Note: This 5 day course of instruction covers computer forensics theory and methodology. It is not limited to the use of one specific software tool or one brand of computer forensics analysis tool. Because of the quality and depth of this training course, it qualifies for 3 Oregon State University workshop credit hours and a Professional Development Certificate from Oregon State University.

Click here for a list of the OSU certified computer forensics professionals.

Course Introduction:

NTI is a world leader in computer forensics and computer security risk management training. We have been a key provider of training to computer specialists from U. S. intelligence, U. S. military agencies, law enforcement agencies and Fortune 500 corporations since 1996. NTI is a highly credible training provider and it is part of a respected publicly traded corporation, Armor Holdings, Inc. (NYSE:AH).

Our founders are the technology pioneers who developed the original federal law enforcement training in computer forensics at the Federal Law Enforcement Training Center (FLETC) in 1989 and the International Association of Computer Investigative Specialists (IACIS) in 1990. Our trainers have extensive law enforcement and computer forensics experience. Our clients consistently tell us that this training course ranks with the best training that they have ever had. Be aware that this training course is designed to be challenging and it is very technical. If you do not have an extensive background in computers, this class is probably not for you.

It is clear that computer forensics is a hot topic right now in the world of technology and this training course has a high 'wow' factor. It was designed to provide the participants with a unique hands-on experience in our high tech computer training facility. Emphasis is placed on computer incident responses and security risk assessments. Computer evidence issues are also covered extensively because they have a bearing on both computer incident responses and computer-related investigations. Expert witness testimony is touched upon during the course of instruction and federal law enforcement experience is shared with the participants of the class by our instructors. This training course stresses computer evidence preservation, cross validation of forensic tools and the documentation of computer evidence findings. Solid computer evidence processing methodologies are also taught to help overcome legal "junk science" attacks against the admissibility of computer-related evidence. However, this training course does not go into as much depth as our separate 3 Day Expert Witness Course which deals specifically with the presentation of computer evidence at trial.

This is a unique pass/fail training course and there is no other course like it anywhere. At the conclusion of the third day of training each student is challenged with the hands-on challenge of finding and reconstructing their digital Certificate of Completion from a "special" floppy diskette. At the conclusion of the fifth day of training the participant, also sits for a written examination which is administered by Oregon State University. Successful completion of the OSU written examination entitles the participant to receive an Oregon State University Professional Development Certificate and 3 college workshop credits. Oregon State University is one of the top technology research facilities in the United States and an OSU Professional Development Certificate and the college workshop credits help to bolster the academic qualifications of the participants should they seek to become an expert witness at a later date.

The first three days of training focuses on computer forensics methods and processes. In the beginning DOS, Windows, Windows 95 and Windows 98 are used as the keystone for the basic training. The fourth and fifth days of the training build upon what has been learned but focus is placed on Windows NT, Windows 2000 and Windows XP-based computer systems.

Participants:

The course is ideal for individuals who conduct computer security risk reviews, computer-based internal audits and computer-related investigations. Participants in the course are typically employed by government agencies, law enforcement agencies, Fortune 500, Big 4 accounting firms, corporations and computer consulting firms. They usually have extensive experience in computer operation, DOS, Windows, Windows NT, and/or Unix. Many of the participants have computer science degrees and advanced degrees. Because computer forensics can be used to defeat government and corporate computer security, NTI reserves the right to restrict access to this training course. To help stretch limited training budgets, discounts are always provided to law enforcement and U.S. military employees. Please contact NTI for more information on government and military discounts.

Duration:

The course spans five full days of instruction at our training facility. At the end of the fifth day of instruction, the participant sits for an Oregon State University administered examination. Successful completion of the examination leads to college credits and an OSU Professional Development Certificate.

Prerequisites:

Since this is a hands-on computer forensics training course, the participants should have an in depth knowledge of computer operations, DOS and Microsoft Windows. A college degree in computer science is not required and knowledge of computer programming is also not required. However, such educational background and experience is helpful.

Training Registrations and NTI Refund Policy

Please refer to the information posted at http://www.forensics-intl.com/trpolicy.html concerning NTI's training and refund policy.

