items from file slack and unallocated space.
Module 7: Processing the Case
Objectives:
• Identify the elements of a graphics case
• Navigate the FTK Graphics tab
• Export graphics files and hash sets
• Tag graphics files using the Bookmarks feature
• Identify the elements of an email case
• Identify supported email types
• Navigate the FTK Email tab
• Sort email
• Find a word or phrase in an email message or attachment
• Export email items
Lab:
During the practical, participants explore FTK features to view, sort, and export email and graphic artifacts from the case. Students will also create custom columns for graphics and email, export email and graphics files, and create a hash list.
Module 8: Narrowing Your Focus
Objectives:
• Narrow evidence items using the Known File Filter, checked items, and filtered/ignored items
• Perform an indexed search
• Import search terms from text files
• Perform a regular expression search
Lab:
During the practical, participants learn how to effectively sort through case evidence to locate items of interest. Students will use the KFF database to ignore or flag known files, perform keyword searches, use dtSearch options to customize a search, and use regular expressions to search case evidence for pattern data such as credit card numbers or IP addresses.
Module 9: Regular Expressions
Objectives:
• Understand basic Operators and Literals in RegEx
• Learn 10 very useful characters and concepts of RegEx++, enabling you to write hundreds of expressions
• Create and interpret a basic regular expression that includes Function Groups and Repeat Values
• Integrate a new RegEx into FTK for use
• Integrate a new TR1 Expression into FTK for use
Lab:
• Create a regular expression and add it to the list of expressions in the FTK Live Search tab
• Perform a live search using the regular expression you created
Module 10: Filtering the Case
Objectives:
• Explain basic concepts of rule-based filtering in FTK
• Design a basic filter and use it to filter data
• Manage shared filters
• Discuss the use of compound filters
• Explain the difference between global and tab filters
• Import and export filters
Lab:
During the labs, participants create filters to locate specific items of interest. Students will further refine filter results using compound filters. Finally, students will have a chance to import and export filters so they can share filters with co-workers and colleagues.
Module 11: The Recycle Bin
Objectives:
• Describe the function of the Windows Recycle Bin
• Identify the differences in the Recycle Bin on FAT and NTFS systems
• List what information can be recovered from the INFO2 file
• Describe how FTK parses and displays INFO2 files
• Describe what happens when a file is deleted or removed from the Recycle Bin
• Explain what happens when a user empties the Recycle Bin
• Identify how information can still be retrieved when items are removed from the Recycle Bin
• Describe the forensic implications of files located in the Recycle Bin
• Describe the function of the Orphan folder
• Create a regular expression to recover unallocated INFO2 file records
Lab:
• Retrieve deleted evidence from the Recycle Bin
• Use a regular expression to locate INFO2 files
• Retrieve the following information from INFO2 files:
o Deleted File Path
o Deleted File Index
o Deleted File Drive Number
o Deleted File Date and Time
Module 12: Common Windows XP Artifacts
Thumbs.db Files
Objectives:
• Define the Thumbs.db file
• Define Thumbs.db behavior
• Identify thumbnail graphics
• Define EFS file changes and Thumbs.db behavior
Lab:
• Use FTK to recover graphics information from Thumbs.db files
Link and Spool Files
Objectives:
• Define the function of a link file
• Identify what evidentiary information is contained in link files
• Describe how FTK parses and displays link files
• Define the function of a spool file and its related files
• Identify what evidentiary information is contained in spool files
Lab:
• Use FTK to recover forensic information from link files, including the MAC address of the target machine
• Use link file data to associate a file with a USB drive
• Use FTK to recover forensic information from spool files
Alternate Data Streams
Objectives:
• Identify the differences between named and alternate data streams
• Identify forensic issues associated with alternate data streams
• Identify how Forensic Toolkit (FTK) displays alternate data streams
• Describe how alternate data streams impact file size, disk space, and file creation date
Lab:
• Identify alternate data stream files in your case
Windows Prefetch
Objectives:
• Accurately define Prefetch, Superfetch, and their related functions
• Define the forensic importance of Prefetch Registry entries, Prefetch files, and the Layout.ini file
• View and analyze pertinent Prefetch artifacts as they relate to case analysis and user behavior
Lab:
• View Prefetch settings in the Registry
• View Prefetch entries in FTK to find the last date and time an application was launched
• View Prefetch entries in FTK to determine the number of times an application was launched
Module 13: Working with PRTK
Objectives:
• Navigate within the PRTK interface
• Identify the available password recovery modules and their associated attack types
• Import user-defined dictionaries and FTK word lists to use in a password recovery attack
• Create biographical dictionaries
• Set up profiles
• Explain what a PRTK profile is and how it is used
• Recount the AccessData Methodology
• Recover Windows logon passwords
Lab:
• Export encrypted files from a case
