Course Topics & Program

Day Three Overview

On this day you will learn how to initialize and start processing a case using a common and widely accepted commercial forensic software tool. The instruction for this day goes well beyond learning how to use a software tool: you will be provided with a repeatable process, developed and perfected by CSI, that can be used for any type of digital forensic investigation to process cases quickly and efficiently.

You will learn how to locate critical user and system information in the Windows registry, and you will be shown how to ascertain what users of the computer system did, such as searching the computer and Internet search engines, running programs, and opening and saving files. This is just the tip of the iceberg. Although a great deal of information will be covered, rest assured that you will be provided with videos of all processes used so that you can review and practice long after class is over.

You will also learn how to tell what types of removable media, such as USB storage devices, were used with a computer. You will see how to extract detailed information about USB devices, such as when they were first used, when they were last used, the make and model of the device, and possibly even the device serial number.

From this day through Day Five, you will use your skills and knowledge to continue processing your case, which is based on an actual case of identity theft and credit card fraud.

DAY THREE TOPICS

Initializing a Case

  • The Importance of Time Zone Information
  • Selecting the Optimum Case Processing Options

Navigating Your Case

  • Views
  • Creating Bookmarks
  • Sorting
  • Searching
  • Using Regular Expressions
  • Filtering Evidence

Windows Registry Basics

  • Registry Hives, Keys, and Value Types
  • Registry Slack

The SAM Registry File

  • Ascertaining the User Accounts Used
  • Obtaining Last Logon Dates/Times
  • Accounting For Deleted User Accounts
  • SIDs/RIDs
  • Password Policies

System and Software Registry Files

  • System Name
  • Windows Version
  • Time Zone
  • IP Address / DHCP Information
  • Wireless and Wired Networks
  • Network Shares / Local Drives Used
  • Last Shut Down Time
  • USB Devices

Evening Session: Optional, Until 21:00
Open Topics Based On Student Requests