This course will give you the knowledge and skills to preserve and protect evidence with secure forensic imaging. Guided by industry standards and methods, the student will learn and apply best practices to identify and use the most effective and defensible imaging methods. More than ever, this skill is of critical importance because creating and backing up a forensic image helps ensure that evidence integrity can be demonstrated in court. Forensic imaging can also prevent the loss of critical files due to drive or other device failure. Students interested in the imaging process and image types, including the underlying technology, will find this course appealing. Technologies range from disk drive geometry and operating systems to hashing algorithms and bit-stream imaging. Whether you are interested in computer forensics or are already a forensic examiner, this course is for you. There is more to forensic imaging than meets the eye, and this course will explain why while increasing your skills and knowledge in implementing the forensic process.
Why THIS course?
While all steps in the forensic process deserve equal priority and attention to detail, evidence acquisition and preservation are arguably the most important aspect of the forensic process because this is where the case begins. One could also argue that forensic imaging is an equally important first step because, if done accurately, it preserves evidence in its original state and ensures that critical evidence will not be lost due to drive or other device failures. As such, it is critical to thoroughly understand forensic imaging and to do it correctly so that there is absolute integrity in the subsequent handling, analysis, and reporting of acquired data. This course will give you the knowledge and skill to conduct forensic imaging flawlessly. By taking this course, you will gain insight into different imaging standards and methods as well as background knowledge of the underlying technology and how to connect image processing to your overall case.
Being an expert on a subject means total mastery of that subject. If you want to be an expert and credible witness in computer forensic acquisition and analysis, producing effective and defensible images, then take this course now. This course offers a cost-effective way to gain skills and knowledge in computer forensic imaging while at the same time enhancing your credentials. By taking this course now you can enhance your credentials and solidify your skills as a computer forensic examiner.
Who is this course for?
This course is for anyone interested in computer forensics or computer forensic examiners looking for more detail in computer forensic imaging or seeking to add to their credentials and enhance their skill set.
What skills will you gain?
- Create a forensically sound image that is effective and defensible
- Perform hashing and verify that two files are the same
- Examine and navigate the operating systems logical file system structure
- Perform a physical bit-by-bit extraction
- Perform a logical extraction
- Perform a targeted extraction
- Examine hard drive unallocated and slack space
- Image traditional hard disk drives and solid-state drives (SSD)
- Extract contents of RAM and image that memory
- Create RAID images
- Create remote network images
- Identify techniques to perform cloud-based imaging
- Create SaaS based images such as Office 365, SharePoint, etc.
- Image virtual hard drives in a virtual machine.
- Conduct enterprise-wide triage imaging
What will you learn about?
You will achieve a thorough understanding of what computer forensic imaging is, why it matters, and how it relates to investigating computer-related crimes, gaining a fresh perspective on the urgency of producing effective and defensible images. This will include a brief history of computer forensics and a look at what the future holds. You will be able to preserve and protect evidence flawlessly by following industry standards for forensic imaging. This includes the underlying hard drive and operating system technology as well as imaging tools and methods. Other topics presented include memory imaging, SSD imaging and RAID imaging, as well as a discussion of evidence handling and maintaining a chain of custody. Finally, you will identify challenges to computer forensic imaging including legal issues, cloud considerations, network imaging and virtual hard drives in virtual machines.
What tools will you use?
There are a variety of imaging tools available that are free to use. You will research various imaging tools and have direct hands-on experience with Logicube, Atola, KAPE, Live Response Collection, and scripting with WMI and PowerShell. Other tools that you will investigate include FTK Imager, the Linux dd command, and Autopsy.
COURSE IS SELF-PACED, AVAILABLE ON DEMAND
DURATION: 18 hours
CPE POINTS: On completion you get a certificate granting you 18 CPE points.
- Accessible even after you finish the course
- No preset deadlines
- Materials are video, labs, and text
- All videos captioned
What should you know before you join?
The student shall have a basic understanding of computer hardware, operating system file structure and how to navigate common components of software interfaces such as opening, closing, and naming files. The student should also be able to research, download and install different forensic imaging tools. While detailed knowledge of binary calculations is not necessary, the student should be aware of different number systems including hexadecimal and binary.
What will you need?
A Windows 10 computer with access to the Internet. The computer should meet the recommended requirements for running Windows 10.
Module 0: Before the course
Evidence preservation and maintaining a chain of custody are important factors in the forensic process. The Forensics Process is listed below. Students interested in advancing their skills in digital forensic imaging should be familiar with the forensic process as well as the types of evidence found in computer-related crimes. Introductory materials will be provided.
Module 1: Introduction to Forensic Imaging
Effective and defensible imaging is established according to accepted standards. To understand computer forensic imaging, you need to understand the devices that you are imaging. This includes drive geometry and the operating system as well as navigating the file system. The imaging method used depends on the evidence that needs to be examined. It is critical to understand drive geometry and the operating system in order to match the imaging method to the evidence that you will collect and analyze. Forensically sound imaging is important in preparing a presentation for a court. This module addresses these issues and also defines what imaging means and why it is important.
- Standard Operating Procedures and Chain of Custody – Effective and defensible imaging (knowledge)
- Industry Standards and History of Forensic Imaging (knowledge)
- Defining Computer Forensic Imaging and its importance to data preservation (knowledge)
- Understanding Drive Geometry (knowledge)
- Unallocated and slack space (knowledge)
- Operating Systems and Forensic Images (Knowledge)
- Navigating the OS File System including root, absolute and relative paths (skill)
- Connecting drives to forensic workstations (skill)
- Write blocking (knowledge)
- Image Verification and Hashing (skill)
- Image Types (Knowledge)
- Creating and converting image types (skill)
Module 1 exercises:
- This exercise presents information on forensic imaging history, standard operating procedures, chain of custody, forensic standards and defining computer forensics and its importance to data preservation. A knowledge check completes this exercise
- This exercise presents information on drive geometry of traditional hard drives and SSDs. A knowledge check completes this exercise
- This exercise presents information on unallocated and slack space. A knowledge check completes this exercise
- This exercise presents information on operating systems and forensic images. Navigate the OS file system including root, absolute and relative paths
- This exercise presents information on connecting a drive to a forensic workstation including steps to extract a hard drive and connect to a computer. This will include a video to demonstrate disassembly and connection process. A knowledge check completes this exercise
- This exercise presents information on write blocking and image verification and hashing. Create a hash on a drive and its corresponding image
- This exercise presents information on image types. Convert between image types. A knowledge check completes this exercise
Suggested Module 1 Time – 150 minutes
Module 2: Forensic Imaging Tools
Forensic imaging tools are validated against industry standards. Not all tools are equal. Usually computer forensic software suites are comprehensive, while imaging tools are free and serve a specific purpose, that is, imaging. The functions of an imaging tool should include image verification using hash algorithms and the ability to image in more than one format. Write blocking is an important step to ensure that data remains unaltered. This module examines forensically sound imaging tools, image type flexibility, and verification of the image against its extraction source.
- Imaging Tool Requirements – The National Institute of Standards and Technology (knowledge)
- Logicube (knowledge and skill using)
- Atola (knowledge and skill using)
- KAPE (knowledge and skill using)
- Live Response Collection (knowledge and skill using)
- Scripting with WMI and PowerShell (knowledge and skill using)
- FTK Imager (knowledge and skill using)
- Linux dd command with Autopsy (knowledge and skill using; emphasis on raw images)
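Image verification, as listed above for the tools and the raw dd image, means hashing the source and the image independently and comparing the results. The following is an added example, not course material or any of the listed tools' code: it hashes a source and its image in fixed-size chunks (so a large drive never has to fit in memory), records two digests plus the byte counts, and shows why a one-bit change or a truncated acquisition must fail. The source device and the three images are constructed in-memory byte strings standing in for a block device and the image files produced from it.

```python
# Added example, not course material: chunked hash verification of a raw image.
# SOURCE and the images below are constructed stand-ins for a device and its image.
import hashlib
import io

CHUNK_SIZE = 1024 * 1024        # 1 MiB reads, a multiple of the 512-byte sector
ALGORITHMS = ("md5", "sha256")  # two independent digests for the verification record

def hash_stream(stream, algorithms=ALGORITHMS, chunk_size=CHUNK_SIZE):
    """Return (byte_count, {algorithm: hexdigest}) for a file-like object."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    while chunk := stream.read(chunk_size):
        total += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return total, {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(source_stream, image_stream):
    """Compare byte count and every digest; return (verified, report dict)."""
    src_size, src_hashes = hash_stream(source_stream)
    img_size, img_hashes = hash_stream(image_stream)
    verified = src_size == img_size and src_hashes == img_hashes
    report = {"source_size": src_size, "image_size": img_size,
              "source": src_hashes, "image": img_hashes}
    return verified, report

# Constructed 4 KiB "drive": boot signature at the end of sector 0 and a
# fragment of a deleted file name sitting in slack space further on.
SOURCE = bytearray(4096)
SOURCE[510:512] = b"\x55\xaa"
SOURCE[3000:3010] = b"deleted.tx"
EXACT_IMAGE = bytes(SOURCE)               # what a sound acquisition yields
ALTERED_IMAGE = bytearray(SOURCE)
ALTERED_IMAGE[3005] ^= 0x01               # one flipped bit in slack space
TRUNCATED_IMAGE = bytes(SOURCE[:3584])    # acquisition stopped one sector early

def demo():
    """Verify the three images; only the exact one should pass."""
    cases = {"exact": EXACT_IMAGE, "altered": bytes(ALTERED_IMAGE),
             "truncated": TRUNCATED_IMAGE}
    return {name: verify_image(io.BytesIO(SOURCE), io.BytesIO(img))[0]
            for name, img in cases.items()}

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} {'VERIFIED' if ok else 'MISMATCH'}")
```

Against a real acquisition the two streams would be the write-blocked device and the raw image file opened in binary mode; the hashes and byte counts in the report are what an examiner records alongside the image.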
Module 2 exercises:
- This exercise presents information on Imaging Tool Requirements. A knowledge check completes the exercise
- This exercise presents information on Logicube. Complete the simulation on using Logicube
- This exercise presents information on Atola. Complete the simulation on using Atola
- This exercise presents information on KAPE. Complete the simulation on using KAPE
- This exercise presents information on Live Response Collection. Complete the simulation on Live Response Collection
- This exercise presents information on scripting with WMI and PowerShell. Complete the simulation on scripting with WMI and PowerShell
- This exercise presents information on FTK Imager. Complete the simulation on using FTK Imager
- This exercise presents information on the Linux dd command. Complete the simulation on using the Linux dd command with Autopsy
Suggested Module 2 Time – 150 minutes
Module 3: Forensic Imaging Methods
Description – Forensically sound imaging ensures that evidence acquisition is defensible and will hold up in court. This depends on using a valid imaging method that matches the relevant evidence. Requests for evidence must be specific and relevant to a case. Not all evidence requests are the same because each case is unique. Some cases will require deleted artifacts, while other cases will only need a subset of data or an examination of the file system. This module examines forensic imaging techniques and why they are forensically sound. The module concludes with a comparison between cloning and imaging.
- Forensically Sound Imaging (knowledge)
- Physical Extraction (skill)
- Bitstream copies – International Association of Computer Investigative Specialists, 2001, Hard Disk Examination (knowledge)
- Logical Extraction (skill)
- Target Extraction (skill)
- Traditional hard drive and SSD imaging
- Memory imaging
- Cloning vs Imaging (knowledge)
Module 3 exercises:
- This exercise presents information on forensically sound imaging. A knowledge check completes this exercise
- This exercise presents information on physical extractions. A knowledge check completes this exercise
- This exercise presents information on bitstream copies. A knowledge check completes this exercise
- This exercise presents information on logical extractions. A knowledge check completes this exercise
- This exercise presents information on targeted extractions. A knowledge check completes this exercise
- This exercise presents information on traditional hard drive and SSD imaging. Complete the simulation on imaging a hard drive
- This exercise presents information on memory imaging. Complete the simulation on imaging RAM
- This exercise contrasts imaging with cloning. A knowledge check completes this exercise
Suggested Module 3 Time – 145 minutes
Module 4: Forensic Imaging Challenges
There is more to computer forensic imaging than meets the eye. Imaging is not as simple as it seems. It should not be minimized or glossed over if you want your total case to be effective and defensible in court. As such, there are challenges and issues to consider beyond drive space on a local computer. This module examines legal aspects related to imaging as well as the cloud, drive virtualization and some other topics beyond a hard drive. The module concludes with a look at the future of computer forensic imaging.
- RAID Imaging
- Virtual Hard Drives in Virtual Machines (skills)
- Enterprise-wide triage imaging
- Remote networks
- Cloud Considerations (knowledge)
- SaaS images, e.g., Office 365, SharePoint, etc.
- Mobile devices
- Legal aspects
- The future of computer forensic imaging (skills)
Module 4 exercises:
- This exercise presents information on RAID and creating RAID imaging. Complete the simulation on creating a RAID image
- This exercise presents information on virtual hard drives in a virtual machine. Complete the simulation on creating a VHD image
- This exercise presents information on enterprise-wide triage imaging. A knowledge check completes this exercise.
- This exercise presents information on remote network imaging. A knowledge check completes this exercise
- This exercise presents information on cloud considerations. A knowledge check completes this exercise
- This exercise presents information on SaaS images illustrating Office 365 and SharePoint. A knowledge check completes this exercise
- This exercise presents information on mobile device imaging. A knowledge check completes this exercise
- This exercise presents legal aspects of digital forensic imaging. A knowledge check completes this exercise
- This exercise presents information on the future of computer forensic imaging. A knowledge check completes this exercise
Suggested Module 4 Time – 170 minutes
Simulations include quiz questions. Simulation steps must be completed before moving on, and hints are provided. Quiz questions allow multiple attempts and must be attempted before continuing.
Suggested Final Exam Time – 60 minutes
Your instructor: David J Tatum
David has taught computer network systems for over twenty years and digital forensics for the last ten years. Prior to teaching, David worked as a senior technical support engineer supporting a wide variety of hardware and software platforms. David recently started his own business, which includes teaching computer networking and specializing in computer forensic imaging and data recovery. His interests include 3D printing and video game design. In his spare time, David enjoys reading, hiking and trips to the beach.
If you have any questions, please contact us at [email protected].