• Export a word list and create a custom dictionary
• Create a Biographical dictionary
• Create a profile
• Recover a password
• Locate SAM and SysKey Files
• Attack and decrypt encrypted files, then list the recovered passwords
Module 14: Encrypting File System
Objectives:
• Describe how EFS works
• List the information required to recover EFS encrypted files on Windows 2000 systems
• List the information required to recover EFS encrypted files on Windows XP Professional Service Pack 1 (SP1) and later systems
• List potential problems associated with recovering EFS encrypted data
Lab:
• Create EFS encrypted files
• Recover EFS encrypted files in FTK
Module 15: Case Reporting
Objectives:
• Define a report
o Modify the case information
o Include a list of bookmarked files
o Export bookmarked files with the report
o Include thumbnails of bookmarked graphics
o Manage the appearance of the Bookmark section
o Include thumbnails of case graphics
o Link thumbnails to full-sized graphics in the report directory
o Export and link video files
o Export rendered videos and thumbnails
o Include a list of directories, subdirectories, files, and file types
o Include a list of case files and file properties in the report
o Export case files associated with specific file categories
o Append a registry report to the case report
• Generate reports in the following formats:
o PDF
o HTML
o RTF
o WML
o XML
o DOCX
o ODT
• Generate reports in other languages
Lab:
During the practical, participants create multiple reports from a single case to explore all options available from the report wizard. They build from a very basic report to a detailed report that contains customized report items.
AccessData Bootcamp
Intermediate • Three-Day Instructor-Led Course
For more information contact: [email protected]
The AccessData Bootcamp three-day course provides the knowledge and skills necessary to install, configure, and effectively use Forensic Toolkit (FTK), FTK Imager, Password Recovery Toolkit (PRTK) and Registry Viewer.
Prerequisites
This hands-on class is intended for new users, particularly forensic professionals and law enforcement personnel, who use AccessData forensic software to examine, analyze, and classify digital evidence.
To obtain the maximum benefit from this class, you should meet the following requirements:
• Able to understand course curriculum presented in English
• Perform basic operations on a personal computer
• Have a basic knowledge of computer forensic investigations and acquisition procedures
• Be familiar with the Microsoft Windows environment
Class Materials and Software
You will receive the associated materials prior to the course.
During this three-day, hands-on course, participants will perform the following tasks:
• Install and configure FTK, FTK Imager, PRTK, and Registry Viewer
• Use FTK Imager to preview evidence, export evidence files, create forensic images and convert existing images
• Review Registry Viewer functions, including indexing the registry, creating reports and integrating those reports with your FTK case report
• Create a case in FTK
• Use FTK to process and analyze documents, metadata, graphics and e-mail
• Use bookmarks and check marks to efficiently manage and process case data
• Update and customize the KFF database
• Create and apply file filters to manage evidence in FTK
• Use regular expressions to perform live searches
• Import search lists for indexed searches in FTK
• Use the FTK Data Carving feature to recover files from unallocated disk space
• Create and customize reports
• Use custom dictionaries and dictionary profiles to recover passwords in PRTK
• Utilize the index in FTK to create custom dictionaries in PRTK
The course includes multiple hands-on labs that allow students to apply what they have learned in the workshop.
Module 1: Introduction
Topics:
• Identify the FTK components
• List the FTK and PRTK system requirements
• Describe how to receive upgrades and support for AccessData tools
• Install required applications and drivers
Lab:
Participants will install the UTK components: FTK, KFF Library, FTK Imager, Registry Viewer, and PRTK.
Module 2: Working with FTK Imager
Objectives:
• Describe standard data storage devices
• Identify some common software and hardware acquisition tools
• List some common forensic image formats
• Use FTK Imager to perform the following functions:
o Preview evidence
o Export data files
o Create a hash to benchmark your case evidence
o Acquire an image of evidence data
o Convert existing images to other formats
• Use dockable windows in FTK Imager
• Navigate evidence items
• Use the properties and interpreters windows
• Validate forensic images
• Create Custom Content Images
• Mount images
• Capture active RAM
Lab:
During the practical, participants acquire an image of a thumb drive, then explore the FTK Imager features and functions discussed in the module, including converting an image to a different image format, creating a Custom Content Image, and mounting an image.
Module 3: Working with Registry Viewer
Objectives:
• Describe which files comprise the Windows Registry
• Discuss the elements of the Registry Viewer interface
• Identify the key features of the Registry Viewer
• Outline the use of FTK with other tools
• Create a basic report from FTK
• Seamlessly launch Registry Viewer from an FTK case
• Determine a user’s time zone setting
• Determine a user’s SID
Lab:
During the practical, participants use Registry Viewer to recover information from a sample image. Participants will then generate registry reports for individual registry files.
