This work by the National Information Security and Geospatial Technologies Consortium (NISGTC), except where otherwise noted, is licensed under the Creative Commons Attribution 3.0 Unported License.

Development was funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48. The National Information Security, Geospatial Technologies Consortium (NISGTC) is an entity of Collin College of Texas, Bellevue College of Washington, Bunker Hill Community College of Massachusetts, Del Mar College of Texas, Moraine Valley Community College of Illinois, Rio Salado College of Arizona, and Salt Lake Community College of Utah.

This workforce solution was funded by a grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties or assurances of any kind, express or implied, with respect to such information, including any information on linked sites, and including, but not limited to accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership.

Forensics labs are supported in NETLAB+ using the Forensics Pod.

Enabling the Labs

To enable the Forensics labs, check the box for "NISGTC Forensics" in the class settings. This must be done for each class requiring access to the labs.

Using the Labs

Always select the correct lab exercise for the lab being performed. Students or teams should schedule the correct lab exercise from the catalog. NETLAB+ will only show those labs for which the required pod type is available. A lab that works on different pod types may appear more than once if your system is so equipped. Instructors should select the correct lab from the Exercise tab during instructor-led lab reservations. This can be done as many times as needed during the reservation.

Importance of Choosing the Correct Lab Exercise

Several of the labs may differ from the standard pod topologies. This is handled by NETLAB+ Dynamic VLAN Mapping technology. Always select the correct lab exercise for the actual lab. This ensures that NETLAB+ will set up VLANs on the control switch such that lab devices and PCs are placed in the correct LAN segment for the exercise being performed. Selecting the correct exercise will also make the completed lab output easier to find in the archive.

Forensics Supported Labs

| Lab | Title | Objective | Objective Description |
|---|---|---|---|
| 1 | Introduction to File Systems | Digital Forensics Fundamentals | The candidate will demonstrate an understanding of forensic methodology, key forensics concepts, and identifying types of evidence on current Windows operating systems. |
| 2 | Common Locations of Windows Artifacts | Digital Forensics Fundamentals | The candidate will demonstrate an understanding of forensic methodology, key forensics concepts, and identifying types of evidence on current Windows operating systems. |
| 3 | Hashing Data Sets | Digital Forensics Fundamentals | The candidate will demonstrate an understanding of forensic methodology, key forensics concepts, and identifying types of evidence on current Windows operating systems. |
| 4 | Drive Letter Assignments in Linux | Evidence Acquisition, Preparation and Preservation | The candidate will demonstrate understanding of evidence chain-of-custody and integrity, E-discovery concepts, evidence acquisition and preservation, and the tools and techniques used by computer forensic examiners. |
| 5 | The Imaging Process | Evidence Acquisition, Preparation and Preservation | The candidate will demonstrate understanding of evidence chain-of-custody and integrity, E-discovery concepts, evidence acquisition and preservation, and the tools and techniques used by computer forensic examiners. |
| 6 | Introduction to Single Purpose Forensic Tools | Digital Forensics Fundamentals | The candidate will demonstrate an understanding of forensic methodology, key forensics concepts, and identifying types of evidence on current Windows operating systems. |
| 7 | Introduction to Autopsy Forensic Browser | Evidence Acquisition, Preparation and Preservation | The candidate will demonstrate understanding of evidence chain-of-custody and integrity, E-discovery concepts, evidence acquisition and preservation, and the tools and techniques used by computer forensic examiners. |
| 8 | Introduction to PTK Forensics Basic Edition | Evidence Acquisition, Preparation and Preservation | The candidate will demonstrate understanding of evidence chain-of-custody and integrity, E-discovery concepts, evidence acquisition and preservation, and the tools and techniques used by computer forensic examiners. |
| 9 | Analyzing a FAT Partition with Autopsy | File and Program Activity Analysis | The candidate will demonstrate an understanding of how the Windows registry, file metadata, memory, and filesystem artifacts can be used to trace user activities on suspect systems. |
| 10 | Analyzing a NTFS Partition with PTK | File and Program Activity Analysis | The candidate will demonstrate an understanding of how the Windows registry, file metadata, memory, and filesystem artifacts can be used to trace user activities on suspect systems. |
| 11 | Browser Artifact Analysis | Browser Forensics | The individual will demonstrate a solid understanding of Browser Forensics. |
| 12 | Communication Artifacts | User Communications Analysis | The candidate will demonstrate an understanding of forensic examination of user communication applications and methods, including host-based and mobile email applications, Instant Messaging, and other software and Internet-based user communication applications. |
| 13 | User Profiles and the Windows Registry | System and Device Profiling and Analysis | The candidate will demonstrate an understanding of the Windows registry structure, and how to profile Windows systems and removable devices. |
| 14 | Log Analysis | Log Analysis | The candidate will demonstrate an understanding of the purpose of the various types of Windows event, service and application logs, and the types of information they can provide. |
| 15 | Memory Analysis | File and Program Activity Analysis | The candidate will demonstrate an understanding of how the Windows registry, file metadata, memory, and filesystem artifacts can be used to trace user activities on suspect systems. |
| 16 | Forensic Case Capstone | Capstone Lab Covering all Objectives | Refer to descriptions above. |