Difference between pages "Training Courses and Providers" and "AFF4"

From ForensicsWiki
Line 1: Line 1:
This is the list of Scheduled Training Courses, referred to by [[Upcoming Events]]
+
= Advanced Forensic Framework 4 (AFF4) =
  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
AFF4 was developed by [[Michael Cohen]], [[Simson Garfinkel]] and [[Bradley Schatz]]. This page describes the basic design. See [[LibAFF4]] for a description of how to use the sample implementation, library and tools.
|- style="background:#bfbfbf; font-weight: bold"
+
 
! Title
+
== Why did we want to design yet another forensic file format? ==
! Date/Location
+
 
! Website
+
Traditional forensic file formats have a number of limitations which have been exposed over the years:
! Limitation
+
 
|-
+
* Proprietary formats like EWF are difficult to implement and explain. EWF is a fairly complex file format. Most of the details are reverse engineered. Recovery from damaged EWF files is difficult as detailed knowledge of the file format is required.
|Computer Forensics Training and CCE™ Testing for Litigation Support Professionals
+
 
|Oct 05-08, Denver, CO
+
* Simple file formats like dd are very large since they are uncompressed. They also don't store metadata or signatures, and have no cryptographic support.
|http://www.md5group.com
+
 
|-
+
* Traditional file formats are designed to store a single stream. Often in an investigation, however, multiple sources of data need to be acquired (sometimes simultaneously) and stored in the same evidence volumes.
|Paraben Handheld Forensic Course
+
 
|Oct 08-11, Potomac Falls, VA
+
* Traditional file formats just deal with data - there is no attempt to build a universal evidence management system integrated within the file specification.
|http://www.paraben-training.com/
+
 
|-
+
 
|SMART Windows Data Forensics
+
The previous AFF format made huge advancements in the field, introducing excellent support for cryptography, digital signatures, compression and even the concepts of external referencing. It was time to gather up all the good things in AFF and design a new AFF4 specification.
|Oct 08-10, Austin, TX
+
 
|http://asrdata.com/training/training2.html
+
We wanted to use a well recognized, widely supported and open bit level format. One of the strengths of AFF was the use of segments within the file format itself. It became obvious that the only requirement we have from an underlying storage mechanism is the ability to store blobs of data by name, and retrieve them by that name. How these are actually stored is quite irrelevant to us.
|-
+
 
|AccessData® BootCamp
+
The sections below give a quick overview of some of the major ideas.
|Oct 09-11, Brisbane, QLD, Australia and Milan, Italy
+
 
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
== Objects ==
|-
+
 
|AccessData® Applied Decryption
+
AFF4 is an object-oriented architecture. We term the ''AFF4 universe'' the total set of objects which are known. Because AFF4 is designed to be scalable to huge evidence corpuses, the AFF4 universe is infinite. All objects are addressable by their name, which is unique in the universe. For example, an AFF4 object might have a name of:
|Oct 09-11, London, United Kingdom
+
 
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
    urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
|-
+
 
|AccessData® Windows Forensics
+
This is a standard URN notation object. The URN is unique. There will never be another object created anywhere in the universe with the same URN. Once objects are created their URN is fixed.
|Oct 09-11, Las Vegas, NV; Nashville, TN; and New York City, NY
+
 
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
== Relations ==
|-
+
The AFF4 universe uses RDF to specify attributes about objects. In its simplest form (the one we use) RDF is just a set of statements about an object of the form:
|AccessData® Internet Forensics
+
 
|Oct 09-11, Orlando, FL
+
  Subject  Attribute  Value
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
 
|-
+
For example:
|EnCase® v6 Computer Forensics II-Private Sector
+
  <nowiki>
|Oct 09-12, Chicago, IL
+
  ******** Object urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2 ***********
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
aff4:stored = urn:aff4:4bdbf8bc-d8a5-40cb-9af0-fd7e4d0e2c9e
|-
+
aff4:type = image
|EnCase&reg; v6 NTFS
+
aff4:interface = stream
|Oct 09-12, Houston, TX
+
aff4:timestamp = 0x49E9DEC3
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
aff4:chunk_size = 32k
|-
+
aff4:compression = 8
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
aff4:chunks_in_segment = 2048
|Oct 09-12, Los Angeles, CA, The Netherlands
+
aff4:size = 10485760
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
  </nowiki>
|-
+
 
|EnCase&reg; v6 Advanced Computer Forensics
+
This shows that the object named (the Subject) has all these attributes and their values. We call these ''relations'' or ''facts''. The entire AFF4 universe is constructed around these facts. As we will see later, facts can be signed by a person, which essentially has the person asserting that the facts are true.
|Oct 09-12, Washington DC
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
AFF4 objects exist because they do something useful. What they do depends on the interface they present. Currently there are a few interfaces; the most important ones are the '''Volume''' interface and the '''Stream''' interface. An object's interface is a fact about the object with an attribute of aff4:interface. This tells us what the object can do for us.
|-
+
 
|EnCase&reg; v6 Computer Forensics II
+
On the other hand, AFF4 objects can actually be different things and do what they do in a different way. The actual type of an object is specified by the attribute aff4:type. Whereas an interface tells us what the object can do for us, a type tells us what it actually is. (It's possible to change an object's type without changing its interface, for example going from a ZipFile to a Directory volume. This does not affect any users of the object.)
|Oct 09-12, Melbourne, Australia
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
== Volumes ==
|-
+
 
|Secure Techniques for Onsite Preview(STOP)
+
We define a '''Volume''' as a storage mechanism which can store a segment (bit of binary data) by name and retrieve it by name. Currently we have two volume implementations: a '''Directory''' and a '''ZipFile'''.  
|Oct 11-12, Pittsburgh, PA
+
 
|http://www.nw3c.org/ocr/courses_desc.cfm
+
=== Directory Volume ===
|Limited to Law Enforcement
+
 
|-
+
The Directory implementation stores the segments as flat files inside a regular directory on the filesystem. This is really useful if we want to image to a FAT filesystem since each segment is really small and we will not exceed the file size limitations. It's also possible to root the directory on an HTTP URL (i.e. the directory starts with http://somehost/url/). This allows us to use the image directly from the web - no need to download the whole thing.
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
 
|Oct 12-15, Dallas, TX
+
Directory objects use FileLikeObjects (see below) to actually store the segments into different files. This means that Directory Volumes can be stored on HTTP or HTTPS servers, as well as regular directories.
|http://www.md5group.com
+
 
|-
+
=== ZipFile Volume ===
|AccessData&reg; Vista Forensics
+
 
|Oct 12, Las Vegas, NV and Nashville, TN
+
The ZipFile implementation stores segments inside a zip archive. If the archive gets too large (over 4Gb) we use the Zip64 extensions to store offsets in 64 bits. This is nice since small volumes can just be opened with Windows Explorer. It's also really easy to extract the data out. A ZipFile volume uses a FileLikeObject to actually store the zip file.
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
 
|-
+
This means that it's possible to write a ZipFile volume directly onto an HTTP server and use the image directly from the server as well.
|XP-Digital Evidence Acquisition Specialist Training Program (DEASTP)
+
 
|Oct 15-26, Savannah, GA
+
Example: http://www.pyflag.net/images/test.zip is an example of a small (about 1mb) AFF4 image.
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
 
|Limited to Law Enforcement
+
Directory and ZipFile volumes can be easily converted from one to the other (i.e. unzip the ZipFile into a directory to create a Directory volume).
|-
+
 
|BlackBag Introductory MacIntosh Forensics
+
== Streams ==
|Oct 15-19, Tacoma, WA
+
 
|http://www.blackbagtech.com/products/training.htm
+
Streams are the basic interface for storing image data. Streams present a consistent interface which provides the methods ''read'', ''seek'', ''tell'' and ''close''. (Streams also support ''write'', but that's a bit special because it's how you actually create them.)
|-
+
 
|Macintosh Forensic Survival Course
+
As long as an AFF4 object presents a stream interface, it's possible to perform random reads within the body of data. Hence it's possible to store any image data within the stream. The following sections explain some of the specific implementations of streams.
|Oct 15-19, Philadelphia, PA
+
 
|http://www.phoenixdatagroup.com/cart/index.php
+
=== FileBackedObjects ===
|-
+
 
|Intermediate Data Recovery and Analysis(IDRA)
+
The FileBacked object is a stream which stores data in an actual file on the filesystem. The location of the file is determined from the file's URN. Since a URN is a superset of URLs, URLs are also valid URNs. This means that something like file:///somedirectory/filename is a valid location for a FileBackedObject.
|Oct 15-19, Fairmont, WV
+
 
|http://www.nw3c.org/ocr/courses_desc.cfm
+
=== HTTPObject ===
|Limited to Law Enforcement
+
 
|-
+
HTTP is ubiquitous and easy to deploy. Since URLs are also valid URNs, it's possible to specify that an AFF4 volume be stored on or read from an HTTP server. This implementation uses the Range HTTP header to read specific byte ranges from the server - so network traffic between the client and server is minimal. It's possible to examine a remote image over HTTP without needing to copy the whole thing down.
|ILook® Automated Forensic Application(ILook)
+
 
|Oct 15-19, Weyers Cave, VA
+
This is excellent when you just want to have a quick look at a remote image without needing to download the whole thing.
|http://www.nw3c.org/ocr/courses_desc.cfm
+
 
|Limited to Law Enforcement
+
For security reasons it's recommended that write support be restricted in some way (e.g. passwords, SSL certificates etc). Read support can be provided freely if the volume is encrypted. Securing the web server is outside the scope of AFF4.
|-
+
 
|EnCase&reg; v6 Network Intrusion Investigations - Phase II
+
=== Segments ===
|Oct 15-18, Los Angeles, CA
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
Segments are components stored directly within the Volume. Recall that a volume is simply an object which stores and retrieves segments. Segments also present the stream interface, but practically they should generally be used for smaller streams because it may be expensive to seek within compressed segments.
|-
+
 
|AccessData&reg; BootCamp
+
Segments are particularly useful when you don't have an imaging tool handy and you want to create a logical image of a subset of a filesystem (that is, you want to image some files from a filesystem rather than a forensic image of the filesystem itself). This could happen if you cannot take the server down for incident response or if the filesystem is just so big and you know most of it will not be relevant.
|Oct 15-17, Calgary, Alberta, Canada
+
 
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
In that case there is nothing simpler than just to open up Windows Explorer - right click and send to a compressed folder. A regular zip file is also an AFF4 volume!!! The files within it are stream objects and libaff4 will recognize them as such. Larger segments can be converted to Image streams later (and signed, encrypted etc).
|-
+
 
|EnCase&reg; v6 Advanced Computer Forensics
+
=== Image streams ===
|Oct 16-19, Chicago, IL
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
Although segments are great for small files, for very large images we can't really use those because we could not compress them efficiently. Therefore we have an image stream.
|-
+
 
|EnCase&reg; v6 Computer Forensics II
+
The Image stream stores the image in chunks. Each chunk (typically 32kb) is compressed, and a group of chunks (called a '''bevy''') is stored back to back inside a bevy segment. Segments are named according to the scheme: URN_OF_IMAGE_STREAM/00000000, URN_OF_IMAGE_STREAM/00000001 etc.
|Oct 16-19, Houston, TX and Washington DC
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
The offset of each chunk within the bevy is stored in an index segment (with a .idx extension). Here is an example:
|-
+
 
|EnCase&reg; v6 Network Intrusion Investigations - Phase II
+
    urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2/00000000
|Oct 16-19, The Netherlands
+
    urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2/00000000.idx
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
    urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2/00000001
|-
+
    urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2/00000001.idx
|AccessData&reg; BootCamp
+
 
|Oct 16-18, Los Angeles, CA; Washington, DC; London, United Kingdom; and St Kitts
+
Here is a short Python program to unpack an Image stream:
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
 
|-
+
  import struct
  import zipfile
  import zlib
  # INPUT_FILE, OUTPUT_FILE and STREAM (the URN of the image stream) must be set beforehand
  volume = zipfile.ZipFile(INPUT_FILE)
  outfd = open(OUTPUT_FILE, "wb")  # chunks decompress to bytes
  count = 0
  while True:
      try:
          idx_segment = volume.read(STREAM + "/%08d.idx" % count)
          bevy = volume.read(STREAM + "/%08d" % count)
      except KeyError:
          break  # no such segment: the previous bevy was the last one
      # the index segment is an array of little-endian 32-bit chunk offsets
      indexes = struct.unpack("<" + "L" * (len(idx_segment) // 4), idx_segment)
      for i in range(len(indexes) - 1):
          chunk = bevy[indexes[i]:indexes[i + 1]]
          outfd.write(zlib.decompress(chunk))
      count += 1
  outfd.close()
|AccessData&reg; Windows Forensics
|Oct 18-20, Calgary, Alberta, Canada
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Intermediate Data Recovery and Analysis(IDRA)
|Oct 22-26, Phoenix, AZ
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|X-Ways Forensics
|Oct 22-24, Hong Kong
|http://www.x-ways.net/training/hong_kong.html
+
 
|-
+
 
|EnCase&reg; v6 Computer Forensics II-Private Sector
+
=== Map Streams ===
|Oct 23-26, Washington DC
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
A lot of work in digital forensics involves copying data around. For example, carving files usually results in the carved files being copied out of the image for testing. If you image a RAID array separately you end up with 3-5 disk images and typically you will need to copy them into a logical image (unless your favourite software supports RAID reconstruction). When you copy a file out of the image using sleuthkit, you are actually copying bits of data directly from the image.
|-
+
 
|EnCase&reg; v6 Computer Forensics I - Private Sector
+
All these copies are wasteful of disk space. They are also hard to manage because pretty soon you end up with lots of copies of the same data in different ways. There must be a better way!!!
|Oct 23-26, Houston, TX
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
Now there is. By having the underlying forensic format do all the mapping, it's possible to use tools which are not capable of doing these transformations themselves. This is all about tool reuse. For example, suppose you have a carver which is used to work on dd images, but you want to use it on the virtual memory image of the Firefox process. In the past you had to copy the virtual memory out (it could be 2-4gb) then run the carver on it, and possibly end up with about 3 or 4 copies of the same data - for each process address space!!!
|-
+
 
|EnCase&reg; v6 Computer Forensics II
+
It's much easier to have Volatility create the initial maps for each process (with zero storage overheads), and then carvers can just use the maps without understanding anything about memory forensics. In this way the AFF4 format is more of an interchange format - allowing tools to be used on the results from other tools.
|Oct 23-26, Toronto, Canada
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
The map stream is an AFF4 object which contains a segment called '''map'''. Here is an example:
|-
+
 
|EnCase&reg; v6 Computer Forensics I
+
  1601536,0,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
|Oct 23-26, Los Angeles, CA and Singapore
+
  1614848,12288,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
  1879040,274432,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
|-
+
  2142208,536576,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
|EnCase&reg; v6 Advanced Internet Examinations
+
  2405376,798720,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
|Oct 23-26, Canberra, Australia
+
  2668544,1060864,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
  2931712,1323008,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
|-
+
 
|AccessData&reg; BootCamp
+
 
|Oct 23-25, Hamilton, NJ; St. Louis, MO; and Paris, France
+
This map was generated by sleuthkit for an ext2 file. The first number is the offset in the image. The second number is the offset in the file and the third is the URN of the object to read from (the target). The above map basically says that the byte range from 0-12288 in the file should be read from aff4:f3eba626-505a-4730-8216-1987853bc4d2 offset 1601536 to 1614848, etc.
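The following is an added example, not code from the original page or from libaff4, showing how a reader could resolve reads through a map segment of the form described above (image offset, file offset, target URN). The function names, the stream size argument (assumed to be known from the stream's attributes) and the in-memory target image are assumptions of this example.

```python
import bisect
import io

URN = "urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2"

# Constructed sample: the first three lines of the map shown above.
SAMPLE_MAP = """\
1601536,0,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
1614848,12288,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
1879040,274432,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
"""
SAMPLE_SIZE = 278528  # constructed size of the mapped file, in bytes


def parse_map(text):
    """Parse 'image_offset,file_offset,target_urn' lines into a list of
    (file_offset, image_offset, target) tuples sorted by file offset."""
    points = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split(",", 2)
        if len(fields) != 3:
            raise ValueError("line %d: expected 3 fields" % lineno)
        image_offset, file_offset = int(fields[0]), int(fields[1])
        if image_offset < 0 or file_offset < 0:
            raise ValueError("line %d: negative offset" % lineno)
        points.append((file_offset, image_offset, fields[2].strip()))
    points.sort()
    starts = [p[0] for p in points]
    if len(set(starts)) != len(starts):
        raise ValueError("two map points share the same file offset")
    return points


def resolve(points, size, offset, length):
    """Translate a read of `length` bytes at `offset` in the mapped file
    into a list of (target, image_offset, run_length) extents."""
    if offset < 0 or length < 0:
        raise ValueError("offset and length must be non-negative")
    end = min(offset + length, size)  # clamp at end of file, like read()
    starts = [p[0] for p in points]
    extents = []
    pos = offset
    while pos < end:
        # last map point whose file offset is <= pos
        i = bisect.bisect_right(starts, pos) - 1
        if i < 0:
            raise ValueError("offset %d precedes the first map point" % pos)
        file_offset, image_offset, target = points[i]
        # the run ends at the next map point, or at the end of the file
        run_end = starts[i + 1] if i + 1 < len(starts) else size
        run_end = min(run_end, end)
        extents.append((target, image_offset + (pos - file_offset),
                        run_end - pos))
        pos = run_end
    return extents


def read_mapped(points, size, targets, offset, length):
    """Read through the map. `targets` maps a URN to an object with the
    stream interface (seek/read); short reads are treated as errors."""
    out = []
    for target, image_offset, run in resolve(points, size, offset, length):
        stream = targets[target]
        stream.seek(image_offset)
        data = stream.read(run)
        if len(data) != run:
            raise IOError("short read from %s at %d" % (target, image_offset))
        out.append(data)
    return b"".join(out)


def demo():
    """Read 4 bytes that straddle the first two map points."""
    image = bytearray(1900000)  # constructed stand-in for the disk image
    image[1601536:1601541] = b"first"
    image[1614848:1614854] = b"second"
    targets = {URN: io.BytesIO(bytes(image))}
    points = parse_map(SAMPLE_MAP)
    return read_mapped(points, SAMPLE_SIZE, targets, 12286, 4)


if __name__ == "__main__":
    for extent in resolve(parse_map(SAMPLE_MAP), SAMPLE_SIZE, 12000, 1000):
        print(extent)
    print(demo())
```

A read that crosses a map point is split into one extent per contiguous run, so the caller never reads across a discontinuity in the target.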
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
 
|-
+
Using the fsbuild tool it's possible to create map streams for all files in an image at virtually zero storage requirements. Then it's possible to use other tools which may not know how to read filesystems to examine the files.
|AccessData&reg; Internet Forensics
+
 
|Oct 23-25, Des Moines, WA
+
Following is an example of a 3 disk RAID system which was acquired into three separate streams:
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
 
|-
+
  0,0,disk1
|Neutrino-Mobile Phone Forensics
+
  1,0,disk0
|Oct 23-24, Los Angeles, CA
+
  2,1,disk2
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
  3,1,disk1
|-
+
  4,2,disk0
|Secure Techniques for Onsite Preview(STOP)
+
  5,2,disk2
|Oct 24-25, Washington, DC
+
 
|http://www.nw3c.org/ocr/courses_desc.cfm
+
To make this work we need to tell AFF4 that the map should be repeated. We do this by setting attributes on the map objects:
|Limited to Law Enforcement
+
 
|-
+
  aff4:block_size=64k
|AccessData&reg; BootCamp
+
  aff4:stream_period=6
|Oct 25-27, Gaithersburg, MD
+
  aff4:target_period=3
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
 
|-
+
[[Category:Forensics File Formats]]
|AccessData&reg; Windows Forensics
+
 
|Oct 25-27, Gaithersburg, MD
+
==See Also==
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
# M. I. Cohen, Simson Garfinkel and Bradley Schatz, [http://simson.net/clips/academic/2009.DFRWS.AFF4.pdf Extending the Advanced Forensic Format to accommodate Multiple Data Sources, Logical Evidence, Arbitrary Information and Forensic Workflow], DFRWS 2009, Montreal, Canada.
|-
+
|File Systems Revealed
+
|Oct 25-26, Hong Kong
+
|http://www.x-ways.net/training/hong_kong.html
+
|-
+
|SARC Steganography Examiner Training
+
|Oct 26 - 27, Gaithersburg, MD (Techno Forensics Conference 2007)
+
|http://www.sarc-wv.com/training.aspx
+
|-
+
|XP-Seized Computer Evidence Recovery Specialist (SCERS)
+
|Oct 29-Nov 09, Savannah, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Search and Seizure of Computers and Electronic Evidence
+
|Oct 29-30, Oxford, MS
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Oct 30-Nov 02, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase I
+
|Oct 30-Nov 02, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II-Private Sector
+
|Oct 30-Nov 02, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Oct 30-Nov 02, Washington DC and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|XP-Internet Investigations Training Program (IITP)
+
|Nov 05-09, Richland, WA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Intermediate Data Recovery and Analysis(IDRA)
+
|Nov 05-09, Little Rock, AR
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Windows NT Operating System and NT File System(NTx)
+
|Nov 05-09, Fairmont, WV
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Paraben Handheld Forensic Course
+
|Nov 05-08, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|Advanced Cell Phone/SIM Card Forensics
+
|Nov 05-08, San Diego, CA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|SMART for Linux
+
|Nov 05-08, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|EnCase&reg; Enterprise v6 - Phase II
+
|Nov 05-08, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Introduction to Cyber Crime
+
|Nov 05-07, Jackson, MS
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Nov 05-06, New Britain, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II-Private Sector
+
|Nov 06-09, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Nov 06-09, Houston, TX and  Muenchen, Germany
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 NTFS
+
|Nov 06-09, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Nov 06-09, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Nov 06-08, Austin, TX; Baton Rouge, LA; Boston, MA; Columbia, SC; Henderson, NC; Wheaton, IL; London, United Kingdom; Istanbul, Turkey; and Solna, Sweden
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Internet Forensics
+
|Nov 06-08, Los Angeles, CA and Madison, WI
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Nov 06-08, Little Rock, AR and Mississauga, Ontario, Canada
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Forensics Tools and Techniques
+
|Nov 07-09, Jackson, MS
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; BootCamp
+
|Nov 07-09, Curitiba, Brazil
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Nov 07-08, New Britain, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; Vista Forensics
+
|Nov 09, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|SMART Linux Data Forensics
+
|Nov 12-14, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Handheld Forensic Course
+
|Nov 12-15, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|AccessData&reg; BootCamp
+
|Nov 12-14, Curitiba, Brazil
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Internet Forensics
+
|Nov 12-14, Centurion, South Africa
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Nov 13-16, Singapore, Sydney, Australia and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Nov 13-16, Chicago, IL and Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I - Private Sector
+
|Nov 13-16, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Nov 13-16, The Netherlands and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Nov 13-16, Washington DC and  Frankfurt, Germany
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Nov 13-15, Anchorage, AK; Melbourne, VIC, Australia; and Santo Domingo, Dominican Republic
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Internet Forensics
+
|Nov 13-15, Frederick, MD and Vancouver, BC, Canada
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Nov 13-15, Centennial, CO
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Law Enforcement Only
+
|-
+
|AccessData&reg; Windows Forensics
+
|Nov 13-15, Norcross, GA; Phoenix, AZ; Rochester, NY; St. Paul, MN; and Melbourne, VIC, Australia
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Nov 13-14, Bentonville, AR
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; Vista Forensics
+
|Nov 16, Centennial, CO
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Law Enforcement Only
+
|-
+
|AccessData&reg; Vista Forensics
+
|Nov 16, Vancouver, BC, Canada and Wellington, New Zealand
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Nov 19-22, Frankfurt, Germany
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Nov 19-21, Redwood City, CA
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Applied Decryption
+
|Nov 19-21, St Louis, MO
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Nov 20-23, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Internet Forensics
+
|Nov 20-22, Canberra, ACT, Australia
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Nov 27-30, Sydney, Australia
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II-Private Sector
+
|Nov 27-30, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Nov 27-30, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg;  eDiscovery with v6
+
|Nov 27-30, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Nov 27-30, Sao Paulo, Brazil
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I - Private Sector
+
|Nov 27-30, Hong Kong
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Nov 27-30, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Nov 27-30, Rancho Cordova, CA
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; Internet Forensics
+
|Nov 27-30, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Applied Decryption
+
|Nov 27-29, Vancouver, BC, Canada
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Nov 27-29, Albany, NY and Birmingham, AL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Nov 27-28, Beaumont, TX, Kansas City, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Nov 27-28, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Identifying and Seizing Electronic Evidence(ISEE)
+
|Nov 29, Kansas City, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Computer Network Investigation Training Program (CNITP)
+
|Dec 03-14, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Internet Investigations Training Program (IITP)
+
|Dec 03-07, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Dec 03-07, Fairmont, WV
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|SMART for Linux
+
|Dec 03-06, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Handheld Forensic Course
+
|Dec 03-06, San Diego, CA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|Introduction to Cyber Crime
+
|Dec 03-05, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II-Private Sector
+
|Dec 04-07, Hong Kong
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase I
+
|Dec 04-07, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Dec 04-07, Chicago, IL; Houston, TX; Los Angeles, CA and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Dec 04-07, Austin, TX;  Washington DC; Leipzig, Germany; and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Dec 04-07, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Dec 04-06, Solna, Sweden
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Applied Decryption
+
|Dec 04-06, Nashville, TN
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Dec 04-06, Coraopolis, PA; Sharon Hill, PA; and London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Forensics Tools and Techniques
+
|Dec 05-07, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; Vista Forensics
+
|Dec 07, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase II
+
|Dec 10-13, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase II
+
|Dec 10-13, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Network Incident Response
+
|Dec 10-13, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|ILook® Automated Forensic Application(ILook)
+
|Dec 10-14, Tulsa, OK
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Intermediate Data Recovery and Analysis(IDRA)
+
|Dec 10-14, Albuquerque, NM
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Windows NT Operating System and NT File System(NTx)
+
|Dec 10-14, Myrtle Beach, SC
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Dec 10-13, Hays, KS
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Enterprise Data Forensics
+
|Dec 10-12, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Dec 10-11, Richmond, VA
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Dec 11-14, Chicago, IL;  Houston, TX; Los Angeles, CA;  Melbourne, Australia; and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Dec 11-14, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Dec 11-13, Mexico City, Mexico
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Dec 11-13, Orlando, FL and West Lafayette, IN
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Dec 11-13, Houston, TX and Madison, WI
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Vista Forensics
+
|Dec 14, Houston, TX
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|X-Ways Forensics
+
|Dec 17-19, Singapore
+
|http://www.x-ways.net/training/SGP.html
+
|-
+
|EnCase&reg; v6 NTFS
+
|Dec 17-20, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
|Dec 17-20, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Dec 17-20, Chicago, IL and  Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Dec 17-20, Washington DC and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Advanced Cell Phone/SIM Card Forensics
+
|Dec 17-20, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|DEK: Data Exploitation
+
|Dec 17-20, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|Restricted Enrollment
+
|-
+
|AccessData&reg; Applied Decryption
+
|Dec 17-19, Lynnwood, WA
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Dec 17-19, Des Moines, IA
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Computer Forensics II-Private Sector
+
|Dec 18-21, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Dec 18-20, New York City, NY and Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Forensic Fundamentals
+
|Dec 18-20, Sydney, NSW, Australia
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Internet Forensics
+
|Dec 18-20, New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Dec 18-20, Los Angeles, CA; New York City, NY; and Washington, DC
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Vista Forensics
+
|Dec 21, Lynnwood, WA; New York City, NY; and Washington, DC
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|**__2008 EVENTS__**
+
|_______2008_______
+
|-
+
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
+
|Jan 07-18, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|Jan 07-11, Santa Clara, CA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|ILook® Automated Forensic Application(ILook)
+
|Jan 07-11, Fairmont, WV
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Jan 07-11, Los Angeles, CA
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Advanced Cell Phone/SIM Card Forensics
+
|Jan 07-10, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jan 07-08, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
|Jan 08-11, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jan 08-11, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jan 08-11, Houston, TX;  Los Angeles, CA and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Jan 08-11, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Jan 08-10, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jan 09-10, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Jan 14-17, Nashville, IN
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Introduction to Cyber Crime
+
|Jan 14-16, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jan 15-18, Houston, TX and  Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Jan 15-18, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jan 15-18, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Jan 15-17, Columbia, SC and Ft Lauderdale, FL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Jan 15-16, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Forensics Tools and Techniques
+
|Jan 16-18, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jan 16-17, Honolulu, HI
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jan 22-25, Washington DC and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jan 22-25, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jan 22-25, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Jan 22-25, Honolulu, HI
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|First Responder to Digital Evidence Program (FRDE)
+
|Jan 22-24, Richland, WA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|AccessData's Windows Forensics
+
|Jan 22-24, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Cellular/GPS Signal Analysis
+
|Jan 24-25, San Diego, CA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|Seized Computer Evidence Recovery Specialist (SCERS)
+
|Jan 28-Feb 08, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Jan 28-Feb 01, Fairmont, WV
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jan 28-29, Cleburne, TX
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jan 29-Feb 01, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Jan 29-Feb 01, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
|Jan 29-Feb 01, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jan 29-Feb 01, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jan 29-Feb 01, Washington DC and  Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase I
+
|Jan 29-Feb 01, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jan 30-31, Cleburne, TX
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Internet Investigations Training Program (IITP)
+
|Feb 04-08, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|E-Discovery: E-mail & Mobile E-mail Devices
+
|Feb 04-07, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|EnCase&reg; Enterprise v6 - Phase II
+
|Feb 04-07, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Feb 04-07, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; BootCamp
+
|Feb 05-07, Ft Lauderdale, FL; St Paul, MN; and Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg;  eDiscovery with v6
+
|Feb 05-08, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Feb 05-08, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Feb 05-08, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Feb 05-08, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Feb 05-06, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Computer Basics
+
|Feb 06-08, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Feb 11-15, Birmingham, AL
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Introduction to Cyber Crime
+
|Feb 11-13, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Wireless Forensics
+
|Feb 11-12, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|EnCase&reg; v6 EnScript&reg;  Programming - Phase I
+
|Feb 12-15, Los Angeles, CA and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Feb 12-15, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Feb 12-15, Chicago, IL and  Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|First Responder to Digital Evidence Program (FRDE)
+
|Feb 12-14, Twinsburg, OH
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; BootCamp
+
|Feb 12-14, Louisville, KY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Law Enforcement Only
+
|-
+
|Forensics Tools and Techniques
+
|Feb 13-15, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Feb 19-22, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Feb 19-22, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Feb 19-22, Houston, TX and  Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 NTFS
+
|Feb 19-22, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Feb 19-22, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Applied Decryption
+
|Feb 19-21, Melbourne, VIC, Australia
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Mobile Device Investigations Program (MDIP)(Pilot)
+
|Feb 25-29, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Feb 25-29, Phoenix, AZ
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Network Incident Response
+
|Feb 25-28, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Feb 25-26, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Feb 26-29, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Feb 26-29, Houston, TX;  Los Angeles, CA; and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Feb 26-29, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Applied Decryption
+
|Feb 26-28, Wellington, New Zealand
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Feb 26-28, St Louis, MO
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Feb 26-27, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Feb 27-28, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Handheld Forensic Course
+
|Mar 03-06, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Mar 04-07, Chicago, IL, Los Angeles, CA and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
|Mar 04-07, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Mar 04-07, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg;  eDiscovery with v6
+
|Mar 04-07, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Mar 04-07, Houston, TX and  Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Mar 04-06, Indianapolis, IN; New York City, NY; Canberra, ACT, Australia; and London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
+
|Mar 10-21, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|Mar 10-14, Santa Clara, CA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|E-Discovery: E-mail & Mobile E-mail Devices
+
|Mar 10-13, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|Introduction to Cyber Crime
+
|Mar 10-12, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Cellular/GPS Signal Analysis
+
|Mar 10-11, San Diego, CA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Mar 11-14, Houston, TX and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase I
+
|Mar 11-14, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Mar 11-14, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Mar 11-14, Chicago, IL and Phoenix, AZ
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Mar 11-13, Ft Lauderdale, FL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Mar 11-12, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Forensics Tools and Techniques
+
|Mar 12-14, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; BootCamp
+
|Mar 12-14, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Wireless Forensics
+
|Mar 13-14, San Diego, CA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|EnCase&reg; Enterprise v6 - Phase II
+
|Mar 17-20, Los Angeles, CA and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Mar 17-18, Las Vegas, NV
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Mar 18-21, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Mar 18-21, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Mar 18-20, Las Vegas, NV
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Mar 19-20, Las Vegas, NV
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Mar 24-28, Miami, FL
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Fast CyberForensic Triage(FCT)
+
|Mar 24-26, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Mar 25-28, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 NTFS
+
|Mar 25-28, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Mar 25-28, Los Angeles, CA and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Mar 25-28, Chicago, IL;  Houston, TX and Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Seized Computer Evidence Recovery Specialist (SCERS)
+
|Mar 31-Apr 11, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Mar 31-Apr 02, Meriden, CT and Burlington, KY
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Apr 01-04, Chicago, IL and Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Apr 01-04, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase I
+
|Apr 01-04, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Apr 01-03, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Apr 01-02, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase II
+
|Apr 07-10, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Introduction to Cyber Crime
+
|Apr 07-09, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Apr 08-11, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 NTFS
+
|Apr 08-11, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Apr 08-11, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Apr 08-11, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Apr 08-10, Albany, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Internet Forensics
+
|Apr 08-10, Sydney, NSW, Australia
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Apr 08-09, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Forensics Tools and Techniques
+
|Apr 09-11, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Mobile Device Investigations Program (MDIP)
+
|Apr 14-18, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Apr 15-18, Houston, TX and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Apr 15-18, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Apr 15-18, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 EnScript&reg;  Programming - Phase I
+
|Apr 15-18, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 NTFS
+
|Apr 15-18, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Apr 15-17, Dallas, TX
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
+
|Apr 21-May 02, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Apr 21-24, Vassalboro, ME
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
|Apr 22-25, Los Angeles, CA and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Apr 22-25, Houston, TX and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Apr 22-24, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Introduction to Automated Forensic Tools(AFT)
+
|Apr 28-May 01, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Apr 29-May 02, Houston, TX and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Apr 29-May 02, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 NTFS
+
|Apr 29-May 02, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Apr 29-May 02, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Apr 29-May 01, Ft Lauderdale, FL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|May 06-09, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|May 06-09, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase I
+
|May 06-09, Chicago, IL and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|May 06-08, Manchester, United Kingdom and Sydney, NSW, Australia
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|May 06-08, New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Seized Computer Evidence Recovery Specialist (SCERS)
+
|May 12-23, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Internet Investigations Training Program (IITP)
+
|May 12-16, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Fast CyberForensic Triage(FCT)
+
|May 12-15, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; Enterprise v6 - Phase II
+
|May 12-15, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|May 12-13, Pullman, WA
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|May 13-16, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|May 13-16, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|May 13-16, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
|May 13-16, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|May 13-15, Sydney, NSW, Australia
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Internet Forensics
+
|May 13-15, Ft Lauderdale, FL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|May 14-15, Pullman, WA
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Basic On-Line Technical Skills(BOTS)
+
|May 19, Lynchburg, VA
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|May 19-23, Santa Clara, CA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|May 20-23, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|May 20-23, Houston, TX and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|May 20-23, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|May 20-22, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|May 27-30, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|May 27-29, San Jose, CA
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Computer Network Investigations Training Program (CNITP)
+
|Jun 02-13, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|ILook® Automated Forensic Application(ILook)
+
|Jun 02-06, Vassalboro, ME
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jun 03-06, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 NTFS
+
|Jun 03-06, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jun 03-06, Chicago, IL and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Jun 03-06, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Jun 03-06, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Jun 03-05, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Jun 10-12, St Paul, MN
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Jun 10-11, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jun 10-13, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jun 10-13, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
|Jun 10-13, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jun 10-13, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Computer Network Investigations Training Program (CNITP)
+
|Jun 16-27, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Intermediate Data Recovery and Analysis(IDRA)
+
|Jun 16-20, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Jun 16-19, Hamilton, NJ
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jun 17-20, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Jun 17-20, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Jun 17-20, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Jun 17-18, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jun 17-20, Los Angeles, CA and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jun 17-20, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Introduction to Automated Forensic Tools(AFT)
+
|Jun 23-27, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jun 23-24, Shawano, WI
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jun 24-27, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Jun 24-27, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Jun 24-27, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase I
+
|Jun 24-27, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jun 24-27, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jun 24-27, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Jun 24-26, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jun 25-26, Shawano, WI
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; Enterprise v6 - Phase II
+
|Jun 30-Jul 03, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Jul 01-03, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Mobile Device Investigations Program (MDIP)
+
|Jul 14-18, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; Applied Decryption
+
|Jul 15-17, St Paul, MN
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Jul 15-17, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Computer Network Investigations Training Program (CNITP)
+
|Jul 21-Aug 01, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Internet Investigations Training Program (IITP
+
|Jul 21-25, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; Windows Forensics
+
|Jul 22-24, St Louis, MO
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|ILook® Automated Forensic Application(ILook)
+
|Jul 28-Aug 01, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; BootCamp
+
|Aug 05-07, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Aug 05-07, Louisville, KY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Law Enforcement Only
+
|-
+
|AccessData&reg; Windows Forensics
+
|Aug 12-14, St Paul, MN
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Aug 12-14, Albany, NY and New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
+
|Aug 18-29, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|Aug 18-22, Santa Clara, CA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|AccessData&reg; BootCamp
+
|Aug 19-21, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Aug 26-28, Ft Lauderdale, FL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Sep 02-04, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Seized Computer Evidence Recovery Specialist (SCERS)
+
|Sep 08-19, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Windows NT File System(NTFS)
+
|Sep 08-11, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|ILook® Automated Forensic Application(ILook)
+
|Sep 15-19, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Sep 16-19, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Sep 16-18, Columbia, SC
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Sep 23-26, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Sep 23-25, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Sep 23-25, Dallas, TX
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Applied Decryption
+
|Sep 23-25, Ft Lauderdale, FL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Sep 30-Oct 03, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|Oct 06-10, Santa Clara, CA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|AccessData&reg; Applied Decryption
+
|Oct 07-09, London, UK
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Oct 07-09, Las Vegas, NV and New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Oct 14-16, Louisville, KY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Law Enforcement Only
+
|-
+
|Windows NT Operating System(NTOS)
+
|Oct 20-23, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Oct 21-24, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 EnScript&reg;  Programming - Phase I
+
|Oct 28-31, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Oct 28-30, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Windows NT File System(NTFS)
+
|Nov 03-06, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Nov 04-07, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Nov 04-06, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Internet Forensics
+
|Nov 04-06, St Paul, MN
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Nov 04-06, Albany, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Nov 18-21, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Nov 25-28, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Internet Forensics
+
|Nov 25-27, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Dec 01-05, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; Windows Forensics
+
|Dec 02-04, Ft Lauderdale, FL; New York City, NY; and London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Windows NT Operating System(NTOS)
+
|Dec 08-11, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Dec 09-12, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Internet Forensics
+
|Dec 09-11, Dallas, TX and New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Dec 09-11, Louisville, KY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Law Enforcement Only
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Dec 16-19, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Dec 16-18, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|**__2009 EVENTS__**
+
|_______2009_______
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Jan 12-16, 2009, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Jan 19-23, 2009, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Mar 02-06, 2009, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|}
+

Revision as of 01:37, 24 December 2009

Advanced Forensic Framework 4 (AFF4)

AFF4 was developed by Michael Cohen, Simson Garfinkel and Bradley Schatz. This page describes the basic design. See LibAFF4 for a description of how to use the sample implementation, library and tools.

Why did we want to design yet another forensic file format?

Traditional forensic file formats have a number of limitations which have been exposed over the years:

  • Proprietary formats like EWF are difficult to implement and explain. EWF is a fairly complex file format. Most of the details are reverse engineered. Recovery from damaged EWF files is difficult as detailed knowledge of the file format is required.
  • Simple file formats like dd are very large since they are uncompressed. They also don't store metadata or signatures, and have no cryptographic support.
  • Traditional file formats are designed to store a single stream. Often in an investigation, however, multiple sources of data need to be acquired (sometimes simultaneously) and stored in the same evidence volumes.
  • Traditional file formats just deal with data - there is no attempt to build a universal evidence management system integrated within the file specification.


The previous AFF format made huge advancements in the field introducing excellent support for cryptography, digital signatures, compression and even the concepts of external referencing. It was time to gather up all the good things in AFF and redesign a new AFF4 specification.

We wanted to use a well recognized, widely supported and open bit level format. One of the strengths of AFF was the use of segments within the file format itself. It became obvious that the only requirement we have of an underlying storage mechanism is the ability to store blobs of data by name, and retrieve them by that name. How these are actually stored is quite irrelevant to us.

The sections below give a quick overview to some of the major ideas.

Objects

AFF4 is an object oriented architecture. We term the AFF4 universe the total set of objects which are known. Because AFF4 is designed to be scalable to huge evidence corpuses the AFF4 universe is infinite. All objects are addressable by their name which is unique in the universe. For example an AFF4 object might have a name of:

   urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2

This is a standard URN notation object. The URN is unique. There will never be another object created anywhere in the universe with the same URN. Once objects are created their URN is fixed.

Relations

The AFF4 universe uses RDF to specify attributes about objects. In its simplest form (the one we use) RDF is just a set of statements about an object of the form:

  Subject   Attribute   Value

For example:

 
  ******** Object urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2 ***********
	aff4:stored = urn:aff4:4bdbf8bc-d8a5-40cb-9af0-fd7e4d0e2c9e
	aff4:type = image
	aff4:interface = stream
	aff4:timestamp = 0x49E9DEC3
	aff4:chunk_size = 32k
	aff4:compression = 8
	aff4:chunks_in_segment = 2048
	aff4:size = 10485760
  

This shows that the object named (the Subject) has all these attributes and their values. We call these relations or facts. The entire AFF4 universe is constructed around these facts. As we will see later facts can be signed by a person - which essentially has the person asserting that the facts are true.

AFF4 objects exist because they do something useful. What they do depends on the interface they present. Currently there are a few interfaces, the most important ones are the Volume interface and the Stream interface. An object's interface is a fact about the object with an attribute of aff4:interface. This tells us what the object can do for us.

On the other hand, AFF4 objects can actually be different things and do what they do in a different way. The actual type of an object is specified by the attribute aff4:type. Whereas an interface tells us what the object can do for us, a type tells us what it actually is. (It's possible to change an object's type without changing its interface, for example going from a ZipFile to a Directory volume. This does not affect any users of the object.)

Volumes

We define a Volume as a storage mechanism which can store a segment (bit of binary data) by name and retrieve it by name. Currently we have two volume implementations: a Directory and a ZipFile.

Directory Volume

The Directory implementation stores the segments as flat files inside a regular directory on the filesystem. This is really useful if we want to image to a FAT filesystem since each segment is really small and we will not exceed the file size limitations. It's also possible to root the directory on an HTTP URL (i.e. the directory starts with http://somehost/url/). This allows us to use the image directly from the web - no need to download the whole thing.

Directory objects use FileLikeObjects (see below) to actually store the segments into different files. This means that Directory Volumes can be stored on HTTP or HTTPS servers, as well as regular directories.

ZipFile Volume

The ZipFile implementation stores segments inside a zip archive. If the archive gets too large (over 4Gb) we use the Zip64 extensions to store offsets in 64 bits. This is nice since small volumes can just be opened with Windows Explorer. It's also really easy to extract the data out. A ZipFile volume uses a FileLikeObject to actually store the zip file.

This means that it's possible to write a ZipFile volume directly onto an HTTP server and use the image directly from the server as well.

Example: http://www.pyflag.net/images/test.zip is an example of a small (about 1mb) AFF4 image.

Directory and ZipFile volumes can be easily converted from one to the other (i.e. unzip the ZipFile into a directory to create a Directory volume).

Streams

Streams are the basic interface for storing image data. Streams present a consistent interface with the methods read, seek, tell and close. (Streams also support write, but that's a bit special because it's how you actually create them.)

As long as an AFF4 object presents a stream interface it's possible to perform random reads within the body of data. Hence it's possible to store any image data within the stream. The following sections explain some of the specific implementations of streams.

FileBackedObjects

The FileBacked object is a stream which stores data in an actual file on the filesystem. The location of the file is determined from the file's URN. Since a URN is a superset of URLs, URLs are also valid URNs. This means that something like file:///somedirectory/filename is a valid location for a FileBackedObject.

HTTPObject

HTTP is ubiquitous and easy to deploy. Since URLs are also valid URNs, it's possible to specify that an AFF4 volume be stored on or read from an HTTP server. This implementation uses the Range HTTP header to read specific byte ranges from the server - so network traffic between the client and server is minimal. It's possible to examine a remote image over HTTP without needing to copy the whole thing down.

This is excellent when you just want to have a quick look at a remote image without needing to download the whole thing.

For security reasons it's recommended that write support be restricted in some way (e.g. passwords, SSL certificates etc). Read support can be provided freely if the volume is encrypted. Securing the web server is outside the scope of AFF4.

Segments

Segments are components stored directly within the Volume. Recall that a volume is simply an object which stores and retrieves segments. Segments also present the stream interface, but practically they should generally be used for smaller streams because it may be expensive to seek within compressed segments.

Segments are particularly useful when you don't have an imaging tool handy and you want to create a logical image of a subset of a filesystem (that is, you want to image some files from a filesystem rather than take a forensic image of the filesystem itself). This could happen if you cannot take the server down for incident response or if the filesystem is just so big and you know most of it will not be relevant.

In that case there is nothing simpler than just to open up Windows Explorer - right click and send to a compressed folder. A regular zip file is also an AFF4 volume!!! The files within it are stream objects and libaff4 will recognize them as such. Larger segments can be converted to Image streams later (and signed, encrypted etc).

Image streams

Although segments are great for small files, for very large images we can't really use those because we could not compress them efficiently. Therefore we have an image stream.

The Image stream stores the image in chunks. Each chunk (typically 32kb) is compressed, and groups of chunks (called bevies) are stored back to back, each group inside a bevy segment. Segments are named according to the scheme: URN_OF_IMAGE_STREAM/0000000, URN_OF_IMAGE_STREAM/0000001 etc.

The offset of each chunk within the bevy is stored in an index segment (with a .idx extension). Here is an example:

    urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2/00000000
    urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2/00000000.idx
    urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2/00000001
    urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2/00000001.idx

Here is a short Python program to unpack an Image stream:

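 import struct
 import zipfile
 import zlib

 # INPUT_FILE, OUTPUT_FILE and STREAM (the URN of the image stream) are set by the caller.
 volume = zipfile.ZipFile(INPUT_FILE)
 outfd = open(OUTPUT_FILE, "wb")  # binary mode: the chunks are raw image data
 count = 0
 while True:
     try:
         idx_segment = volume.read(STREAM + "/%08d.idx" % count)
         bevy = volume.read(STREAM + "/%08d" % count)
     except KeyError:
         break  # no further bevy in the volume
     # The index is a list of little-endian 32-bit chunk offsets into the bevy
     indexes = struct.unpack("<" + "L" * (len(idx_segment) // 4), idx_segment)
     for i in range(len(indexes) - 1):
         chunk = bevy[indexes[i]:indexes[i + 1]]
         outfd.write(zlib.decompress(chunk))
     count += 1
 outfd.close()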
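
Random access into an Image stream, as an added example (not part of the original page or of libaff4): it reads only the chunks that cover the requested byte range and checks each index before slicing, so a damaged or tampered bevy raises an error instead of returning wrong data. It assumes the index layout implied by the unpacker above (little-endian 32-bit offsets, one more offset than chunks); the function names, the in-memory sample volume and the setting of 2 chunks per bevy are constructed for the demonstration.

```python
import io
import struct
import zipfile
import zlib

CHUNK_SIZE = 32 * 1024  # aff4:chunk_size = 32k, as in the RDF example on this page
STREAM = "urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2"


def write_image_stream(volume, stream, data, chunks_in_segment):
    """Store data as compressed chunks grouped into bevy and index segments."""
    chunks = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]
    for bevy_no, first in enumerate(range(0, len(chunks), chunks_in_segment)):
        bevy, offsets = b"", [0]
        for chunk in chunks[first:first + chunks_in_segment]:
            bevy += zlib.compress(chunk)
            offsets.append(len(bevy))  # assumption: index ends with the bevy length
        volume.writestr("%s/%08d" % (stream, bevy_no), bevy)
        volume.writestr("%s/%08d.idx" % (stream, bevy_no),
                        struct.pack("<%dL" % len(offsets), *offsets))


def load_index(idx_segment, bevy_len):
    """Decode an index segment, rejecting offsets that cannot describe the bevy."""
    if len(idx_segment) % 4 or len(idx_segment) < 8:
        raise ValueError("index segment is truncated")
    offsets = struct.unpack("<%dL" % (len(idx_segment) // 4), idx_segment)
    if offsets[-1] > bevy_len:
        raise ValueError("index points outside the bevy")
    if any(a >= b for a, b in zip(offsets, offsets[1:])):
        raise ValueError("index offsets are not increasing")
    return offsets


def read_at(volume, stream, offset, length, chunks_in_segment):
    """Return up to length bytes at offset, decompressing only the chunks needed."""
    out = b""
    while length > 0:
        chunk_no, skip = divmod(offset, CHUNK_SIZE)
        bevy_no, slot = divmod(chunk_no, chunks_in_segment)
        try:
            bevy = volume.read("%s/%08d" % (stream, bevy_no))
            idx = volume.read("%s/%08d.idx" % (stream, bevy_no))
        except KeyError:
            break  # read starts past the last bevy
        offsets = load_index(idx, len(bevy))
        if slot >= len(offsets) - 1:
            break  # read starts past the last chunk
        chunk = zlib.decompress(bevy[offsets[slot]:offsets[slot + 1]])
        piece = chunk[skip:skip + length]
        if not piece:
            break  # end of stream inside the final, short chunk
        out += piece
        offset += len(piece)
        length -= len(piece)
    return out


def build_sample_volume():
    """Constructed sample: 100,000 bytes, 2 chunks per bevy, in an in-memory zip."""
    data = bytes(i % 251 for i in range(100000))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as volume:
        write_image_stream(volume, STREAM, data, chunks_in_segment=2)
    return data, zipfile.ZipFile(io.BytesIO(buf.getvalue()))
```
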


Map Streams

A lot of work in digital forensics involves copying data around. For example, carving files usually results in the carved files being copied out of the image for testing. If you image a RAID array separately you end up with 3-5 disk images and typically you will need to copy them into a logical image (unless your favourite software supports RAID reconstruction). When you copy a file out of the image using sleuthkit, you are actually copying bits of data directly from the image.

All these copies are wasteful of disk space. They are also hard to manage because pretty soon you end up with lots of copies of the same data in different ways. There must be a better way!!!

Now there is. By having the underlying forensic format do all the mapping it's possible to use tools which are not capable of doing these transformations themselves. This is all about tool reuse. For example suppose you have a carver which is used to working on dd images, but you want to use it on the virtual memory image of the Firefox process. In the past you had to copy the virtual memory out (it could be 2-4gb) then run the carver on it, and possibly end up with about 3 or 4 copies of the same data - for each process address space!!!

It's much easier to have Volatility create the initial maps for each process (with zero storage overheads), and then carvers can just use the maps without understanding anything about memory forensics. In this way the AFF4 format is more of an interchange format - allowing tools to be used on the results from other tools.

The map stream is an AFF4 object which contains a segment called map. Here is an example:

 1601536,0,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
 1614848,12288,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
 1879040,274432,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
 2142208,536576,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
 2405376,798720,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2
 2668544,1060864,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2 
 2931712,1323008,urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2


This map was generated by sleuthkit for an ext2 file. The first number is the offset in the image. The second number is the offset in the file and the third is the URN of the object to read from (the target). The above map basically says that the byte range from 0-12288 in the file should be read from aff4:f3eba626-505a-4730-8216-1987853bc4d2 offset 1601536 to 1614848, etc.

Using the fsbuild tool it's possible to create map streams for all files in an image at virtually zero storage requirements. Then it's possible to use other tools which may not know how to read filesystems to examine the files.

Following is an example of a 3 disk RAID system which was acquired into three separate streams:

  0,0,disk1
  1,0,disk0
  2,1,disk2
  3,1,disk1
  4,2,disk0
  5,2,disk2

To make this work we need to tell AFF4 that the map should be repeated. We do this by setting attributes on the map objects:

 aff4:block_size=64k 
 aff4:stream_period=6 
 aff4:target_period=3
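
How a reader resolves these maps, as an added example (not code from the original page or from libaff4): it turns a read on the map stream into the list of target extents to fetch, first for the ext2 map and then for the repeating RAID map. The ext2 rows are parsed in the column order the text gives (target offset, stream offset, target); reading the RAID listing as stream block, target block, target, taking 64k as 65536 bytes, and the period arithmetic are assumptions, as are the function names and the stream size used for the ext2 file.

```python
from bisect import bisect_right

IMAGE = "urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2"
# First rows of the ext2 map on this page: target offset, stream offset, target.
EXT2_MAP = """\
1601536,0,{u}
1614848,12288,{u}
1879040,274432,{u}
""".format(u=IMAGE)
# RAID listing from this page, read here (assumption) as:
# stream block, target block, target.
RAID_MAP = "0,0,disk1\n1,0,disk0\n2,1,disk2\n3,1,disk1\n4,2,disk0\n5,2,disk2\n"


def parse_map(text, stream_first=False):
    """Return map points as (stream_offset, target_offset, target), sorted."""
    points = []
    for line in text.split("\n"):
        if not line.strip():
            continue
        first, second, target = line.strip().split(",", 2)
        pair = (int(first), int(second))
        stream, tgt = pair if stream_first else pair[::-1]
        points.append((stream, tgt, target))
    return sorted(points)


def resolve(points, offset, length, stream_size):
    """Translate a stream read into (target, target_offset, length) extents."""
    starts = [p[0] for p in points]
    end = min(offset + length, stream_size)
    extents = []
    while offset < end:
        i = bisect_right(starts, offset) - 1  # last map point at or before offset
        if i < 0:
            raise ValueError("offset %d is before the first map point" % offset)
        stream, tgt, target = points[i]
        run_end = starts[i + 1] if i + 1 < len(points) else stream_size
        n = min(end, run_end) - offset
        extents.append((target, tgt + offset - stream, n))
        offset += n
    return extents


def resolve_periodic(points, offset, length, block_size,
                     stream_period, target_period):
    """Same translation for a repeating block map such as the RAID example."""
    extents = []
    while length > 0:
        block, skip = divmod(offset, block_size)
        period, slot = divmod(block, stream_period)
        if slot >= len(points) or points[slot][0] != slot:
            raise ValueError("periodic map needs one point per stream block")
        _, target_block, target = points[slot]
        n = min(length, block_size - skip)
        # Each full repetition of the map advances every target by target_period
        base = (target_block + period * target_period) * block_size
        extents.append((target, base + skip, n))
        offset += n
        length -= n
    return extents
```

Because every extent names its target and offset explicitly, the output can be checked against the raw disk images without trusting the tool that produced the map.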

See Also

  1. M. I. Cohen, Simson Garfinkel and Bradley Schatz, Extending the Advanced Forensic Format to accommodate Multiple Data Sources, Logical Evidence, Arbitrary Information and Forensic Workflow, DFRWS 2009, Montreal, Canada.