BlackBag’s Forensic Certification Courses Scheduled for 2017

BlackBag®'s EFT I and II are now open for registration for 2017. Sign up now to reserve your spot!

ESSENTIAL FORENSIC TECHNIQUES I (EFT I)

SAN JOSE, CA – FEB 6, 2017
STAFFORD, UK – FEB 20, 2017
LARGO, FL – MAY 1, 2017

ESSENTIAL FORENSIC TECHNIQUES II (EFT II)

SAN JOSE, CA – FEB 13, 2017
STAFFORD, UK – FEB 27, 2017
LARGO, FL – MAY 8, 2017

Each course is one week long and is taught by industry-leading experts in a professional training setting. Please click on the corresponding course for more information or to register. If you are unsure whether you are qualified to take the EFT II course, take our placement exam.

EFT I is the perfect way to quickly and effectively learn how to navigate the most important Mac, iPhone, iPad and PC device areas. For years, BlackBag® has remained a highly reliable, go-to resource when detectives and investigators need advice regarding what to do with seized digital devices, in terms of both acquiring and analyzing evidence. The BlackBag® team consistently remains abreast of the latest developments and techniques in digital forensics, and their research and experience with real-world cases act as the framework for the training courses. As a result, the example scenarios discussed in the classroom are driven by relevant data and realistic challenges. In short, BlackBag®’s instructors will use their wealth of knowledge and firsthand experience with forensic examinations to help students learn all the tips and tricks needed to successfully complete their work. This course will guide students through all the pertinent forensic strategies for finding key data within Mac OS X, iPhone, iPad, and Windows operating systems, all while looking directly at case data.

EFT II will delve into more complex concepts, including the specific data points found within any iOS, Windows and/or Mac OS X analysis. Operating systems and file systems leave complex artifacts in both active and unallocated space, all of which this course covers in detail. It is because BlackBag®’s instructors remain in contact with investigators from both the law enforcement and corporate environments that the data used in classes is current and relevant. With continued hands-on learning and realistic scenarios, BlackBag®’s instructors will guide students through methods of discovery for new application data, analysis of known data, and best reporting practices. As with the EFT I course, BlackBag®’s team of instructors will use their extensive knowledge and experience to address practical, significant casework challenges facing investigators today.

About the Company

BlackBag® Technologies is a developer of innovative forensic acquisition, triage, and analysis software for Windows, Android, iPhone/iPad, and Mac OS X devices. The company’s flagship product, BlackLight®, has been adopted worldwide by many digital forensics examiners as a primary analysis tool. Mobilyze, BlackBag®’s groundbreaking mobile device triage tool, empowers virtually all law enforcement personnel, with or without specialized experience, to capably triage and report on data from smartphones.

To learn more about BlackBag®’s software and training, please contact us at 855-844-8890, or visit us at blackbagtech.com.
