Difference between pages "Training Courses and Providers" and "Carver 2.0 Planning Page"

From ForensicsWiki
(License)
 
Line 1: Line 1:
This is the list of Scheduled Training Courses, referred to by [[Upcoming_events]]. Please refer to the instructions on the [[Upcoming_events]] page if you wish to edit this page.
+
This page is for planning Carver 2.0.
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv.
+
Please, do not delete text (ideas) here. Use something like this:
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
<pre>
|- style="background:#bfbfbf; font-weight: bold"
+
<s>bad idea</s>
! Title
+
:: good idea
! Date/Location
+
</pre>
! Website
+
 
! Limitation
+
This will look like:
|-
+
 
|EnCase&reg; v6 Computer Forensics II
+
<s>bad idea</s>
|Nov 19-22, Frankfurt, Germany
+
:: good idea
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
= License =
|AccessData&reg; BootCamp
+
 
|Nov 19-21, Redwood City, CA
+
BSD-3.
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
:: [[User:Joachim Metz|Joachim]] library based validators could require other licenses
|-
+
 
|AccessData&reg; Applied Decryption
+
= OS =
|Nov 19-21, St Louis, MO
+
 
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
Linux/FreeBSD/MacOS
|-
+
: Shouldn't this just match what the underlying afflib & sleuthkit cover? [[User:RB|RB]]
|EnCase&reg; v6 Computer Forensics II
+
:: Yes, but you need to test and validate on each. Question: Do we want to support windows? [[User:Simsong|Simsong]] 21:09, 30 October 2008 (UTC)
|Nov 20-23, Toronto, Canada
+
:: [[User:Joachim Metz|Joachim]] I think we would do wise to design with windows support from the start this will improve the platform independence from the start
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
:::: Agreed; I would even settle at first for being able to run against Cygwin. Note that I don't even own or use a copy of Windows, but the vast majority of forensic investigators do. [[User:RB|RB]] 14:01, 31 October 2008 (UTC)
|-
+
 
|AccessData&reg; Internet Forensics
+
= Name tooling =
|Nov 20-22, Canberra, ACT, Australia
+
 
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
* [[User:Joachim Metz|Joachim]] A name for the tooling I propose coldcut
|-
+
:: How about 'butcher'? ;)  [[User:RB|RB]] 14:20, 31 October 2008 (UTC)
|Macintosh Forensic Survival Course (MFSC)
+
:: [[User:Joachim Metz|Joachim]] cleaver ( scalpel on steroids ;-) )
|Nov 26-30, St. Louis, MO
+
 
|http://www.phoenixdatagroup.com/cart/index.php
+
= Requirements =
|-
+
 
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
[[User:Joachim Metz|Joachim]] Could we do a MoSCoW evaluation of these.
|Nov 27-30, Sydney, Australia
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* AFF and EWF file images supported from scratch. ([[User:Joachim Metz|Joachim]] I would like to have raw/split raw and device access as well)
|-
+
:: If we base our image i/o on afflib, we get all three with one interface. [[User:RB|RB]]
|EnCase&reg; v6 Computer Forensics II-Private Sector
+
* [[User:Joachim Metz|Joachim]] volume/partition aware layer (what about carving unpartioned space)
|Nov 27-30, Houston, TX
+
* File system aware layer.  
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
** By default, files are not carved. (clarify: only identified? [[User:RB|RB]]; I guess that it operates like [[Selective file dumper]] [[User:.FUF|.FUF]] 07:00, 29 October 2008 (UTC))
|-
+
* Plug-in architecture for identification/validation.
|EnCase&reg; v6 Computer Forensics I
+
** [[User:Joachim Metz|Joachim]] support for multiple types of validators
|Nov 27-30, Washington DC
+
*** dedicated validator
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
*** validator based on file library (i.e. we could specify/implement a file structure for these)
|-
+
*** configuration based validator (Can handle config files,like Revit07, to enter different file formats used by the carver.)
|EnCase&reg;  eDiscovery with v6
+
* Ship with validators for:
|Nov 27-30, Los Angeles, CA
+
[[User:Joachim Metz|Joachim]] I think we should distinguish between file format validators and content validators
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
** JPEG
|-
+
** PNG
|EnCase&reg; v6 Computer Forensics II
+
** GIF
|Nov 27-30, Sao Paulo, Brazil
+
** MSOLE
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
** ZIP
|-
+
** TAR (gz/bz2)
|EnCase&reg; v6 Computer Forensics I - Private Sector
+
 
|Nov 27-30, Hong Kong
+
[[User:Joachim Metz|Joachim]] For a production carver we need at least the following formats
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
** Grapical Images
|-
+
*** JPEG (the 3 different types with JFIF/EXIF support)
|EnCase&reg; v6 Advanced Computer Forensics
+
*** PNG
|Nov 27-30, United Kingdom
+
*** GIF
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
*** BMP
|-
+
*** TIFF
|Basic Data Recovery and Acquisition(BDRA)
+
** Office documents
|Nov 27-30, Rancho Cordova, CA
+
*** OLE2 (Word/Excell content support)
|http://www.nw3c.org/ocr/courses_desc.cfm
+
*** PDF
|Limited to Law Enforcement
+
*** Open Office/Office 2007 (ZIP+XML)
|-
+
** Archive files
|AccessData&reg; Internet Forensics
+
*** ZIP
|Nov 27-30, Manchester, United Kingdom
+
*** 7z
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
*** gzip
|-
+
*** bzip2
|AccessData&reg; Applied Decryption
+
*** tar
|Nov 27-29, Vancouver, BC, Canada
+
*** RAR
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
** E-mail files
|-
+
*** PFF (PST/OST)
|AccessData&reg; BootCamp
+
*** MBOX (text based format, base64 content support)
|Nov 27-29, Albany, NY and Birmingham, AL
+
** Audio/Video files
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
*** MPEG
|-
+
*** MP2/MP3
|Secure Techniques for Onsite Preview(STOP)
+
*** AVI
|Nov 27-28, Beaumont, TX, Kansas City, MO
+
*** ASF/WMV
|http://www.nw3c.org/ocr/courses_desc.cfm
+
*** QuickTime
|Limited to Law Enforcement
+
*** MKV
|-
+
** Printer spool files
|Neutrino-Mobile Phone Forensics
+
*** EMF (if I remember correctly)
|Nov 27-28, Los Angeles, CA
+
** Internet history files
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
*** index.dat
|-
+
*** firefox (sqllite 3)
|Identifying and Seizing Electronic Evidence(ISEE)
+
** Other files
|Nov 29, Kansas City, MO
+
*** thumbs.db
|http://www.nw3c.org/ocr/courses_desc.cfm
+
*** pagefile?
|Limited to Law Enforcement
+
 
|-
+
* Simple fragment recovery carving using gap carving.
|Computer Network Investigation Training Program (CNITP)
+
** [[User:Joachim Metz|Joachim]] have hook in for more advanced fragment recovery?
|Dec 03-14, Glynco, GA
+
* Recovering of individual ZIP sections and JPEG icons that are not sector aligned.
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
** [[User:Joachim Metz|Joachim]] I would propose a generic fragment detection and recovery
|Limited to Law Enforcement
+
* Autonomous operation (some mode of operation should be completely non-interactive, requiring no human intervention to complete [[User:RB|RB]])
|-
+
** [[User:Joachim Metz|Joachim]] as much as possible, but allow to be overwritten by user
|Internet Investigations Training Program (IITP)
+
* Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image.
|Dec 03-07, Glynco, GA
+
** Perhaps allocate a percentage budget per-validator (i.e. each validator adds N% to the carving time) [[User:RB|RB]]
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
** [[User:Joachim Metz|Joachim]] have multiple carving phases for precision/speed trade off?
|Limited to Law Enforcement
+
* Parallelizable
|-
+
** [[User:Joachim Metz|Joachim]] tunable for different architectures
|Windows Internet Trace Evidence(INET)
+
* Configuration:
|Dec 03-07, Fairmont, WV
+
** Capability to parse some existing carvers' configuration files, either on-the-fly or as a one-way converter.
|http://www.nw3c.org/ocr/courses_desc.cfm
+
** Disengage internal configuration structure from configuration files, create parsers that present the expected structure
|Limited to Law Enforcement
+
** [[User:Joachim Metz|Joachim]] The validator should deal with the file structure the carving algorithm should not know anything about the file structure (as in revit07 design)
|-
+
**  Either extend Scalpel/Foremost syntaxes for extended features or use a tertiary syntax ([[User:Joachim Metz|Joachim]] I would prefer a derivative of the revit07 configuration syntax which already has encountered some problems of dealing with defining file structure in a configuration file)
|Macintosh Forensic Survival Course (MFSC)
+
* Can output audit.txt file.
|Dec 03-07, Philadelphia, PA
+
* [[User:Joachim Metz|Joachim]] Can output database with offset analysis values i.e. for visualization tooling
|http://www.phoenixdatagroup.com/cart/index.php
+
* [[User:Joachim Metz|Joachim]] Can output debug log for debugging the algorithm/validation
|-
+
* Easy integration into ascription software.
|SMART for Linux
+
** [[User:Joachim Metz|Joachim]] I'm no native speaker what do you mean with "ascription software"?
|Dec 03-06, Austin, TX
+
:: I think this was another non-native requesting easy scriptability. [[User:RB|RB]] 14:20, 31 October 2008 (UTC)
|http://asrdata.com/training/training2.html
+
:::: [[User:Joachim Metz|Joachim]] that makes sense ;-)
|-
+
 
|Handheld Forensic Course
+
= Ideas =
|Dec 03-06, San Diego, CA
+
* Use as much TSK if possible. Don't carry your own FS implementation the way photorec does.
|http://www.paraben-training.com/schedule.html
+
** [[User:Joachim Metz|Joachim]] using TSK as much as possible would not allow to add your own file system support (i.e. mobile phones, memory structures, cap files) I would propose wrapping TSK and using it as much as possible but allow to integrate own FS implementations.  
|-
+
* Extracting/carving data from [[Thumbs.db]]? I've used [[foremost]] for it with some success. [[Vinetto]] has some critical bugs :( [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
|Introduction to Cyber Crime
+
** [[User:Joachim Metz|Joachim]] this poses an interesting addition to the carver do we want to support (let's call it) 'recursive in file carving' (for now) this is different from embedded files because there is a file system structure in the file and not just another file structure
|Dec 03-05, Mississippi State University
+
* Carving data structures. For example, extract all TCP headers from image by defining TCP header structure and some fields (e.g. source port > 1024, dest port = 80). This will extract all data matching the pattern and write a file with other fields. Another example is carving INFO2 structures and URL activity records from index.dat [[User:.FUF|.FUF]] 20:51, 28 October 2008 (UTC)
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
** This has the opportunity to be extended to the concept of "point at blob FOO and interpret it as BAR"
|Limited to Law Enforcement
+
 
|-
+
== Configuration language/specification ==
|InfinaDyne CD &amp; DVD Forensics
+
.FUF added:
|Dec 04-05, Phoenix, AZ
+
The main idea is to allow users to define structures, for example (in pascal-like form):
|http://www.infinadyne.com/training.html
+
 
|-
+
<pre>
|EnCase&reg; v6 Computer Forensics II-Private Sector
+
Field1: Byte = 123;
|Dec 04-07, Hong Kong
+
SomeTextLength: DWORD;
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
SomeText: string[SomeTextLength];
|-
+
Field4: Char = 'r';
|EnCase&reg; Enterprise v6 - Phase I
+
...
|Dec 04-07, Los Angeles, CA
+
</pre>
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
This will produce something like this:
|EnCase&reg; v6 Computer Forensics I
+
<pre>
|Dec 04-07, Chicago, IL; Houston, TX; Los Angeles, CA and United Kingdom
+
Field1 = 123
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
SomeTextLength = 5
|-
+
SomeText = 'abcd1'
|EnCase&reg; v6 Computer Forensics II
+
Field4 = 'r'
|Dec 04-07, Austin, TX;  Washington DC; Leipzig, Germany; and Toronto, Canada
+
</pre>
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
(In text or raw forms.)
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
 
|Dec 04-07, Washington DC
+
Opinions?
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
Opinion: Simple pattern identification like that may not suffice, I think Simson's original intent was not only to identify but to allow for validation routines (plugins, as the original wording was). As such, the format syntax would need to implement a large chunk of some programming language in order to be sufficiently flexible. [[User:RB|RB]]
|AccessData&reg; BootCamp
+
 
|Dec 04-06, Solna, Sweden
+
[[User:Joachim Metz|Joachim]]
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
In my option your example is too limited. Making the revit configuration I learned you'll need a near programming language to specify some file formats.
|-
+
A simple descriptive language is too limiting. I would also go for 2 bytes with endianess instead of using terminology like WORD and small integer, it's much more clear. The configuration also needs to deal with aspects like cardinality, required and optional structures.
|AccessData&reg; Applied Decryption
+
 
|Dec 04-06, Nashville, TN
+
Please take a look at the revit07 configuration. It's not there yet but goes a far way. Some things currently missing:
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
* bitwise alignment
|-
+
* handling encapsulated streams (MPEG/capture files)
|AccessData&reg; Windows Forensics
+
* handling content based formats (MBOX)
|Dec 04-06, Coraopolis, PA; Sharon Hill, PA; and London, United Kingdom
+
 
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
=Caving algorithm =
|-
+
[[User:Joachim Metz|Joachim]]
|Forensics Tools and Techniques
+
* should we allow for multiple runs?
|Dec 05-07, Mississippi State University
+
* should we allow for multiple algorithms?
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
* does the algorithm passes data blocks to the validators?
|Limited to Law Enforcement
+
* does a validator need to maintain a state?
|-
+
* does a validator need to revert a state?
|AccessData&reg; Vista Forensics
+
* do we use the assumption that a data block can be used by a single file (with the exception of embedded/encapsulated files)?
|Dec 07, London, United Kingdom
+
 
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
==Caving scenarios ==
|-
+
[[User:Joachim Metz|Joachim]]
|EnCase&reg; v6 Network Intrusion Investigations - Phase II
+
* normal file (file structure, loose text based structure (more a content structure?))
|Dec 10-13, Washington DC
+
* fragmented file (the file entirely exist)
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* a file fragment (the file does not entirely exist)
|-
+
* intertwined file
|EnCase&reg; Enterprise v6 - Phase II
+
* encapsulated file (MPEG/network capture)
|Dec 10-13, Los Angeles, CA
+
* embedded file (JPEG thumbnail)
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* obfuscation ('encrypted' PFF) this also entails encryption and/or compression
|-
+
* file system in file
|Network Incident Response
+
 
|Dec 10-13, Potomac Falls, VA
+
=File System Awareness =
|http://www.paraben-training.com/schedule.html
+
==Background: Why be File System Aware?==
|-
+
Advantages of being FS aware:
|ILook® Automated Forensic Application(ILook)
+
* You can pick up sector allocation sizes
|Dec 10-14, Tulsa, OK
+
:: [[User:Joachim Metz|Joachim]] do you mean file system block sizes?
|http://www.nw3c.org/ocr/courses_desc.cfm
+
* Some file systems may store things off sector boundaries. (ReiserFS with tail packing)
|Limited to Law Enforcement
+
* Increasingly file systems have compression (NTFS compression)
|-
+
* Carve just the sectors that are not in allocated files.
|Intermediate Data Recovery and Analysis(IDRA)
+
 
|Dec 10-14, Albuquerque, NM
+
==Tasks that would be required==
|http://www.nw3c.org/ocr/courses_desc.cfm
+
 
|Limited to Law Enforcement
+
==Discussion==
|-
+
:: As noted above, TSK should be utilized as much as possible, particularly the filesystem-aware portion. If we want to identify filesystems outside of its supported set, it would be more worth our time to work on implementing them there than in the carver itself. [[User:RB|RB]]
|Windows NT Operating System and NT File System(NTx)
+
 
|Dec 10-14, Myrtle Beach, SC
+
:::: I guess this tool operates like [[Selective file dumper]] and can recover files in both ways (or not?). Recovering files by using carving can recover files in situations where sleuthkit does nothing (e.g. file on NTFS was deleted using ntfs-3g, or filesystem was destroyed or just unknown). And we should build the list of filesystems supported by carver, not by TSK. [[User:.FUF|.FUF]] 07:08, 29 October 2008 (UTC)
|http://www.nw3c.org/ocr/courses_desc.cfm
+
 
|Limited to Law Enforcement
+
:: This tool is still in the early planning stages (requirements discovery), hence few operational details (like precise modes of operation) have been fleshed out - those will and should come later. The justification for strictly using TSK for the filesystem-sensitive approach is simple: TSK has good filesystem APIs, and it would be foolish to create yet another standalone, incompatible implementation of filesystem(foo) when time would be better spent improving those in TSK, aiding other methods of analysis as well. This is the same reason individuals that have implemented several other carvers are participating: de-duplication of effort. [[User:RB|RB]]
|-
+
 
|Basic Data Recovery and Acquisition(BDRA)
+
[[User:Joachim Metz|Joachim]] I would like to have the carver (recovery tool) also do recovery using file allocation data or remainders of file allocation data.
|Dec 10-13, Hays, KS
+
 
|http://www.nw3c.org/ocr/courses_desc.cfm
+
[[User:Joachim Metz|Joachim]]
|Limited to Law Enforcement
+
I would go as far to ask you all to look beyond the carver as a tool and look from the perspective of the carver as part of the forensic investigation process. In my eyes certain information needed/acquired by the carver could be also very useful investigative information i.e. what part of a hard disk contains empty sectors.
|-
+
 
|Enterprise Data Forensics
+
=Supportive tooling=
|Dec 10-12, Austin, TX
+
[[User:Joachim Metz|Joachim]]
|http://asrdata.com/training/training2.html
+
* validator (definitions) tester (detest in revit07)
|-
+
* tool to make configuration based definitions
|Secure Techniques for Onsite Preview(STOP)
+
* post carving validation
|Dec 10-11, Richmond, VA
+
* the carver needs to provide support for fuse mount of carved files (carvfs)
|http://www.nw3c.org/ocr/courses_desc.cfm
+
 
|Limited to Law Enforcement
+
=Testing =
|-
+
[[User:Joachim Metz|Joachim]]
|EnCase&reg; v6 Computer Forensics II
+
* automated testing
|Dec 11-14, Chicago, IL;  Houston, TX; Los Angeles, CA;  Melbourne, Australia; and United Kingdom
+
* test data
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
=Validator Construction=
|EnCase&reg; v6 Advanced Computer Forensics
+
Options:
|Dec 11-14, Washington DC
+
* Write validators in C/C++
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
** [[User:Joachim Metz|Joachim]] you mean dedicated validators
|-
+
* Have a scripting language for writing them (python? Perl?) our own?
|AccessData&reg; BootCamp
+
** [[User:Joachim Metz|Joachim]] use easy to embed programming languages i.e. Phyton or Lua
|Dec 11-13, Mexico City, Mexico
+
* Use existing programs (libjpeg?) as plug-in validators?
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
** [[User:Joachim Metz|Joachim]] define a file structure api for this
|-
+
 
|AccessData&reg; BootCamp
+
=Existing Code that we have=
|Dec 11-13, Orlando, FL and West Lafayette, IN
+
[[User:Joachim Metz|Joachim]]
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
Please add any missing links
|-
+
 
|AccessData&reg; Windows Forensics
+
Documentation/Articles
|Dec 11-13, Houston, TX and Madison, WI
+
* DFRWS2006/2007 carving challenge results
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
* DFRWS2008 paper on carving
|-
+
 
|AccessData&reg; Vista Forensics
+
Carvers
|Dec 14, Houston, TX
+
* DFRWS2006/2007 carving challenge results
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
* photorec (http://www.cgsecurity.org/wiki/PhotoRec)
|-
+
* revit06 and revit07 (http://sourceforge.net/projects/revit/)
|Core Skills for the Investigation of Computer Crime
+
* s3/scarve
|Dec 17-21, Las Vegas, NV
+
 
|http://www.search.org/programs/hightech/calendar.asp
+
Possible file structure validator libraries
|Limited To Law Enforcement
+
* divers existing file support libraries
|-
+
* libole2 (inhouse experimental code of OLE2 support)
|EnCase&reg; v6 NTFS
+
* libpff (alpha release for PFF (PST/OST) file support) (http://sourceforge.net/projects/libpff/)
|Dec 17-20, Los Angeles, CA
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
Input support
|-
+
* AFF (http://www.afflib.org/)
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
* EWF (http://sourceforge.net/projects/libewf/)
|Dec 17-20, Washington DC
+
* TSK device & raw & split raw (http://www.sleuthkit.org/)
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
Volume/Partition support
|EnCase&reg; v6 Advanced Computer Forensics
+
* disktype (http://disktype.sourceforge.net/)
|Dec 17-20, Chicago, IL and  Los Angeles, CA
+
* testdisk (http://www.cgsecurity.org/wiki/TestDisk)
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* TSK
|-
+
 
|EnCase&reg; v6 Advanced Internet Examinations
+
File system support
|Dec 17-20, Washington DC and United Kingdom
+
* TSK
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* photorec FS code
|-
+
* implementations of FS in Linux/BSD
|Advanced Cell Phone/SIM Card Forensics
+
 
|Dec 17-20, Mississauga, Ontario, Canada
+
Content support
|http://www.paraben-training.com/schedule.html
+
 
|-
+
=Implementation Timeline=
|DEK: Data Exploitation
+
# gather the available resources/ideas/wishes/needs etc. (I guess we're in this phase)
|Dec 17-20, Potomac Falls, VA
+
# start discussing a high level design (in terms of algorithm, facilities, information needed)
|http://www.paraben-training.com/schedule.html
+
## input formats facility
|Restricted Enrollment
+
## partition/volume facility
|-
+
## file system facility
|X-Ways Forensics
+
## file format facility
|Dec 17-19, Singapore
+
## content facility
|http://www.x-ways.net/training/SGP.html
+
## how to deal with fragment detection (do the validators allow for fragment detection?)
|-
+
## how to deal with recombination of fragments
|AccessData&reg; Applied Decryption
+
## do we want multiple carving phases in light of speed/precision tradeoffs
|Dec 17-19, Lynnwood, WA
+
# start detailing parts of the design
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
## Discuss options for a grammar driven validator?
|-
+
## Hard-coded plug-ins?
|AccessData&reg; Windows Forensics
+
## Which existing code can we use?
|Dec 17-19, Des Moines, IA
+
# start building/assembling parts of the tooling for a prototype
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
## Implement simple file carving with validation.
|-
+
## Implement gap carving
|EnCase&reg; v6 Computer Forensics II-Private Sector
+
# Initial Release
|Dec 18-21, Houston, TX
+
# Implement the ''threaded carving'' that [[User:.FUF|.FUF]] is describing above.
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
[[User:Joachim Metz|Joachim]] Shouldn't multi threaded carving (MTC) not be part of the 1st version?
|AccessData&reg; BootCamp
+
The MT approach makes for different design decisions
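Review bot: the last numbered step of "Implementation Timeline" on the added side, "Implement the ''threaded carving'' that .FUF is describing above", points at a description that is not in the added text; none of .FUF's comments here mention threaded carving, so either restore that description or reword the step so it stands alone. Separately, the headings "=Caving algorithm =" and "==Caving scenarios ==" should read "Carving", matching the page title and the rest of the requirements.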
|Dec 18-20, New York City, NY and Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Forensic Fundamentals
+
|Dec 18-20, Sydney, NSW, Australia
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Internet Forensics
+
|Dec 18-20, New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Dec 18-20, Los Angeles, CA; New York City, NY; and Washington, DC
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Vista Forensics
+
|Dec 21, Lynnwood, WA; New York City, NY; and Washington, DC
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|**__2008 EVENTS__**
+
|_______2008_______
+
|-
+
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
+
|Jan 07-18, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|Jan 07-11, Santa Clara, CA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|ILook® Automated Forensic Application(ILook)
+
|Jan 07-11, Fairmont, WV
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Jan 07-11, Los Angeles, CA
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Advanced Cell Phone/SIM Card Forensics
+
|Jan 07-10, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jan 07-08, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
|Jan 08-11, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jan 08-11, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jan 08-11, Houston, TX;  Los Angeles, CA and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Jan 08-11, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Jan 08-10, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jan 09-10, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Jan 14-17, Nashville, IN
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Introduction to Cyber Crime
+
|Jan 14-16, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jan 15-18, Houston, TX and Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Jan 15-18, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jan 15-18, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Jan 15-17, Columbia, SC and Ft Lauderdale, FL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Jan 15-16, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Forensics Tools and Techniques
+
|Jan 16-18, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jan 16-17, Honolulu, HI
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jan 22-25, Washington DC and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jan 22-25, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jan 22-25, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Jan 22-25, Honolulu, HI
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|First Responder to Digital Evidence Program (FRDE)
+
|Jan 22-24, Richland, WA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|AccessData's Windows Forensics
+
|Jan 22-24, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Cellular/GPS Signal Analysis
+
|Jan 24-25, San Diego, CA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|Seized Computer Evidence Recovery Specialist (SCERS)
+
|Jan 28-Feb 08, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Jan 28-Feb 01, Fairmont, WV
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jan 28-29, Cleburne, TX
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jan 29-Feb 01, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Jan 29-Feb 01, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
|Jan 29-Feb 01, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jan 29-Feb 01, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jan 29-Feb 01, Washington DC and  Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase I
+
|Jan 29-Feb 01, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jan 30-31, Cleburne, TX
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Internet Investigations Training Program (IITP)
+
|Feb 04-08, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|E-Discovery: E-mail & Mobile E-mail Devices
+
|Feb 04-07, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|EnCase&reg; Enterprise v6 - Phase II
+
|Feb 04-07, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Feb 04-07, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; BootCamp
+
|Feb 05-07, Ft Lauderdale, FL; St Paul, MN; and Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg;  eDiscovery with v6
+
|Feb 05-08, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Feb 05-08, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Feb 05-08, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Feb 05-08, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Feb 05-06, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Computer Basics
+
|Feb 06-08, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Feb 11-15, Birmingham, AL
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Introduction to Cyber Crime
+
|Feb 11-13, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Wireless Forensics
+
|Feb 11-12, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|EnCase&reg; v6 EnScript&reg;  Programming - Phase I
+
|Feb 12-15, Los Angeles, CA and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Feb 12-15, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Feb 12-15, Chicago, IL and  Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|First Responder to Digital Evidence Program (FRDE)
+
|Feb 12-14, Twinsburg, OH
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; BootCamp
+
|Feb 12-14, Louisville, KY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Law Enforcement Only
+
|-
+
|Forensics Tools and Techniques
+
|Feb 13-15, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Feb 19-22, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Feb 19-22, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Feb 19-22, Houston, TX and  Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 NTFS
+
|Feb 19-22, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Feb 19-22, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Applied Decryption
+
|Feb 19-21, Melbourne, VIC, Australia
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Mobile Device Investigations Program (MDIP)(Pilot)
+
|Feb 25-29, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Feb 25-29, Phoenix, AZ
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Network Incident Response
+
|Feb 25-28, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Feb 25-26, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Feb 26-29, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Feb 26-29, Houston, TX;  Los Angeles, CA; and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Feb 26-29, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Applied Decryption
+
|Feb 26-28, Wellington, New Zealand
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Feb 26-28, St Louis, MO
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Feb 26-27, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Feb 27-28, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Handheld Forensic Course
+
|Mar 03-06, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Mar 04-07, Chicago, IL, Los Angeles, CA and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
|Mar 04-07, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Mar 04-07, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg;  eDiscovery with v6
+
|Mar 04-07, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Mar 04-07, Houston, TX and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Mar 04-06, Indianapolis, IN; New York City, NY; Canberra, ACT, Australia; and London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
+
|Mar 10-21, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|Mar 10-14, Santa Clara, CA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|E-Discovery: E-mail & Mobile E-mail Devices
+
|Mar 10-13, Potomac Falls, VA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|Introduction to Cyber Crime
+
|Mar 10-12, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Cellular/GPS Signal Analysis
+
|Mar 10-11, San Diego, CA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Mar 11-14, Houston, TX and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase I
+
|Mar 11-14, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Mar 11-14, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Mar 11-14, Chicago, IL and  Phoenix, AZ
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Mar 11-13, Ft Lauderdale, FL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Mar 11-12, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Forensics Tools and Techniques
+
|Mar 12-14, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; BootCamp
+
|Mar 12-14, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Wireless Forensics
+
|Mar 13-14, San Diego, CA
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|EnCase&reg; Enterprise v6 - Phase II
+
|Mar 17-20, Los Angeles, CA and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Mar 17-18, Las Vegas, NV
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Mar 18-21, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Mar 18-21, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Mar 18-20, Las Vegas, NV
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Mar 19-20, Las Vegas, NV
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Mar 24-28, Miami, FL
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Fast CyberForensic Triage(FCT)
+
|Mar 24-26, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Mar 25-28, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 NTFS
+
|Mar 25-28, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Mar 25-28, Los Angeles, CA and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Mar 25-28, Chicago, IL;  Houston, TX and Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Seized Computer Evidence Recovery Specialist (SCERS)
+
|Mar 31-Apr 11, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Mar 31-Apr 02, Meriden, CT and Burlington, KY
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Apr 01-04, Chicago, IL and Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Apr 01-04, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase I
+
|Apr 01-04, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Apr 01-03, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Apr 01-02, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase II
+
|Apr 07-10, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Introduction to Cyber Crime
+
|Apr 07-09, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Apr 08-11, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 NTFS
+
|Apr 08-11, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Apr 08-11, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Apr 08-11, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Apr 08-10, Albany, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Internet Forensics
+
|Apr 08-10, Sydney, NSW, Australia
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Apr 08-09, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Forensics Tools and Techniques
+
|Apr 09-11, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Mobile Device Investigations Program (MDIP)
+
|Apr 14-18, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Core Skills for the Investigation of Cellular Telephones
+
|Apr 14-17, Midland, MI
+
|http://www.search.org/programs/hightech/calendar.asp
+
|Limited To Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Apr 15-18, Houston, TX and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Apr 15-18, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Apr 15-18, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 EnScript&reg;  Programming - Phase I
+
|Apr 15-18, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 NTFS
+
|Apr 15-18, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Apr 15-17, Dallas, TX
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
+
|Apr 21-May 02, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Apr 21-24, Vassalboro, ME
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
|Apr 22-25, Los Angeles, CA and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Apr 22-25, Houston, TX and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Apr 22-24, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Advanced Responders - Search and Seizure of SOHO Networks
+
|Apr 22-24, Jacksonville, FL
+
|http://www.search.org/programs/hightech/calendar.asp
+
|Limited To Law Enforcement
+
|-
+
|Core Skills for the Investigation of Computer Crime
+
|Apr 28-May 02, Sacramento, CA
+
|http://www.search.org/programs/hightech/calendar.asp
+
|Limited To Law Enforcement
+
|-
+
|Introduction to Automated Forensic Tools(AFT)
+
|Apr 28-May 01, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Apr 29-May 02, Houston, TX and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Apr 29-May 02, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 NTFS
+
|Apr 29-May 02, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Apr 29-May 02, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Apr 29-May 01, Ft Lauderdale, FL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|May 06-09, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|May 06-09, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase I
+
|May 06-09, Chicago, IL and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|May 06-08, Manchester, United Kingdom andSydney, NSW, Australia
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|May 06-08, New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Seized Computer Evidence Recovery Specialist (SCERS)
+
|May 12-23, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Internet Investigations Training Program (IITP)
+
|May 12-16, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Fast CyberForensic Triage(FCT)
+
|May 12-15, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; Enterprise v6 - Phase II
+
|May 12-15, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|May 12-13, Pullman, WA
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|May 13-16, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|May 13-16, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|May 13-16, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
|May 13-16, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|May 13-15, Sydney, NSW, Australia
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Internet Forensics
+
|May 13-15, Ft Lauderdale, FL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Advanced Responders - Search and Seizure of SOHO Networks
+
|May 13-15, Sacramento, CA
+
|http://www.search.org/programs/hightech/calendar.asp
+
|Limited To Law Enforcement
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|May 14-15, Pullman, WA
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Basic On-Line Technical Skills(BOTS)
+
|May 19, Lynchburg, VA
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|May 19-23, Santa Clara, CA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|Core Skills for the Investigation of Computer Crime
+
|May 19-23, Sacramento, CA
+
|http://www.search.org/programs/hightech/calendar.asp
+
|Limited To Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|May 20-23, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|May 20-23, Houston, TX and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|May 20-23, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|May 20-22, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|May 27-30, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|May 27-29, San Jose, CA
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Computer Network Investigations Training Program (CNITP)
+
|Jun 02-13, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|ILook® Automated Forensic Application(ILook)
+
|Jun 02-06, Vassalboro, ME
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Core Skills for the Investigation of Cellular Telephones
+
|Jun 02-05, Sacramento, CA
+
|http://www.search.org/programs/hightech/calendar.asp
+
|Limited To Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jun 03-06, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 NTFS
+
|Jun 03-06, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jun 03-06, Chicago, IL and Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Jun 03-06, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Jun 03-06, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Jun 03-05, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Core Skills for the Investigation of Cellular Telephones
+
|Jun 09-12, Sacramento, CA
+
|http://www.search.org/programs/hightech/calendar.asp
+
|Limited To Law Enforcement
+
|-
+
|AccessData&reg; BootCamp
+
|Jun 10-12, St Paul, MN
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Jun 10-11, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jun 10-13, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jun 10-13, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
|Jun 10-13, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jun 10-13, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Computer Network Investigations Training Program (CNITP)
+
|Jun 16-27, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Intermediate Data Recovery and Analysis(IDRA)
+
|Jun 16-20, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Jun 16-19, Hamilton, NJ
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jun 17-20, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Jun 17-20, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Jun 17-20, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Jun 17-18, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jun 17-20, Los Angeles, CA and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jun 17-20, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Introduction to Automated Forensic Tools(AFT)
+
|Jun 23-27, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jun 23-24, Shawano, WI
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jun 24-27, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Jun 24-27, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Jun 24-27, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase I
+
|Jun 24-27, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jun 24-27, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jun 24-27, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Jun 24-26, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Advanced Responders - Search and Seizure of SOHO Networks
+
|Jun 24-26, Sacramento, CA
+
|http://www.search.org/programs/hightech/calendar.asp
+
|Limited To Law Enforcement
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jun 25-26, Shawano, WI
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; Enterprise v6 - Phase II
+
|Jun 30-Jul 03, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Jul 01-03, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Mobile Device Investigations Program (MDIP)
+
|Jul 14-18, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; Applied Decryption
+
|Jul 15-17, St Paul, MN
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Jul 15-17, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Computer Network Investigations Training Program (CNITP)
+
|Jul 21-Aug 01, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Internet Investigations Training Program (IITP
+
|Jul 21-25, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; Windows Forensics
+
|Jul 22-24, St Louis, MO
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|ILook® Automated Forensic Application(ILook)
+
|Jul 28-Aug 01, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; BootCamp
+
|Aug 05-07, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Aug 05-07, Louisville, KY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Law Enforcement Only
+
|-
+
|AccessData&reg; Windows Forensics
+
|Aug 12-14, St Paul, MN
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Aug 12-14, Albany, NY and New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
+
|Aug 18-29, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|Aug 18-22, Santa Clara, CA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|AccessData&reg; BootCamp
+
|Aug 19-21, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Aug 26-28, Ft Lauderdale, FL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Sep 02-04, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Seized Computer Evidence Recovery Specialist (SCERS)
+
|Sep 08-19, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Windows NT File System(NTFS)
+
|Sep 08-11, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|ILook® Automated Forensic Application(ILook)
+
|Sep 15-19, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Sep 16-19, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Sep 16-18, Columbia, SC
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Sep 23-26, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Sep 23-25, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Sep 23-25, Dallas, TX
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Applied Decryption
+
|Sep 23-25, Ft Lauderdale, FL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Sep 30-Oct 03, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|Oct 06-10, Santa Clara, CA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|AccessData&reg; Applied Decryption
+
|Oct 07-09, London, UK
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Oct 07-09, Las Vegas, NV and New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Oct 14-16, Louisville, KY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Law Enforcement Only
+
|-
+
|Windows NT Operating System(NTOS)
+
|Oct 20-23, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Oct 21-24, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 EnScript&reg;  Programming - Phase I
+
|Oct 28-31, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Oct 28-30, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Windows NT File System(NTFS)
+
|Nov 03-06, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Nov 04-07, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Nov 04-06, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Internet Forensics
+
|Nov 04-06, St Paul, MN
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Nov 04-06, Albany, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Nov 18-21, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Nov 25-28, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Internet Forensics
+
|Nov 25-27, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Dec 01-05, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; Windows Forensics
+
|Dec 02-04, Ft Lauderdale, FL; New York City, NY; and London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Windows NT Operating System(NTOS)
+
|Dec 08-11, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Dec 09-12, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Internet Forensics
+
|Dec 09-11, Dallas, TX and New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Dec 09-11, Louisville, KY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Law Enforcement Only
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Dec 16-19, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Dec 16-18, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|**__2009 EVENTS__**
+
|_______2009_______
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Jan 12-16, 2009, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Jan 19-23, 2009, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Mar 02-06, 2009, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|}
+
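Review bot: the separator row at the end of the table (`|**__2009 EVENTS__**` followed by `|_______2009_______`) uses emphasis markers that MediaWiki does not interpret, so both cells render as literal asterisks and underscores; wiki bold (`'''2009 Events'''`) or a header-style row would be cleaner. The rows before it omit the year from the date cell while the rows after it include it, and the limitation cell alternates between "Law Enforcement Only" and "Limited to Law Enforcement"; settling on one form for each would make the list easier to scan and filter.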

Revision as of 14:24, 31 October 2008

This page is for planning Carver 2.0.

Please, do not delete text (ideas) here. Use something like this:

<s>bad idea</s>
:: good idea

This will look like:

bad idea

good idea

License

BSD-3.

Joachim library based validators could require other licenses

OS

Linux/FreeBSD/MacOS

Shouldn't this just match what the underlying afflib & sleuthkit cover? RB
Yes, but you need to test and validate on each. Question: Do we want to support windows? Simsong 21:09, 30 October 2008 (UTC)
Joachim I think we would be wise to design with Windows support from the start; this will improve the platform independence from the start
Agreed; I would even settle at first for being able to run against Cygwin. Note that I don't even own or use a copy of Windows, but the vast majority of forensic investigators do. RB 14:01, 31 October 2008 (UTC)

Name tooling

  • Joachim A name for the tooling I propose coldcut
How about 'butcher'?  ;) RB 14:20, 31 October 2008 (UTC)
Joachim cleaver ( scalpel on steroids ;-) )

Requirements

Joachim Could we do a MoSCoW evaluation of these.

  • AFF and EWF file images supported from scratch. (Joachim I would like to have raw/split raw and device access as well)
If we base our image i/o on afflib, we get all three with one interface. RB
  • Joachim volume/partition aware layer (what about carving unpartitioned space)
  • File system aware layer.
    • By default, files are not carved. (clarify: only identified? RB; I guess that it operates like Selective file dumper .FUF 07:00, 29 October 2008 (UTC))
  • Plug-in architecture for identification/validation.
    • Joachim support for multiple types of validators
      • dedicated validator
      • validator based on file library (i.e. we could specify/implement a file structure for these)
      • configuration based validator (Can handle config files, like Revit07, to enter different file formats used by the carver.)
  • Ship with validators for:

Joachim I think we should distinguish between file format validators and content validators

    • JPEG
    • PNG
    • GIF
    • MSOLE
    • ZIP
    • TAR (gz/bz2)

Joachim For a production carver we need at least the following formats

    • Graphical Images
      • JPEG (the 3 different types with JFIF/EXIF support)
      • PNG
      • GIF
      • BMP
      • TIFF
    • Office documents
      • OLE2 (Word/Excel content support)
      • PDF
      • Open Office/Office 2007 (ZIP+XML)
    • Archive files
      • ZIP
      • 7z
      • gzip
      • bzip2
      • tar
      • RAR
    • E-mail files
      • PFF (PST/OST)
      • MBOX (text based format, base64 content support)
    • Audio/Video files
      • MPEG
      • MP2/MP3
      • AVI
      • ASF/WMV
      • QuickTime
      • MKV
    • Printer spool files
      • EMF (if I remember correctly)
    • Internet history files
      • index.dat
      • Firefox (SQLite 3)
    • Other files
      • thumbs.db
      • pagefile?
  • Simple fragment recovery carving using gap carving.
    • Joachim have hook in for more advanced fragment recovery?
  • Recovering of individual ZIP sections and JPEG icons that are not sector aligned.
    • Joachim I would propose a generic fragment detection and recovery
  • Autonomous operation (some mode of operation should be completely non-interactive, requiring no human intervention to complete RB)
    • Joachim as much as possible, but allow to be overwritten by user
  • Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image.
    • Perhaps allocate a percentage budget per-validator (i.e. each validator adds N% to the carving time) RB
    • Joachim have multiple carving phases for precision/speed trade off?
  • Parallelizable
    • Joachim tunable for different architectures
  • Configuration:
    • Capability to parse some existing carvers' configuration files, either on-the-fly or as a one-way converter.
    • Disengage internal configuration structure from configuration files, create parsers that present the expected structure
    • Joachim The validator should deal with the file structure; the carving algorithm should not know anything about the file structure (as in revit07 design)
    • Either extend Scalpel/Foremost syntaxes for extended features or use a tertiary syntax (Joachim I would prefer a derivative of the revit07 configuration syntax which already has encountered some problems of dealing with defining file structure in a configuration file)
  • Can output audit.txt file.
  • Joachim Can output database with offset analysis values i.e. for visualization tooling
  • Joachim Can output debug log for debugging the algorithm/validation
  • Easy integration into ascription software.
    • Joachim I'm no native speaker; what do you mean by "ascription software"?
I think this was another non-native requesting easy scriptability. RB 14:20, 31 October 2008 (UTC)
Joachim that makes sense ;-)

Ideas

  • Use TSK as much as possible. Don't carry your own FS implementation the way photorec does.
    • Joachim using TSK as much as possible would not allow adding your own file system support (i.e. mobile phones, memory structures, cap files). I would propose wrapping TSK and using it as much as possible, but allowing integration of our own FS implementations.
  • Extracting/carving data from Thumbs.db? I've used foremost for it with some success. Vinetto has some critical bugs :( .FUF 19:18, 28 October 2008 (UTC)
    • Joachim this poses an interesting addition to the carver: do we want to support (let's call it) 'recursive in file carving' (for now)? This is different from embedded files because there is a file system structure in the file and not just another file structure
  • Carving data structures. For example, extract all TCP headers from image by defining TCP header structure and some fields (e.g. source port > 1024, dest port = 80). This will extract all data matching the pattern and write a file with other fields. Another example is carving INFO2 structures and URL activity records from index.dat .FUF 20:51, 28 October 2008 (UTC)
    • This has the opportunity to be extended to the concept of "point at blob FOO and interpret it as BAR"

Configuration language/specification

.FUF added: The main idea is to allow users to define structures, for example (in pascal-like form):

Field1: Byte = 123;
SomeTextLength: DWORD;
SomeText: string[SomeTextLength];
Field4: Char = 'r';
...

This will produce something like this:

Field1 = 123
SomeTextLength = 5
SomeText = 'abcd1'
Field4 = 'r'

(In text or raw forms.)

Opinions?

Opinion: Simple pattern identification like that may not suffice, I think Simson's original intent was not only to identify but to allow for validation routines (plugins, as the original wording was). As such, the format syntax would need to implement a large chunk of some programming language in order to be sufficiently flexible. RB

Joachim In my opinion your example is too limited. Making the revit configuration I learned you'll need a near programming language to specify some file formats. A simple descriptive language is too limiting. I would also go for 2 bytes with endianness instead of using terminology like WORD and small integer; it's much clearer. The configuration also needs to deal with aspects like cardinality, required and optional structures.

Please take a look at the revit07 configuration. It's not there yet but goes a long way. Some things currently missing:

  • bitwise alignment
  • handling encapsulated streams (MPEG/capture files)
  • handling content based formats (MBOX)
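
The structure-carving idea from the Ideas section and .FUF's pascal-like definition above, worked through as an added Python example; it is not part of the original discussion, of revit07 or of any existing carver. The spec tuple format, the reading of DWORD as 4 bytes little-endian, the length cap and the sample buffer are assumptions constructed for illustration.

```python
import struct

# Hypothetical spec format (not revit07 syntax): (name, type, required value or None).
# Widths and byte order are explicit; DWORD is assumed to mean 4 bytes little-endian.
SPEC = [
    ("Field1", "u8", 123),
    ("SomeTextLength", "u32le", None),
    ("SomeText", ("bytes", "SomeTextLength"), None),  # sized by an earlier field
    ("Field4", "char", b"r"),
]
FIXED = {"u8": "<B", "char": "<c", "u16le": "<H", "u32le": "<I", "u16be": ">H", "u32be": ">I"}
MAX_VAR_LEN = 1 << 16  # assumption: reject implausible length fields before reading

def match_at(buf, off, spec=SPEC):
    """Decode spec at buf[off:]; return (fields, end_offset) or None on any mismatch."""
    fields, pos = {}, off
    for name, ftype, want in spec:
        if isinstance(ftype, tuple):
            length = fields[ftype[1]]
            if length > MAX_VAR_LEN or pos + length > len(buf):
                return None  # corrupt length or truncated record
            value = bytes(buf[pos:pos + length])
            pos += length
        else:
            fmt = FIXED[ftype]
            size = struct.calcsize(fmt)
            if pos + size > len(buf):
                return None
            (value,) = struct.unpack_from(fmt, buf, pos)
            pos += size
        if want is not None and value != want:
            return None  # constant field acts as the validator
        fields[name] = value
    return fields, pos

def carve(buf, spec=SPEC):
    """Try every byte offset, since records need not be sector aligned."""
    hits, off = [], 0
    while off < len(buf):
        m = match_at(buf, off, spec)
        if m:
            hits.append((off, m[0]))
            off = m[1]  # assumes a data block belongs to a single record
        else:
            off += 1
    return hits

# Constructed sample: noise, one valid record, a bad trailer, an oversized length.
SAMPLE = (b"\x00\x7b\xff" + b"\x7b\x05\x00\x00\x00abcd1r"
          + b"\x7b\x02\x00\x00\x00xyZ" + b"\x7b\xff\xff\xff\x7f")
```

Running `carve(SAMPLE)` reports one record at offset 3 with the same field values as .FUF's sample output; the three decoys that begin with the magic byte 123 are rejected by the length bound or the trailing constant.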

Carving algorithm

Joachim

  • should we allow for multiple runs?
  • should we allow for multiple algorithms?
  • does the algorithm pass data blocks to the validators?
  • does a validator need to maintain a state?
  • does a validator need to revert a state?
  • do we use the assumption that a data block can be used by a single file (with the exception of embedded/encapsulated files)?

Carving scenarios

Joachim

  • normal file (file structure, loose text based structure (more a content structure?))
  • fragmented file (the file entirely exists)
  • a file fragment (the file does not entirely exist)
  • intertwined file
  • encapsulated file (MPEG/network capture)
  • embedded file (JPEG thumbnail)
  • obfuscation ('encrypted' PFF) this also entails encryption and/or compression
  • file system in file

File System Awareness

Background: Why be File System Aware?

Advantages of being FS aware:

  • You can pick up sector allocation sizes
Joachim do you mean file system block sizes?
  • Some file systems may store things off sector boundaries. (ReiserFS with tail packing)
  • Increasingly file systems have compression (NTFS compression)
  • Carve just the sectors that are not in allocated files.

Tasks that would be required

Discussion

As noted above, TSK should be utilized as much as possible, particularly the filesystem-aware portion. If we want to identify filesystems outside of its supported set, it would be more worth our time to work on implementing them there than in the carver itself. RB
I guess this tool operates like Selective file dumper and can recover files in both ways (or not?). Recovering files by using carving can recover files in situations where sleuthkit does nothing (e.g. file on NTFS was deleted using ntfs-3g, or filesystem was destroyed or just unknown). And we should build the list of filesystems supported by carver, not by TSK. .FUF 07:08, 29 October 2008 (UTC)
This tool is still in the early planning stages (requirements discovery), hence few operational details (like precise modes of operation) have been fleshed out - those will and should come later. The justification for strictly using TSK for the filesystem-sensitive approach is simple: TSK has good filesystem APIs, and it would be foolish to create yet another standalone, incompatible implementation of filesystem(foo) when time would be better spent improving those in TSK, aiding other methods of analysis as well. This is the same reason individuals that have implemented several other carvers are participating: de-duplication of effort. RB

Joachim I would like to have the carver (recovery tool) also do recovery using file allocation data or remainders of file allocation data.

Joachim I would go as far as to ask you all to look beyond the carver as a tool and look from the perspective of the carver as part of the forensic investigation process. In my eyes certain information needed/acquired by the carver could also be very useful investigative information, i.e. what part of a hard disk contains empty sectors.

Supportive tooling

Joachim

  • validator (definitions) tester (detest in revit07)
  • tool to make configuration based definitions
  • post carving validation
  • the carver needs to provide support for fuse mount of carved files (carvfs)

Testing

Joachim

  • automated testing
  • test data

Validator Construction

Options:

  • Write validators in C/C++
    • Joachim you mean dedicated validators
  • Have a scripting language for writing them (python? Perl?) our own?
    • Joachim use easy to embed programming languages i.e. Python or Lua
  • Use existing programs (libjpeg?) as plug-in validators?
    • Joachim define a file structure api for this

Existing Code that we have

Joachim Please add any missing links

Documentation/Articles

  • DFRWS2006/2007 carving challenge results
  • DFRWS2008 paper on carving

Carvers

Possible file structure validator libraries

Input support

Volume/Partition support

File system support

  • TSK
  • photorec FS code
  • implementations of FS in Linux/BSD

Content support

Implementation Timeline

  1. gather the available resources/ideas/wishes/needs etc. (I guess we're in this phase)
  2. start discussing a high level design (in terms of algorithm, facilities, information needed)
    1. input formats facility
    2. partition/volume facility
    3. file system facility
    4. file format facility
    5. content facility
    6. how to deal with fragment detection (do the validators allow for fragment detection?)
    7. how to deal with recombination of fragments
    8. do we want multiple carving phases in light of speed/precision tradeoffs
  3. start detailing parts of the design
    1. Discuss options for a grammar driven validator?
    2. Hard-coded plug-ins?
    3. Which existing code can we use?
  4. start building/assembling parts of the tooling for a prototype
    1. Implement simple file carving with validation.
    2. Implement gap carving
  5. Initial Release
  6. Implement the threaded carving that .FUF is describing above.

Joachim Shouldn't multi threaded carving (MTC) not be part of the 1st version? The MT approach makes for different design decisions