Computer Forensics Training

Next scheduled classes in English for mixed groups of attendees:

Jun 18-21	Washington DC area	X-Ways Forensics
Jul 2-5	London, England	X-Ways Forensics
Jul 9-12	Vancouver, BC	X-Ways Forensics

More classes in North America, UK, and Asia will be added depending on demand. Classes in German: click here

To be notified of newly scheduled classes in English, please enter your e-mail address and click OK:

We offer the below courses internationally also as on-site training to law enforcement agencies and corporate customers on request (in English or German, only for reasonably sized groups). If you are interested, please contact us by e-mail and let us know the number of prospective attendees and the address of your facilities. However, demand is currently very high, and we may only be able to accommodate the most important requests (i.e. for the basic 4-day course, for large groups) and in such cases try to provide you with an individual quote. Thank you very much.

List of previous classes and attendees • Old list (2005-2009)

 

X-Ways Forensics, 4 days This main training course is focused on the systematic and efficient examination of computer media using our integrated computer forensics software “X-Ways Forensics”. After attending this course, you may start the X-PERT certification process (though taking the advanced course as well, see below, is recommended). Complete and systematic coverage of most computer forensics features in WinHex and X-Ways Forensics. Hands-on exercises, simulating most aspects of the complete computer forensics process. Attendees are encouraged to immediately try newly gained insights as provided by the instructor, with sample image files. Many topics are explained along with their theoretical background (slack space, partially initialized space, how hash databases are internally structured, how deleted partitions are found automatically, with what methods X-Ways Forensics finds deleted files, etc. etc.). Other topics are forensically sound disk imaging and cloning, data recovery, search functions, dynamic filtering, report creation, ... You will receive complete printed training material for later repetition. Prerequisite: basic knowledge of computer forensics. The students will learn e.g. how to get the most thorough overview conceivable of existing and deleted files on computer media, how to scan for child pornography in the most efficient way, etc. There will be a practical exam at the end of the course, which you can regard as just another exercise for yourself or that you can take more seriously and get scored by the instructor if you like. The exam recapitulates the most important functions of the software and helps you to gauge your proficiency. The results will not be recorded by us in any way. Note that the instructor will present the answers to the test during the final 20 minutes. • Basic setup of the software        • Key folder paths        • Read-only vs Edit vs. In-Place mode - WinHex vs. X-Ways Forensics        • Start-up options        • Alternative disk access methods        • Viewer programs • Learning the user interface components        • Menus and toolbars        • Directory browser (icons, sorting, navigation, ...)        • Virtual files and directories        • Case data window with directory tree        • The case root        • Modes: Disk/Partition/Volume vs File        • Info panel • Navigating disks and file systems        • Understanding offsets and sectors        • Absolute, relative and backwards positioning        • Directly navigating to specific file system structures (e.g. FILE records in NTFS, Inodes in Ext*) • Understanding the Data Interpreter        • Available conversion options        • How to get the value you actually want • Creating disk images        • Raw images and evidence files        • Fast, adaptive compression        • In-built encryption • Creating a case/adding evidence objects • Hash calculation and checking • Using the gallery view and skin color detection efficiently • Detecting data hiding methods like alternate data streams, host-protected areas (HPA), misnamed files • Previewing file contents • Calendar view and event list (timeline) • Registry Viewer and Registry Reports, Registry Report definition files • Working with the directory browser        • Recursive listing of directories and entire drives        • Column visibility and arrangements        • Copying cell values        • Selecting, tagging, hiding, viewing, opening files        • Recovering/copying files        • Identifying duplicates based on hash        • Efficient navigation of the file systems' data structures • Filtering files        • existing, previously existing        • tagged, not tagged        • viewed, not viewed        • non-hidden, hidden        • By name, including multiples: by exact name, using wildcards, searching within name, using GREP        • By path, including multiples        • By type - exact type, multiple types, entire category, multiple categories        • By size        • By one or more timestamps        • By attributes: ADS, compression, encryption, e-mail (unread, with attachment), video still, ... • Creating report tables and report table associations • Using report tables for filtering and classification • Report creation: Basic reports, report tables and activity log • Refining Volume Snapshots:        • File system specific thorough data structure search for previously existing data        • Signature search for previously existing data not identifiable via file system metadata        • Verifying file types based on signatures on algorithms        • Extracting metadata from a variety of file types        • Analyzing browser history for Internet Explorer, Firefox, Safari, Chrome        • Analyzing Windows Event Logs (evt and evtx)        • Exploring ZIP, RAR, etc. archives        • Extracting e-mails from PST, OST, Exchange EDB, DBX, mbox (Unix mailboxes, used e.g. by Mozilla Thunderbird), AOL PFC, etc.        • Finding pictures embedded in documents, etc.        • Creating video stills from movie files        • Skin color percentage calculation and black and white detection        • Identifying file type specific encryption and running statistical encryption tests • The Hash Database        • Importing single or multiple hash sets        • Creating your own hash sets        • Matching files against existing hash sets via Refine Volume Snapshot • Various methods of file recovery • Customizing file signatures • Using search functions effectively        • Practically unlimited numbers of keywords simultaneously        • Multiple encodings (Windows codepages, MAC encodings, Unicode: UTF-16, UTF-8) simultaneously        • The many advantages of logical over physical search        • Searching inside archives, e-mail archives, encoded data (e.g. PDF documents)        • GREP search        • Logical combination of multiple keywords while evaluation results        • Filtering keywords based on the files they are contained in • Decoding Base64, Uuencode, etc. It is the goal to be able to draw sustainable conclusions from the data and metadata stored on or seemingly deleted from media to answer to specific problems while documenting the proceedings in a manner acceptable in court. Examples: "What documents were altered on the evening of January 12, 2012?" "What pictures were hidden with what method, where and by whom?" "Who viewed which web pages on what day?" "Which MS Excel documents saved by Alan Smith contain the word 'invoice'?" "Which USB sticks were attached to the computer at what time?"