Module 4: Working with FTK – Part 1
Objectives:
• Effectively use the Case Manager
• Create and administer users
• Back up, delete, and restore cases
• Identify the evidence processing options
• Create a case
• Identify the basic FTK interface components, including the menu and toolbar options as well as the program tabs
• Obtain basic analysis data
Lab:
During the practical, participants go through the introductory steps of processing a case, including creating a case, adding evidence to the case, and processing case evidence. Students will also perform basic system functions such as creating user accounts and defining different levels of permissions to a case, managing shared objects, and customizing the FTK interface.
Module 5: Working with FTK – Part 2
Objectives:
• Change time zone display
• Create and manage bookmarks
• View compound files
• Export files and folders
• Create custom column settings to manage the information that appears in the FTK file list
• Use the Copy Special and Export File List Info features
• Perform additional analysis, such as full text indexing, after evidence has been added to the case
• Perform automatic and manual data carving functions
Lab:
The labs in this module guide participants through more advanced functions in processing case evidence. During the practical, participants will bookmark evidence, view metadata and compound files, examine registry files, recover deleted files from the Recycle Bin, export case files and folders, create custom column settings, decrypt files, and use the data carving feature to recover evidence items from file slack and unallocated space.
Module 6: Processing the Case
Objectives:
• Identify the elements of a graphics case
• Navigate the FTK Graphics tab
• Export graphics files and hash sets
• Tag graphics files using the Bookmarks feature
• Identify the elements of an email case
• Identify supported email types
• Navigate the FTK Email tab
• Sort email
• Find a word or phrase in an email message or attachment
• Export email items
Lab:
During the practical, participants explore FTK features to view, sort, and export email and graphic artifacts from the case. Students will also create custom columns for graphics and email, export email and graphics files, and create a hash list.
Module 7: Narrowing Your Focus
Objectives:
• Narrow evidence items using the Known File Filter, checked items, and filtered/ignored items
• Perform an indexed search
• Import search terms from text files
• Perform a regular expression search
Lab:
During the practical, participants learn how to effectively sort through case evidence to locate items of interest. Students will use the KFF database to ignore or flag known files, perform keyword searches, use dtSearch options to customize a search, and use regular expressions to search case evidence for pattern data such as credit card numbers or IP addresses.
Module 8: Filtering the Case
Objectives:
• Explain basic concepts of rule-based filtering in FTK
• Design a basic filter and use it to filter data
• Manage shared filters
• Discuss the use of compound filters
• Explain the difference between global and tab filters
• Import and export filters
Lab:
During the labs, participants create filters to locate specific items of interest. Students will further refine filter results using compound filters. Finally, students will have a chance to import and export filters so they can share filters with co-workers and colleagues.
Module 9: Case Reporting
Objectives:
• Define a report
o Modify the case information
o Include a list of bookmarked files
o Export bookmarked files with the report
o Include thumbnails of bookmarked graphics
o Manage the appearance of the Bookmark section
o Include thumbnails of case graphics
o Link thumbnails to full-sized graphics in the report directory
o Export and link video files
o Export rendered videos and thumbnails
o Include a list of directories, subdirectories, files, and file types
o Include a list of case files and file properties in the report
o Export case files associated with specific file categories
o Append a registry report to the case report
• Generate reports in the following formats:
o PDF
o HTML
o RTF
o WML
o XML
o DOCX
o ODT
• Generate reports in other languages
Lab:
During the practical, participants create multiple reports from a single case to explore all options available from the report wizard. They build from a very basic report to a detailed report that contains customized report items.
Module 10: Working with PRTK
Objectives:
• Navigate within the PRTK interface
• Identify the available password recovery modules and their associated attack types
• Import user-defined dictionaries and FTK word lists to use in a password recovery attack
• Create biographical dictionaries
• Set up profiles
• Explain what a PRTK profile is and how it is used
• Recount the AccessData Methodology
Lab:
During the labs, participants will use PRTK to recover passwords from data files. Students will also apply the AccessData Methodology to decrypt files in a sample image. This process will require students to export the FTK case index and Registry Viewer’s registry index to create a custom dictionary, create a biographical dictionary and custom profiles, then re-apply intel gathered from decrypted files to attack other encrypted files.
AccessData Linux Forensics
Advanced • One-Day Instructor-Led Course
For more information contact: [email protected]
The AccessData® Linux Forensics course provides the knowledge and skills necessary to install, configure and effectively use Forensic Toolkit® (FTK®), FTK Imager®, Password Recovery Toolkit® (PRTK®), and Registry Viewer®.
