Forensics 101
We have become detached from the data that is recorded in our systems and, for the most part, this is beneficial, allowing us to concentrate on organisation and process. However, when we need to probe more deeply, because we suspect abuse, error or fraud, we find we don’t know where to begin.
This course provides a “hands-on” introduction to the search and retrieval of data from systems using low or zero cost software tools.
Suitability and duration
Suitability: All levels
Duration: 2 days
Who should attend
Those responsible for investigating civil or breach of conduct matters will find this course of greatest practical benefit. The course uses a mixture of briefings and interactive case study work to maximise knowledge transfer. Class size is limited.
Delegates are required to bring a notebook computer to the class that can read a CD, and must have permission to install reputable forensic tools on it (provided on the course).
Benefits
Skills
After completion of this course, you will be able to:
- Assemble a toolkit of valuable search and retrieve utilities at low or zero cost
- Fingerprint hosts under investigation and perform a high-level review of them
- Deploy effective strategies for cataloguing structures and finding data at directory, file and sector levels whether in numeric, text or hex form
- Explore the possibilities of recovering lost, damaged or corrupted files, passwords and other important data
- Use tools for: locating images within systems; for tracking down numerical inconsistencies within data and spreadsheets; for extracting data from databases; and for resolving IP addresses and exploring email headers
- Discriminate between reliable and unreliable information, consolidate findings and report on observations
Support Materials
This course will be accompanied by a training manual containing briefing materials, examples and practical advice. Additionally, a CD of software for personal use will accompany this event.
Programme
The fundamental processes
- Forensic interest or data extraction interest?
- Searching computer systems and files – caveats
Assembling a toolkit
- Low or zero cost tools – the incentive
- Example tools: data and file searching; host fingerprinting; image searching, high and low level scanning; password, crypto tools and more
Practical 1: A high level pass
- Reviewing systems and media and assessing their attributes
- Cataloguing the system – eliminating possibilities
- Examination of cache files and system information: browser histories, cookie libraries, licenses, auto-start programs, installed programs, services
Practical 2: Search and retrieve – simple
- Basic – searching by types and categories of data
- Data attributes – non-invasive viewing, what they reveal
- Sectors, filing systems and how files are stored
- File attributes – low level viewing of files as hex and as text, why look at hex?
- Search hex – search text
- Occurrence and frequency analysis
- Keeping results – documenting as you go
Practical 3: Search and retrieve – complex
- Locating text hidden in files – complex searches
- Locating text using fast sector scanning
- Boot sectors and indexing tables
- Comparing files and text
- Hashes and calculating hashes
- Elimination and identification of files using hashing
- Disk and file cloning – exact copies
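The hashing steps of Practical 3 (calculating hashes, comparing files, and eliminating or identifying files by hash) can be illustrated with a short script. This is an added example, not part of the course manual or its software CD; the file contents and the "known good" / "known bad" hash sets are constructed here for the demonstration, where in practice the reference sets would come from a published hash library such as NSRL or from the investigator's own earlier findings, and the files would be read from a verified copy of the media rather than the live system.

```python
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Return the hex digest of a file, reading it in chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def same_content(path_a, path_b, algorithm="sha256"):
    """Exact-copy check: two files are identical when their digests match."""
    return hash_file(path_a, algorithm) == hash_file(path_b, algorithm)


def triage(paths, known_good, known_bad, algorithm="sha256"):
    """Bucket files by hash.

    Files whose digest is in known_good are eliminated from further review,
    files whose digest is in known_bad are flagged, everything else is left
    for manual examination. A digest in both sets is treated as known_bad.
    """
    result = {"eliminated": [], "flagged": [], "review": []}
    for path in paths:
        digest = hash_file(path, algorithm)
        if digest in known_bad:
            result["flagged"].append((path, digest))
        elif digest in known_good:
            result["eliminated"].append((path, digest))
        else:
            result["review"].append((path, digest))
    return result


def build_sample_case():
    """Constructed sample: three small files in a temp directory plus hash sets.

    The hash sets are derived from known content purely for this demonstration;
    they are not real reference values.
    """
    directory = tempfile.mkdtemp(prefix="forensics101_")
    contents = {
        "notepad.exe": b"pretend OS binary",      # would be eliminated as known good
        "report.docx": b"quarterly figures",      # unknown, left for review
        "evidence.jpg": b"pretend image bytes",   # would be flagged as known bad
    }
    paths = []
    for name, data in contents.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    known_good = {hashlib.sha256(b"pretend OS binary").hexdigest()}
    known_bad = {hashlib.sha256(b"pretend image bytes").hexdigest()}
    return paths, known_good, known_bad


if __name__ == "__main__":
    sample_paths, good, bad = build_sample_case()
    for bucket, entries in triage(sample_paths, good, bad).items():
        for path, digest in entries:
            print(f"{bucket:10} {digest[:16]}...  {os.path.basename(path)}")
```

Recording the digest next to each file name, as the loop above does, is the "documenting as you go" habit from Practical 2: the same list later proves that the files examined were the ones copied from the media, and a second run over the copy should reproduce every digest exactly.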
Practical 4: Recovery of deleted files
- Deliberately concealed data and evidence erasers
- Recovering deleted files
- Recovering passwords and identities
Practical 5: Image processing
- Simple and multi-format image viewers
- Searching for images
- Hidden images – file inclusions
- Steganography and data recovery
Practical 6: Network and email
- IP Headers and meaningful information
- Email content searching
Practical 7: Numerical tools and other techniques
- Style analysis – concordance and correlation
- Benford's Law and dodgy digit handling
- Digging about in spreadsheets
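Benford's Law, from Practical 7, states that in many naturally occurring sets of figures the leading digit d appears with probability log10(1 + 1/d), so 1 leads about 30% of the time and 9 under 5%. The script below is an added illustration, not part of the course materials: it tabulates the observed first-digit distribution of a column of numbers, compares it with the Benford expectation using a Pearson chi-square statistic, and runs that test over two constructed data sets, one that grows geometrically (and so conforms) and one made of amounts bunched just under a round figure (and so does not). The threshold constant and both data sets are assumptions made for the example.

```python
import math
from collections import Counter

# Expected share of each leading digit under Benford's Law
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value at the 5% level with 8 degrees of freedom (9 digits - 1)
CHI2_CRIT_8DF_05 = 15.51


def leading_digit(value):
    """First significant digit of a number, or None for zero / non-finite values."""
    v = abs(float(value))
    if v == 0 or math.isinf(v) or math.isnan(v):
        return None
    while v >= 10:
        v /= 10
    while v < 1:
        v *= 10
    return int(v)


def first_digit_distribution(values):
    """Observed share of each leading digit 1..9 (zeros and non-numbers are skipped)."""
    counts = Counter(d for d in map(leading_digit, values) if d is not None)
    n = sum(counts.values())
    return {d: counts[d] / n for d in range(1, 10)} if n else {}


def chi_square_stat(values):
    """Pearson chi-square of observed first-digit counts against the Benford expectation."""
    digits = [d for d in map(leading_digit, values) if d is not None]
    n = len(digits)
    if n == 0:
        return float("nan")
    counts = Counter(digits)
    return sum((counts[d] - n * BENFORD[d]) ** 2 / (n * BENFORD[d]) for d in range(1, 10))


def conforms(values, threshold=CHI2_CRIT_8DF_05):
    """True when the first-digit pattern is not significantly different from Benford."""
    return chi_square_stat(values) < threshold


def sample_data():
    """Two constructed columns of figures for the demonstration.

    'natural' grows geometrically over several orders of magnitude, the kind of
    data Benford's Law describes well. 'bunched' is 300 payments placed just
    under a constructed 7000 limit, a pattern that has no leading 1s, 2s or 3s.
    """
    natural = [round(1.05 ** i, 2) for i in range(1, 301)]
    bunched = [4900 + 7 * i for i in range(300)]
    return natural, bunched


if __name__ == "__main__":
    for name, column in zip(("natural", "bunched"), sample_data()):
        dist = first_digit_distribution(column)
        print(f"{name}: chi-square = {chi_square_stat(column):.1f}, conforms = {conforms(column)}")
        for d in range(1, 10):
            print(f"  digit {d}: observed {dist[d]:5.1%}  expected {BENFORD[d]:5.1%}")
```

A failed test is a prompt to look more closely, not proof of manipulation: small samples, figures with a fixed range (invoice numbers, percentages, amounts capped by policy) and assigned identifiers all depart from Benford for innocent reasons, which is why the course pairs the test with the spreadsheet digging that follows.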
Presenting data
- Fuzzy Time
- Authenticity
- Log Tampering, Corruption and Data Loss
Bringing it all together
- Reporting back on findings
- Keeping your knowledge up to date