11 Sep 2017
300 € (no fee for the Sponsoring Nations, Contributing Partners and NATO bodies)
The course is targeted at technical IT staff who are used to working with IT in roles such as administrator, auditor and whose normal duties do not include forensic analysis. Experienced digital forensic staff doing forensics on a regular basis are not the target group and will receive only limited benefit from attending.
The course is also open to forensics trainers such as lecturers and tutors whose duties include forensics training.
- Provide an introduction into the field of digital forensics, touching upon terminology, methodology, chain of custody, and authority of investigation
- Introduce the main sources to search for evidence (assuming exclusively Windows hosts)
- Introduce and use primarily open source/free software (No Encase, limited FTK) Linux‐ and Windows‐based tools to show the students an example tool‐set for conducting digital investigations
- Provide exemplary experience in conducting forensic investigation through a number of hands‐on sessions using a limited number of tools
- Provide introduction to incident response
- Prepare course students for more in‐depth forensics/reverse engineering training.
- Technical IT Staff, working in the IT area in roles like administrator, auditor, etc., whose normal duties do NOT include forensic analysis, but who might be asked to support a forensic investigation. This course is introductory. Experienced digital forensic staff doing forensics on regular basis are not the target group and will receive only limited benefit from attending
- Administrators or IT Security staff who might be first responders to security incidents and want to secure evidence for later analysis, when no forensic staff is available
- IT staff who will acquire an initial skill set of how to conduct forensic investigation.
- Introduction to Digital Forensics
- Forensic process and workflow (theory)
- Terminology, Methodology, Mindset, Note taking, Authority
- Evidence Acquisition block (theory and hands‐on)
- System description and verification
- Different types of evidence and locations
- Forensic software/hardware for evidence acquisition
- Evidence handling
- Acquisition process
- Analysis and legal issues (theory and hands‐on)
- Media analysis (file systems, listing, string/byte search, timeline, data recovery, carving, hashing, etc.)
- Windows registry and other artifacts (theory and hands‐on)
- Data carving and application fingerprinting (theory and hands‐on)
- Internet activities focus (theory and hands‐on)
- Browser, Email, Instant Messaging Forensics
- Real‐Case Study presentation by external DF Expert (working at Estonian Forensic Science Institute, EFSI)
- IT staff without forensic knowledge can ‘understand’ what digital forensics is about and capable of, raising awareness and improving possible future support
- Basic knowledge to ensure that evidence is not spoiled by the acquisition process and all available evidence is collected
- Security awareness training for staff to understand the traces left behind on a system which can lead to intelligence gathered by others
- Practising forensic methods on the basis of prepared, exemplary exercises.
- Good work/administration experience in the Linux and Windows environments, especially command line
- Comfortable with using virtual machines for training environment (Virtual Box or similar)
- English language skill comparable to STANAG 6001, 220.127.116.11.
NB! This course will provide an overview and is not meant to provide an in‐depth introduction of forensic methods or tools. One of the aims of this course is to help to prepare students for the more challenging reverse engineering training offered by the NATO CCD COE, the Botnet Mitigation Course.
Please register for the course by visiting the NATO CCD COE website and completing the provided registration form before the deadline. Should you have any questions, please contact: events -at- ccdcoe.org.
* Before registering, please check the up‐to‐date course information on the NATO CCD COE website