Computer Forensics is the branch of information security
which deals with the data stored in digital media. It is used in the
investigation of computer crimes and identifies, preserve, recover, analyze and
present facts and opinions about the information. As we know that cyber crime
is increasing day by day. So the rate by which cyber crime is increasing, need
for the professionals who can do computer forensics duties is also increasing.
This field of computer security is the best for the career.
Recently I found the best training course which help
students better in learning computer forensics. In this post, I am writing
about the Infosec Institute's online course on Computer Forensics.
This is an online course on which you can study. Once sign
up for the course, you will be given the login and password for the online
study portal of the infosec institute. In this portal, you will be able to
access all the training videos.
About the course:
This course is divided into 31 modules. These modules cover all the topics of
computer forensics step by step. These modules covers topics like Role of a
Computer Forensics Examiner, Legal issues, file structure, hidden files,
password and encryption, network forensics, cell phone forensics, Data recovery
techniques etc.
About the instructor:
If you want to learn better, you need to search a good instructor. Infosec
Institute has assigned Jeremy Martin as the instructor of this course. Jeremy
Martin is an experienced Information Security Researcher based and consultant.
He has good experience of teaching Ethical Hacking / Penetration Testing / Red
Teaming, Computer Forensics, Security Management, and other subjects of
Information Assurance.
Detail analysis of
course modules:
Module 1: This is
the basic introductory module in which instructor tells about the computer
forensic and examination. This module tells about the CCFE exam and its format.
Module 2: This
module mainly focuses on the Role of a Computer Forensic Examiner (CFE). We
learn the responsibilities and roles of CFE in cyber cases. Then instructor explains
the scope of authorities under which CFE works. Instructor also explains four
steps to be a successful CFE. This module further explains how CFE works and
what things he should follow.
Module 3: Module
3 mainly focuses on creating reports. Instructor tells all the things which are
really necessary for the generation of an impressive report. He also explains
the qualities and type of reports. Instructor also tells us about some
automatic report generation tools.. He tells that report should only have few
pages and must have images for better understanding.
Module 4: Module
4 of the course is called legal issues. In this module instructor tells about
the legal issues while performing the task as CFE. He also tells us that all
evidence gathering methods must not be performed without the court order. This
module covers some interesting things like Daubert rules, Stored electronics
communication act.
Module 5: This
module deals with the workstation for Forensics. From this module, you will get
some practical and technical knowledge which is really interesting. Instructor
explains main aspects of a good forensics workstation. He also discussed many
forensics tools such as Encase, Helix, AccessData FTK, Foremost etc. He also
tells that we must not rely on few tools. We should try to bring more and more
tools to the lab. Hence the more number of tools we have, the better chances we
have of getting more evidence. At the end of the module, we also have a lab in
which instructor explains many things.
Module 6: This
module is called Computer evidence recovery concepts. Instructor explains difference
between live and post mortem forensics methods. He also explains when to use
which forensics method. He also discussed the methodology of gathering,
searching, marking and transporting evidence.
Module 7: In this
module instructor explains few things which must be taken care while
transporting the evidence. He explains the method for Storing, packing and
transporting evidence with complying with the organization's regulations.
Module 8: This module shows some live forensics in which
instructor explain what to do when evidence is only the volatile memory of the
system. He also discussed the famous forensics tool Helix in this module. We
also learn about RAM and some windows utilities.
Module 9: In
Module 9, instructor explains about hard disk and its physical components. He
explains each hard disk components and then boot process. He also tells how
data is stored in sectors and file allocation tablets.
Module 10: In
this module, instructor explains the methods to make disk write protected to
prevent evidence changes. In this module we learn how to write software blocker
and hardware blockers for disk write protection. This module includes 2 demo.
Module 11: Module
11 covers the techniques which must be followed in disk image recovery process.
He also tells that destination disk should be forensically clean which is used
in the restoring process. He also suggest to check the hash value of restored
data with original evidence.
Module 12: This
module tells the difference between a physical or bitstream copy and a logical
copy. Instructor explains some linux commands,
Linux dd and the linux dcfl dd and their application. He also show some
demo at the end of module.
Module 13: In
this module, we learn ASCII string search and tools used in this process. We
also learn that all the tools used in this search are only different in their
parsing mechanisms. Then instructor explains limitations of these tools. At the
end of module instructor demonstrate FDK Imager which is used to perform
automatic data carving.
Module 14: Module
14 discusses about Graphic file and different graphic files extensions. Some of
the file viewing software and some of the issues while finding graphic files
are also discussed.
