Instructor: Michael Murr

Michael has been a forensic analyst with Code-X Technologies for over 5 years, and has conducted numerous investigations and computer forensic examinations, as well as performing specialized research and development. Michael has taught SANS Security 504 (Incident Handling and Computer Hacker Techniques), SANS Security 508 (System Forensics, Investigation, and Response), and SANS Security 601 (Reverse Engineering Malware), has led SANS@Home courses, and is a member of the GIAC Advisory Board. Currently, Michael is working on an open-source framework for developing digital forensics applications. Michael holds the GCIH, GCFA, and GREM certifications and has a degree in Computer Science from California State University at Channel Islands.
Unpatched, unprotected computers connected to the Internet are compromised in less than 3 days. Additionally, government regulations and organizational policy might require Computer Forensic Investigators to perform system forensics to investigate intellectual property theft, harassment, and regulatory compliance, as well as traditional Internet-based crimes. Investigators must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues in order to solve their cases. The System Forensics, Investigation, and Response track will teach you forensic techniques and tools in a hands-on setting for both Windows- and Linux-based investigations. This course emphasizes a "hands-on" approach, so you will learn in depth how open source and commercial forensic tools function and how to exploit their capabilities in a variety of case types.
Beginning with fundamental forensic concepts such as the file system structures of Windows and Linux, the content and difficulty level of this track advances rapidly to include evidence acquisition, hash database comparisons, and full and partial file recovery and analysis. Learning more than just how to use a forensic tool, you will be able to demonstrate how the tool functions step by step. You will become skilled with diverse tools such as the Sleuthkit, Foremost, and the HELIX Forensics Live CD. Your learning will then move rapidly on to advanced forensic and investigation analysis topics and techniques. The SANS hands-on technical courseware arms you with a deep understanding of the forensic methodology, tools, and techniques needed to successfully solve even the most difficult case.
As part of the course, you will receive the SANS Investigative Forensic Toolkit (SIFT). Using the hardware and software in this toolkit, you will gain first-hand experience in collecting and analyzing evidence recovered from a system under investigation. You will learn best practices on how to investigate and recover deleted data. The course will demonstrate how forensic tools recover evidence, so you can articulate in depth how each tool works. We will examine various investigation methodologies and techniques, discovering new places to find evidence and uncovering the tracks of a motivated suspect who is trying to stay hidden.
The SIFT Toolkit consists of:
- Hard drive USB evidence acquisition kit for SATA/IDE hard drives (1.8"/2.5"/3.5"/5.25")
- HELIX incident response & computer forensics live CD
- SANS VMware-based forensic analysis workstation equipped to investigate forensic data
- Course DVD loaded with case examples, tools, and documentation
- Best-selling book File System Forensic Analysis by Brian Carrier
Prerequisites: This advanced course is perfect for the diligent student conversant with Linux system administration, Windows system administration, TCP/IP, and intrusion detection methodologies. If you are just beginning in information security, this course is not appropriate for you, as the basics of the Linux and Windows operating systems will not be covered in this program.