Investigators learn how to collect and preserve digital evidence, and to integrate digital evidence into a case. Additionally, investigators are exposed to the advanced tools and techniques used by the CGRCFL, so they can better understand what to expect from a forensics examination. This course requires no prerequisites, but attendees should have a working knowledge of computers.
The Federal Bureau of Investigation's (FBI) Computer Analysis Response Team (CART) developed the Image Scan system to help investigators locate the presence of picture files that may contain contraband on a computer. This system allows the investigator to view a variety of graphic formats during a consensual search, and protects valuable digital evidence by booting up a computer using the Linux operating system. After mounting the hard drive in a “read only” manner, Image Scan prompts the investigator to search for picture files only. During this process, the tool logs every step taken by the investigator, further documenting what occurred during the search process.
CART successfully completed field-testing of Image Scan in May of 2004, and has offered to make this tool available to all law enforcement personnel upon request. The North Texas RCFL, in conjunction with CART's Unix Program, designed and developed Image Scan instructor training, and has educated several Examiners working at FBI-sponsored RCFLs. These individuals are the only authorized instructors/distributors of Image Scan outside of FBI Headquarters.
Law enforcement personnel who conduct on-site investigations for child pornography are encouraged to take the Image Scan training. To receive a notification regarding the training's upcoming availability, click here and provide your contact information.
This advanced AccessData training course provides the knowledge and skills necessary to use the Unicode-compliant Password Recovery Toolkit (PRTK) and Distributed Network Attack (DNA) tools to recover passwords from industry-standard applications and systems. Attendees should be conducting computer-based investigations and be familiar with the AccessData suite of tools. FTK and Registry Viewer will also be utilized.
While learning how to create effective attack profiles that include biographical profile dictionaries, user-defined dictionaries and Unicode-compliant characters with PRTK, students will determine how many commonly applied encryption schemes work. Using the techniques learned in class, students will crack applications such as:
Beyond PRTK, students will create and use a Distributed Network Attack environment. Applying network technology, students will assign Master Controllers and Supervisors as well as trusted/untrusted workers, including Linux-based machine workers.
To further enhance attack profiles, students will use AccessData web-crawling and pass-phrase generation technology to create Unicode and code-page dictionaries for alternate-language attacks. Auto-Complete Students will also utilize Forensic Toolkit (FTK) to locate and decrypt YAHOO Instant Messenger .DAT files, parse Internet Explorer .DAT files (History and Temporary Files) for hit rates, use counts and more, including Netscape history files, the download manager, user favorites, etc. Students will also parse America Online client files for user history, search terms, address books, buddy lists, email and more. Students will use the Registry Viewer to analyze Instant Messenger data such as:
This course is open to law enforcement personnel only. Registration is through AccessData at www.accessdata.com.
This course provides students with the knowledge and skills necessary to conduct an effective investigation of Internet applications. Students should already be familiar with the AccessData suite of tools, and have experience with Internet-based investigations. This is not an undercover investigations course; it is focused on data recovery. Students immediately begin working a mock missing person case initiated from an instant message found on the computer screen of the missing person. The case takes the student to several different machines with multiple Internet chat, browsing and email platforms.
In addition to using Password Recovery Toolkit (PRTK) to break sign-on passwords for the following Internet applications and Messengers:
- MSN Instant Messenger
- YAHOO Instant Messenger
- America Online and AOL Instant Messenger
- Internet Explorer and Netscape Communicator Auto-Complete
Students will also utilize Forensic Toolkit (FTK) to locate and decrypt YAHOO Instant Messenger .DAT files, parse Internet Explorer .DAT files (History and Temporary Files) for hit rates, use counts and more, including Netscape history files, the download manager, user favorites, etc. Students will also parse America Online client files for user history, search terms, address books, buddy lists, email and more.
Students will use the Registry Viewer to analyze Instant Messenger data such as:
- Shared file permission status and file transfer information
- Block or allow information for user contacts (buddy lists)
- Last user access information and recent contacts via the messenger
This course is open to law enforcement personnel only. Registration is through AccessData at www.accessdata.com.