What to bring:
Students are required to provide their own laptops.
The laptop should be running Windows XP professional version. You should have about 300-500 MB available in a separate partition. Two CDs containing tool sets and forensics images will be distributed in class.
You must provide your own laptop. No loaner computers will be provided.
Overview:
The clinical course will involve case investigation procedures and a set of advanced open source and proprietary tools for the imaging, forensics review and reporting processes involving Windows® XP client platforms. The intensive course includes use of a set of procedures and software tools in order to properly acquire, analyze, report and defend digitally stored case evidence on exclusively Windows XP systems.
In this intensive learning experience, attendees will receive vital information about the following topics:
- Forensic Examinations and Terms of Art - The module describes the procedures requisite to conduct an accurate and legally sufficient XP-platform forensic examination. Differing computer forensic protocols are described, including intrusive evidence recovery.
- Windows XP Architecture - This module describes the software design and architecture of the XP platform and its variants. File structures, partitions, registry and directory attributes will be described.
- Seizure, Documenting and Reporting Digital evidence - This exercise reviews and analyzes the methods used to document and report the results of a forensic examination. Certain students will present their findings in a simulated exercise in order to reinforce their capabilities to create effective demonstrative presentations.
- Media Preparation Methods - Students are introduced to the prevailing instruments and technologies used to forensically prepare digital media. This is a critically important set of procedures when imaging a suspect's digital media in order to be assured that no digital artifacts remain from prior investigations.
- Hardware Utilities - Forensic learners are introduced to four differing hardware devices, all of which are currently available to support computer forensic acquisitions. Certain difficulties are reviewed and the instructor will demonstrate these advanced tools.
- Specialized Examination Tools - This is an introduction to a variety of software tools for use in a computer forensic examination. Learners are required to utilize advanced software and participate in a practical exercise in order to achieve a working understanding of these tools.
- Forensics Artifact Recovery - This is both a discussion and a hands-on lab where learners will conduct an advanced forensic examination of XP-based digital media. Some attention will be given to the PDA as an XP ancillary device. The focus of this lesson is to utilize tools for the recovery of digital artifacts which are unattainable by conventional methods.
- Cryptography & Password Recovery - This topic covers digital encryption file structures and password protected data that an investigator may encounter while conducting an investigation. Students are exposed to methods to compromise passwords which are used to protect potential evidence. This information is useful when trying to investigate a computer criminal that tries to hide data of forensics interest.
- Presentation of Digital Evidence - This is the final in-class exercise where students are faced with the challenge of presenting their findings in a litigation setting. The students will present their findings in understandable terms, which is critical during a forensics investigation.
- Course Final Examination - This is a wrap-up practical and knowledge-based instrument that is intended to assess the student's mastery of the material presented.
Course Length: 2 days
Cost: US $1600 before July 3, 2003 or US $1800 after July 3, 2003
NOTE: this is a two-day course. A Certificate of Completion will be offered.
Larry Leibrock, Ph.D., is a member of the faculty of the McCombs Business School at The University of Texas and serves as the Associate Dean and Technology Officer for the McCombs Business School. He has held or currently holds clinical teaching and research appointments at McCombs Business School, Institute for Advanced Technology, The University of Texas Law School, Emory University, Helsinki School of Economics and Monterrey Technologica in Mexico City and Monterrey. He is a member of IEEE, ACM, Internet Society, FIRST and USENIX/SAGE. He is also a member of the Department of Defense Software Engineering Institute and a participant in the Air Force Software Technology Conference. He is the founder and CTO for eForensics LLC, a private technical services firm.
Larry has delivered expert digital evidence testimony at both civil and criminal trials. He has testified for the Presidential Commission for Protection of Critical Information Infrastructure and the Senate Science Committee. He recently presented forensics testimony at an invitational conference for the Executive Office of the President. He presently serves on the Texas Infrastructure Protection Advisory Committee formed by the Attorney General of Texas. He is also appointed to the Board of Directors - Texas Department of Information Resources. Larry is active in IT industry and government systems consulting projects in the areas of systems forensics, enterprise IT operations, security and incident investigations.