FOR498: Digital Acquisition and Rapid Triage THE CLOCK IS TICKING. YOU NEED TO PRIORITIZE THE MOST VALUABLE EVIDENCE FOR PROCESSING. LET US SHOW YOU HOW. The FOR498: Digital Acquisition and Rapid Triage course will help you to: • Acquire data effectively from: - PCs, Microsoft Surface, and Tablet PCs - Apple Devices, Mac, and Macbooks - RAM and memory - Smartphones and portable mobile devices - Cloud storage and services - Network storage repositories • Produce actionable intelligence in 90 minutes or less The first step in any investigation is the gathering of evidence. Digital forensic investigations are no different. The evidence used in this type of investigation is data, and this data can live in many varied formats and locations. You must be able to first identify the data that you might need, determine where that data resides, and, finally, formulate a plan and procedures for collecting that data. With digital forensic acquisitions, you will typically have only one chance to collect data properly. If you manage the acquisition incorrectly, you run the risk of not only damaging the investigation, but more importantly, destroying the very data that could have been used as evidence. With the wide range of storage media in the marketplace today, any kind of standardized methodology for all media is simply untenable. Many mistakes are being made in digital evidence collection, and this can cause the guilty to go free and, more importantly, the innocent to be incarcerated. The disposition of millions and millions of dollars can rest within the bits and bytes that you are tasked with properly collecting and interpreting. An examiner can no longer rely on “dead box” imaging of a single hard drive. In today’s cyber sphere, many people utilize a desktop, laptop, tablet, and cellular phone within the course of a normal day. Compounding this issue is the expanding use of cloud storage and providers, and the proper collection of data from all these domains can become quite overwhelming. This in-depth digital acquisition and data handling course will provide first responders and investigators alike with the advanced skills necessary to properly respond to, identify, collect, and preserve data from a wide range of storage devices and repositories, ensuring that the integrity of the evidence is beyond reproach. Constantly updated, FOR498 addresses today’s need for widespread knowledge and understanding of the challenges and techniques that investigators require when addressing real-world cases. Numerous hands-on labs throughout the course will give first responders, investigators, and digital forensics teams practical experience needed when performing digital acquisition from hard drives, memory sticks, cellular phones, network storage areas, and everything in between. During a digital forensics response and investigation, an organization needs the most skilled responders possible, lest the investigation end before it has begun. FOR498: Battlefield Forensics & Acquisition will train you and your team to respond, identify, collect, and preserve data no matter where that data hides or resides. You Will Be Able To • Learn and master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where they are stored • Handle and process a scene properly to maintain evidentiary integrity • Perform data acquisition from at-rest storage, including both spinning media and solid-state storage • Identify the numerous places that data for an investigation might exist • Perform Battlefield Forensics by going from evidence seizure to actionable intelligence in 90 minutes or less • Assist in preparing the documentation necessary to communicate with online entities such as Google, Facebook, Microsoft, etc. • Understand the concepts and usage of large- volume storage technologies, including JBOD, RAID storage, NAS devices, and other large- scale, network-addressable storage • Identify and collect user data within large corporate environments where they are accessed using SMB • Gather volatile data such as a computer system’s RAM • Recover and properly preserve digital evidence on cellular and other portable devices • Address the proper collection and preservation of data on devices such as Microsoft Surface/ Surface Pro, where hard-drive removal is not an option • Address the proper collection and preservation of data on Apple devices such as MacBook, MacBook Air, and MacBook Pro, where hard- drive removal is not an option • Properly collect and effectively target email from Exchange servers, avoiding the old-school method of full acquisition and subsequent onerous data culling • Properly collect data from SharePoint repositories • Access and acquire online mail stores such as Gmail, Hotmail, and Yahoo Mail accounts 6 Day Program 36 CPEs Laptop Required “ In DFIR, things rarely go as planned. This course teaches you about the options to control when things aren’t working as expected.” — J-Michael Roberts, Corvus Forensics GBFA Battlefield Forensics and Acquisition giac.org/gbfa sans.org/for498 • Watch a preview of this course • Discover how to take this course: Online, In-Person