In this hands-on lab, we will cover the basic requirements for the identification, collection and preservation of electronic evidence, as well as introductory approaches to analyzing the main types of electronic evidence. Attendees will learn how to collect disk, memory and log data using forensic tools. In addition, attendees will learn how to ask, and answer, some of the fundamental questions that come up during an investigation.
Attendees will develop an understanding of what evidence can be retrieved from a disk image, a memory image and log data, and how to recognize evidence of unauthorized activity. They will learn how to determine when a program was executed, when a file was deleted and whether a file was opened by a particular user. Memory analysis techniques will cover examining processes and network connections, as well as how analyzing malware in memory can provide insight into the malware's capabilities and behavior. Log analysis will help attendees develop an approach to reviewing logs with the goal of determining the scope of an incident and deciding where to focus the investigation next.