Certified Computer Examiner(CCE) ® Boot Camp - Course Content
This is not a "watered down" training course. Not like other courses, we tell you in detail what we cover during the course and what our experience and expertise iraining course, great material, experienced instructors and we truly want you to learn the material and to become good forensic examiners. We want you to compare and decide what is best for you.
You will be provided well developed, detailed handouts of the course material. The course contains a number of practical exercise problems in the form of specially prepared diskettes or a hard disk drive that must be examined. The practical exercises will reinforce the material and teach "hands-on" skills. A case scenario will be used where a fictional private investigator brings you, the examiner, each diskette or a hard disk drive for examination. Each diskette will build to the next exercise, until finally a hard disk drive is examined and the case is concluded. Real life computer forensic issues will be covered by the practical exercises.
Clear, concise, accurate reports that draw appropriate conclusions are a very important factor in presenting the results of a forensic examination. We require reports detailing each "practical exercise" examination. Because of the time constraints of the bootcamp, the reports will be written after the course and submitted to your instructor. We critically review your reports as if we were the "other side" and will help you develop excellent report writing skills. Your final reports can be used as your "template" for real examinations.
Our instructor, Zoran Iliev, is an all Certified Forensic Computer Examiners or Certified Computer Examiners (CCE)® who is currently involved in computer forensic examinations. He will coach and tutor you through the practical exercises, your reports and through the test questions for each module. Zoran Iliev is a highly qualified, experienced and understands forensic examinations far beyond the material in this course. Your interaction with your instructor will normally be via email, but direct assistance is available. We truly want you to learn the material and to become a good forensic examiner.
The course is broken up into seven modules. The material is constantly being revised and is subject to change. The current modules consist of:
Module 1 – Introduction to Computer Forensics
- Recommended Machine Configurations
- What makes a good computer forensic examiner?
- Computer Forensics vs. E Discovery
- Dealing with clients or employers
- Work Product
- Client Contracts
- Legal and privacy issues
- Software Licensing
- Ethical Conduct Issues
- Cases that may include digital evidence
- Forensic Examination Procedures
- Determining Scope of Examinations
- Hardware and Imaging Issues
- Floppy Diskette, USB and Optical Media Examination
- Limited Examinations
- Forensically Sterile Examination Media
- Examination Documentation and Reports
- ASCII Table
- General Overview of Boot Process and Operating Systems
- Floppy Diskette Sides, FD Tracks, Hard Disk Drives
- BIOS History
- Networked Computers
- Media Acquisition
- Acquisition Documentation
- Chain of Custody
Module 2 – Imaging and Introduction to SMART
- Imaging Theory and Process
- Imaging Methods
- Write Blocking
- Imaging Flash Drives
- SMART Introduction
- Wiping, Hashing, Validation, Image Restoration, Cloning, Unallocated Space
- Drive Partitioning
- One (1) Student Lab Practical Exercise
Module 3 – File Signatures, Data Formats & Unallocated Space
- File Identification
- File Headers
- General File Types
- File Viewers
- Examination of Compressed Files
- Data Carving – Using Simple Carver
- One (1) Student Lab Practical Exercise
Module 4 – FAT File System
- Logical structures of DOS, Windows 95, Windows 98
- Master Boot Record
- File Allocation Table
- Directory Entries
- Clusters
- Unallocated Space
- Sub-Directories
- FORMAT
- Six (6) Student Lab Practical Exercises
Module 5 – NTFS
- Introduction and Overview
- Basic Terms
- Basic Boot Record Information
- Time Stamps
- Root Directory
- Recycle Bin
- File Creation
- File Deletion
- Examining NTFS Drives
- Two (2) Student Lab Practical Exercises
Module 6 – Registry & Artifacts
- Creating an Examination Boot Disk
- Data Recovery
- Windows Swap and Page Files
- Forensic Analysis of the Windows Registry
- Internet Cache Files, Cookies and Internet Sites
- Microsoft Outlook
- MSMAIL
- Logical Structures
- Tracking User Specific Computer Use
- Internet Explorer Cache Index
- VISTA
- Basic Mail Issues
- Basic Internet Issues
- Common Situations Encountered during Examinations
- Password Protection and Defeating Passwords
- Compound Documents
- Examining CDR Media
- FTK
- Three (3) Student Lab Practical Exercises
Module 7 – Forensic Policy, Case Writing, Legal Process & Forensic Tool Kits
- Use of Policy and Checklists in Forensic Practice
- Data Presentation to Client
- Case Report Writing
- Legal Process
- Expert Admission
- Going to Court
- Use of Forensic Tools and Software
- One (1) Student Lab Practical Exercise – Hard drive examination
A written final examination will be given.
On the final day of the CCE BootCamp® training course, the online portion of the CCE certification examination will be provided. The balance of the CCE process will be available at a discount price for our students.
We will provide a detailed handout for each module covered. The handouts are provided in advance of the training for self study before the actual bootcamp training course. The handouts can be used as a reference manual. Sample reports, additional practical exercises, a DOS primer, Diskedit primer and other useful information and applications will be provided. You will be subscribed to our listservers that provide both administrative and technical information. Even after you complete the course, as material is updated, you will be able to download the new material from our web site.
We will provide all of the forensic software necessary for the course, including:
- A fast and thorough wiping program
- A fast checksum program
- A fast program that documents files (including deleted files) on a drive
- A program that will allow examination of unallocated space
- A program that will make exact forensic copies of floppy diskettes
- An excellent forensic "carving" utility
- The Passware Kit from Lost Password.com
- Norton Utilities
- Norton Ghost
- QuickView Plus (a viewing application) QuickView
- A good virus scanning utility
- The demo version of Access Data's Forentic Tool Kit (FTK)
- See hardware and software requirements for details on the software provided.
|
