Espion - Information Risk and Compliance


Essentials of a Computer Forensics Examination - ESP-A-012

  • Track: Technical, Management.
  • Level: Awareness level - Provides a basic understanding of IT security responsibilities relative to a particular role

Overview

This course highlights the fundamentals of the computer forensics process. It gives an insight into how the computer forensic process is approached, the methodologies involved and the nature of the evidence. Through this course, organisations can better prepare themselves for incidents and respond to them without contaminating the evidence.

Outline

Computer forensics is the practice of collecting, analysing and reporting on digital information in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is believed to be stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces a number of unique challenges.

  • Readiness
  • Evaluation
  • Collection
  • Analysis
  • Presentation
  • Review

This course is suitable for

This course will suit anyone who deals with personnel and disciplinary issues within an IT environment, i.e. IT, HR, Management.

Course cost

€350

Course dates

Wednesday 21 October 2009
Ireland - Dublin
Saturday 5 December 2009
Ireland - Dublin

Course location

On-Site / Espion Training Centre

Content

Unit 1: Introduction - ACPO Guidelines
For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of this process admissibility should be at the forefront of a computer forensic examiner’s mind. One widely accepted set of guidelines to assist in this is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles are applicable to all computer forensics in whatever jurisdiction.

Unit 2: Readiness
For examiners there are many areas where prior organisation can help, ranging from training, regular staff testing and verification of software and equipment, and familiarity with legislation, to knowing how to deal with unexpected issues (e.g., what to do if child pornography material is present) and ensuring that your on-site acquisition kit is complete and in working order.

Unit 3: Evaluation
The evaluation stage includes the receiving of clear instructions, risk analysis and allocation of roles and resources. Risk analysis may include an assessment of the likelihood of collateral intrusion or false accusation and how this would be best dealt with.

Unit 4: Collection
If acquisition of evidence is to be carried out on-site, as opposed to in a computer forensic laboratory, then this stage would include identifying, securing and documenting the scene. Interviews or meetings may be held with personnel who may hold information relevant to the examination. Note: at this stage the evidence is preserved, and the target machine can be removed.

Unit 5: Analysis
Analysis is dependent on the specifics of each situation and the scope of a given investigation. Specialised forensic tools are deployed, and it would be usual for the examiner to provide feedback to the instructing party during analysis; from this dialogue, analysis may take a different path or be narrowed to concentrate on specific areas. Analysis must be accurate, thorough, impartial, recorded and repeatable.

Unit 6: Presentation
This stage usually involves the examiner producing a structured report on their findings. The report addresses the points received in the initial instructions, along with any subsequent instructions, and also covers any other information which the examiner deems of relevance to the investigation.

Unit 7: Review
A review of an examination can be simple and quick to carry out, and can begin during any of the above stages. It may include a basic ‘what went wrong and how can this be improved’ and a ‘what went well and how to incorporate it in future examinations’. Any lessons learnt from this stage should be applied to the next examination and should be fed into the readiness stage.

IRELAND

  The Penthouse, Block 2, Deansgrange Business Park, Deansgrange, Co. Dublin. | T: +35312101711 | F: +35312101678 | E: info@espion.ie

SCOTLAND

  7/9 North Saint David Street, Edinburgh, EH2 1AW. | T: +44 (0) 131 524 9450 | F: +44 (0) 131 524 9451 | E: info@espion.co.uk

UNITED KINGDOM

  Empress Buildings, 380 Chester Road, Manchester, M16 9EA. | T: +44 (0)870 759 0030 | E: info@espion.co.uk