The course is designed for Hi-Tech Crime Units and other digital investigators who want to leverage RAM to acquire evidence or intelligence which may be difficult or even impossible to acquire from disk. The course does not focus on the complex structures and technology behind how RAM works but rather how an investigator can extract what they need for an investigation quickly and simply.
An extraordinary course which has opened up a whole new world of evidence gathering - UK Metropolitan Police Officer
This course has been taught in a classroom format to 100s of investigators in over a dozen countries and receives rave reviews.
The best computer forensics class I've ever taken - Swedish Police Officer
We use professionally shot video, screen capture and high quality audio combined with whiteboard animations, quizzes and interactive sections to maximise your learning and retention.
The course is designed to be fully hands-on. It is vital that the student follows along with each section, so having 2 screens would be a benefit if possible. The class should take around 18 hours to complete if you try each command, complete the practicals and take the final exam.
To sit this course in a classroom with Nick Furneaux teaching costs around £1850 (UK); however, you can now enjoy the class from the comfort of your own computer for just £950 (UK). If you are Government or Law Enforcement, please contact me via the contact page on www.csitech.co.uk for a discount code.
Take this class! You will never look at computer memory the same again - Investigator for European Bank
- Approaching the Live Scene
- Live RAM imaging (Cmd line and GUI based)
- Imaging Windows RAM
- Volatile data acquisition
- Live Disk imaging
- Creating and scripting your own USB based toolkits
- Scripted disk and RAM imaging
- Quick Wins - what can we do with a RAM dump quickly
- Advanced Memory analysis
- Extraction of bespoke file types
- Extraction of Internet History
- Extraction of Skype chat and other data
- Extracting data from Hiberfil and Crashdump files
- Understanding running processes and how they can help an investigation
- Enumerating network sockets and connections
- Finding and carving files for each process
- Reconstructing the Internet History
- Carving and investigating network packets
- Extracting executables from memory samples
- Virus checking RAM dumps
- Registry analysis
- Location and extraction of specific registry keys
- Extracting the SAM and decrypting passwords
- Decryption of Truecrypt
- Finding other plain text passwords
- Cracking the OSX keychain
- Imaging Linux RAM
- Linux RAM analysis section
- Imaging Intel Macs (OSX)
- OSX RAM Analysis section
- Real world practicals
- Loads more…..
What will you need?
You will require a Windows computer or Virtual Machine.
2 monitors are useful but not essential.
You will need to be able to install programs.
You will need a browser such as Firefox installed.
You will need access to the command shell (locked down on some corporate machines).
A pen and paper is useful.
To be able to approach a live computer and successfully image the computer memory.
To ascertain whether there is full disk encryption and, if needed, image the disks.
To be able to carry out detailed investigation of the RAM using a variety of tools.
To utilise Master Keys contained in RAM to decrypt encrypted containers without the password.
To be able to build your own data extraction script.
To be able to build your own RAM Analysis script.
By completing/passing this course, you will attain the certificate RA