Food & Lodging:

A continental breakfast and lunch is provided by NTI. Dinner costs are not included in the price of tuition. More detailed information on the classroom location and special lodging opportunities available near the training facility will be provided upon registration. You can also obtain this information by contacting our technical sales manager, Rick Johnston at (971) 732-5653.

Click here for recommended hotels and dining in the Portland, Oregon region
Click here for recommended hotels and dining opportunities in the Jacksonville, Florida region

Software and Books Provided:

Each participant will receive a licensed copy of NTI's Incident Response Software Suite, the new Stealth tools, a computer forensics training DVD and additional support software. They will be exposed to encryption breaking methods and password recovery. Each participant will also receive a free copy of FireHand Ember by FireHand Technology which is a graphics file viewer. This viewer is used in conjunction with NTI's computer forensics software tools which are demonstrated and used during the class. To supplement the course content and NTI training manuals each participant will also receive a copy of Computer Forensics - Incident Response Essentials by Warren G. Kruse II and Jay G. Heiser. This training course is recommended in the book and several of the NTI tools provided with the course are also described and discussed in the book.

Syllabus:

Computer Forensics Course - Day 1:

• Lecture on personal computer security weaknesses and related computer security risks which enhance the ability to find computer evidence.


• Lecture on computer evidence preservation and the safe seizure of computers.


• Lecture and demonstration concerning the identification of computer leads and evidence using computer forensic data sampling techniques.


• Practical exercise involving data sampling to identify leads and evidence from a Windows swap file.


• Practical exercise involving data sampling to identify past Internet activity on a computer hard disk drive.


• Lecture and demonstration concerning file hashing using RSA's MD5 algorithm and related testimony issues in court.


• Lecture and demonstration concerning file slack including ram slack and drive slack. The lecture will focus on security weaknesses associated with file slack and the use of file slack as a source of leads and evidence in computer-related cases.


• Lecture and demonstration concerning unallocated file space and its use as a data sampling source of leads and evidence. The lecture will focus on security weaknesses associated with unallocated file space (erased files) and the use of this ambient data source for leads and evidence in computer-related investigations.


• Practical exercise concerning file hashing using RSA's MD5 algorithm.


• Practical exercise involving file slack analysis and the forensic matching of a floppy diskette to a computer hard disk drive. This advanced technique was developed by NTI and it is mentioned in John Vacca's book, Computer Forensics - Computer Crime Scene Investigations.


• Lecture and demonstration of the computer startup process (boot process). Emphasis is placed upon the importance of the boot process as a potential security risk and insider threat.


• Practical exercise concerning the boot process. Each student will be exposed to the modification of the boot process and the detection of such modifications after-the-fact.


• Lecture and demonstration of computer forensics searches using targeted strings of text. The lecture will focus on the strengths and limitations of traditional forensic text searches. Security reviews for classified agencies will also be discussed and related issues will be demonstrated.


• Practical exercise concerning the hypothetical investigation of the theft of classified government data.

Computer Forensics Course - Day 2:

• Review of information covered during the prior day of instruction.


• Lecture and demonstration of computer usage time line analysis and its relevance in computer-related investigations and computer security reviews.


• Practical exercise involving computer usage time line analysis.


• Lecture and demonstration concerning the documentation of computer evidence findings and related testimony in deposition or at time of trial.


• Lecture on disk structures and related computer evidence and computer security risk issues.


• Practical exercises concerning the documentation of computer evidence and/or security review findings.


• Practical exercises concerning the secure deletion of sensitive data and the validation process used to verify that the data no longer exists.


• Practical exercise involving the evaluation of trojan horse programs, encryption and data hiding techniques.


• Review of the practical exercises and a discussion about relevant findings.


• Lecture and demonstration concerning file header identification and the reconstruction of graphics file images from ambient data sources, e.g. swap files, slack and unallocated storage space.


• Lecture and demonstration concerning the reconstruction of deleted computer files and related testimony and documentation issues.

Computer Forensics Course - Day 3:

• Review of information covered in the prior day of instruction.


• Practical exercise involving the forensic recovery of deleted computer files.


• Lecture and demonstration concerning the breaking of encryption and the recovery of passwords used to secure files created by popular computer applications. This lecture also demonstrates the identification of foreign language passwords used with encryption to secure data.