Prerequisites:
To obtain the maximum benefit from this course, you should meet the following requirements:
• Able to understand course curriculum presented in English
• AccessData BootCamp or equivalent experience with FTK and PRTK
• Have a basic knowledge of computer forensic investigations and acquisition procedures
• Perform basic operations on a personal computer
• Be familiar with the Linux environment
Class Materials and Software:
You will receive the associated materials prior to the course.
During this one-day, hands-on course, participants will review the following:
• Common Linux Distributions
• General Linux File Structure, Commands and Applications
• Linux OS Artifacts
o Printer information
o Installed software
o USB Tracking
o Distribution in Use
o Wireless Network Information
o Time Zone Information
o Computer Host Name
• User Profile Information
• System-related Data in the User Profile
o Track Folder
o Bash History
o Thumbscaching
o .cache Folder Artifacts
o .config Folder Artifacts
• Files and Folders Accessible to the User
• User-related Artifacts for Default Applications
o Firefox
o Thunderbird
o XChat
o Pidgin
This course includes multiple hands-on labs that allow students to apply what they have learned in the workshop.
Module 1: Introduction
Topics:
• Introductions
• Class Materials and Software
• Prerequisites
• Class outline
• Helpful information
Lab:
• Check system information
• Select Windows Explorer display preferences
• Prepare your system
Module 2: Linux Overview
Objectives:
• Outline the history of the Linux operating system
• Describe common Linux directories and their functions
• Describe common Linux commands and their purpose
• Describe common Linux applications
Lab:
• Navigate a Linux image in FTK to collect system artifacts
• Open a virtual machine in VMware Player
• Navigate the desktop and program menus
• Use the terminal to navigate the file system
• Use the terminal to manage files and directories
Module 3: Linux OS Artifacts
Objectives:
• Locate information about configured printers
• Identify software installed on Debian-derived distributions
• Identify USB devices connected to the system
• Identify which distribution is in use
• Locate information about wireless and wired networks configured on the system
• Determine the system’s time zone
• Determine the system’s host name
Lab:
• Examine Linux system log rotation
• Examine wireless and wired network connections
• Locate system printer information
• Locate software installation information
• Track USB devices
• Identify users who have logged in to a Linux system
• Identify failed login attempts
• Identify users who have SuperUser access
• Locate the computer name
• Identify computers allowed to access a local system
• Identify computers denied access to a local system
• Identify symbolic links
• Navigate the root user’s home directory
• Data carve the Linux swap partition
Module 4: Lab – User Profile – System Related
Objectives:
• Identify user accounts on the local system and determine group memberships
• Identify UNIX permissions applied to objects on a Linux system and determine ownership
• List and describe user profiles
• Locate additional user data beyond the home directory
• Analyze core artifacts pertaining to:
o Recycling of user files – Trash folder
o History of commands entered into the terminal window – bash
o Thumbs caching artifacts
o Contents of the .cache folder
o Contents of the .config folder
Lab:
• Explore the password file
• Explore the shadow file
• Identify user login passwords
• Set up a job with PRTK
• Attack encrypted documents using
• Decrypt a shadow file
• Use the recovered password
• Locate the password in FTK
• Analyze system-related data in the user profile
Module 5: User Profiles – User Related
Topics:
• Identify files and folders accessible to a given user
• Research internet usage history for Firefox
• Navigate email storage for Thunderbird
• Parse IRC logs and information for the XChat IRC client
• Analyze account information for the Pidgin instant messenger client
Lab:
• Review the user’s default directories
• Review recent file activity
• Locate Firefox artifacts and password cache
• Recover Firefox cached data
• Recover Thunderbird email
• Review the downloads directory for the IRC client
• Recover Instant Messenger artifacts (Pidgin)
AD Triage
Advanced • One-Day Instructor-Led Course
For more information contact: [email protected]
This advanced one-day course provides the knowledge and skills necessary to install, configure, and effectively use the AccessData® Triage software tool. AD Triage allows both forensic examiners and non-forensic personnel to acquire either all or specifically targeted hard drive data from a system in just minutes.
Prerequisites:
To obtain the maximum benefit from this course, you should meet the following requirements:
• Able to understand course curriculum presented in English
• Perform basic operations on a personal computer
• Be familiar with the Microsoft Windows environment
Class Materials and Software:
You will receive the associated materials prior to the course.
