Computer Forensics Training & Experience

Presentations given:

Continuing Legal Education Society of BC: “Computer Forensics”

• Paul Pearson: Faculty, Course Chair; Michael Mulligan: Faculty, Course Chair
• Full day course instructed lawyers on an introduction to computer forensic concepts, examination techniques, as well as practical and legal issues.
• Date: June 2011

Continuing Legal Education Society of BC: “Criminal Law: Special Issues”

• Michael Mulligan: Faculty, Paul Pearson: Faculty
• Mr. Mulligan and Mr. Pearson conducted the “Police use of computer forensics: an introduction for lawyers” session at a multi-topic CLE
• Date: February 2011

CBA Criminal Section: Vancouver: “Introduction to Computer Forensics”

• Michael Mulligan and Paul Pearson, presenters
• Two hour session introduced criminal practicioners to computer forensic concepts and special criminal law considerations.
• Date: Sept, 2010

CBA Criminal Section: Victoria: “Introduction to Computer Forensics”

• Michael Mulligan and Paul Pearson, presenters
• Two hour session introduced criminal practicioners in Victoria to computer forensic concepts and special criminal law considerations.
• Date: June 2010

Training taken:

Neutrino – Mobile Phone Forensics – Los Angeles California

• overview of mobile phone networks
• how to identify mobile phones
• how to work with various service providers
• proper seizure techniques
• a detailed understanding of all components that make up EnCase Neutrino
• acquire data from mobile phones
• acquire and examine SIM cards
• examine the data that they have acquired
• learn how to create logical evidence files with EnCase Neutrino
• an overview of mobile phone data storage
• how to use conditiona in EnCase Neutrino
• how to report their findings

Advanced Internet Examinations – Washington DC

• the history, operation and artifacts associated with peer-to-peer file-sharing applications such as BitTorrent™, LimeWire™ and BearShare.
• the impact of Trojan viruses through examination of:
  • Defense issues
  • The Windows® Registry
  • Hash analysis
• Anti-virus scanning and virus analysis using the EnCase® Virtual File System (VFS) Module and the EnCase® Physical Disk Emulator (PDE) Module
• how to examine system monitors and key loggers
• how to identify artifacts from instant message clients such as AOL® IM (AIM®) and Yahoo! ® Messenger
• the operation of the Microsoft® Internet Explorer web browser with regards to typed URLs, password and form-data storage, cookies, Internet history and cache content
• how web pages are constructed and will use this information, together with their new-found knowledge of cached Internet Explorer web content, to correctly rebuild web pages
• artifacts introduced with Microsoft® Internet Explorer 7
• the operation of web search engines
• web-based email
• Microsoft® Outlook PST structure and about viewing Lotus® Notes email data
• the history, operation and artifacts associated with Mozilla-based web browsers (including Firefox)

Network Intrusion Investigations training – London England

• The hacker mind and methodology
• Common tool knowledge and hash sets
• Incident response techniques and considerations
• Understanding and processing volatile data
• Networking 101
• Network-based attacks
• Network hardware devices
• Firewall
• TCP/IP overview
• Core protocols and layering
• Host enumeration and port and vulnerability scanning
• Windows® file sharing and vulnerabilities
• Hiding and manipulating data
• Web server attacks
• Remote access Trojans
• Internet Relay Chat (IRC) bots
• Windows rootkits
• Buffer overflows
• DCOM vulnerabilities
• The Metasploit framework
• SQL database attacks
• Binary analysis

Advanced Computer Forensics training – Los Angeles California

• Analysis of NT File System (NTFS) artifacts in Windows operating systems
• Advanced NTFS data recovery
• Examination of the Microsoft Windows Registry
• Analysis and recovery of Microsoft Windows event log files
• Hardware and software RAID technology, acquisition and examination
• Principles of encrypted data recovery
• Understanding and examining Windows BitLocker™ volumes
• Linux and UNIX operating and file system artifacts
• Linux partition recovery
• Data acquisition using Linux
• Understanding and examination of Macintosh disk and file system structure
• Forensic examination of Macintosh computers
• Macintosh OS X® operating system artifacts
• Reinforcement of the EnCase® computer forensic methodology
• Introduction to EnScript programming

Computer Forensics II training – Chicago Illinois

• How to create and use of logical evidence files
• How to locate and recover deleted partitions and folders
• How to conduct keyword searches and advanced searches using GREP
• Students will gain an understanding of the EnCase Virtual File System (VFS) and Physical Disk Emulator (PDE)
• Students will learn about the Windows® Registry
• Students will learn how to deal with compound file types
• How to export files, directories and entire volumes
• How to identify files using hash values and building hash libraries
• How to identify Windows XP operating system artifacts such as link files, recycle bin, and user folders
• How to prepare reports and evidence for presentation in court
• How to recover artifacts such as swap files, file slack, and spooler files
• How to recover printed and faxed pages

Computer Forensics I training – Houston Texas

• What constitutes digital evidence and how computers work
• An overview of the EnCase Computer Forensic Methodology
• Basic structures of the FAT and NTFS file systems
• How to create a case and how to preview/acquire media
• How to conduct basic keyword searches
• How to analyze file signatures and view files
• How to restore evidence
• How to archive files and data created through the analysis process
• How to prepare evidence for presentation in court
• How to verify the evidence file