1-800-THE-TREE (1-800-843-8733)
 

Computer Forensics and Incident Response: Hands-On

Analyzing Windows®-Based Systems

 
Course: 536     Type: Hands-On     Duration: 4 Days

Frequently Asked Questions

What is computer forensics?

Computer forensics is the process of examining data to reveal illicit activity or recover lost information. A computer forensics investigation includes the response to and evaluation of a potential computer crime in addition to gathering evidence and maintaining a chain of custody.

What is this course about?

This course provides a comprehensive introduction to Windows-based computer forensics investigative techniques. You gain the knowledge and skills required to conduct a computer forensics investigation from initial discovery to completion. You also learn how to exploit your organization's Computer Incident Response Team (CIRT); collect, manage and record digital evidence; and leverage powerful software tools and techniques to uncover hidden or deleted information.

Who will benefit from this course?

This course is valuable for:

  • System and network administrators who need to determine if an incident has occurred within their organization and the best means for handling such incidents
  • Members of a CIRT who must enhance or develop their skills of forensics analysis and information discovery
  • Security managers who are required to more effectively allocate resources for their organization's CIRT members, ensuring optimal team performance
  • Security advisors and consultants who must advance their knowledge and skills of computer forensics to better advise their clients and present more effective incident solutions

What background do I need?

It is assumed you have a fundamental knowledge of Windows-based PCs, hardware and operating system software, including knowledge of OS architecture, memory usage and disk file systems. Course 551, Windows® XP Professional: A Comprehensive Hands-On Introduction, provides the basic hardware and operating system experience needed for this course.

Why should I be concerned about computer forensics?

Despite efforts to safeguard sensitive data and networks, organizations today face an ever-growing threat of cyber crime and security violations. These attacks can occur internally as well as from an external source and include fraud, copyright infringement and stolen data.

Computer forensics and incident response provide an organization with a legal method for handling computer misuse as well as a means for securing sensitive data and identifying compromised systems.

Does this course cover steganography?

Yes! Steganography is a technique used to hide and covertly transmit information. In this course, you learn steganalysis, the process of embedding and extracting information from normal file types, such as graphic files. You also learn how to detect and analyze information obscured by steganography.

Which computer systems are covered in this course?

You learn and apply computer forensics investigative techniques on Windows Server 2003 and Windows XP.

Will this course help me prepare for the CISSP Certification examination?

Yes, this course helps you prepare for the CISSP Certification exam. For more information, please refer to the CISSP Q&A.

Does this course provide me with (ISC)2 continuing professional education (CPE) credits?

Yes! Learning Tree, in agreement with (ISC)2, is a recognized "Trusted CPE Provider." This course provides you with 32 "A-level" CPE credits toward maintaining your CISSP Certification. Please see the CISSP Q&A for more information on the continuing education requirements of (ISC)2.

How much time is spent on each topic?

Content                                                     Hours
Responding to incidents and investigating computer crime    2.5
Conducting and managing the investigation                   2.0
Performing disk-based analysis                              3.5
Investigating information-hiding techniques                 5.5
Examining e-mail                                            1.5
Tracing Internet access                                     1.5
Searching memory in real-time                               5.0
Forensics challenge                                         1.5
Times, including the workshops, are estimates; exact times may vary according to the needs of each class.

I've heard that information can be hidden in unused areas of the hard drive. Is this covered in the course?

Yes. This course provides you with the skills to find and recover information from unused storage areas of a disk cluster and the free space portion of the disk. You also learn techniques used to obscure information on a disk drive, such as Alternate Data Streams and file mangling.

How much of this course is hands-on?

Approximately 45 percent of the course is dedicated to hands-on exercises. Employing the latest software forensic tools, you capture disk images, undelete files, search memory in real-time for hidden data, and discover compromised machines.

What platform is used for the hands-on exercises?

For the hands-on exercises, you utilize Windows Server 2003 and Windows XP. You also interact with a UNIX environment and employ UNIX software tools. However, a background in UNIX is not required.

The knowledge and skills you learn are also applicable to Windows 2000 and previous versions.

Is this course just for people who will be taking someone to court?

This course is for anyone who needs experience uncovering hidden data or reconstructing user activity. Collected evidence can be retained as supporting documentation in an employee dismissal or used in a court of law when criminal activity is discovered.

How does this course relate to other Learning Tree courses?

Windows is a registered trademark of Microsoft Corporation.

  

Save as much as $1,000 on a Voucher 5-Pack!


Upcoming Dates
  • Jul 22 - 25, 2008: New York
  • Sep 30 - Oct 3, 2008: Washington, DC (Reston, VA)
  • Nov 4 - 7, 2008: Toronto
  • Nov 11 - 14, 2008: New York
  • Dec 2 - 5, 2008: Washington, DC (Rockville, MD)
  • Dec 9 - 12, 2008: Ottawa
  • Dec 16 - 19, 2008: Washington, DC (Reston, VA)
  • Mar 10 - 13, 2009: Washington, DC (Reston, VA)
  • Mar 24 - 27, 2009: New York
  • Mar 31 - Apr 3, 2009: Ottawa


Your Course Tuition Entitles You to...
  • Class participation
  • Team workshops
  • Use of in-class hands-on equipment
  • Comprehensive course materials
  • Morning and afternoon refreshments
  • Course Completion Certificate awarding Continuing Education Units
  • FREE participation in Professional Certification
  • FREE participation in College Credit programs (including related exams)

Course Tuition
  • $2,650 Standard Tuition

Tuition with a Savings Plan
  • $1,660 10-Day Pass
  • $1,665 Training Passport
  • $1,830 Flex-Pass
  • $2,095 Voucher 10-Pack
  • $2,385 Alumni Gold Discount
  • $2,360 Government Discount
 

 