X-Ways Forensics II, 2 days Advanced training course for experienced users and previous attendees of the main course. Topics may include (not all guaranteed because of time constraints, instructor availability or for other reasons): • .e01 evidence file format • Creating skeleton images • Creating cleansed images • Sector superimposition • Working with evidence file containers        • Creating containers, understanding the available options        • Adding files to containers from various sources        • Closing containers, optionally converting them        • Using containers as evidence objects • Finding and analyzing deleted partitions • Reconstructing RAID systems        • Practical examples for RAID 0 and RAID 5        • Explanation of underlying data arrangements        • Clues towards finding the right parameters • Dynamic disks • LVM2 • Understanding the levels at which file data is read and interpreted during analysis • How X-Tensions work • Recovering deleted NTFS-compressed files manually • Block-wise hashing and matching • Data profiles (Analyze Block functionality) • Indexing • Customizing the registry report • Templates

Memory Forensics, 1 day Essentials of virtual memory management (Intel, AMD; 32 Bit, 64 Bit) • Page Tables • PFN Database • Pagefile Windows Object Management in context • Processes, Threads, Sockets, Files, Tokens, ... • Active drivers • Registered storage media • Plug-and-Play device management • Using templates to navigate to kernel objects in X-Ways Forensics (major topic) • Types of and working with object references How to navigate a process's address space • Process Environment Block (PEB) • Open handles • Mapped memory areas • Loaded modules • Heaps, Stack Creating RAM images • hiberfil.sys Special issues when searching memory areas • Alignment • Endianness • Memory Pools Malware Analysis (hidden processes, hidden connections, DKOM, rootkits) • Identifying suspicious references by address range comparison Network Forensics (incident analysis) • Ethernet packets by signature search • Analysing traces of connections in RAM (major topic) The course deals mostly with Windows systems, esp. XP.

