Digital Forensics Technician Core Competency Series
+44 (0)247 77 17780 [email protected] www.intaforensics.com/training
Core Series
Training
Introduction
IntaForensics are one of the UK’s leading Digital Forensic service providers, operating from four state-of-the-art facilities and providing UK-wide coverage. We hold certification in ISO 9001:2015 and hold accreditation in ISO/IEC 27001:2013 and ISO/IEC 17025:2005 standards. We design our services to provide an unparalleled forensic service in terms of both capacity and capability.
Our expert team is built from a wide variety of backgrounds including Police Forces, Counter-Terrorism Units, commercial service providers, the legal sector and academia. Throughout our ten years of operation, IntaForensics has established a robust and effective staff development program using bespoke internal training programs.
The ethos of our DF Technician Training is simple – to deliver confident and competent work-ready staff. This is achieved through blending technical and non-technical training aligned specifically to a role’s tasks and workflow. A proven training solution that IntaForensics are now offering to UK Law Enforcement and Government partners.

With our exciting new expansions and the addition of a world-class training centre in Stafford, IntaForensics are now an authorised training partner and training centre to vendor-neutral certification bodies including CompTIA, EC-Council and IAPP.
We understand that every laboratory has developed and operates differently. Drawing upon our detailed experience of working with most UK Police Forces, Government bodies and private industry, our training delivery is designed to align with your ongoing operations and requirements. We have developed our core training elements with Quality Management processes in mind. The skills attained in the DF Technician course will allow students to commence their life in the digital forensic laboratory with not only hands-on technical experience of forensic imaging and mobile device extraction, but also an understanding of life in an environment governed by ISO/IEC 17025:2005 standards.

As digital forensic practitioners ourselves, we have designed the learning objectives and course content around our own Standard Operating Procedures and staff competencies.

The syllabus is carefully designed to provide a realistic technical overview so that students can be work ready quickly, efficiently and cost effectively.

