If you can't find what you are looking for,
please call us at 703-993-2109.

GATL 0402: Forensic Computer Examiner
Gatlin Education Online Course

COURSE DESCRIPTION

The forensic computer examiner field has grown tremendously in the past few years. For many years, law enforcement officers have been the primary forensic computer examiners; however, as criminal defense attorneys, and later civil attorneys, encountered the law-enforcement examiners, the need for qualified civilian forensic computer examiners grew. Currently, there is a huge demand for certified, qualified forensic computer examiners. Some trained examiners have started their own businesses, some work for large companies, such as Deloitte and Touche, and others work for law-enforcement agencies, such as the FBI CART teams.

This comprehensive online program prepares individuals for a career in this emerging field. Through this training, students learn to retrieve evidence and prepare reports, based on that evidence, which will stand up in a court of law. A section on the ethics of computer forensics and on the preparation and analysis of investigation results is also included.

The primary certification for civilian forensic computer examiners is the Certified Computer Examiner (CCE®) certification. The online Forensic Computer Examiner program is an authorized CCE training course and thoroughly prepares students to take the CCE certification exam.

 
Registration
Start at any time, and work at your own pace.


Fee: $3,195
Length: 150 Hours
CEUs: 15 CEUs

Included Materials

Students will be provided with some forensic software that was written specifically for forensic examiners. Each registered student will receive:

  • A fast and thorough wiping program.
  • A fast checksum program.
  • A fast program that documents files (including deleted files) on a drive.
  • A program that allows examination of unallocated space.
  • A program that makes exact forensic copies of floppy diskettes.
  • An excellent forensic "carving" utility.
  • The Passware Kit from LostPassword.com.

Contact Info
  • Online contact form
  • Address: George Mason University, Office of Continuing Professional Education, 4400 University Drive, MS 2G2, Fairfax, VA 22030
  • Telephone: 703-993-2113
  • Fax: 703-993-2121

    Obtaining a quality forensic computer-examiner education is the best way to prepare for the profession. This online, self-paced program prepares students for CCE certification. Students will be paired with an instructor for one-on-one assistance.

    FEATURES

    This nationally recognized forensic computer examiner online training course is for the aspiring forensic computer examiner. For many years, law enforcement officers have been the primary forensic computer examiners; however, the need for qualified civilian forensic computer examiners is growing faster than ever. This forensic computer examiner online training course is offered only in partnership with major colleges and universities.