Module 15: This
is really an interesting module which explains file formats and its storage on
various media. Instructor explains how to identify deleted file and folders and
then method for recovery. He also explains some cases where file recovery is
easy. He tells that heavily fragmented disks is harder to recover. Higher activity across a disk, the more
difficult it is to recover data.
Module 16: In
this module, instructor explains NTFS file system and method of file recovery
in this kind of file system. This module explains how NTFS stores data and
saves the disk space.
Module 17: Module
17 explains File Slacks and allocated disk space. Instructor explains about
File Slack and its importance. He then explains various storage places where
data could be find. These are File
slack, RAM, Drive slack, Windows swap file, or unallocated space.
Module 18: This
module covers various techniques for hiding evidence on hard disk. He explains
methods including Altered file extensions, Bit shifting, Steganography, File
Altering, Streamed data are discussed. He also demonstrates ADS.
Module 19: This
module tells about file compression detail. He also tells that file compression
make searching harder and then he explains techniques used in detecting
operating system compression and consequently view compressed files.
Module 20: Module 20 explains Steganography and how
it works. He also discuss various steganography tools like S-Toolsv4 ,
Stigdetect which can help in detecting steganography. Stegnography is really an
interesting topic and I love this module.
Module 21: Module
21 explains encryption and password management. In this module, we learn
different tricks to break the encryption and gather evidence. Instructor
explains cryptography with simple explanation of public and private keys.
Module 22: Module
22 runs around windows password management and breaking windows password.
Instructor explains SAM files and how windows store and use these passwords. We
then learn what is a SYSKEY and how it is used to rehash the hashed password.
At the end of the module, instructor show some common and popular tools of
windows password cracking which includes L0phtCrack, Cain and Able etc.
Module 23: Module
23 deals with network forensics. If you like networking, this module will be
interesting for you. This module covers networking with basics and also explains
common protocol used. Then instructor also discuss domain, dns and addressing.
After that he explains how to gather evidence on network. He also discussed
firewalls and snifffers. Module 23 also includes some labs in which instructor
demonstrates some sniffers.
Module 24: Module
24 explains internet cache and temporary files. Instructor explains how browser
is used for most of the internet crimes. Then he explains some popular browsers
and difference in their mechanism of data storage. He also discussed importance
of data cache and method to obtain this. He also explains some place where the
traces can be left like history, swapfile, ram cache etc. After this, he comes
to the cookies and its various types. He also explains common internet
vulnerabilities like XSS, SQLi and other. This module also has 2 labs and interesting
war stories.
Module 25: Module
25 covers email recovery and how it works. Instructor also explains how email
works and travels on internet. He also explains email header and how email
header can be used to trace emails. He also explains how email can be recovered
from the email server.
Module 26: Module
26 covers Memory Forensics. In this module instructor explains that sometimes
hard drive or network drive may not provide enough information. So memory
dumping is important. He also explains tools which can be used to perform memory
dumping.
Module 27: In
Module 27, instructor comes back to windows and explains Windows swap files. He
explains how it works and how to change swap file registry settings and then
recovering the swap file. He also explains pagefile.sys in detail.
Module 28: Module
28 is little bit complicated and explains Virtualization. In this module,
instructor explains the importance of virtualization and how it can be used to
create an live environment. Module also contains an interesting demo.
Module 29: Module
29 is interesting and smartphone lovers will really like to play with their
phones. In this instructor show the difference between mobile forensics and
computer forensics. He shows how to gather data from smartphones. He also
discussed some of the entities in mobile phone like SIM, flash memory cards,
phone internal memory etc. At the end he discussed some software.
Module 30: This
module focuses on Android smartphone and is called Android Forensics.
Instructor explains basics of Android and how to gather data from Android
devices. He also discussed some tools and demonstrate how to extract
information from an android device using AFLogical.
Module 31: This
module covers basics of iPhone. He also explains jail breaking and reasons why
it is needed. At the end he also discuss some tools.
Things which I really like in this course:
·
First thing is the instructor who really know
how to show things in interesting manner.
·
War stories make the course content interesting.
·
Demonstration is nice which helps to understand
things properly.
·
Legal issues are also covered which makes the
course content professional.
·
Each module covers fundamental which make it
really easy to understand.
Things which I wish this course would have
·
More about mobile forensics.
·
I always find it hard to go on theory classes.
So there should be some printed content.
·
Most of the tools used in demo are commercial
and costly. Course must add some open source alternates.
Overall the course
content and instructor are best in industry. I personally recommend this
course.
All students who want to make career in information security
and data forensics may join the course. If you wish to join any law enforcement
agency, this course will help you. You can see the course module overview
above. If you found it interesting, you can surely join the course.