Course Catalog

Computer Forensics for the Security Professional

Accidental or intentional destruction of data, hardware failure or cyber attacks can happen at any time, and you may be called upon to respond, investigate, document, handle, and escalate the analysis to a formal investigation. In this two-day hands-on workshop, you’ll consider when investigations are appropriate or warranted, and learn how and when to recover lost or deleted information from the Recycler Bin (Info2 file), Disk Directory/Master File Table and hard drive free space. You’ll also discover how to examine the operating system artifacts that connect the user to the actions taken on the computer (including event logs, SID info, link files, pre-fetch files, auto-complete files, email NK2 files, index files, external devices attached and much more). The workshop will include hands-on investigative scenarios. You’ll receive the awareness, training and tools to locate and properly examine important user and operating system sources of information. This is a “How To” program on evidence preservation and computer forensics. It will outline the role of the system administrator or security practitioner in the investigation and prosecution of cyber crimes.

Who Should Attend: This training is for the individual who will respond to actual or suspected cyber incidents involving sensitive data, including system administrators and security practitioners. Individuals in need of this training include:

  • System Administrators
  • Security Practitioners
  • IT Professionals
  • Data Center Technicians
  • Data Storage Technicians
  • Citizen Records Managers
  • Chief Technology Officers and Staff
  • Computer Security Officers and Staff
  • Program Managers
  • Law Enforcement Community members who are responsible for investigations involving computers and electronic devices
  • Homeland Defense and First Responder Communities
  • Legal Staff involved in technology and technology-related cases
  • Inspector General Staff

What Our Students Say

"We received a lot of valuable knowledge and tools that aren’t common knowledge to the average IT person."

Key Topics Covered:

  • Forensic processing.
  • Procedural guidelines for analysis of information.
  • How to avoid common pitfalls in the investigative process.
  • How to acquire a forensic image.
  • What is the chain of custody, and what does it mean to the investigator within the first few hours/minutes of a known or suspected event?
  • A basic understanding of disk structures.
  • Recovery of data from the Recycler Bin (Info2 file), Directory/Master File Table and hard drive unallocated space.
  • The tools and methods to examine operating system and application artifacts.
  • Examining link, pre-fetch and USB-store files to determine what external devices have been attached.
  • Examining Outlook NK2 and PST email artifacts and Outlook Express DBX and older MDX files.

Prerequisites: An understanding of Windows-based operating systems, command-level instructions and hard disk hierarchical structures.

 

Mailing Address
Cleveland State University
Division of Continuing Education
2121 Euclid Avenue CE 103
Cleveland, OH 44115-2214

Campus Location
Joseph E. Cole Center
3100 Chester Avenue
Cleveland, OH
Phone: 216.687.2144
Fax: 216.687.9399
conted@csuohio.edu