During this one-day, hands-on workshop, participants will review the following:
• Standard and custom profiles and how to create them
• Standard and custom filters and how to create them
• Standard and custom AD Triage devices and how to create them
• Using profiles, filters, and AD Triage devices to collect data
• Data collection
• Collecting data remotely
• Creating data reports
• Remote Shares
• Using AD Triage to send collected information
• Using AD Triage to Image
Module 1: Introduction
Topics:
• Introductions
• Class materials and software
• Prerequisites
• Class outline
• Helpful information
Module 2: Regular Expressions
Objectives:
• Describe how AD Triage works
• Discuss Live Response versus Dead Box issues
• Understand licensing
• Explain how to create an AD Triage device
Lab:
• Manage licenses
Module 3: Profiles and Filters
Objectives:
• Explain what a standard profile is
• Create a standard profile
• Explain what a filter is
• Create a filter
• Create a standard AD Triage device
Lab:
• Create a standard filter
• Use AD Triage on a virtual machine
• Create a custom profile
• Create a hash group
• Create a keyword list
• Create a custom filter
Module 4: Collecting and Reporting
Objectives:
• Explain what a custom profile is
• Create a custom profile
• Create a custom AD Triage device
• Explain what a report is
• Create a report
Lab:
• Use filters to create a profile
• Create a custom AD Triage device
• Create a data report
Module 5: Using Remote Shares
Objectives:
• Discuss Remote Destination
• Understand Remote Shares
• Use AD Triage to send collected information
Lab:
• Configure Remote Shares
• Collect data
• Import collections
Module 6: Imaging
Objectives:
• Demonstrate how to Image with AD Triage
Lab:
• See the different imaging options
• Make an AD1 image of files
Advanced FTK
Advanced • Three-Day Instructor-Led Course
For more information contact: [email protected]
The AccessData® Advanced FTK class provides the knowledge and skills necessary to effectively use the advanced analysis features of FTK™, FTK Imager™, Password Recovery Toolkit™ (PRTK™) and Registry Viewer™.
During this three-day, hands-on course, participants will perform the following tasks:
• Use FTK’s advanced processing options to examine evidence
• Merging index, setting preferences, saving cases
• Managing shared objects both at a global level and a case level
• Gain an understanding of processing options and profiles
• Use filtering to locate items of interest quickly
• Examine Live and Index searching, including TR1 Regular Expressions
• Utilize Cerberus to locate possible malware
• Use Visualization to get a graphic timeline view of files and Internet history
• Use Geolocation to identify where photos were taken
• Remote data preview and acquisition features
• Understand the requirements and how to set up Distributed Processing
• Obtain live memory and volatile data from a target system and complete an analysis of the data
Prerequisites:
This hands-on course is intended for users who have previously attended the AccessData BootCamp training, particularly forensic professionals and law enforcement personnel, who use AccessData forensic software to examine, analyze, and classify digital evidence.
• Previous AccessData BootCamp training
• Able to understand course curriculum presented in English
• Perform basic operations on a personal computer
• Have a basic knowledge of computer forensic investigations
Module 1: Introduction
Topics:
• Identify the LAB components
• List the LAB and PRTK system requirements
• Describe how to receive upgrades and support for AccessData tools
Module 2: Case Setup
Objectives:
• Merging Index
• Optimum Setup for FTK
• Preferences
• Archive/Backup
• Restore
• Indexing Options
Module 3: Advanced Processing (Part 1)
Objectives:
• Managing Shared Objects
o Carvers
o Custom Identifiers
o Columns
o File Extension Maps
o Filters
o Labels
• Photo DNA
• Evidence Processing Profiles
Module 4: Advanced Processing (Part 2)
Objectives:
• Managing Shared Objects
• Photo DNA
• Windows Event Logs
• Prefetch files
• Explicit Image Detection
• Optical Character Recognition
• Examining Video Files
Module 5: Advanced Filtering
Objectives:
• Designing Filters
• Compound Filters
• Global Filters
• Tab Filters
Module 6: Advanced Searching Techniques
Objectives:
• Live Search Options
o Text
o Pattern
o Hex
• Index Search
o dtSearch Indexing Options
o Conducting an Index Search
o Importing/Exporting Search Terms
o Search Operators
o Searching for a phrase
o Boolean Searches
o Searching Options
o TR1 Regular Expressions
Module 7: Cerberus
Working with Registry Viewer
Objectives:
• What is Cerberus Analysis
• Cerberus Processing Stages
• Stage 1 Analysis
• Stage 1 Threat Scoring
• Stage 2 Analysis
• Stage 2 Report
• Running Cerberus Analysis
• Reviewing Results in Examiner
• Exporting a Cerberus Report
• Bookmarking & Reporting Cerberus Files
Module 8: Visualization
Objectives:
• Launching Visualization
• Visualization Page
• Themes
• Visualization of Data
o Files
o Emails
o Social Analysis
o Traffic
o Internet Browser History
• Geolocation
Module 9: Adding Remote Evidence
Objectives:
• Describe the Remote Disk Mounting Service (RDMS)
• Deploy Temporary Agents
• Access Remote Data with Temporary Agent
• Create Digital Certificates
• Deploy Enterprise Agents
• Access Remote Data with Enterprise Agent
o Including Memory
• Mount a drive remotely
• Preview and Image a drive remotely
Module 10: Distributed Processing
Objectives:
• Describe the benefits of Distributed Processing
• System Requirements
• Installing DPE software
Module 11: Volume Shadow Copy
Objectives:
• Describe how Volume Shadow Copy works
• Identify what forensic information can be recovered from Volume Shadow Copy
• Use FTK to process a restore point
Module 12: Memory and Volatile Data Analysis
Objectives:
• What is memory vs. volatile data
• Capturing RAM
• Obtaining volatile data
• Adding to case
• Volatile tab
• Reporting
AccessData Advanced Forensics
Intermediate • Five-Day Instructor-Led Course
For more information contact: [email protected]
Module 8: Narrowing Your Focus
Objectives:
• Narrow evidence items using the Known File Filter, checked items, and filtered/ignored items
• Perform an indexed search
• Import search terms from text files
• Perform a regular expression search
Lab:
During the practical, participants learn how to effectively sort through case evidence to locate items of interest. Students will use the KFF database to ignore or flag known files, perform keyword searches, use dtSearch options to customize a search, and use regular expressions to search case evidence for pattern data such as credit card numbers or IP addresses.
