SANS Digital Forensics & Incident Response Workshop

  • Monday, July 21, 2014 | 9:00 – 17:00 | Sands Level 4 | Room: Roselle 4701

Note: There’s an additional fee of S$750 to attend the SANS Workshop. Attendance is only open to those registered for RSA Conference Asia Pacific & Japan 2014.

Ever wanted to take a SANS Forensics course but couldn’t? Want to know the most effective places to look for evidence of information theft? Now you can join us for this special one-day workshop hosted at RSA Asia Pacific & Japan 2014 where SANS Instructor and experienced computer forensic investigator Nick Klein will take you through highlights from the SANS DFIR curriculum and provide insights from his own experiences, covering a range of Windows artifacts including link files, jump lists, shellbags, Recycle Bin, Internet history, prefetch, document metadata, geolocation techniques, USB key analysis and more. You’ll learn where the evidence is located, how to correctly analyze it and how you can use it effectively in real-life investigations.

The purpose of this workshop is to teach you practical computer forensic skills and tools that will help you to investigate one of the most common incidents that occurs in many organizations - the theft of confidential information. This workshop is based on material from the full SANS Windows Forensic Analysis (FOR408) course.

Below are the areas of analysis that we’ll be covering during the workshop. They’ve been selected to cover a broad range of artefacts and provide an interesting and valuable learning experience for both novice and technically skilled forensic investigators.

  • Recycle Bin
  • Shortcut / Link Files
  • Jump Lists
  • Internet History
  • Shellbags
  • USB Devices
  • Document Metadata
  • Network Connections
  • Email Geolocation
  • Thumbnail Forensics
  • Deleted Registry Keys
  • Prefetch


!! IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

You can use any 64-bit version of Windows, Mac OS X, or Linux as your core operating system, provided it can also install and run VMware virtualization products. You must also have 8 GB of RAM or higher for the VM to function properly in the class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 10, VMware Fusion 6.0, or VMware Player 6.0 or higher versions on your system before class begins. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site.


MANDATORY SYSTEM HARDWARE REQUIREMENTS:

  • CPU: 64-bit Intel x64 2.0+ GHz processor or higher-based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • 8 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory)
  • Ethernet CAT5 Networking Capability Recommended or Wireless 802.11 B/G/N
  • USB 2.0 or higher Port(s)
  • 200 Gigabyte Host System Hard Drive minimum
  • 150 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical.
  • Students should have the capability to have Local Administrator Access within their host operating system

MANDATORY SYSTEM SOFTWARE REQUIREMENTS:

  • Host Operating System: Any version of Windows, Mac OS X, or Linux operating system that can also install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player)
  • Download and install WinZip or 7-Zip


PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:


IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:

  • Bring the proper system hardware (64-bit/8 GB RAM) and operating system configuration
  • Install VMware (Workstation, Player, or Fusion), MS Office, and 7-Zip


If you have additional questions about the laptop specifications, please contact AsiaPacific@sans.org.


This document was retrieved from http://www.rsaconference.com/events/ap14/agenda/sessions/1464/sans-digital-forensics-incident-response-workshop on Mon, 01 Sep 2014 21:54:51 -0400.
© 2014 EMC Corporation. All rights reserved.