FOR498: Digital Acquisition and Rapid Triage™
CURRICULUM: DFIR & Threat Hunting
6 Day Program
36 CPEs
23 Labs

The clock is ticking. You need to prioritize the most valuable evidence for processing. Let us show you how! FOR498, a digital forensic acquisition training course, provides the necessary skills to identify the many and varied data storage mediums in use today, and to collect and preserve this data in a forensically sound manner regardless of how and where it may be stored. It covers digital acquisition from computers, portable devices, networks, and the cloud. It then teaches the student rapid triage, or the art and science of identifying and starting to extract actionable intelligence from a hard drive in 90 minutes or less.

FOR498 Will Help You To:
▐ Acquire data effectively from:
  • PCs, Microsoft Surface, and Tablet PCs
  • Apple devices, Macs, and MacBooks
  • Random Access Memory (RAM)
  • Smartphones and portable mobile devices
  • Cloud storage and services
  • Network storage repositories
  • Virtual Machine environments
▐ Produce actionable intelligence in 90 minutes or less

Syllabus Summary
SECTION 1: Digital Forensics and Advanced Data Triage
SECTION 2: Registry Analysis, Application Execution, and Cloud Storage Forensics
SECTION 3: Shell Items and Removable Device Profiling
SECTION 4: Email Analysis, Windows Search, SRUM, and Event Logs
SECTION 5: Web Browser Forensics
SECTION 6: Windows Forensics Challenge

You Will Be Able To
▐ Learn and master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where they are stored
▐ Handle and process a scene properly to maintain evidentiary integrity
▐ Perform data acquisition from at-rest storage, including both spinning media and solid-state storage
▐ Identify the numerous places that data for an investigation might exist
▐ Perform Battlefield Forensics by going from evidence seizure to actionable intelligence in 90 minutes or less
▐ Assist in preparing the documentation necessary to communicate with online entities such as Google, Facebook, Microsoft, etc.
▐ Understand the concepts and usage of large-volume storage technologies, including JBOD, RAID storage, NAS devices, and other large-scale, network-addressable storage
▐ Identify and collect user data within large corporate environments where they are accessed using SMB
▐ Gather volatile data such as a computer system’s RAM
▐ Recover and properly preserve digital evidence on cellular and other portable devices

Who Should Attend
▐ Federal agents and law enforcement personnel
▐ First responders
▐ Digital forensic analysts
▐ Information security professionals
▐ Incident response team members
▐ Media exploitation analysts
▐ Department of Defense and intelligence community professionals
▐ Anyone interested in an understanding of the proper preservation of systems and who has a background in information systems, information security, and computers

NICE Framework Work Roles
▐ Cyber Crime Investigator (OPM 221)
▐ Cyber Defense Forensics Analyst (OPM 212)

“FOR498 provides a solid foundation for the new forensicator with regards to evidence acquisition and triage! The labs provide a great variety of opportunity to tackle the most basic and complex data acquisition scenarios.”
—Chris G., U.S. Federal Dept.

“In DFIR, things rarely go as planned. This course teaches you about the options to control when things aren’t working as expected.”
—J-Michael Roberts, Corvus Forensics

For detailed course description, visit SANS.ORG/FOR498

WAYS TO TAKE FOR498
▐ Live Online
▐ In-Person
▐ OnDemand

GBFA
Battlefield Forensics and Acquisition
giac.org/gbfa

Kevin Ripa, Course Author
Eric Zimmerman, Course Author