Module 9: Regular Expressions
Objectives:
• Understand basic Operators and Literals in RegEx
• Learn 10 very useful characters and concepts of RegEx++, enabling you to write hundreds of expressions
• Create and interpret a basic regular expression that includes Function Groups and Repeat Values
• Integrate a new RegEx into FTK for use
• Integrate a new TR1 Expression into FTK for use
Lab:
• Create a regular expression and add it to the list of expressions in the FTK Live Search tab
• Perform a live search using the regular expression you created
Module 10: Filtering the Case
Objectives:
• Explain basic concepts of rule-based filtering in FTK
• Design a basic filter and use it to filter data
• Manage shared filters
• Discuss the use of compound filters
• Explain the difference between global and tab filters
• Import and export filters
Lab:
During the labs, participants create filters to locate specific items of interest. Students will further refine filter results using compound filters. Finally, students will have a chance to import and export filters so they can share filters with co-workers and colleagues.
Module 11: The Recycle Bin
Objectives:
• Describe the function of the Windows Recycle Bin
• Identify the differences in the Recycle Bin on FAT and NTFS systems
• List what information can be recovered from the INFO2 file
• Describe how FTK parses and displays INFO2 files
• Describe what happens when a file is deleted or removed from the Recycle Bin
• Explain what happens when a user empties the Recycle Bin
• Identify how information can still be retrieved when items are removed from the Recycle Bin
• Describe the forensic implications of files located in the Recycle Bin
• Describe the function of the Orphan folder
• Create a regular expression to recover unallocated INFO2 file records
Lab:
• Retrieve deleted evidence from the Recycle Bin
• Use a regular expression to locate INFO2 files
• Retrieve the following information from INFO2 files
o Deleted File Path
o Deleted File Index
o Deleted File Drive Number
o Deleted File Date and Time
Module 12: Common Windows XP Artifacts
Thumbs.db Files
Objectives:
• Define the Thumbs.db file
• Define Thumbs.db behavior
• Identify thumbnail graphics
• Define EFS file changes and Thumbs.db behavior
Lab:
• Use FTK to recover graphics information from Thumbs.db files
Link and Spool Files
Objectives:
• Define the function of a link file
• Identify what evidentiary information is contained in link files
• Describe how FTK parses and displays link files
• Define the function of a spool file and its related files
• Identify what evidentiary information is contained in spool files
Lab:
• Use FTK to recover forensic information from link files, including the MAC address of the target machine
• Use link file data to associate a file with a USB drive
• Use FTK to recover forensic information from spool files
Alternate Data Streams
Objectives:
• Identify the differences between named and alternate data streams
• Identify forensic issues associated with alternate data streams
• Identify how Forensic Toolkit (FTK) displays alternate data streams
• Describe how alternate data streams impact file size, disk space, and file creation date
Lab:
• Identify alternate data stream files in your case
Windows Prefetch
Objectives:
• Accurately define Prefetch, Superfetch, and their related functions
• Define the forensic importance of Prefetch Registry entries, Prefetch files, and the Layout.ini file
• View and analyze pertinent Prefetch artifacts as they relate to case analysis and user behavior
Lab:
• View Prefetch settings in the Registry
• View Prefetch entries in FTK to find the last date and time an application was launched
• View Prefetch entries in FTK to determine the number of times an application was launched
Module 13: Working with PRTK
Objectives:
• Navigate within the PRTK interface
• Identify the available password recovery modules and their associated attack types
• Import user-defined dictionaries and FTK word lists to use in a password recovery attack
• Create biographical dictionaries
• Set up profiles
• Explain what a PRTK profile is and how it is used
• Recount the AccessData Methodology
• Recover Windows logon passwords
Lab:
• Export encrypted files from a case
• Export a word list and create a custom dictionary
• Create a Biographical dictionary
• Create a profile
• Recover a password
• Locate SAM and SysKey Files
• Attack and decrypt encrypted files, then list the recovered passwords
Module 14: Encrypting File System
Objectives:
• Describe how EFS works
• List the information required to recover EFS encrypted files on Windows 2000 systems
• List the information required to recover EFS encrypted files on Windows XP Professional Service Pack 1 (SP1) and later systems
• List potential problems associated with recovering EFS encrypted data
Lab:
• Create EFS encrypted files
