CDFE Certified Digital Forensics Examiner (CFED Replacement)

COURSE OVERVIEW

Computer Forensics was developed by U.S. federal law enforcement agents during the mid to late 1980s to meet the challenges of white-collar crimes being committed with the assistance of a PC. By 1985 enforcement agents were being trained in the automated environment and by 1989 software and protocols were beginning to emerge in the discipline.

The Certified Digital Forensics Examiner program trains cyber crime and fraud investigators in electronic discovery and advanced investigation techniques. The course is essential for anyone who encounters digital evidence while conducting an investigation.

UPON COMPLETION

Certified Digital Forensics Examiner graduates will obtain real-world computer forensic knowledge that will help them recognize, seize, preserve and present digital evidence. Graduates will be able to confidently attempt the following professional computer forensic certifications:

1. Certified Digital Forensics Examiner (CDFE)
2. Certified Computer Examiner (CCE)®
3. Computer Hacking Forensic Investigator (CHFI)
4. Certified Forensic Computer Examiner (CFCE), an external certification

Module 1: Legal Aspects and the Need for Digital Forensics
Module 2: Computer Hardware
Module 3: File Systems, Disks and Storage Media
Module 4: First Response Model
Module 5: Boot Process: Windows, Linux and Macintosh
Module 6: PDA Forensics
Module 7: Acquiring Digital Evidence
Module 8: Forensic Models and Protocols
Module 9: Forensics Software and Hardware
Module 10: Cryptography, Password Cracking and Steganography
Module 11: Lab Protocols
Module 12: Forensic Investigative Theory
Module 13: Processing Evidence
Module 14: Documenting and Reporting Digital Evidence
Module 15: Presentation of Digital Evidence
Module 16: Fraud and Its Implications
Module 17: Evidence of Fraud – How Do You Find It?
 

Module 1: Legal Aspects and the Need for Digital Forensics

• Computer Forensics Overview
• Origins of Computer Forensic Science
• Criminal and Civil Laws
• Council of Europe
• Types of Computer Fraud Incidents
• Internal and External Threats
• Investigative Challenges
• Lab Exercise:
  ◦ www.cybercrime.gov

Module 2: Computer Hardware

• Computer Hardware Components
• The Boot Process
• Hard Disk Partitioning
• File System Overview
• Exam Tips
• Lab Exercise:
  ◦ The BIOS (Basic Input/Output System)
  ◦ Virtual Machine BIOS
  ◦ Boot Sequence Modification (Physical and Virtual)

Module 3: File Systems, Disks and Storage Media

• File System Basics: What About the Linux and Mac File Systems?
• FAT (File Allocation Table) Basics
  ◦ Physical Layout of FAT
  ◦ Viewing FAT Entries
• The Function of FAT
  ◦ How a File Is Stored (Created, Modified and Accessed Timestamps)
  ◦ The Effects of Deleting and Undeleting Files
  ◦ Slack Space
  ◦ Directory Entry Status Byte
• Instructor Demonstration: Viewing FAT
• NTFS (New Technology File System)
  ◦ Alternate Data Streams
• Linux File Systems
  ◦ FSSTND – Filesystem Standard
  ◦ FHS – Filesystem Hierarchy Standard
  ◦ EFS – Extensible File System
  ◦ GoboLinux
• Mac File Systems
  ◦ HFS – Hierarchical File System
  ◦ HFS+ – Hierarchical File System Plus
• VFS – Virtual File System
• CD and DVD File Systems
  ◦ ISO 9660
  ◦ UDF – Universal Disk Format
• Media Devices:
  ◦ Magnetic Tapes
    ▪ CFS – Cluster File System
  ◦ Floppy Disks
  ◦ Compact Discs, DVD and Blu-ray
  ◦ iPods, Zune, PSP, Flash Memory Cards
• Lab Exercise:
  ◦ Viewing File Systems Using a Hex Editor
  ◦ Ultimate Boot CD
  ◦ Helix Linux Live Boot CD
  ◦ Sanitizing Storage Media
  ◦ Alternate Data Streams: Creation, Detection and Removal

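
What the hex-editor lab above has you read by hand, as an added Python example that is not course material: a FAT12/16 8.3 directory is constructed in memory (the file names, timestamps, cluster numbers and the 2048-byte cluster size are made up), then parsed to show the status byte, the packed DOS date/time fields and the file slack left at the end of the last cluster. Deleting a file only rewrites the first byte of its directory entry to 0xE5; the rest of the entry and the data clusters are left in place, which is why undelete works and why slack can hold fragments of earlier files.

```python
"""Decode FAT 8.3 directory entries from a constructed on-disk directory.

Added example, not course material: shows the fields an examiner reads with a
hex editor, the 0xE5 "deleted" status byte, and file slack for an assumed
2048-byte cluster.
"""
import struct
from datetime import datetime

ENTRY_SIZE = 32
DELETED_MARK = 0xE5       # status byte: entry is free, data clusters untouched
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F           # VFAT long-file-name fragment, not a real entry
BYTES_PER_CLUSTER = 2048  # assumed cluster size for the slack calculation


def dos_date(dt):
    return ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day


def dos_time(dt):
    return (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)


def from_dos(date, time):
    """Unpack packed FAT date/time: local time, 2-second resolution."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def slack_bytes(size, bytes_per_cluster):
    """Bytes between end of file and end of its last cluster (file slack)."""
    return (-size) % bytes_per_cluster if size else 0


def build_entry(name, ext, created, written, accessed, cluster, size,
                attr=0x20, deleted=False):
    """Lay out one 32-byte entry exactly as FAT12/16 stores it."""
    raw = bytearray(name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii"))
    raw += struct.pack("<BBBHHHHHHHI", attr, 0, 0,
                       dos_time(created), dos_date(created), dos_date(accessed),
                       0, dos_time(written), dos_date(written), cluster, size)
    if deleted:
        raw[0] = DELETED_MARK  # the only byte a FAT delete changes in the entry
    return bytes(raw)


def parse_entry(raw):
    """Return a dict for one entry, or None at the end-of-directory marker."""
    if raw[0] == 0x00:
        return None
    attr = raw[11]
    if attr == ATTR_LFN:
        return {"kind": "lfn"}
    (_tenths, ctime, cdate, adate, hi, wtime, wdate, lo,
     size) = struct.unpack("<BHHHHHHHI", raw[13:32])
    deleted = raw[0] == DELETED_MARK
    base = raw[0:8].decode("latin-1").rstrip()
    ext = raw[8:11].decode("latin-1").rstrip()
    if deleted:
        base = "?" + base[1:]  # first character was overwritten by 0xE5
    return {
        "kind": "dir" if attr & ATTR_DIRECTORY else "file",
        "name": base + ("." + ext if ext else ""),
        "deleted": deleted,
        "created": from_dos(cdate, ctime),
        "written": from_dos(wdate, wtime),
        "accessed": from_dos(adate, 0),       # last access is date-only
        "first_cluster": (hi << 16) | lo,
        "size": size,
        "slack": slack_bytes(size, BYTES_PER_CLUSTER),
    }


def parse_directory(blob):
    entries = []
    for off in range(0, len(blob), ENTRY_SIZE):
        entry = parse_entry(blob[off:off + ENTRY_SIZE])
        if entry is None:
            break
        if entry["kind"] != "lfn":
            entries.append(entry)
    return entries


# Constructed directory: one live file, one deleted file, then the 0x00 end marker.
SAMPLE_DIRECTORY = (
    build_entry("README", "TXT", datetime(2009, 3, 14, 9, 26, 52),
                datetime(2009, 3, 14, 9, 30, 0), datetime(2009, 3, 15),
                cluster=3, size=700)
    + build_entry("SECRET", "DOC", datetime(2009, 2, 1, 17, 5, 10),
                  datetime(2009, 2, 2, 8, 0, 0), datetime(2009, 2, 2),
                  cluster=4, size=1500, deleted=True)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIRECTORY):
        flag = "DELETED" if e["deleted"] else "live"
        print(f'{e["name"]:<12} {flag:<8} cluster={e["first_cluster"]} '
              f'size={e["size"]} slack={e["slack"]} created={e["created"]}')
```

The first character of a deleted name is lost to the 0xE5 marker, hence the "?" the parser shows. Timestamps are stored as local time with 2-second resolution on the modified time and date-only on the last access, which matters when you build a timeline from FAT media.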
Module 4: First Response Model

• What Is Computer Evidence?
  ◦ Incidents and Evidence Types
• Search and Seizure
  ◦ Voluntary Surrender
  ◦ Subpoena
  ◦ Search Warrant
• Planning and Preparation
  ◦ The Physical Location
  ◦ Personnel
  ◦ Computer Systems
  ◦ What Equipment to Take
  ◦ Search Authority
• Handling Evidence at the Scene
  ◦ Securing the Scene
  ◦ Taking Photographs
  ◦ Seizing Electronic Evidence
  ◦ Bagging and Tagging
• Chain of Custody
  ◦ Definition
  ◦ Controls
  ◦ Documentation
• Evidence Admissibility in Court
  ◦ Relevance and Admissibility
  ◦ Best Practices for Admissibility
  ◦ Hearsay Rule, Exculpatory and Inculpatory Evidence
• Lab Exercise:
  ◦ Report and Documentation Overview
  ◦ Working with the Chain of Custody

Module 5: Boot Process: Windows, Linux and Macintosh

• The Boot Process
  ◦ System Startup
  ◦ Loading MS-DOS
  ◦ Loading Windows XP
  ◦ Loading Windows Vista
  ◦ Loading Windows Server 2003
  ◦ Loading Linux
  ◦ Loading Linux Server
  ◦ Loading Macintosh
• When to Pull the Plug or Shut Down?
• Lab Exercise:
  ◦ Boot Process Observation
    ▪ Linux
    ▪ Windows XP

Module 6: PDA Forensics

• TBA
• Investigative Options Available to Crack Password-Protected Files
• Lab Exercise:
  ◦ TBA

Module 7: Acquiring Digital Evidence

• Using Live Forensics Boot CDs
• Boot Disks
  ◦ Viewing the Invisible HPA (Host Protected Area) and DCO (Device Configuration Overlay) Data
  ◦ Drive-to-Drive DOS Acquisition
  ◦ Instructor Demonstration: Drive-to-Drive Imaging
• Forensic Image Files
  ◦ File Formats
  ◦ Data Compression
  ◦ Image File Forensics Tools
  ◦ Instructor Demo: Creating a Bit-by-Bit Image File
  ◦ Copyright Issues: Graphic Files
• Network Evidence Acquisition
  ◦ Why Network Acquisition?
  ◦ Network Cables
  ◦ What Tools Can You Use?
• FastBloc Acquisition
  ◦ FastBloc Models
  ◦ FastBloc Acquisition Process
• LinEn Acquisition
  ◦ Mounting a File System as Read-Only
  ◦ Updating a Linux Boot CD with the Latest Version of LinEn
  ◦ Running LinEn
  ◦ Steps to Using LinEn Acquisition
• Lab Exercise:
  ◦ VMware Technology
  ◦ Creating a Forensic Image of a USB Thumb Drive
  ◦ Deleting Files and Recovering Them
  ◦ Erasing Files
  ◦ Deleted Partition Recovery Tools
  ◦ File Created, Modified and Accessed Stamps
  ◦ Changing Time Stamps with timestomper

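
The imaging and verification steps listed above (a bit-by-bit image of a thumb drive, hashing it, and the chain-of-custody record from Module 4) as one runnable walkthrough. This is an added example, not course material or any vendor's tool: the "device" is a constructed in-memory byte string, the case number EX-2024-001, item tag USB-01 and examiner name are made up, and the imager zero-fills an unreadable block the way dd's conv=noerror,sync does so the image keeps the source geometry.

```python
"""Bit-for-bit acquisition with hash verification and a chain-of-custody record.

Added example, not course material. The "device" is a constructed in-memory
byte string, the case/item/examiner values are made up, and an unreadable
block is zero-filled so the image keeps the source geometry (what
dd conv=noerror,sync does).
"""
import hashlib
import io
import json
from datetime import datetime, timezone

BLOCK_SIZE = 512


class FlakyDevice(io.BytesIO):
    """Stand-in for a raw block device that fails on the given block numbers."""

    def __init__(self, data, bad_blocks=()):
        super().__init__(data)
        self.bad_blocks = set(bad_blocks)

    def read(self, size=-1):
        block_no = self.tell() // BLOCK_SIZE
        if block_no in self.bad_blocks:
            self.seek(size, io.SEEK_CUR)  # driver gives up on the block and moves on
            raise OSError(f"I/O error at block {block_no}")
        return super().read(size)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def image_device(device, image, block_size=BLOCK_SIZE):
    """Copy the device block by block into image.

    Hashes are computed over exactly the bytes written, so they describe the
    image file. Unreadable offsets are returned so the report can state which
    zero-filled ranges are the imager's doing, not the suspect's.
    """
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    unreadable = []
    offset = 0
    while True:
        try:
            chunk = device.read(block_size)
        except OSError:
            unreadable.append(offset)
            chunk = bytes(block_size)     # zero-fill, keep every later offset intact
        if not chunk:
            break
        image.write(chunk)
        sha256.update(chunk)
        md5.update(chunk)
        offset += len(chunk)
    return sha256.hexdigest(), md5.hexdigest(), unreadable


def verify_image(image_bytes, expected_sha256, block_size=BLOCK_SIZE):
    """Re-hash the finished image in blocks (as for a multi-GB file) and compare."""
    h = hashlib.sha256()
    for off in range(0, len(image_bytes), block_size):
        h.update(image_bytes[off:off + block_size])
    return h.hexdigest() == expected_sha256


def custody_record(case, item, examiner, size, sha256, md5, unreadable):
    """What goes on the evidence form and into the lab log beside the image."""
    return {
        "case": case, "item": item, "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "image_bytes": size, "block_size": BLOCK_SIZE,
        "sha256": sha256, "md5": md5,
        "unreadable_offsets": unreadable,
        "verified": None,
    }


def acquire(data, bad_blocks=(), case="EX-2024-001", item="USB-01", examiner="J. Doe"):
    """Image the device, then verify the written image against the acquisition hash."""
    device = FlakyDevice(data, bad_blocks)
    image = io.BytesIO()
    sha256, md5, unreadable = image_device(device, image)
    image_bytes = image.getvalue()
    record = custody_record(case, item, examiner, len(image_bytes), sha256, md5, unreadable)
    record["verified"] = verify_image(image_bytes, sha256)
    return record, image_bytes


# Constructed 16-block "thumb drive": each block starts with its own number.
DEVICE_DATA = b"".join(
    f"block {i:04d} ".encode().ljust(BLOCK_SIZE, b"\x00") for i in range(16)
)

if __name__ == "__main__":
    record, image = acquire(DEVICE_DATA, bad_blocks=(3,))
    print(json.dumps(record, indent=2))
```

Two hashes are taken over the bytes as they are written, then the finished image is re-read and hashed again; the record's verified field is that comparison. A hash of the source taken later behind a write blocker will match the image only if no block was unreadable, which is why the zero-filled offsets belong in the record and the report.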
Module 8: Forensic Models and Protocols

• Four Cardinal Rules
• Alpha 5
• Best Practices

Module 9: Forensics Software and Hardware

• Software Licensing Types
• Free Software
• Industry-Accepted Software
• Forensics Hardware Devices:
  ◦ Disk Duplicators
  ◦ Write Blockers
  ◦ Various Others
• Lab Exercise:
  ◦ FTK Case
  ◦ EnCase Case Scenario
  ◦ Hex Editors In Depth
  ◦ Hex File Analysis
  ◦ Helix Live Linux CD

Module 10: Cryptography, Password Cracking and Steganography

• Origins of Cryptology and Cryptography
  ◦ Cryptography and Cryptanalysis
  ◦ Hash Types
  ◦ Precomputed Hash Tables
  ◦ Types of Encryption Concepts
  ◦ Principles of “Diffusion” and “Confusion”
• Investigative Options Available to Crack Password-Protected Files
• Lab Exercise:
  ◦ Breaking a Windows XP Password
  ◦ Brute-Force Attacks
  ◦ Dictionary Attacks
  ◦ Username and Password List Files
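
A worked version of the lab items above (hash types, precomputed hash tables, dictionary and brute-force attacks, and the NTLM hash a Windows XP SAM holds). This is an added example, not course material: the wordlist and the hashes to crack are constructed here, NTLM is computed as MD4 over the UTF-16LE password with a pure-Python MD4 because many current OpenSSL builds no longer expose hashlib.new("md4"), and the brute-force charset is deliberately tiny so the search finishes in seconds.

```python
"""Hash identification, precomputed tables, dictionary and brute-force attacks.

Added example, not course material. The wordlist and target hashes are
constructed here. NTLM (Windows XP and later) is MD4 over the UTF-16LE
password; the MD4 below is pure Python because many current OpenSSL builds
no longer expose hashlib.new("md4").
"""
import hashlib
import itertools
import struct

MASK = 0xFFFFFFFF


def md4(data):
    """RFC 1320 MD4: three rounds of 16 steps over each 64-byte block."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)      # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        blk = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for f, const, shifts, order in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4                      # step rewrites a, d, c, b in turn
                v[j] = rotl((v[j] + f(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                             + blk[k] + const) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def ntlm(password):
    """NT hash: unsalted MD4 of the UTF-16LE password, as stored in the SAM."""
    return md4(password.encode("utf-16-le")).hex()


HASHERS = {
    "md5": lambda p: hashlib.md5(p.encode()).hexdigest(),
    "sha1": lambda p: hashlib.sha1(p.encode()).hexdigest(),
    "sha256": lambda p: hashlib.sha256(p.encode()).hexdigest(),
    "ntlm": ntlm,
}


def candidate_types(digest):
    """Guess by length and alphabet; 32 hex digits fits both MD5 and NTLM."""
    d = digest.lower()
    if not d or any(c not in "0123456789abcdef" for c in d):
        return []
    return {32: ["md5", "ntlm"], 40: ["sha1"], 64: ["sha256"]}.get(len(d), [])


def precompute(wordlist, algo):
    """hash -> plaintext table: built once, reused against every captured hash."""
    return {HASHERS[algo](w): w for w in wordlist}


def dictionary_attack(digest, wordlist, algo):
    return precompute(wordlist, algo).get(digest.lower())


def brute_force(digest, charset, max_len, algo):
    """Exhaustive search; work grows as len(charset) ** max_len."""
    target, h = digest.lower(), HASHERS[algo]
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            guess = "".join(combo)
            if h(guess) == target:
                return guess
    return None


def crack(digest, wordlist, charset="abcdefghijklmnopqrstuvwxyz", max_len=3):
    """Dictionary first for every plausible hash type, then a short brute force."""
    for algo in candidate_types(digest):
        hit = dictionary_attack(digest, wordlist, algo)
        if hit is not None:
            return algo, hit, "dictionary"
    for algo in candidate_types(digest):
        hit = brute_force(digest, charset, max_len, algo)
        if hit is not None:
            return algo, hit, "brute-force"
    return None


WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2009"]  # constructed
TARGETS = {                                                          # constructed
    "ntlm_password": "8846f7eaee8fb117ad06bdd830b7586c",  # NT hash of "password"
    "sha1_letmein": hashlib.sha1(b"letmein").hexdigest(),
    "md5_short": hashlib.md5(b"cab").hexdigest(),
    "ntlm_short": ntlm("bad"),
}

if __name__ == "__main__":
    for label, digest in TARGETS.items():
        print(label, digest, "->", crack(digest, WORDLIST))
```

LM hashes, which XP also stores unless disabled, are DES-based and are not covered here. NTLM is unsalted, which is exactly why a precomputed table built once from a wordlist works against every hash pulled from every SAM; a salted scheme would force the table to be rebuilt per user. For a real case use John the Ripper or hashcat; this block only shows the mechanics.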
• Introduction: Past and Future
• Classification of Steganography
  ◦ Insertion, Substitution and Creation
• Steganography Categories
  ◦ Substitution Systems
  ◦ Transform Domain Techniques
  ◦ Spread Spectrum Techniques
  ◦ Statistical Methods
  ◦ Distortion Techniques
  ◦ Cover Generation Methods
• Types of Steganography
• Applying Steganography
  ◦ Pictures, Video, Audio, Text
  ◦ Hidden Partitions
  ◦ Slack Space
  ◦ Unused Sectors
• Steganography Tools
• Detecting Steganography
• Lab Exercise:
  ◦ Creating Steganography
    ▪ Image Hide Tool
    ▪ Blind Side Tool
    ▪ Your Own Tool
  ◦ Detecting Steganography
    ▪ Using FTK
    ▪ Using EnCase
    ▪ Other Methods

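The "your own tool" and "other methods" items above, as one runnable example that is not part of the course: a 64x64 8-bit grayscale "image" is constructed in memory (no image library), the message is made up, the payload goes sequentially into the least significant bit of each sample starting at the first one, and detection uses the Westfeld-Pfitzmann pairs-of-values chi-square test, which is built for exactly that sequential-LSB case. The function names and the 2.0 chi-per-degree-of-freedom threshold are this example's own choices.

```python
"""LSB steganography and its detection with the pairs-of-values chi-square test.

Added example, not course material. The "image" is a constructed 64x64 8-bit
grayscale gradient with a skewed LSB plane (no image library needed), the
message is made up, and the payload is written sequentially into the least
significant bit of each sample from the first sample onward.
"""
import random

WIDTH, HEIGHT = 64, 64
HEADER = 4  # bytes of big-endian message length written ahead of the message


def make_cover(seed=7):
    """Gradient whose LSB is 1 only about 15% of the time, like a quiet scan."""
    rng = random.Random(seed)
    return bytes((((x + y) * 2) & 0xFE) | (1 if rng.random() < 0.15 else 0)
                 for y in range(HEIGHT) for x in range(WIDTH))


def capacity_bytes(cover):
    return len(cover) // 8 - HEADER


def _bits(data):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, message):
    """Replace one LSB per sample with the header and message bits, in order."""
    if len(message) > capacity_bytes(cover):
        raise ValueError("message does not fit in the cover's LSB plane")
    payload = len(message).to_bytes(HEADER, "big") + message
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def _read_bytes(samples, first_bit, count):
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (samples[first_bit + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego):
    length = int.from_bytes(_read_bytes(stego, 0, HEADER), "big")
    return _read_bytes(stego, HEADER * 8, length)


def chi_square_pov(samples):
    """Westfeld-Pfitzmann pairs-of-values statistic and its degrees of freedom.

    LSB embedding only moves samples between 2k and 2k+1, never out of the
    pair, so the two counts in each pair converge and the statistic collapses;
    an untouched image keeps them unequal and the statistic stays large.
    """
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi, dof = 0.0, -1
    for k in range(128):
        n0, n1 = hist[2 * k], hist[2 * k + 1]
        expected = (n0 + n1) / 2
        if expected:
            chi += (n0 - expected) ** 2 / expected
            dof += 1
    return chi, dof


def suspect_lsb_embedding(samples, max_ratio=2.0):
    """Flag a region whose chi-square per degree of freedom sits near 1.

    A full test would use the chi-square p-value; the 2.0 ratio is this
    example's rule of thumb (an untouched skewed plane scores well above it).
    """
    chi, dof = chi_square_pov(samples)
    return dof > 0 and chi / dof < max_ratio


# Constructed message: the kind of note a suspect might hide in a holiday photo.
MESSAGE = (b"Wire 4471 cleared: 18,500 moved from the account ending 2291 to the "
           b"Vaduz account on 12 March. Delete this after reading and say nothing "
           b"to the auditors. The next batch goes out by the same route on Friday.")

if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, MESSAGE)
    region = (HEADER + len(MESSAGE)) * 8
    print("recovered:", extract(stego)[:40], "...")
    for label, img in (("cover", cover), ("stego", stego)):
        chi, dof = chi_square_pov(img[:region])
        print(f"{label} chi/dof = {chi / dof:.2f}  suspect={suspect_lsb_embedding(img[:region])}")
```

The test only works this well because the payload was written from the first sample on; a tool that scatters bits with a key-derived permutation spreads the equalisation thinly over the whole image and the statistic has to be taken over the whole plane instead of a leading window. Real images also need the histogram taken per colour channel, and FTK or EnCase will not flag an LSB payload by signature alone, which is why a statistical pass belongs in the detection workflow.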
Module 11: Lab Protocols

• Quality Assurance
• Standard Operating Procedures
• Peer Review
• Administrator Review
• Annual Review
• Deviations from the SOP
• Lab Intake and What You Must Receive
• Tracking Digital Evidence in the Lab
• Storage Requirements
• Proficiency Tests
• Code of Ethics

Module 12: Forensic Investigative Theory

• Locard’s Exchange Principle
• Aspects of Reconstruction
• Classification
  ◦ Comparison
  ◦ Individualization
• Behavioral Evidence Analysis
  ◦ Equivocal Forensic Analysis
  ◦ Victimology
  ◦ Incident Scene Characteristics

Module 13: Processing Evidence

• MAC Times and Image Metadata
• Windows Registry
• System Identifiers
• Sources of Unique Identification within the OS
• Aspects of OS Data Files, Including Index.dat and AOL System Files
• “Recycle” Folder and Deleted Files

Module 14: Documenting and Reporting Digital Evidence

This module reviews and analyzes the methods used to document and report the results of a computer forensic examination. Students present their findings and electronic discoveries in an exercise that demonstrates their ability to create an effective presentation.

Module 15: Presentation of Digital Evidence

Students are introduced to the presentation of digital evidence in a courtroom environment and to the specialized tools needed to create and present the results of a cyber crime investigation to an administrative body or court of law. Both civil and criminal incidents are covered. In the final exercise students present their findings in a low-tech format that non-technical personnel can follow, explaining the results in layman’s terms, a skill that is critical in any investigation.

• “Best Evidence” Concept
• “Hearsay” Concept
• “Authenticity” and “Alteration of Computer Records” Concepts
• “Layman’s Analogies” Available to the Computer Forensic Practitioner
• Admissibility of Digital Evidence in a Court of Law

Module 16: Fraud and Its Implications

Module 17: Evidence of Fraud – How Do You Find It?
 

Course Registration

5 days
$3,450.00