Difference between pages "Training Courses and Providers" and "Windows Job File Format"

From ForensicsWiki
(Difference between pages)
(On-going / Continuous Training)
 
m (Unicode string)
 
Line 1: Line 1:
This is the list of Training Providers, who offer training courses of interest to practitioners and researchers in the field of Digital Forensics.  Conferences which may include training are located on the [[Upcoming_events]] page. 
+
{{expand}}
  
<b>PLEASE READ BEFORE YOU EDIT THE LIST BELOW</b><br>
+
== Overview ==
Some training providers offer on-going training courses that are available in an on-line "any time" format. Others have regularly scheduled training that is the same time each month. Others have recurring training but are scheduled at various times throughout the year. Providers training courses should be listed in alphabetical order, and should be listed in the appropriate section.  Non-Commercial training is typically offered by governmental agencies or organizations that directly support law enforcement.  Tool Vendor training is training offered directly by a specific tool vendor, which may apply broadly, but generally is oriented to the vendor's specific tool (or tool suite).  Commercial Training is training offered by commercial companies which may or may not be oriented to a specific tool/tool suite, but is offered by a company other than a tool vendor.
+
On [[Windows]] a .JOB file specifies task configuration. A .JOB file consists of two main sections, fixed-length and variable-length.
  
<i>Some training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
=== fixed-length section ===
== On-going / Continuous Training ==
+
 
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
The fixed-length section is 68 bytes in size and consists of:
|- style="background:#bfbfbf; font-weight: bold"
+
{| class="wikitable"
! width="40%"|Title
+
! width="20%"|Date/Location
+
! width="40%"|Website
+
 
|-
 
|-
|- style="background:pink;align:left"
+
! offset
! DISTANCE LEARNING
+
! size
 +
! value
 +
! description
 
|-
 
|-
|Basic Computer Examiner Course - Computer Forensic Training Online
+
| 0
|Distance Learning Format
+
| 2
|http://www.cftco.com
+
|
 +
| Product version
 
|-
 
|-
|SANS On-Demand Training
+
| 2
|Distance Learning Format
+
| 2
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
|
 +
| File version
 
|-
 
|-
|Champlain College - CCE Course
+
| 4
|Online / Distance Learning Format
+
| 16
|http://online.champlain.edu/computer-forensics-digital-investigation/CFDI_440
+
|
 +
| Job UUID (or GUID)
 
|-
 
|-
|National Center for Media Forensics
+
| 20
|Distance and Concentrated Audio/Video/Image Forensics
+
| 2
|http://cam.ucdenver.edu/ncmf
+
|
 +
| Application name size offset <br> The offset is relative from the start of the file.
 
|-
 
|-
|- style="background:pink;align:left"
+
| 22
!RECURRING TRAINING
+
| 2
 +
|
 +
| Trigger offset <br> The offset is relative from the start of the file.
 
|-
 
|-
|Evidence Recovery for Windows 7&reg; operating system;
+
| 24
|First full week every month<br>Brunswick, GA
+
| 2
|http://www.internetcrimes.net
+
|
 +
| Error Retry Count
 
|-
 
|-
|Evidence Recovery for Windows 8&reg;
+
| 26
|Second full week every month<br>Brunswick, GA
+
| 2
|http://www.internetcrimes.net
+
|
 +
| Error Retry Interval
 
|-
 
|-
|Evidence Recovery for Windows Server&reg; 2008 and 2012
+
| 28
|Third full week every month<br>Brunswick, GA
+
| 2
|http://www.internetcrimes.net
+
|
 +
| Idle Deadline
 
|-
 
|-
|}
+
| 30
 
+
| 2
==Non-Commercial Training==
+
|
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
| Idle Wait
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="40%"|Website
+
! width="20%"|Limitation
+
 
|-
 
|-
|Defense Cyber Investigations Training Academy (DCITA)
+
| 32
|http://www.dc3.mil/dcita/dcitaAbout.php
+
| 4
|Limited To Certain Roles within US Government Agencies[http://www.dc3.mil/dcita/dcitaRegistration.php (1)]
+
|
 +
| Priority
 
|-
 
|-
|Federal Law Enforcement Training Center
+
| 36
|http://www.fletc.gov/training/programs/technical-operations-division
+
| 4
|Limited To Law Enforcement
+
|
 +
| Maximum Run Time
 
|-
 
|-
|MSU National Forensics Training Center
+
| 40
|http://www.security.cse.msstate.edu/ftc
+
| 4
|Limited To Law Enforcement
+
|
 +
| Exit Code
 
|-
 
|-
|IACIS
+
| 44
|http://www.iacis.com/training/course_listings
+
| 4
|Limited To Law Enforcement and Affiliate Members of IACIS
+
|
 +
| Status
 
|-
 
|-
|SEARCH
+
| 48
|http://www.search.org/programs/hightech/courses/
+
| 4
|Limited To Law Enforcement
+
|
|-
+
| Flags
|National White Collar Crime Center
+
|http://www.nw3c.org/training
+
|Limited To Law Enforcement
+
 
|-
 
|-
 +
| 52
 +
| 16
 +
|
 +
| Last run time <br> Consists of a SYSTEMTIME
 
|}
 
|}
  
==Tool Vendor Training==
+
==== SYSTEMTIME ====
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
{| class="wikitable"
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="40%"|Website
+
! width="20%"|Limitation
+
 
|-
 
|-
|AccessData (Forensic Tool Kit FTK)
+
! offset
|http://accessdata.com/training
+
! size
 +
! value
 +
! description
 
|-
 
|-
|ASR Data (SMART)
+
| 0
|http://www.asrdata.com/forensic-training/overview/
+
| 2
 +
|
 +
| Year
 
|-
 
|-
|ATC-NY (P2P Marshal, Mac Marshal)
+
| 2
|http://p2pmarshal.atc-nycorp.com/index.php/training http://macmarshal.atc-nycorp.com/index.php/training
+
| 2
 +
|
 +
| Month
 
|-
 
|-
|BlackBag Technologies (Mac Forensic Tools- BlackLight and SoftBlock)
+
| 4
|https://www.blackbagtech.com/training.html
+
| 2
 +
|
 +
| Weekday
 
|-
 
|-
|Cellebrite (UFED)
+
| 6
|http://www.cellebrite.com/mobile-forensic-training.html
+
| 2
 +
|
 +
| Day
 
|-
 
|-
|CPR Tools (Data Recovery)
+
| 8
|http://www.cprtools.net/training.php
+
| 2
 +
|
 +
| Hour
 
|-
 
|-
|Digital Intelligence (FRED Forensics Platform)
+
| 10
|http://www.digitalintelligence.com/forensictraining.php
+
| 2
 +
|
 +
| Minute
 
|-
 
|-
|e-fense, Inc. (Helix3 Pro)
+
| 12
|http://www.e-fense.com/training/index.php
+
| 2
 +
|
 +
| Second
 
|-
 
|-
|Forward Discovery (Cellebrite, EnCase, Mac Forensics)
+
| 14
|http://www.forwarddiscovery.com/training
+
| 2
 +
|
 +
| Milli second
 +
|}
 +
 
 +
==== Priority ====
 +
{| class="wikitable"
 
|-
 
|-
|Guidance Software (EnCase)
+
! Value
|http://www.guidancesoftware.com/computer-forensics-training-courses.htm
+
! Identifier
 +
! Description
 
|-
 
|-
|Micro Systemation (XRY)
+
| 0x00800000
|http://www.msab.com/training/schedule
+
| REALTIME_PRIORITY_CLASS
 +
| The task can run at the highest possible priority. The threads of a real-time priority class process preempt the threads of all other processes, including operating system processes performing important tasks.
 
|-
 
|-
|Nuix (eDiscovery)
+
| 0x01000000
|http://www.nuix.com.au/training
+
| HIGH_PRIORITY_CLASS
 +
| The task performs time-critical tasks that can be executed immediately for it to run correctly. The threads of a high-priority class process preempt the threads of normal or idle priority class processes.
 
|-
 
|-
|Paraben (Paraben Suite)
+
| 0x02000000
|http://www.paraben-training.com/schedule.html
+
| IDLE_PRIORITY_CLASS
 +
| The task can run in a process whose threads run only when the machine is idle, and are preempted by the threads of any process running in a higher priority class.
 
|-
 
|-
|Software Analysis & Forensic Engineering (CodeSuite)
+
| 0x04000000
|http://www.safe-corp.biz/training.htm
+
| NORMAL_PRIORITY_CLASS
 +
| The task has no special scheduling requirements.
 +
|}
 +
 
 +
==== Status ====
 +
{| class="wikitable"
 
|-
 
|-
|Technology Pathways(ProDiscover)
+
! Value
|http://www.techpathways.com/DesktopDefault.aspx?tabindex=6&tabid=9
+
! Identifier
 +
! Description
 
|-
 
|-
|Volatility Labs (Volatility Framework)
+
| 0x00041300
|http://volatility-labs.blogspot.com/search/label/training
+
| SCHED_S_TASK_READY
 +
| Task is not running but is scheduled to run at some time in the future.
 
|-
 
|-
|WetStone Technologies (Gargoyle, Stego Suite, LiveWire Investigator)
+
| 0x00041301
|https://www.wetstonetech.com/trainings.html
+
| SCHED_S_TASK_RUNNING
|-
+
| Task is currently running.
|X-Ways Forensics (X-Ways Forensics)
+
|http://www.x-ways.net/training/
+
 
|-
 
|-
 +
| 0x00041305
 +
| SCHED_S_TASK_NOT_SCHEDULED
 +
| The task is not running and has no valid triggers.
 
|}
 
|}
  
==Commercial Training (Non-Tool Vendor)==
+
==== Flags ====
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
See: [http://msdn.microsoft.com/en-us/library/cc248283.aspx Flags]
|- style="background:#bfbfbf; font-weight: bold"
+
 
! width="40%"|Title
+
=== variable-length section ===
! width="40%"|Website
+
The variable-length section contains the following values:
! width="20%"|Limitation
+
* Running Instance Count
 +
* Application Name
 +
* Parameters
 +
* Working Directory
 +
* Author
 +
* Comment
 +
* User Data
 +
* Reserved Data
 +
* Triggers
 +
* Job Signature
 +
 
 +
These values are stored as Unicode strings.
 +
 
 +
==== Unicode string ====
 +
{| class="wikitable"
 
|-
 
|-
|Applied Security (Digital Forensics Training)
+
! offset
|http://www.appliedsec.com/forensics/training.html
+
! size
 +
! value
 +
! description
 
|-
 
|-
|BerlaCorp iOS and GPS Forensics Training
+
| 0
|http://www.berlacorp.com/training.html
+
| 2
|-
+
|
|Computer Forensic Training Center Online (CFTCO)
+
| Number of characters <br> The value will be 0 if the string is empty.
|http://www.cftco.com/
+
|-
+
|CCE Bootcamp
+
|http://www.cce-bootcamp.com/
+
|-
+
|Cyber Security Academy
+
|http://www.cybersecurityacademy.com/
+
|-
+
|Dera Forensics Group
+
|http://www.deraforensicgroup.com/courses.htm
+
|-
+
|e-fense Training
+
|http://www.e-fense.com/training/index.php
+
|-
+
|Forward Discovery, Inc.
+
|http://www.forwarddiscovery.com
+
|-
+
|H-11 Digital Forensics
+
|http://www.h11-digital-forensics.com/training/viewclasses.php
+
|-
+
|High Tech Crime Institute
+
|http://www.gohtci.com
+
|-
+
|Infosec Institute
+
|http://www.infosecinstitute.com/courses/security_training_courses.html
+
|-
+
|Intense School (a subsidiary of Infosec Institute)
+
|http://www.intenseschool.com/schedules
+
|-
+
|MD5 Group (Computer Forensics and E-Discovery courses)(Dallas, TX)
+
|http://www.md5group.com
+
|-
+
|Mile 2 (Security and Forensics Certification Training)
+
|https://www.mile2.com/mile2-online-estore/classess.html
+
|-
+
|Mobile Forensics, Inc
+
|http://mobileforensicsinc.com/
+
|-
+
|NetSecurity
+
|http://www.netsecurity.com/training/registration_schedule.html
+
|-
+
|NID Forensics Academy (Certified Digital Forensic Investigator - CDFI Program)
+
|http://www.nidforensics.com.br/
+
|-
+
|NTI (an Armor Forensics Company) APPEARS DEFUNCT
+
|http://www.forensics-intl.com/training.html
+
|-
+
|Security University
+
|http://www.securityuniversity.net/classes.php
+
|-
+
|Steganography Analysis and Research Center (SARC)
+
|http://www.sarc-wv.com/training
+
|-
+
|Sumuri, LLC - Mac, Mobile, iLook Training
+
|http://www.sumuri.com/
+
|-
+
|SysAdmin, Audit, Network, Security Institute (SANS)
+
|http://computer-forensics.sans.org/courses/
+
|-
+
|Teel Technologies Mobile Device Forensics Training
+
|http://www.teeltech.com/tt3/training.asp
+
|-
+
|viaForensics Advanced Mobile Forensics Training
+
|http://viaforensics.com/education/calendar/
+
|-
+
|Zeidman Consulting (MCLE)
+
|http://www.zeidmanconsulting.com/speaking.htm
+
 
|-
 
|-
 +
| 2
 +
| ...
 +
|
 +
| String <br> UTF-16 little-endian with end-of-string character
 
|}
 
|}
 +
 +
== See Also ==
 +
* [[Windows]]
 +
 +
== External Links ==
 +
* [http://msdn.microsoft.com/en-us/library/cc248285.aspx .JOB File Format], by [[Microsoft]]
 +
 +
[[Category:File Formats]]

Revision as of 11:55, 5 July 2014


Overview

On Windows, a .JOB file specifies the configuration of a task. A .JOB file consists of two main sections: a fixed-length section and a variable-length section.

fixed-length section

The fixed-length section is 68 bytes in size and consists of:

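{| class="wikitable"
! offset !! size !! value !! description
|-
| 0 || 2 || || Product version
|-
| 2 || 2 || || File version
|-
| 4 || 16 || || Job UUID (or GUID)
|-
| 20 || 2 || || Application name size offset <br> The offset is relative to the start of the file.
|-
| 22 || 2 || || Trigger offset <br> The offset is relative to the start of the file.
|-
| 24 || 2 || || Error Retry Count
|-
| 26 || 2 || || Error Retry Interval
|-
| 28 || 2 || || Idle Deadline
|-
| 30 || 2 || || Idle Wait
|-
| 32 || 4 || || Priority
|-
| 36 || 4 || || Maximum Run Time
|-
| 40 || 4 || || Exit Code
|-
| 44 || 4 || || Status
|-
| 48 || 4 || || Flags
|-
| 52 || 16 || || Last run time <br> Consists of a SYSTEMTIME
|}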

SYSTEMTIME

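{| class="wikitable"
! offset !! size !! value !! description
|-
| 0 || 2 || || Year
|-
| 2 || 2 || || Month
|-
| 4 || 2 || || Weekday
|-
| 6 || 2 || || Day
|-
| 8 || 2 || || Hour
|-
| 10 || 2 || || Minute
|-
| 12 || 2 || || Second
|-
| 14 || 2 || || Millisecond
|}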

Priority

{| class="wikitable"
! Value !! Identifier !! Description
|-
| 0x00800000 || REALTIME_PRIORITY_CLASS || The task can run at the highest possible priority. The threads of a real-time priority class process preempt the threads of all other processes, including operating system processes performing important tasks.
|-
| 0x01000000 || HIGH_PRIORITY_CLASS || The task performs time-critical tasks that can be executed immediately for it to run correctly. The threads of a high-priority class process preempt the threads of normal or idle priority class processes.
|-
| 0x02000000 || IDLE_PRIORITY_CLASS || The task can run in a process whose threads run only when the machine is idle, and are preempted by the threads of any process running in a higher priority class.
|-
| 0x04000000 || NORMAL_PRIORITY_CLASS || The task has no special scheduling requirements.
|}

Status

{| class="wikitable"
! Value !! Identifier !! Description
|-
| 0x00041300 || SCHED_S_TASK_READY || Task is not running but is scheduled to run at some time in the future.
|-
| 0x00041301 || SCHED_S_TASK_RUNNING || Task is currently running.
|-
| 0x00041305 || SCHED_S_TASK_NOT_SCHEDULED || The task is not running and has no valid triggers.
|}

Flags

See: [http://msdn.microsoft.com/en-us/library/cc248283.aspx Flags]

variable-length section

The variable-length section contains the following values:

  • Running Instance Count
  • Application Name
  • Parameters
  • Working Directory
  • Author
  • Comment
  • User Data
  • Reserved Data
  • Triggers
  • Job Signature

These values are stored as Unicode strings.

Unicode string

{| class="wikitable"
! offset !! size !! value !! description
|-
| 0 || 2 || || Number of characters <br> The value will be 0 if the string is empty.
|-
| 2 || ... || || String <br> UTF-16 little-endian with end-of-string character
|}
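
The layout above, turned into a parser as an added example (not part of the wiki page or of any tool it references): it unpacks the 68-byte fixed-length section, decodes the SYSTEMTIME and the Priority and Status values from the tables, and follows the application name offset to a length-prefixed Unicode string. Little-endian integers and Windows GUID byte order are assumptions, and the field names, function names and sample bytes are constructed for illustration.

```python
import struct
import uuid
from datetime import datetime

# 68-byte fixed-length section in table order; little-endian integers are an assumption.
FIXED = struct.Struct("<HH16sHHHHHHIIIII16s")
FIELDS = ("product_version file_version uuid app_name_offset trigger_offset "
          "error_retry_count error_retry_interval idle_deadline idle_wait "
          "priority max_run_time exit_code status flags last_run").split()
PRIORITY = {0x00800000: "REALTIME_PRIORITY_CLASS", 0x01000000: "HIGH_PRIORITY_CLASS",
            0x02000000: "IDLE_PRIORITY_CLASS", 0x04000000: "NORMAL_PRIORITY_CLASS"}
STATUS = {0x00041300: "SCHED_S_TASK_READY", 0x00041301: "SCHED_S_TASK_RUNNING",
          0x00041305: "SCHED_S_TASK_NOT_SCHEDULED"}  # both tables copied from the page

def parse_systemtime(raw):
    """Decode a 16-byte SYSTEMTIME; None if the fields are not a valid date."""
    year, month, _weekday, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    try:
        return datetime(year, month, day, hour, minute, second, ms * 1000)
    except ValueError:
        return None

def read_unicode_string(data, offset):
    """Read a 2-byte character count plus UTF-16LE text, with bounds checks."""
    if offset + 2 > len(data):
        raise ValueError("string length field lies outside the file")
    (count,) = struct.unpack_from("<H", data, offset)
    end = offset + 2 + 2 * count
    if end > len(data):
        raise ValueError("string runs past the end of the file")
    return data[offset + 2:end].decode("utf-16-le").rstrip("\x00")

def parse_job(data):
    """Parse the fixed-length section and the application name it points to."""
    if len(data) < FIXED.size:
        raise ValueError("shorter than the 68-byte fixed-length section")
    job = dict(zip(FIELDS, FIXED.unpack_from(data)))
    job["uuid"] = str(uuid.UUID(bytes_le=job["uuid"]))  # assumes GUID byte order
    job["priority"] = PRIORITY.get(job["priority"], hex(job["priority"]))
    job["status"] = STATUS.get(job["status"], hex(job["status"]))
    job["last_run"] = parse_systemtime(job["last_run"])
    job["app_name"] = read_unicode_string(data, job["app_name_offset"])
    return job

def build_sample():  # constructed bytes for the demo, not taken from a real task
    name = "C:\\Windows\\notepad.exe\x00".encode("utf-16-le")
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
    last_run = struct.pack("<8H", 2014, 7, 6, 5, 11, 55, 0, 0)
    fixed = FIXED.pack(1, 1, guid, 70, 0, 0, 0, 60, 10, 0x04000000, 0, 0, 0x00041300, 0, last_run)
    return fixed + struct.pack("<HH", 0, len(name) // 2) + name
```

Unknown Priority or Status values are returned as hex strings rather than dropped, so values outside the page's tables stay visible in the output.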

See Also

  • Windows

External Links

  • [http://msdn.microsoft.com/en-us/library/cc248285.aspx .JOB File Format], by Microsoft