    TOPIC HIGHLIGHTS

    1. Module 1
      1. Overview of what types of crimes might be solved with computer evidence.
      2. Dealing with clients and employers.
      3. Initial determination of the scope of the examination.
      4. Determining what must be done and how to proceed in an examination.
      5. Overview of reasons to use trained forensic examiners and what they may expect to encounter.
      6. Software ethics.
      7. Forensic ethical standards.
      8. Forensic examination procedures.
      9. Preparing and verifying forensically sterile examination media.
      10. Note taking and report writing.
      11. Personal computer construction, hardware and software with focus on the BIOS, BIOS limitations, hard disk translation schemes and effect on forensic examinations.
      12. A very broad overview of several operating systems including:
        1. Windows NT/2000
        2. Novell
        3. Unix/Linux
        4. DOS
        5. Windows 95/98
      13. Broad overview of networks.
      14. Acquisition, collection and seizure of magnetic media.
      15. Best method of acquiring, collecting, or seizing the various operating systems.
      16. Legal and privacy issues.
      17. Establishing a sound "chain of custody."
      18. Beginning logical structures of the Microsoft operating system FAT file system.
      19. Recovering simple deleted files.
      20. Four practical exercises in preparing and verifying forensically sterile media.
      21. Using a "carving" utility to recover data from unallocated space.
      22. Manual recovery of simple deleted files.
      23. Written examination on the material covered in this module.
    2. Module 2
      1. DOS and Windows boot process.
      2. Creating and storing files (continued).
      3. Recovering more complex deleted files.
      4. Determining the creation date.
      5. Significance of the creation date.
      6. Determining the last accessed date and the modification date and time.
      7. Significance of the last accessed date and the modification date and time.
      8. Storing Windows long file names.
      9. Consequences of deleting Windows long file names.
      10. Recovering Windows long file names.
      11. Storing sub-directories.
      12. Consequences of deleting sub-directories.
      13. Recovering a deleted sub-directory and its files.
      14. Consequences of formatting a diskette or hard disk drive.
      15. Recovering files, sub-directories and data from formatted disks.
      16. Determining which files had been deleted prior to formatting.
      17. Definition of file slack and recovering data from file slack.
      18. Five practical exercises on the logical structure of FAT file systems, file storage and the recovery of fragmented deleted files, the recovery of long file names, the recovery of deleted sub directories and the recovery of formatted disks.
      19. A written examination on the material covered in this module.
    3. Module 3
      1. An in-depth exploration of NTFS logical structures (nothing similar is available anywhere), including:
        1. The partition table
        2. The boot record
        3. Bitmaps
        4. The root directory
        5. The MFT
        6. Headers
        7. Attributes
        8. Resident files
        9. Non-resident files
        10. Run lists, etc.
        11. Alternate data streams
        12. File storage
        13. The various dates and times stored in attributes
        14. File deletion
        15. File recovery
        16. Directory storage
        17. Tracing files/directories
        18. The NTFS registry "hive"
        19. Examining NTFS drives
      2. A practical exercise involving the detailed exploration of the NTFS logical structures on a specially prepared NTFS drive.
      3. A written examination regarding the material covered in this module.
    4. Module 4
      1. Making a Windows 98 forensic boot disk.
      2. Making "exact" images of media: the various imaging methods.
      3. Using FireWire write blockers.
      4. The significance and location of, and recovering data from:
        1. Swap Files
        2. Temporary Files
        3. Internet Cache Files
        4. Email files
        5. Internet Cookies
        6. Internet Sites Visited
      5. Basic Internet issues. Doing a basic "whois" and similar Internet checks.
      6. Preserving the original media.
      7. Preventing inadvertent writes to the original media, virus introduction to the original media, and activation of "booby traps" on the original media.
      8. Making bitstream (exact copies) of the original media.
      9. Safe handling of the media by the forensic examiner.
      10. The most common situations that an examiner may encounter during an examination.
      11. Finding and documenting normal data or graphical files.
      12. How people commonly try to hide data.
      13. Finding and documenting data and files in unallocated space.
      14. Finding hidden data.
      15. An overview of password protection and unlocking passwords.
      16. Accessing and interpreting "metadata" in MS Office documents.
      17. Three practical exercises on recovering data from swap files, temporary files, etc., determining registration of a URL, finding and documenting normal data on magnetic media, finding hidden data and unlocking passwords, unlocking passwords and accessing metadata.
      18. A written examination regarding the material covered in this module.
    5. Module 5
      1. Data formats and types.
      2. Basic data format conversion.
      3. Examining CDR media and accessing multiple unclosed sessions.
      4. Managing data.
      5. Presenting the data to the client in a useful format.
      6. Presenting data in court or other proceedings in a clear and understandable manner.
      7. Marking, storage, and transmittal of evidence.
      8. Basic use of automated forensic suites (AccessData's Forensic Toolkit (FTK)).
      9. A practical exercise in which the students examine a specially prepared hard-disk drive, draw the appropriate conclusions, write a good report and present the evidence found in a manner that is clear and understandable.
      10. A written examination regarding the material covered in this module.
    6. Additional resources provided
      1. Detailed handout for each module covered, usable as a reference manual.
      2. Sample reports
      3. Additional practical exercises.
      4. DOS primer
      5. Diskedit primer and other useful information and applications.
      6. Subscription to a forensic listserver that provides both administrative and technical information.
      7. Continuing access to updated material via the GES website, even after course completion.

    CERTIFICATE REQUIREMENTS

    A 70% or better must be achieved in order to receive a Certificate of Completion.

    COURSE OBJECTIVES

    After successful completion of the Forensic Computer Examiner online program, students will:

