Fundamental Theory & Practice of Digital Forensics. Training Course

Transcription

1 Fundamental Theory & Practice of Digital Forensics Training Course Following a decade of investment to meet the needs of intelligence and military agencies, the new generation ILookIX is now available as a commercial product. This integrated and advanced digital evidence toolset goes far beyond the capabilities of any other commercial digital forensic platform. As part of the new approach to forensics being championed by Perlustro, Xtreme Forensics and the University of Western Australia a unique course combining formal university-accredited theoretical education and tool-specific training has been developed. Perlustro ( is now offering a self-directed, short course training course through the University of Western Australia, Perth in the second half of the year - oriented to those seeking entry to computer forensics, IT support that need a para-forensic capability, forensic auditors and legal practitioners. Perlustro accreditation is awarded to participants who successfully complete the course and a Certificate of Completion from the University of Western Australia is provided for each successfully completed module. The training course is oriented to those seeking entry to computer forensics, IT support who need a para-forensic capability, forensic auditors and legal practitioners. Xtreme Forensics ( is also preparing computer forensic training for its ediscovery tool ISeek. While the course does not attempt teach formal digital forensics, it provides realistic crime simulations to enable the student to use advanced forensic tools to complete forensic examinations. This experiential training combined with file and evidence analysis to advanced levels is combined with sound theoretical practice. Many of the built in automated short cuts will be presented, which will assist in improved case preparation and analysis. In November 2014, the training course will be offered through the University of Western Australia. Its key components are: ILookIX and IXImager user training to advanced user status, consisting of: o Gaining practice and competency in using the tools. o Completion of crime scene analysis simulations from basic to advanced level and demonstrating competency in evidence extraction, analysis and using the power of the tool to prepare forensic reports of a high standard. A 90 days self-paced online training and as per the postgraduate certificate pre-recorded, teaching and instructional information in the form of video recordings is available online for participants to gain confidence and competence using the tools and completing the assessable components of the course.

2 Online technical and teaching support by forensic practitioners/academic personnel is available to assist students complete the course. UWA certificate of attendance based on successful completion of each module. Perlustro certification of completion and certification of competency in using the forensic tools. ILookIX light version (KIXLite) is offered on successful completion of the course and a heavily discounted version of ILookIX and an academic discounted version of the full version new release if requested. We are able to offer a discounted training fee of AUS$2,500 for the inaugural offering of the training course until the end of the year, although the course structure and fee are still subject to ratification. The multiple aspects of ILookIX, a GUI-based forensic suite, are presented with emphasis on imaging and processing of seized media. The student will walk through a case from previewing to the final reports. The breakdown of the training modules is set out as follows: Module 1 Course overview 1.1 Objectives of the training course. 1.2 Introduction to Perlustro. 1.3 Structure of the course. 1.4 The assessment structure and criteria. 1.5 Introducing the forensic tools used and conditions of use. Module 2 Description of ILookIX and IXImager 2.1 Basic concepts 2.2 Overview of ILookIX 2.3 Overview of IXImager 2.4 Introducing ISeek and IVault Module 3 Installing ILookIX 3.1 Hardware and software requirements 3.2 Installation Module 4 Forensic imaging with IXImager 4.1 Overview of IXImager 4.2 Setting up IXImager 4.3 Creating IXImager

3 4.4 Using IXImager 4.5 Device Utilities 4.6 Indexing and searching 4.7 Viewing a debug log file 4.8 Quitting IXImager 4.9 Advanced topics Module 5 Imaging and Conversion with ILookIX 5.1 Image formats 5.2 Imaging interface 5.3 When to use ILookIX s imager 5.4 VMDK sparse 5.5 KIX Boot Module 6 ILookIX familiarisation (assessable component) 6.1 Basic concepts 6.2 Interface Exploring mapped data Navigating the Explorer Pane Navigating the View Pane Search history Moving and detaching panes Overview of the Tool Box Setting up ILookIX options for first use Module 7 Case management (assessable component) 7.1 Case set up Wizard 7.2 Adding evidence 7.3 Process actions XFR (Extreme File Recovery) VSS Full and Differential Break-out archives Break-out stores Indexing Hashing Recovery Post filesystem map functions 7.4 Supported image file types

4 Module 8 Working with files and folders (assessable component) 8.1 Listing files 8.2 Columns 8.3 Thumbnail and gallery view 8.4 Filtering files 8.5 Eliminating files 8.6 Restoring files 8.7 Tagging files 8.8 Categories 8.9 Deconstruction 8.10 ILookIX Internal reports 8.11 Viewer 8.12 Properties Module 9 Hashing and data reduction 9.1 Data reduction 9.2 Reports 9.3 Importing NSRL hash data 9.4 Hashing from the Tool Box 9.5 Hashing from the Explorer Pane 9.6 Hash sets and the hash Set Manager 9.7 Hash elimination 9.8 Hash deduplication Module 10 Working with and attachments (assessable component) stores 10.2 Listing messages and attachments 10.3 Viewing attachments 10.4 Columns 10.5 Filtering messages 10.6 Eliminating and restoring messages and attachments 10.7 Tagging messages 10.8 Categories Module 11 Working with Registry (assessable component) 11.1 Standard and hidden values 11.2 Viewing Registry values 11.3 Using shortcuts

5 11.4 Searching the Registry Module 12 Working with raw data 12.1 Disk view 12.2 Selecting sectors 12.3 Hex View Module 13 Indexing and searching (assessable component) 13.1 Indexing 13.2 Searching 13.3 Search interface 13.4 Search results 13.5 Hash searching 13.6 Finder Module 14 Encryption 14.1 Finding encrypted files 14.2 Known passwords 14.4 Dictionaries Module 15 Malware detection 15.1 Viruses and evidence Module 16 Advanced analysis tools (assessable component) 16.1 Event Analysis 16.2 Cloud Analysis 16.3 Lead Analysis Linkage 16.5 Histograms Module 17 Reporting and IVault (assessable component) 17.1 General reports 17.2 Tool Box reports 17.3 IVault Module 18 Mini Apps 18.1 Overview of Mini Apps & IDE

6 Module 19 File Salvage 19.1 File signatures 19.2 Salvaging unallocated and salvage media 19.3 PIP image salvage 19.4 Outlook salvage Module 20 Assessable Components The assessable components require students to: Demonstrate competency in using the forensic tools to complete prescribed tasks in a crime simulation setting. Demonstrate competency in locating, analysing evidence using advanced forensic tools and preparing a report on their findings. Contact Details Richard Boddington Visiting Fellow Digital Forensic Practitioner Centre for Forensic Science The University of Western Australia Mailbag: M Stirling Highway, Crawley WA 6009 Australia Phone nd September 2014