• Recover EFS encrypted files in FTK
Module 15: Case Reporting
Objectives:
• Define a report
o Modify the case information
o Include a list of bookmarked files
o Export bookmarked files with the report
o Include thumbnails of bookmarked graphics
o Manage the appearance of the Bookmark section
o Include thumbnails of case graphics
o Link thumbnails to full-sized graphics in the report directory
o Export and link video files
o Export rendered videos and thumbnails
o Include a list of directories, subdirectories, files, and file types
o Include a list of case files and file properties in the report
o Export case files associated with specific file categories
o Append a registry report to the case report
• Generate reports in the following formats:
o PDF
o HTML
o RTF
o WML
o XML
o DOCX
o ODT
• Generate reports in other languages
Lab:
During the practical, participants create multiple reports from a single case to explore all options available from the report wizard. They build from a very basic report to a detailed report that contains customized report items.
Applied Decryption
Advanced • Three-Day Instructor-Led Course
For more information contact: [email protected]
Applied Decryption is an intensive, hands-on course that reviews current encryption technology and provides the knowledge and skills necessary to recover passwords using PRTK™ and DNA™. This course introduces advanced cryptography concepts, including encryption standards and file recovery strategies. Participants are guided through a basic cryptographic system, including the elements used to create a File Encryption Key (FEK), passwords, hash functions, salt, passkey, and the FEK itself.
Participants are also introduced to AccessData™ decryption technology software. The course outlines how Password Recovery Toolkit™ (PRTK) and Distributed Network Attack™ (DNA) recover passwords from common applications, including the types of attacks that may be employed. It also reviews PRTK and DNA features and functions, including how to start attack sessions, how to import dictionaries, how to create attack profiles, and how to report Session/Job properties information. Also key to this course is the AccessData Decryption Methodology. Students review tactics like generating dictionaries based on suspect intelligence or exporting a word list from FTK, then importing the word list in PRTK or DNA to build an attack profile. After setting up the framework of decryption tools and strategies, this course focuses on how to attack specific encryption technologies, including:
• PGP: Participants review digital signatures and certificates, with a specific discussion about the PGP Web of Trust—including how the Web of Trust can be implemented, methods a third-party may use to infiltrate the group, and man-in-the-middle attacks.
• Encrypted Containers: Participants first learn how a virtual container file is viewed with a forensic tool when it is not mounted with the native application. This is followed by a discussion of how to recover passwords for encrypted containers so that you can natively mount the volume. Participants also discuss best-practice procedures to acquire a forensic image of the mounted virtual container using FTK Imager.
• EFS: Participants gain an understanding of how the Encrypting File System (EFS) works and how EFS file data can be recovered. Participants learn where Windows stores the encryption and decryption keys and how to exploit weaknesses within the Windows operating system to obtain these keys and decrypt the data. They are also given detailed instruction on the steps required for FTK to decrypt EFS file data on Windows 2000 and Windows XP SP1 systems.
• Protected Storage in Internet Explorer Versions 7-9: Participants discuss the definition, function, and forensic importance of protected storage artifacts associated with the Microsoft Internet Explorer Browser.
• Data Within Data: Participants are introduced to steganography—the concept of data concealed within data—and how to forensically process such files.
• System BitLocker and BitLocker To Go: Participants review some of the core functions related to acquiring BitLocker-encrypted evidence. Participants first learn how to identify a BitLocker-encrypted volume. The course then presents different ways to decrypt and forensically acquire data from a BitLocker-protected drive.
Prerequisites:
This course is intended for forensic investigators with experience in forensic case work and a basic working knowledge of FTK, FTK Imager, Registry Viewer, and PRTK.
To obtain the maximum benefit from this course, you should meet the following requirements:
• Able to understand course curriculum presented in English
• AccessData BootCamp or equivalent experience with FTK and PRTK
• Previous investigative experience in forensic case work
Class Materials and Software:
You will receive the associated materials prior to the course.
