IFCI Expert Cybercrime Investigator's Course

This lecture explores the different types of careers available for computer forensic specialists and provides general strategies for determining what type of specialty students may be interested in pursuing.

People's lives and freedom are often determined based on the quality of our analysis. It is vital to understand this and the importance of this and how to present our findings fairly and properly in a court of law. That is the focus of this lecture.

This lecture examines different types of tools available to the computer forensic examiner, how to verify their accuracy, and the debate surrounding the "approved tool list" vs. the " any tool to get the job done" approach to forensic lab policies.

Digital evidence comes in many different forms and can be difficult to identify when deploying to cybercrime scenes. This lecture trains students to identify the various different types of evidence that can be analyzed.

The IFCI Cybercrime Investigator course provides 15 hands-on, real world labs where students will investigate a case using forensic tools and forensic evidence, all provided by the instructor free of charge. Students will need to do some basic steps to set their Windows computer up for the labs. This lecture walks you through all you will need to do in order to tackle all 15 labs.

The evidence acquisition stage of forensics is vital to future analysis. Mistakes here can create faulty evidence and cause all findings to be inadmissible in court. This lecture explains chain of custody and proper acquisition processes in detail.

The hash serves as a digital fingerprint for all data types but they can also serve many other uses for forensic examiners. This lecture explores the many different kinds of hashes and how to use them in forensics.

In this hands-on lab students will use instructor provided tools and evidence to analyze files using specific hash algorithims.

This lecture dives deeper into the technical aspects and procedures required for proper forensic image acquisition.

Over the years, the traditional theory of acquisition was to 'make no changes' to the evidence, however, this theory has given way to a more modern theory to 'make minimal changes to the evidence' because this was necessary to overcome modern challenges presented by encryption and other data hiding techniques. This lecture explores the differences between these two approaches and when each should be used.

Volatile memory (RAM), is a vital part of modern forensic analysis. This lecture teaches how to conduct RAM acquisitions in a forensic manner.

In the second hands-on lab students will use instructor provided materials to conduct their own incident response and forensic acqusition.

This lecture teaches about the differences between file systems and operating systems in modern computing.

How do bits and bytes turn into the information a user actually sees on a computer? How does data exist on a computer and how is it used by the system? These are questions that are vital to understand before we can begin to extract forensic evidence of user activity from the computer. This lecture teaches the basic bits and bytes that make up computer forensics.

Evidential data can be hidden in many places on a computer system. Slack space may retain key information from deleted files that would otherwise be unrecoverable. This lecture both teaches how to identify and extract evidence from slack space, as well as how to recover user-deleted files.

Different computer file systems have different specifications and may require unique approaches to evidence recovery. This lecture explores the unique requirements presented by specific file systems.

FAT (File Allocation Table) file systems are used frequently in older computers and USB drives. This lecture explores FAT file system specifics.

NTFS (New Technology File Systems) is the ubiquitous file system used in modern Windows computers. This lecture explores NTFS specifics and how they impact forensic investigations.

Important forensic evidence may exist in areas of a computer's hard drive that are completely inaccessible to the Operating System. Partial or complete files can still be recovered even though there is no way to recover this data using standard tools. This can be done via a process called file caving; this is the focus of this lecture.

Email is the most common communication method in modern business and personal correspondence. It is also a primary location to find evidence of criminal activity. This lecture explores forensic analysis of email.

Recovery of email that is primarily stored on the computer's hard drive is much less challenging than web-based email, such as Gmail or Yahoo mail. This lecture discusses the various aspects of both types of email analysis.

Email contains a vast amount of additional information, if you know where to look. This lecture teaches how to determine the source of email attacks by header analysis, as well as teaching how Base64 is used in modern email transmission and its importance to forensic investigations.

The 4th lab asks students extract suspect email from a real forensic image and to use instructor provided tools to begin their investigation. They are also asked to determine how malware was used to attack the victim computer via an email vector.

Did you know that forensic analysis enables an investigator to recover all Internet searches, maps, and pages that a suspect ever visited? This lecture introduces the topic of Internet activity analysis.

Google Chrome is now the most popular Internet browser on the market and Firefox has been a popular browser for years. This lecture teaches how to recover forensic artifacts that will show all suspect Internet activity conducted with these two browsers.

Internet Explorer has long been a leading Internet browser. Analysis of IE's forensic artifacts has changed little until version 10, which shipped with Windows 8. This lecture will show IE forensic artifacts that can be recovered from both versions.

Oftentimes a forensic investigator can not only say a suspect visited a certain website at a certain day and time, but the can actually reproduce the exact webpages that the suspect accessed. This can be done via analysis of the Internet Cache and this is taught in this lecture.

Bad guys will often hope to hide evidence of their evil websites by obfuscating their URLs. This lecture teaches students to identify these tricks and to de-obfuscate the data.

The 5th lab asks students to analyze the suspect's Internet activity, determine where they went and what they did on the Internet, and to determine if malware was deployed via the Internet.

Creating a timeline of suspect behavior is an important part of all forensic reports. This lecture discusses techniques and strategies to employ when creating your timeline.

Cybercrime is an international problem and often spans across many different time zones. This can create challenges for timeline analysis. This lecture discusses these challenges and introduces strategies to overcome them.