    • Understand what makes an examiner a good examiner.
    • Be able to explain to clients why trained forensic examiners should be used.
    • Understand what a forensic examiner may expect to encounter during an examination.
    • Understand software licensing and how it affects forensic examiners.
    • Understand forensic ethical standards as they apply to forensic examiners.
    • Understand basic forensic examination procedures.
    • Be able to prepare and verify forensically sterile examination media.
    • Understand the importance and methodology of note taking and reports.
    • Understand basic PC hardware identification.
    • Have a basic understanding of the legal privacy issues relating to the examination of magnetic media.
    • Understand when a legal opinion may be necessary to prevent privacy issues from interfering with the examination or causing a valid lawsuit.
    • Have a basic understanding of how to properly acquire, collect, or seize magnetic media.
    • Understand how to properly establish and maintain the physical "chain of custody" of media and evidence.
    • Make exact forensic copies of original floppy-diskette media.
    • Use our FSUITE forensic utilities.
    • Understand the logical structures of DOS and Windows 95/98.
    • Understand where the creation and modification dates and times are stored in a directory entry.
    • Understand the significance of the creation and modification dates and times.
    • Understand how to recover data from unallocated space.
    • Understand and explain how files are created.
    • Understand and explain what happens when a file is deleted.
    • Understand, explain and manually recover DOS legal single and multiple cluster deleted files.
    • Understand, explain and manually recover DOS legal multiple cluster fragmented deleted files.
    • Understand how to determine the Last Accessed Date and the Modification Date and Time, their significance and when they are modified.
    • Understand how Windows long file names are stored, what happens when they are deleted and how to restore long file names.
    • Understand how sub-directories are stored, what happens when they are deleted and how to recover deleted sub-directories.
    • Understand what happens when a diskette or hard-disk drive is formatted and how to recover files, sub-directories, and data from formatted disks.
    • Understand the NTFS partition table, boot record, and root directory.
    • Understand Bitmaps.
    • Understand the MFT.
    • Understand NTFS Headers and Attributes.
    • Understand Resident and Non-resident files.
    • Understand Run lists, etc.
    • Understand Alternate data streams.
    • Understand NTFS File storage.
    • Understand the various dates and times stored in attributes.
    • Understand File deletion and recovery.
    • Understand Directory storage.
    • Understand Tracing files/directories.
    • Understand the NTFS registry "hive."
    • Understand Examining NTFS drives.
    • Understand how to make a Windows 98 forensic boot disk.
    • Understand the basic imaging methods and how to make "exact copies" of media.
    • Understand the significance of, location of and how to recover data from swap files, temporary files, Internet cache files, Internet cookies, mail files and Internet sites visited.
    • Understand basic Internet issues, such as doing a basic "whois."
    • Understand how to preserve the original media.
    • Understand how to prevent inadvertent writes.
    • Understand how to prevent virus introduction and how to prevent activation of "booby traps."
    • Understand how to safely handle media.
    • Understand how to find and document normal data and graphical files.
    • Understand how people commonly try to hide data.
    • Understand how to find and document data in unallocated space.
    • Understand how to find hidden data.
    • Understand password protection schemes and how to lock and unlock many passwords.
    • Understand how to access MS Word metadata.
    • Understand the basic use of automated forensic suites (FTK).
    • Understand basic data formats and types.
    • Understand how to conduct basic data-format conversions.
    • Understand the basic issues in examining CDR media.
    • Understand how to present recovered and evidence data to the client in a useful format.
    • Understand how to manage data.
    • Understand how to present data in court or other proceedings in a clear and understandable manner.
    • Have conducted an examination of a hard disk drive that covers the full range of forensic issues found in this training course.

    PDF BROCHURE

    Please click here to download the PDF brochure for the Gatlin online courses offered by OCPE.

    This brochure and the registration form for this course require Adobe Reader. Click here to download the latest version of Adobe Reader.

    WHO SHOULD ATTEND

    Students must have no criminal record. Basic computer skills, including the ability or desire to work outside the Windows GUI interface, are necessary. The ability or desire to remove hard-disk drives from computers and change jumpers is required.

    Note: Students who plan to pursue the Certified Computer Examiner (CCE®) credential must have attended a course like this course or have documented experience in forensic computer examinations or have documented self study.

    PC REQUIREMENTS

    This course must be taken from a PC. Students should have a computer capable of booting to Windows 98 and must have Internet access.

    Students will be required to purchase:

    • Norton Utilities
    • Norton Ghost
    • QuickView Plus (a viewing application)
    • A good virus-scanning utility

    INSTRUCTORS

    This course is taught by part-time George Mason University, OCPE, Gatlin instructors.

