SEC508: System Forensics, Investigation & Response
This advanced course is perfect for the diligent student conversant with Linux System Administration, Windows System Administration, TCP/IP, and Intrusion Detection Methodologies. If you are just beginning in information security, this course is not appropriate for you as the basics of the Linux and Windows operating systems are not covered in this program.
Unpatched, unprotected computers connected to the Internet are being compromised in 3 days or less. The Blaster Worm proves that systems behind a firewall can fall victim to a successful attack. Security professionals must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues. Learn forensic techniques and tools in a lab-style, hands-on setting for both Windows and Linux investigations. This course emphasizes a "try-it-by-hand" approach so that every student leaves with a solid grasp of how open source and commercial forensic tools accomplish their tasks, rather than simply taking the tool on faith. This is accomplished by teaching the fundamental concepts of computer forensics in a tool-independent manner.
Beginning with foundation concepts such as file system structures, MAC times, and forensic auditing, the content and difficulty level of this track advance rapidly. You will learn more than just how to use a tool; you will be able to show how the tool recovers data, find the smoking gun, and present your findings in a format that others can easily understand. You'll learn how and when to use tools such as the Sleuthkit, Autopsy Forensic Browser, and the Windows Forensic Toolchest (WFT), and then move quickly on to advanced forensic and incident response topics and techniques. Five days of intense, hands-on sessions and an in-depth treatment of legal challenges and issues culminate in an over-the-shoulder view of an investigation performed on a real-world compromised system collected by the Honeynet Project.
Forensic and Investigative Essentials
Covering incidents ranging from intellectual property theft and computer abuse to intrusions, this hands-on forensic course arms students with methods and tools to respond to and investigate any event in their workplace. It is designed to give new incident handlers a jump-start and to fill in the gaps for more experienced security personnel, using pragmatic methods for responding to and investigating an intrusion. Included in this essential course are a hands-on Forensic Workstation Laboratory configuration and a filesystem forensics primer.
Forensic Methodology Illustrated Using Linux Part I
The key to computer forensics is a core methodology that is used for every case type, from intellectual property theft and inappropriate use of the Internet to system compromises by hackers. Starting with this core methodology, students will analyze multiple operating systems, from Linux to Windows, to perform investigations. This course begins with filesystem fundamentals but moves rapidly to using advanced toolkits to perform a forensic audit of suspect systems. Forensic analysis is performed on gathered evidence contained in "disk images". Using a disk image of a computer involved in an actual forensic case, students will apply what they learn in class by investigating the incident in a hands-on setting.
Forensic Methodology Illustrated Using Linux Part II
This course will provide an in-depth look at "The Coroner's Toolkit" (TCT), Autopsy, and The Sleuth Kit, three complementary software packages that form a reliable set of tools for collecting and analyzing forensic evidence from multiple filesystems, including Windows (NTFS and FAT), the Fast Filesystem (FFS), and Linux (ext2 and ext3). Once information is collected, the Autopsy Forensic Browser will be examined in detail to show how it automates the functionality of many of these tools. Students will use these tools in multiple hands-on exercises examining a real-world compromised system.
Windows and NTFS Filesystem Forensics
With the majority of internal incidents occurring on Windows-based operating systems, an in-depth study of the forensic evidence left on Windows filesystems is essential. This hands-on forensic course arms students with methods and tools to respond to and investigate any event in their workplace. It covers Windows methods that ensure maximum evidence capture without poisoning key evidence that may reside in disk space and memory on the running system. You will learn how to use freely available Windows tools and methods to secure a system without disturbing it, obtain backups without removable media, and find hidden clues that may still reside on the system.
Computer Investigative Law for Forensic Analysts
Legal issues, especially liability, are always foremost in the minds of an incident handler or forensic investigator; therefore this class has more discussion than any other we offer. Learn to investigate incidents while minimizing the risk of legal trouble. The information presented confronts head-on many of the legal myths that have caused you to hesitate when developing your incident handling procedures and pursuing incidents. You will also gain a realistic perspective on the strengths and limitations of law enforcement assistance in the investigation of incidents and the prosecution of attackers. The information presented in this course provides an essential legal foundation for professionals managing or working in incident handling teams.
Advanced Forensics and the Forensic Challenge
Examine kernel module forensics and techniques for inspecting malicious code and binaries, including program dissection, system and process wiretapping, network forensics, and intrusion tracking.
Employ the techniques learned throughout the week in a step-by-step hands-on investigation case, utilizing a real-world compromised system collected by the Honeynet Project.