We have some new investigators that have pretty much no experience in computer forensics. They come from an IT admin background.
I was tasked with updating our "training roadmap" to see what training classes are out there and what classes new investigators should follow to have a solid base to get them up and running as soon as possible.
I would appreciate your input on what you guys think are the best "computer forensics fundamentals" classes on the market?
By fundamentals, I mean the following:
- Understanding the importance of data integrity (hash values, write blockers, etc.)
- Computer forensics workflow (collection, processing, analysis, reporting, etc.)
- Handling and preserving digital evidence
- File system basics (FAT, NTFS, ExFAT), file slack, unallocated space, etc.
- Windows artefacts
- Proper documentation and reporting
When I started in this field several years ago, the first training pretty much everyone got was the "Guidance Software EnCase 1" class. This class did an overview of many concepts (data integrity, hash values, write blockers, documentation, reporting, etc.). Then, you would take the other EnCase classes (Windows Forensics, Mac, etc.).
Now, many "basics" classes are available from multiple vendors, such as:
- SANS FOR500 - Windows Forensics
- DF120 - Foundations in Digital Forensics with EnCase
- InfoSEC Institute - Computer and Mobile Forensics Boot Camp
If you have taken those classes, I would greatly appreciate your feedback.
I took Guidance Software's Forensics I and II a couple of years ago and I thought it was very good. I've seen a lot of complaints about Infosec Institute plagiarizing content, e.g. http//
What tools do you primarily use in your lab? I would lean toward vendor training if something appropriate is available. In addition to Guidance, I think Magnet, AccessData, and BlackBag all offer fundamentals training.
Whatever you decide, I would recommend doing a little pre-training before you send them off. These courses can be a lot to take in at once and it's easier if it's not your first exposure to every topic in the syllabus. John Sammons's The Basics of Digital Forensics looks like it covers enough for a basic intro and should give your people the lay of the land before they walk into class. I would also recommend that they spend some time playing around with your primary toolkit before they leave for class. E.g. if you still use EnCase, show them how to image a drive and process it, then let them spend time (with any books/manuals you might have for reference) just poking around and looking for things.
I'm going to throw this out there…from what I've seen in 20 yrs in the industry, the "best" course doesn't matter if the person comes back and there's nothing that requires them to use what they learned.
This is about the cheapest computer forensic training that I took.
https://
If you are part of a law enforcement agency then you can take CF classes from NW3C for free.