Certified Forensic Investigation Specialist

This specialist-level technical course is designed to practically develop a cyber investigator’s skills and extend their knowledge to reveal potential ‘smoking gun’ evidence from a system.

Investigators need to be capable of collecting and analysing data from a constantly evolving range of disk technologies, file and operating systems. The course is continually updated, based on our experiences, knowledge and client requirements to provide delegates with answers to the ‘How can I collect that data or find evidence of that activity?’

This five-day course provides theory and scenario-based practical exercises and expanding data collection to include ‘live’ and volatile data.

Delegates will investigate artefacts buried in common file systems and ‘recorded’ by Windows of both system and user activity.

WHO SHOULD ATTEND

Primarily aimed at practising digital forensic investigators and cyber security practitioners who have computer forensic experience and wish to dig deeper and broaden their skills. A natural progression from the Certified Forensic Investigation Practitioner course.

Select specific date to see price, venue and full details.

Learning Objectives

Using practical scenarios based primarily on Windows environments and artefacts, you will:

Understand the digital investigation process and best practice
Build a bootable USB data collection device
Collect data from Live, Remote and Virtual systems
Understand the underlying structures associated with NTFS, FAT32 and ExFAT file systems
Collect and process volatile data
Capture a mailbox from a live Microsoft exchange server
Investigate a Windows domain controller to identify systems and users
Understand RAID storage and rebuild data
Test data ‘wiping’ software
Understand types of ‘User’ account
Investigate Windows Event Logs and USB device activity
Examine user activity for program execution, file activity and system navigation
Investigate log files
Query Chrome web-browser SQLite databases and extract stored passwords
Explore and extract data from Volume Shadow Copies
Parse and interpret the USN/ Change Log

KEY BENEFITS

This course will enable you to:

Develop your forensic investigation skills to an advanced level
Practice new techniques suitable for evidence identification, capture and analysis in a ‘live’ environment
Acquire an industry-recognised qualification to support your career progress

Pre-Requisites

Principles and general guidelines surrounding forensic investigations
Experience of carrying out forensic investigations
A basic computer forensic course, e.g. Certified Forensic Investigation Practitioner course

Course Content

1. Digital Forensic Investigations

• A review of the investigation process, best practice and equipment

2. Data Theft

• How can data be stolen, investigated and possibly mitigated?

3. Data Acquisition

• Images and Clones; Static, Booted and Live; Physical and selective

• Solid State devices

• Considerations and associated problems

4. Windows Domains

• Gathering information from Domain Controllers

• Capturing File Shares and inaccessible systems

5. RAID’s and Virtualisation

• Identifying and rebuilding RAID’s

• Capturing and examining virtualised systems

6. Volatile Data

• Memory capture and volatile data collection from ‘live’ systems

• Investigating memory using volatility

7. Data Collection – Other Sources

• Exchange servers and web-mail

• Facebook, Websites, Linux and Macs

8. File Systems Revisited

• Understanding FAT32, NTFS and ExFAT data structures from a forensic perspective

9. Data Deletion and Wiping

• Windows Recycle Bins

• Testing wiping software

10. Tracing System Activity

• Investigating the Windows Registry, User Accounts, Event Logs and USB connected devices

11. Tracing User Activity

• Identifying Program execution, Files opened and Folder navigation

• Windows Object ID’s and file tracking

12. Log File Analysis

• Web and FTP logs

• Examination using Cygwin

13. Databases

• SQLite and Chrome browser artefacts

14. Volume Shadow Copies and File History

• Approaches to extracting data from VSC’s

• Windows File History

15. NTFS Journals

• Understand the value of the NTFS journal in investigations

Exams & Certification

Those delegates successfully passing the exam at the end of the course will be awarded the Certified Forensic Investigation Specialist (CFIS) qualification.

Related Courses

We can arrange to deliver all our public courses at your premises. In-house training offers advantages over booking public courses including:

cost savings
avoidance of travel expenses
tailoring to meet specific needs

Simply fill out the form below or call our sales team.

Remember, we aim to beat any like for like quote you have received.

Company:

Number of delegates:

Training location:

Time frame:

First name:

Last name:

Email address:

Phone number:

Notes:

Privacy Notice

In order to provide you with the service requested we will need to retain and use your contact information in accordance with our Privacy Notice. If you choose to provide us with this information you explicitly consent to us using the information as necessary to provide the requested service to you. If you do not agree please do not proceed to request the service from us.

Marketing Permissions

Would you like to receive our newsletter and other information on products and services which we think will be of interest to you by email. We will always treat your information with care and in accordance with our Privacy Notice. You are free to withdraw this permission at any time.

I would like to receive marketing via email: