FT215, Windows Forensic Examinations - FTK (WFE-FTK)

Who Should Attend:
Training is available to DoD and federal law enforcement agents and prospective intrusion analysts.

Prerequisites:
TT110 (INCH) and RT120 (CIRC) or Test outs

Duration:
10 Days

Course Description:
In a hands on environment, course introduces the basic concepts and practices of processing digital evidence using the Access Data Forensic Tool Kit (FTK) 1.8 analysis tool. Students set up a forensic workstation, review a Case Jacket, import digital evidence into FTK, formulate and execute a method for forensic examination based on case type, properly document the case (through written forensic reports) and identify key legal concepts.

Objectives:

• Demonstrate a basic knowledge of Windows operating systems and respective file systems
• Import digital evidence into FTK and conduct various investigative tasks
• Formulate and execute a methodology for a forensic examination based upon case type
• Document in a report how the evidence supports the investigation
• Identify key legal concepts for a forensic examination

Topics Covered

Technical Background

• Discuss the Windows file systems and how they relate to an investigation
• Basics of the NT and FAT file systems and how data is stored in each
• Structure of partition tables

Case Setup and Management

• Focus on the procedures to start and manage a case
• New case setup and management
• Open a new case, perform analysis, and record findings in the forensic report
• Set up your forensic workstation
• Install and configure FTK
• Understand the Case Jacket
• Perform a hash analysis
• Use the Windows registry to identify case data

Automated Tools

• Conduct analysis with automated tools
• Perform text searches, signature searches, and data carving
• Conduct a positive hash analysis

File Level Analysis

• Analyze evidence found on the Web, e-mail, and system files
• Recover and review e-mail, Web cache, and newsgroup mailboxes
• Recover passwords