The CERT Advanced Forensic Response and Analysis course is designed for computer forensic professionals who are looking to build on a solid knowledge base in incident response and forensic analysis. The course builds on core forensic topics to provide a process for conducting more complete incident response and forensic analysis investigations. The goal of the course is to advance collection and processing skills of the students by outlining a structured process or flow to an incident response and intrusion investigation. Students will learn the pros and cons of common evidence collection measures and forensic analysis steps, methods for organizing analysis to identify relevant evidentiary data, and common areas containing items of evidentiary value to further their investigations.
The course is an advanced forensic training course designed for forensic analysts in the public or private sector looking to build on their current forensic knowledge. Students should be active computer forensic professionals with an understanding of core forensic and information technology principles. Students who currently conduct incident response and/or intrusion investigations should find the course helpful to extend their knowledge base. Students who currently conduct other types of computer forensic investigations will find it opens the door to new collection and analysis techniques. The course is designed to be fast-paced. Students should have more than a basic understanding of common forensic principles, including evidence collection and analysis, and should actively conduct computer forensic investigations as part of their current position.
At the completion of this course students will have the ability to better perform the following tasks:
This is an advanced course. Students should have a solid understanding of Windows operating systems and windows artifacts, such as prefetch files, restore points, registry files and event logs. Students should also have a good understanding of Linux operating systems, including how to run applications from the terminal. Students should be familiar with developing a known or trusted toolset and evidence collection. Students should also be familiar with malicious software files. Knowledge of VMWare and virtual machine environments is required. Previous usage of forensic software applications such an EnCase, FTK and/or Sleuthkit is required.
Participants will receive a course notebook and a CD containing the course material.
This three-day course meets at the following times:
Days 1-3: 9:00 a.m.-5:00 p.m.
This course may be offered by special arrangement at customer sites.