About this course

Course code TPCDaCT
Duration 3 Days

Gain confidence in collecting and handling data by getting a practical understanding of the legalities, best practice and current techniques used for data acquisition as part of eDiscovery, forensic investigation or other regulatory proceedings.

Correct data capture and handling is now essential in all civil and regulatory, as well as criminal, matters. Forensic experts are not always available to preserve data evidence so organisations now require people to be competent to handle data during the initial stages of an investigation. This 2 day course has been specifically designed to equip you with the required skills if you advise on and/or handle data on a regular basis, but do not need to forensically analyse the data. It provides the same advice, techniques and expert trainers used by 7Safe’s longer forensic courses (CFIP and CFIS), but focuses on the data acquisition elements only.

The course includes an examination to recognise the skills and learning attained during the course.

  • An overview of current legislation and the impact of recent case law
  • ACPO best practice and other guidelines for data collection
  • What is ‘forensic’ in respect to data acquisition?
  • Evidence seizure, handling and chain of custody
  • The challenges of data collection due to evolving technologies i.e. solid state and cloud storage
  • Data verification, integrity, hashing techniques and actions on failure
  • Differences between static, booted and live data acquisition
  • When to consider volatile data collection and its potential impact
  • Documenting your process and report / statement writing.

Delegates will apply the theory of forensic data acquisition during practical exercises that demonstrate the following techniques:

  • Forensic imaging in a number of environments using different methods and software
  • Capture of a system from a virtualised environment
  • Extracting an individual mailbox from a live Microsoft Exchange e-mail server
  • Live system memory and volatile data capture.

Prerequisites

General appreciation of Information Technology and computer forensic principles/methods is desirable, but not essential.

Who Should Attend?

Any person responsible for the process of data acquisition including:

  • eDiscovery consultants
  • Civil litigation lawyers / legal council
  • Law enforcement officers & agents
  • IT security Officers
  • Network administrators

Delegates will learn how to

Delegates will apply the theory of forensic data acquisition during practical exercises that demonstrate the following techniques:

  • Forensic imaging in a number of environments using different methods and software
  • Capture of a system from a virtualised environment
  • Extracting an individual mailbox from a live Microsoft Exchange e-mail server
  • Live system memory and volatile data capture

Outline

1. Investigations Principles and Strategy

  • Legislation Considerations
  • ACPO Guideline -The Four Principles

2. Competency

  • ACPO Guideline - Competency
  • ISO standards
  • Relevant case law

3. Considerations

  • Challenges of evolving technology
  • Understanding the requirements of data collection
  • Technological conflicts

4. Collection, Exhibits & Continuity

  • Data collection sites
  • Data collection types
  • Information to be recorded
  • 'Bagging' and 'Tagging'
  • Statement for seizing physical evidence
  • Statement for copying virtual evidence
  • Chain of custody

5. Data Collection

  • The forensic preview
  • Physical examination
  • System date and time

6. Methods & Tools

  • Data acquisition methods
  • Data acquisition hardware
  • Data acquisition software
  • Data acquisition platforms

7. Forensic Image Types

  • Forensic Image
  • Forensic Clone

8. Source Integrity

  • Hardware write blockers
  • Software write blockers
  • Hashing & verification

9. Post Acquisition

  • Working copies & backups

10. Data collection Types

  • Physical
  • Logical
  • Selective

11. Data Environments

  • Booted
  • Static
  • Live
  • Volatile
  • Cloud

The above covers data collection from the following storage mediums:

  • HDD
  • SSD
  • RAID
  • SAN
  • NAS
  • File share
  • MS Exchange server
  • MS Outlook
  • Virtual disk
  • Virtual machine
  • Cloud storage
  • Webmail
  • Website
  • Smart devices

3 Days

Duration

This is a QA approved partner course

Delivery Method

Delivery method

Classroom

Face-to-face learning in the comfort of our quality nationwide centres, with free refreshments and Wi-Fi.

Trusted, awarded and accredited

Fully accredited to ensure we provide the highest possible standards in learning

All third party trademark rights acknowledged.