    John Mellon is the president of Key Computer Services and author of the computer-forensic-examination course. He is a retired US Customs Senior Special Agent with 28 years of investigative experience and more than 17 years of experience with computers. He is an IACIS certified forensic-computer examiner. Mr. Mellon had initial experience with the CP/M operating system in 1986. He had initial computer forensic training in 1991 by the International Association of Computer Investigative Specialists (IACIS). He has been an active member of IACIS and is a member of the Board of Directors.

    He is the past chairman of the IACIS DOS Seizure Certification Committee and the past chairman of the IACIS DOS/Windows Processing Certification Committee. He is the past chairman of the Certification Committee and the past Chairman of the IACIS Board of Directors. Mr. Mellon has been a lead instructor at IACIS training conferences and has been involved in the training of hundreds of law-enforcement officers world-wide in computer forensics since 1994. He has taught numerous highly technical subjects including DOS and Windows 95/98 file systems, architecture and the boot process, DOS and Windows 95/98 examination techniques and procedures, recovery of deleted files, recovery of Windows long file names, and date and time stamp alterations. He also has taught recovering formatted disks, the process and problems in making forensic copies of media, file-type identification and the use of file-viewing applications during examinations, the theory of archived files and compressed disks, examining archived and compressed disks and files, data format conversion, basic Novell theory and the methods for seizing and examining Novell networks, examination of Windows swap and related files and the new IACIS Examination Standards and Forensic Code of Ethics.

    He developed and implemented the IACIS Forensic Examination Standards, the IACIS Code of Ethics, the advanced Windows Processing Certification, and the past IACIS Certified Forensic Computer Examiner (CFCE) problems containing numerous technical issues. These problems must be completed to attain the CFCE certification from IACIS. He continues to instruct civilians and law-enforcement officers world-wide in computer forensic examinations.

    Mr. Mellon was the first computer forensic examiner for US Customs in Miami, Florida. In that position, he set up the forensic-examination program in Miami in 1991 and forensically examined many computers between 1991 and 1993.

    He started Key Computer Service in 1993 and has continued to forensically examine computers for US Customs, DEA, local police agencies, attorneys, private companies and individuals. He has been cited as a computer-forensic expert witness in courts and in affidavits in US District Court, Miami, Florida, and in Atlanta, Georgia.

    William J. Long has been in law enforcement since 1980 and is working for a major state agency. In addition to his duties as Chief Agent, he is also a Certified Forensic Computer Examiner (IACIS) and works investigations involving all aspects of computers and computer crime. He also serves as an Adjunct Professor of Computer Forensics within the Criminal Justice Department of Redlands College in El Reno, Oklahoma, and instructs Computer Forensics on line with the Forensics Training Program of the Key Computer Company, Key Largo, Florida.

    Mr. Long holds an Advanced Law Enforcement Certificate from the Oklahoma Council on Law Enforcement Education and Training (CLEET) as well as a DOS Seizure Certificate (DSC), DOS Processing Certificate (DPC) and Certified Forensic Computer Examiner (CFCE) Certification from the International Association of Computer Investigative Specialists (IACIS) and a BSEE from Fairleigh Dickinson University in New Jersey.

    Wayne Marney, CFCE (IACIS), has been a full-time forensic computer examiner since 1995 for a major law-enforcement agency's computer-crimes unit. He has completed more than 375 forensic exams on stand-alone and networked computer systems.

    Mr. Marney has received forensic computer training from IACIS, New Technologies, Inc., ASRDATA, LLC., and Macintosh data recovery from Symantec, Inc. He has testified at the state level in both civil and criminal cases as an expert witness on computer forensics in Oregon and New York. He has provided forensic computer civil litigation support in Washington, California, Arkansas, Texas, New York, Iowa and Oklahoma. As a past instructor and coach, as well as a member of the Board of Directors for IACIS, Research and Development, Mr. Marney has been a leader in advancing forensic computer methodology.

    Mr. Marney has been a guest speaker at University of Central Florida and Oregon State University computer science schools. His areas of expertise include: Win 9x, NT 4.0/Windows 2000, and Macintosh operating systems.

    David Riggs is a Certified Forensic Computer Examiner (CFCE) from the International Association of Computer Investigative Specialists (IACIS). Mr. Riggs retired as a federal law-enforcement officer after a long and varied career. He has served in the military police and a large-city police department (Washington, D.C.) as a homicide detective. He was an ATF agent and a Special Agent in Charge of Criminal Investigations with the Environmental Protection Agency, which was his position upon retirement.