Module 1: Introduction
Topics:
• Introductions
• Class Materials and Software
• Prerequisites
• Class outline
• Helpful information
Lab:
• Check system information
• Select Windows Explorer display preferences
• Prepare your system
Module 2: Cryptography 201
Objectives:
• Define cryptography and the difficulty levels provided by different algorithms
• List the different types of passwords and standards defined by software applications
• Define cryptography terminology
• Describe the concepts and theory of basic cryptography systems
• Describe symmetric and asymmetric encryption standards
• Describe how digital certificates and signatures are used to encrypt data
Lab:
• During the lab, participants conduct exercises in ROT13, XOR, and manually obtain passwords from Trillian *.ini files.
Module 3: Decryption Technology
Objectives:
• Describe the PRTK/DNA interface
• Utilize the recovery modules
• Import and use dictionaries, rules, and characters to set up an attack profile
• List the steps to successfully break passwords
• Describe jobs and how to analyze their properties
Lab:
• During the lab, participants review the menu options in DNA, install a DNA Worker, run a job in PRTK and DNA, and import a custom dictionary.
Module 4: Working with DNA
Objectives:
• Plan and install a DNA network
• Set up and manage groups of machines
• Describe the DNA interface and preferences
• Set up the options and resources available to crack passwords
• Describe how to troubleshoot DNA
Lab:
• During the lab, participants review the DNA interface and management options.
Module 5: AccessData Decryption Methodology
Objectives:
• Attack encrypted documents using wordlists
o Word lists from images
o Word lists that maintain case and symbols
o Word lists from memory captures
• Attack encrypted documents using environment artifacts
• Investigate and uncover suspect intelligence to attack an encrypted document
• Create alternate dictionaries with a WebCrawler
• Create a passphrase dictionary with the AccessData Passphrase Generator
• Attack encrypted documents using wordlists
Lab:
Participants recover passwords and decrypt files by completing each of the following steps of the AccessData Decryption Methodology:
• Export an FTK word list
• Create word lists from a memory capture
• Recover passwords stored in an individual user’s registry file: NTUSER.DAT
• Create biographical dictionaries from suspect intelligence
• Use WebCrawler to create an alternate dictionary from Web artifacts
• Generate passphrases from a dictionary
Module 6: Lab - Decrypting Selected Applications
• Learn the ins and outs of using rules
• Recover passwords from encrypted Office documents
• Recover extended ASCII passwords
• Recover foreign language character set passwords
• Recover symbol substitution passwords
• Create a concatenation dictionary
• Perform reset, decryption, dictionary, and keyspace attacks
• Explore a variety of different file type attacks
Module 7: Working with PGP
During this practical, you will perform the following tasks:
• Generate public and private keys in PGP
• Implement the web of trust with digital signatures
• Break PGP key rings
Lab:
• Participants use the AccessData Decryption Methodology to break PGP key rings.
Module 8: Working with Encrypted Containers
Objectives:
• Decrypt a virtual encrypted container
• Mount the decrypted virtual container
• Create an image of the mounted virtual container
• Obtain header information from encrypted containers
Module 9: Encrypting File System Objectives:
• Describe how EFS works
• List the information required to recover EFS encrypted files on Windows systems
• List what information is required to recover EFS encrypted files on Windows XP Professional Service Pack 1 (SP1) and later systems
• List potential problems associated with recovering EFS encrypted data
• Discuss traditional attacks using the user’s login password and using saved keysets from a .pfx file
Lab:
• Participants use DNA to crack a SAM logon password. Subsequently, participants use the AccessData Decryption Methodology and a .pfx keyset to decrypt EFS files.
Module 10: Protected Storage in Internet Explorer Versions 7-9
Objectives:
• Compare and contrast the Protected Storage System Provider (PSSP) in Windows 2000/XP systems (Internet Explorer 6) with Windows Vista and Windows 7 DPAPI (specifically, systems using Internet Explorer versions 7–9).
• List the steps required to decrypt the protected information located in the IntelliForms subkey in Internet Explorer versions 7-9.
• List the steps required to break the user’s logon password
Lab:
• Participants use FTK Imager to harvest live registry files, then break the associated user’s logon password using FTK and PRTK.
Module 11: Working with Data Within Data
During this practical, you will perform the following tasks:
• Hide data using steganography
• Identify steganography detection methods
• Statistically analyze source and carrier files
• Recover payload from carrier files
Module 12: System BitLocker and BitLocker To Go
Objectives:
• Identify the fundamentals of BitLocker encryption and how it is implemented in Windows 7 and Windows 8
• Successfully image and access data from a seized system that is protected by BitLocker.