File Systems Revealed Variable combination of file system courses, with extensive introduction to file system basics (binary data storage concepts, data types, date formats) and for example to the file systems FAT12, FAT16, FAT32 (1/2 day), NTFS (1 day), and Ext2/Ext3/Ext4 (1/2 day). See below for file system courses that are available. By fully understanding the on-disk structures of the file system, you are able to recover data manually in many severe data loss scenarios, where automated recovery software fails, and to verify the correct function of computer forensics software and to collect meta information beyond what is reported automatically, which might yield clues for the given case. In general, this also leads to a better understanding of the data presented by forensic software, of how computer forensics software works and of its limitations. Immediate application of newly gained knowledge by examining data structures on a practical example with WinHex. These exercises will ensure you will remember what you have learned. Explanation of the effects of file deletion and potentials for file recovery. By the end you will be able to navigate almost intuitively on a hard disk and to identify various sources of information with relevance to forensics. You will be enabled to recover data manually in several cases even where automated software fails and to verify the results computer forensics software reports automatically. You will receive a complete documentation of all the filesystems discussed in this course, with all the training material for later repetition. Prerequisite: general computer science knowledge recommended (not just computer knowledge).

FAT12, FAT16, FAT32, 1/2 day • Structure of FAT file systems • Boot record • File Allocation Table (FAT) • Directory entries • Effects of file deletion and potentials for file recovery • ...

NTFS, 1 day • Boot sector • Master File Table (MFT) • FILE records structure • FILE record attributes • Data runs • Data compression • Attribute lists • Directory organisation in NTFS • INDX record structure • NTFS system files • Consistency in NTFS • Alternate data streams • Encrypting File System (EFS): NTFS encryption • ...

Ext2/Ext3/Ext4, 1/2 day • File system basics        • Block Group layout        • Superblock and Group Descriptor backups • Superblock data structure        • Feature flags        • ext2 revisions • Layout and function of the Group Descriptors • Block and Inode Bitmaps • Inode structures        • File Mode        • Block Addressing        • Reserved Inodes • Directory Management • Ext4 extents • Ext4 extension of file system limits • Ext4 timestamp refinement and other improvements • ...

XFS, short version, 1/2 day (precondition: Ext2/Ext3/Ext4) XFS, long version, also covering the latest variants of XFS, 1 day (no precondition) • IRIX heritage vs. current Linux file system        • Big Endian        • Similarities and differences with ext* • Allocation Group Layout • Superblock structure • Allocation Group info sectors        • Free Space + Free List        • Inode Info • Free Space B+Trees • XFS-specific Inode and Block number formats • XFS Inodes        • File Mode        • Attribute fork • Inode Formats and their respective structures and uses        • Device        • Local        • Extents        • B+Tree • XFS Directory structures        • small and long entries for local directories        • Single and Multiple Block directories

ReiserFS, Reiser4, 1 day ReiserFS: • ReiserFS block formats • Superblock structure • The Reiser Tree        • Tree organisation        • Keys        • Internal tree node structure        • Leaf node structure • Stat items • Directory structures • Direct vs. Indirect items • File system navigation • Hans Reiser's own criticism Reiser4: • Extents instead of block listing • ReiserFS vs Reiser4 trees • Reiser4 Superblock • The Reiser4 tree        • Tree organisation        • Keys        • Tree node structure: Branches, twigs, leaves        • Plugin IDs for node items • Stat items • Directory structures

exFAT, 1/2 day • Partition layout • Boot sector • File allocation table • Directory entries        • Root-only entry types        • Metadata entries        • Stream extensions        • Filenames • Time zone offsets

NTFS+XWFS2, 1 day NTFS: see above XWFS2 is the file system at work in evidence file containers of X-Ways Forensics and X-Ways Investigator. Takes only ~45 minutes to explain once NTFS has been explained.

training trainings course courses class classes seminar seminars education lecture exercise teaching computer forensic forensics electronic evidence acquisition data recovery electronic digital examine examination IT security analysis analyze software tool tools