AccessData Internet Forensics

This course provides students with the knowledge and skills necessary to conduct an effective Internet application-based investigation. Students should already be conducting computer-based investigations and be familiar with the AccessData suite of tools. Experience with Internet-based investigations would provide additional background knowledge but is not necessary. This is not an undercover investigations course; it is focused on data recovery.

Students immediately begin working a missing person case initiated from an instant message found on the computer screen of the missing person. The case takes the student to several different machines with multiple Internet chat, browsing and email platforms. Students use Password Recovery Toolkit (PRTK) to break sign-on passwords for the following Internet applications and messengers:

  • MSN Instant Messenger (including MSN Live)
  • YAHOO Instant Messenger
  • America Online and AOL Instant Messenger
  • Internet Explorer and Firefox Auto-Complete
  • Myspace
  • Skype
  • Internet Explorer 7 Intelliforms artifacts

Students will also use Forensic Toolkit (FTK) to locate and decrypt YAHOO Instant Messenger .DAT files and to parse Internet Explorer .DAT files (History and Temporary Files) for hit rates, use counts and more, as well as Firefox history files, the download manager, user favorites, etc. Students will also parse America Online client files for user history, search terms, address books, buddy lists, email and more. Students will use the Registry Viewer to analyze Instant Messenger data such as:

  • Shared file permission status and file transfer information
  • Block or allow information for user contacts (buddy lists)
  • Last user access information and recent contacts via the messenger

This advanced-level, hands-on, intensive course is intended for forensic investigators, law enforcement personnel, and security and network administrators who desire a greater understanding of Internet artifact data recovery.

Courses outside North America include an overview of peer-to-peer (P2P) file sharing programs such as Limewire and the network architecture on which they operate. In these courses, the America Online content has been removed, giving delegates the opportunity to explore forensic issues such as:

  • Examining P2P activity log files
  • Decrypting Kazaa registry search terms
  • Determining download file sources
  • Determining file and folder share status
  • Decoding URL values for download file comparison by hash value

The Internet Forensics course includes an optional Practical Skills Assessment (PSA) that requires participants to apply concepts presented during the course to complete a practical exercise. Participants who successfully complete this exercise receive a certificate of PSA completion.