IntaForensics have assembled a team of industry experts with decades of combined digital forensics, management and training experience. We are proud to add Dr Chris Hargreaves, Dr David Day, John McAdam, Chris Jackson, Lee Major and Neil Richardson to our growing list of course tutors.
Why Learn With Us
Key Benefits
DF Technician is an entry-level course designed to reduce the time and cost of on-boarding staff into Technician and Imaging roles within digital forensic laboratories. Through blending in-depth theory and practical hands-on skills, our training will:
• Reduce the cost of staff on-boarding - reduce the number of separate courses an individual must take and reduce the mentoring requirement of established staff;
• Reduce the time taken for staff to be operationally ready and working on live cases;
• Improve the overall consistency of training - once tailored, your bespoke training package can be delivered to future staff members and you can be assured that all staff have trained consistently;
• Improve the competence of staff. We are certain that our training offers unparalleled depth and scope in the field of digital forensics and will improve the ability of your staff to operate;
• Hands-On Experience – our courses are based around utilising knowledge in real-world examples. From exhibit handling to live data capture, our practical classes are led by experienced practitioners who will guide and provide valuable insight into all processes;
• Staff Competency Accreditation – our courses are designed to complement ongoing professional development and satisfy accreditation requirements. Progressive courses include:
  • Digital Forensic – Examination and Investigation Core Skills (DF-EICS)
  • Digital Forensic – Laboratory Management Core Skills (DF-LMCS)
Course Content
DF Technician is a five-day classroom and laboratory based course that is hosted at our secure, state-of-the-art facility in Stafford. The course comprises theory, demonstrations and hands-on practical exercises and assessments, with a bound workbook containing all the course material provided and access to our industry experts.
Unit 1 - Exhibit Handling
At the conclusion of this module, students will be able to:
• Understand the principles of how items are lawfully seized, examined and how forensic processes provide admissibility of evidence in court
• Explain the record keeping and chain of custody requirements for handling evidence
• Explain the forensic considerations of handling mobile devices including network isolation
• Demonstrate the recording, photographing and “pre-imaging” of computer and mobile phone exhibits
Unit 2 - Laboratory Procedures
At the conclusion of this module, students will be able to:
• Understand why digital forensic laboratories were first established and the various functions they now perform
• Explain how a case progresses through each of the laboratory's functions and the importance of quality checking at each stage
• Understand the role of quality management systems and the principles and practical applications of ISO 17025 on laboratory functions
Unit 3 - Mobile Device Acquisition
At the conclusion of this module, students will be able to:
• Consider and evaluate the practical implications of conducting acquisitions and analysis of mobile devices
• Demonstrate an understanding of mobile device specific terminology and technology
• Handle mobile devices in a forensically acceptable manner and preserve relevant information
• Identify the correct acquisition method for common mobile devices, perform acquisitions using various methodologies and understand the implications of their actions with an awareness of the limitations of the acquisition methods/software
• Demonstrate an awareness of the limitations associated with common mobile device acquisitions and identify when advanced techniques would be required to achieve defined acquisition objectives
Unit 4 - Forensic Imaging
At the conclusion of this module, students will be able to:
• Describe the components of a computer system and its interfaces. Identify storage media and select the most appropriate method to acquire data from it
• Understand the principles of hard disk partitioning and file-systems and non-addressable areas
• Explain the structure of a forensic image file and give examples of different types and verification methods
• Demonstrate the forensic imaging of a storage device using the selection of acquisition software and write-blocking methods
• Understand the implications of encryption and common failure causes including optical media and faulty devices
Unit 5 - Advanced Forensic Imaging
At the conclusion of this module, students will be able to:
• Explain how differing hardware and software technologies impact on forensic imaging including when and how logical imaging and data collections can be used
• Demonstrate the acquisition of data from live systems, RAIDs, gaming consoles, Apple Macs and the use of Linux-based forensic operating systems
Course Timetable
Day 1, Day 2, Day 3, Day 4, Day 5
Module A: Exhibit Handling
Unit A1 - Evidence and Exhibits
1. What is an exhibit (Law)?
2. Authorisation
3. Disclosure and Protected Materials
Unit A2 - Handling Exhibits
1. Documenting and Recording Exhibits
2. Isolating Mobile Devices
3. Exhibit Photography
4. Researching Exhibits
5. Health and Safety
Unit A3 - Computer – Pre-imaging
1. Pre-Imaging Outline & Strategy
2. Computer Pre-Imaging
Unit A4 - Mobile Device Pre-Imaging
1. Pre-Imaging Outline & Strategy
2. Mobile Device Pre-Imaging
Unit A5 - Post Imaging Procedure
1. Exhibit reassembly
2. Exhibit Re-Seal and Packaging
Module B: Laboratory Procedures
Unit B1 - Digital Forensic
3. Laboratory Overview
4. History of Digital Forensics Units and Laboratories
5. Overview of Digital Forensics Units and Laboratories
6. Digital Forensic Laboratory Management Systems
7. Overview of Digital Forensics Laboratory Functions
8. Quality Checking
9. Security
Module B: Laboratory Procedures (cont.)
Unit B2 - Quality Management Systems
1. History & Overview of QMS History of 9001 & 17025
2. Practical Applications of QMS and 17025 in the laboratory
3. Auditing
4. Calibration & Validation
5. Traceability
Module C: Mobile Phone Acquisition
Unit C1 - Principles of Mobile Device Technologies
1. Critical Acronyms
2. Communication Service Providers
3. Device identification
4. Overview of different Mobile Device Operating Systems
5. Overview of relevant legislation
6. Device Identification and Resolving IMEI Numbers
Unit C2 - Handling of Mobile Devices
1. Network isolation
2. Powering on
3. ESD and PPE considerations
4. Basic disassembly techniques
5. Recording device information and photographing
6. Passcodes/PIN Codes/Pattern Locks
Module C: Mobile Phone Acquisition (cont.)
Unit C3 - Mobile Phone Forensic Acquisitions and Tools
1. Overview of available tools and differences between tools
2. Logical, Advanced Logical, File System & Physical Acquisitions
3. Dual tool methodology
4. App Storage & Parsing SQLITE databases
5. Mobile Device operating systems
6. Device interfaces and connections
7. Common output reports and reader files
Unit C4 - Mobile Device Extraction Practical
1. Practical - Extract and analyse data from feature phones using forensic tools in a forensic lab.
2. Practical - Extract and analyse data from smartphones using forensic tools in a forensic lab.
3. Practical - Extract and analyse data from tablets using forensic tools in a forensic lab.
Unit C5 - Overview of Advanced Mobile Forensics
1. NAND/ eMMC storage
2. Encryption
3. Chip-off, JTAG, ISP
4. of Chip-off Demonstration
Module D: Forensic Imaging
Unit D1 - Computer System Components and Digital Storage Media
1. Core PC components
2. Storage media
3. How data is stored
4. Convert binary to hex to ASCII
Unit D2 - Drive Geometry, Partitions and File Systems
1. Drive geometry
2. Hidden Disk Areas
3. Disk Partitioning schemes
4. File Systems
5. Operating system shutdowns
Unit D3 - Write Blocking Techniques
1. Hardware Write Blocking
2. Software Write Blocking
Unit D5 - Forensic Image File Formats
1. Verification techniques
2. Expert Witness Format
3. Raw images
Unit D6 - Forensic Acquisition Tools
1. FTK Imager
2. Guymager
3. Acquiring Optical Discs
Unit D7 - Troubleshooting & Encryption
1. Types of Encryption
2. Previewing data
3. Acquisition of encrypted data
4. Password cracking
5. Degraded Hard Disks
6. Faulty Drive Electronics
7. ddrescue (Demo)
Module E: Advanced Forensic Imaging
Unit E1 - Technologies Impacting Forensic Imaging
1. Solid State Drives / M.2 / NVMe
2. RAID
3. Network Attached Storage Devices
4. Games Consoles
5. Cloud Based User Data
6. Cloud Devices (Inc. Chromebooks)
7. Virtual Machines
Unit E2 - Logical Data Acquisition
1. Logical vs Physical Acquisition
2. Preserving metadata
3. Verification of Logically Acquired Data
4. Methods of Acquiring Data Logically
5. Logically Acquiring Data from RAID/NAS (Demo)
6. Logically Acquiring Data from Cloud Storage (Demo)
Unit E3 - Acquiring Data from a Running System
1. Tools and Methods
2. RAM Acquisition
3. Running System with Mounted Encrypted Drives (Demo)
Unit E4 - Live Forensic Operating Systems
1. Live CDs and Forensic OSs
2. Linux Based Forensic OSs
3. Linux Based Imaging Methods
4. WinBuilder & Windows FE
Unit E5 - Apple Macs
1. FileVault
2. Live Boot Method (Demo)
3. hdiutil Method (Demo)