• Review of computer forensic methodology and the topics covered in class.


• Final examination concerning basic forensics which requires the hands-on demonstration by the participants in finding their NTI Certificate of Completion hidden on a "special floppy diskette".

Computer Forensics Course - Day 4:

• Demonstration and detailed instruction in the use of NTI's SafeBack bit stream backup software to make an evidence grade backup of a computer hard disk drive. Each participant will receive a copy of this software at the conclusion of the training course.


• Lecture and demonstration concerning the correct procedure for seizing and processing Windows NT, Windows 2000 and Windows XP computer systems.


• Lecture concerning the benefits and weaknesses of pulling-the-plug when an NTFS-based computer is seized.


• Lecture concerning the 'forensic' differences between DOS, Windows, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP.


• Lecture concerning the structure of the NTFS data storage method and related processes tied to 'erased files' and file slack.


• Practical exercise dealing with 'erased files' and file slack on an NTFS system.


• Lecture concerning the NT File System (NTFS) and its reliance upon a Master File Table (MFT).


• Lecture and demonstration concerning the NT boot sequence to help determine the likelihood of someone hiding data on the system.

Computer Forensics Course - Day 5:

• Lecture on the processing of an NTFS RAID configured system with NTI's NTFS forensic tool suite (which is provided with the class).


• Lecture and demonstration on how the recycle bin works and about the forensic evidence trail that it leaves behind.


• Lecture and demonstration on 'data streams' and how information can be hidden in them.


• Practical exercise dealing with 'data streams'.


• Practical exercise dealing with the search for data using an NTFS aware computer forensics search utility (which is provided with the class).


• Lecture concerning Windows 2000/XP encryption and how it affects computer evidence processing.


• Lecture concerning NTFS backup recovery services and how they relate to the forensics process.


• Practical exercise concerning the processing of an NTFS-based system.


• Participants will sit for an Oregon State University administered examination. (Jacksonville students may take the exam after the class using the OSU web testing facilities if an OSU proctor is unavailable.) Those that receive passing scores will receive 3 workshop hours of college credit and an Oregon State University Professional Development Certificate. In the event the participant does not receive a passing score, they will be allowed to sit for the examination a second time (over the Internet) without additional tuition or costs.

Students will receive licensed copies of computer forensics utilities for use with DOS, Windows, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP-based systems (as described in detail above).

Course Objectives:

Each participant should leave the class with a firm understanding of the following:

• Computer security risks and remedies.


• Incident responses, priorities and team building requirements.


• Preservation of computer evidence.


• Time line analysis of computer files based on file creation, file modification and file access.


• Trojan horse programs.


• Differences between DOS, Windows and Windows NT/2000/XP from a forensics standpoint.


• Solid computer forensics processing methods and procedures.


• The documentation of computer forensics findings for use in trial or for management review.


• Identification of past Internet browsing, file downloads and E-mail communications.


• The use of U. S. Department of Defense tested and certified forensic search tools to identify data leakage and related security risks. Each student will leave the class with licensed copies of this NTI software.


• The use of U. S. Department of Defense tested and certified data elimination tools to eliminate identified computer security risks. Each student will leave the class with licensed copies of this NTI software.


• The use of computer forensics software tools to cross validate findings in computer evidence-related cases.


• The use of computer forensics software tools to cross validate and certify the elimination of data leakage in classified government security risk assessments. Each student will leave the class with licensed copies of this NTI software.


• Issues relevant to overcoming a legal junk science attack.

NTI's Training Facilities

The 5 Day Computer Forensics Course is conducted at Gresham, OR or Jacksonville, FL. At Gresham, OR the NTI training center is located on an 18 hole golf course and it is within reach of several Pacific Northwest scenic sites.The Jacksonville, Florida facility is a brand new facility located very close to the Jacksonville Airport with many amenities nearby. The facility is within easy reach of the scenic Florida beach, for some relaxing evenings or weekends.

Both training facilities are state-of-the-art. The course content is highly technical and relevant to computer evidence processing and computer security reviews. Fortunately our trainers have extensive experience in the field of computer forensics and the training environment is ideal for a rewarding hands-on learning experience.