    Mr. Riggs is an assembly-language computer programmer and software developer, as well as the builder of the forensic computer systems offered for sale on our web site. In fact, he has written several of the forensic utilities used by both IACIS and our training program. He served as a technical editor of our forensic course materials and is currently working on a new module dealing with the NTFS file system.

    Mr. Riggs is a coach/instructor with the IACIS CFCE program and has served as an instructor at the IACIS training conferences. He is very knowledgeable about DOS/Windows internals, FAT and NTFS file systems, and computer hardware. He has authored articles for the IACIS newsletter dealing with operating system internals.

    William D. Taylor is a Computer Investigative Specialist/Special Agent with a federal law-enforcement agency in Nashville, Tennessee. He has served as a full-time forensic computer examiner since 1994. Mr. Taylor is a Certified Forensic Computer Examiner (International Association of Computer Investigative Specialists), a Certified Fraud Examiner (Association of Certified Fraud Examiners), and holds an Associate Degree in Forensic Computer Science. In addition, he holds both Baccalaureate and Masters Degrees in Criminal Justice and is a graduate of the FBI National Academy. Mr. Taylor has over 24 years of investigative law-enforcement experience at the local, state, and federal levels. He served on the IACIS Board of Directors for six years: as Vice-President for one year, and as President, CEO for nearly three years.

    Phil Harrold was employed by the Odessa, Texas, Police Department from 1979-1988. His assignments included Patrol, Narcotics and Crimes Against Property. Mr. Harrold was employed from 1989-2000 by the Monroe County, Florida, Sheriff's Office. His assignments included Patrol, General Investigations, Homicide, and he was also a member of the Bomb Squad.

    Mr. Harrold has been employed from 2000 to the present by the State Attorney's Office, 16th Judicial Circuit, State of Florida, as an Investigator. In this capacity, he conducts in-depth, long-term investigations of Organized Schemes to Defraud, large-scale thefts, and RICO offenses. He also conducts investigations of computer crimes involving sales-tax fraud, child pornography and trade-secret theft. He also performs forensic examinations of all types of electronic media.

    FAQ

    1. How do I register for a Gatlin online course?

    Gatlin does not offer courses directly to the public. It offers courses through George Mason University and other colleges and universities. Please contact our office at 703-993-2113 or click here for more information or to register for a course.

    2. How much do Gatlin online courses cost?

    To view the prices for all Gatlin courses that are offered by George Mason University, please click here.

    3. Why do I have to take Gatlin courses through a participating school?

    That is the only way Gatlin Education Services offers its courses. They do not deal directly with the public.

    4. Do I have to travel to register for or to attend a Gatlin online course?

    All Gatlin courses are delivered entirely online, so you do not have to go to a class or travel to a school. Please contact our office at 703-993-2113 or click here for more information or to register for a course.

    5. How long does it take to complete a Gatlin course?

    All of our Gatlin courses are asynchronous. You can start and finish the course at your own pace. Most courses are designed to be completed within 180 days. You may request an extension if you think you will need more time to complete a course. Please contact us at 703-993-2113 or click here if you have any questions or if you would like to register for a course.

    6. Do I have to buy additional materials?

    Please refer to the green Included Materials box located on the upper right hand side of this page. If materials are included in this course, they will be shipped by Gatlin to you via UPS ground service after you have registered for a course.

    7. Can I get financial aid for Gatlin courses?

    George Mason University offers financial assistance through the Sallie Mae Training Loan Program for qualifying students. Call 703-993-2113 for more information. GES also provides a loan opportunity for students (www.collegeloanapplication.com).

    8. What happens when I complete the course?

    If you obtain a final passing grade of 70% or greater in a course, we will award you a George Mason University certificate of completion.

    9. Who will be my instructor?

    Each student is paired up with a George Mason University, OCPE, Gatlin facilitator for one-on-one interaction. The facilitator will be available (by e-mail or by telephone) to answer any questions you may have and to provide feedback on your performance. All of our facilitators are successful working professionals in the fields in which they teach.

    10. What are the system requirements in order to take an online course?

    Please see the "PC requirements" section listed for individual courses.

    11. When can I start the course?

    You can register for a course at any time.

     

    Copyright © George Mason University
    Office of Continuing Professional Education
    4400 University Drive, MS 2G2 · Fairfax, Virginia 22030 · 703-993-2109

