If you can't find what you are looking for,
please call us at 703-993-2109.

GATL 0402: Forensic Computer Examiner
Gatlin Education Online Course

COURSE DESCRIPTION

The forensic computer examiner field has grown tremendously in the past few years. For many years, law enforcement officers have been the primary forensic computer examiners; however, as criminal defense attorneys, and later civil attorneys, encountered the law-enforcement examiners, the need for qualified civilian forensic computer examiners grew. Currently, there is a huge demand for certified, qualified forensic computer examiners. Some trained examiners have started their own businesses, some work for large companies, such as Deloitte and Touche, and others work for law-enforcement agencies, such as the FBI CART teams.

This comprehensive online program prepares individuals for a career in this emerging field. Through this training, students learn to retrieve evidence and prepare reports, based on that evidence, which will stand up in a court of law. A section on the ethics of computer forensics and on the preparation and analysis of investigation results is also included.

The primary certification for civilian forensic computer examiners is the Certified Computer Examiner (CCE®) certification. The online Forensic Computer Examiner program is an authorized CCE training course and thoroughly prepares students to take the CCE certification exam.

 
Registration
Start at any time, and work at your own pace.

Click here to download the registration form.
Demo
Click here for a demonstration.
Fee

$3,195

Length

150 Hours

CEUs

15 CEUs

Included Materials

Students will be provided with some forensic software that was written specifically for forensic examiners. Each registered student will receive:

  • A fast and thorough wiping program.
  • A fast checksum program.
  • A fast program that documents files (including deleted files) on a drive.
  • A program that allows examination of unallocated space.
  • A program that makes exact forensic copies of floppy diskettes.
  • An excellent forensic "carving" utility.
  • The Passware Kit from Lost Password.com.
Contact Info.
  • Online contact form
  • Address:
      George Mason University
    Office of Continuing Professional Education
      4400 University Drive, MS 2G2
      Fairfax, VA 22030
  • Telephone: 703-993-2113
  • Fax: 703-993-2121

    Obtaining a quality forensic computer-examiner education is the best way to prepare for the profession. This online, self-paced program prepares students for CCE certification. Students will be paired with an instructor for one-on-one assistance.

    FEATURES

    This nationally recognized forensic computer examiner online training course is for the aspiring forensic computer examiner. For many years, law enforcement officers have been the primary forensic computer examiners; however, the need for qualified civilian forensic computer examiners is growing faster than ever.

    TOPIC HIGHLIGHTS

    1. Module 1
      1. Overview of what types of crimes might be solved with computer evidence.
      2. Dealing with clients and employers.
      3. Initial determination of the scope of the examination.
      4. Determining what must be done and how to proceed in an examination.
      5. Overview of reasons to use trained forensic examiners and what they may expect to encounter.
      6. Software ethics.
      7. Forensic ethical standards.
      8. Forensic examination procedures.
      9. Preparing and verifying forensically sterile examination media.
      10. Note taking and report writing.
      11. Personal computer construction, hardware and software with focus on the BIOS, BIOS limitations, hard disk translation schemes and effect on forensic examinations.
      12. A very broad overview of several operating systems including:
        1. Windows NT/2000
        2. Novell
        3. Unix/Linux
        4. DOS
        5. Windows 95/98
      13. Broad overview of networks.
      14. Acquisition, collection and seizure of magnetic media.
      15. Best method of acquiring, collecting, or seizing the various operating systems.
      16. Legal and privacy issues.
      17. Establishing a sound "chain of custody."
      18. Beginning logical structures of the Microsoft operating system FAT file system.
      19. Recovering simple deleted files.
      20. Four practical exercises in preparing and verifying forensically sterile media.
      21. Using a "carving" utility to recover data from unallocated space.
      22. Manual recovery of simple deleted files.
      23. Written examination on the material covered in this module.
    2. Module 2
      1. DOS and Windows boot process.
      2. Creating and storing files (continued).
      3. Recovering more complex deleted files.
      4. Determining the creation date.
      5. Significance of the creation date.
      6. Determining the last accessed date and the modification date and time.
      7. Significance of the last accessed date and the modification date and time.
      8. Storing Windows long file names.
      9. Consequences of deleting Windows long file names.
      10. Recovering Windows long file names.
      11. Storing sub-directories.
      12. Consequences of deleting sub-directories.
      13. Recovering a deleted sub-directory and its files.
      14. Consequences of formatting a diskette or hard disk drive.
      15. Recovering files, sub-directories and data from formatted disks.
      16. Determining which files had been deleted prior to formatting.
      17. Definition of file slack and recovering data from file slack.
      18. Five practical exercises on the logical structure of FAT file systems, file storage and the recovery of fragmented deleted files, the recovery of long file names, the recovery of deleted sub directories and the recovery of formatted disks.
      19. A written examination on the material covered in this module.
    3. Module 3
      1. An in-depth exploration of NTFS logical structures (nothing similar is available anywhere), including:
        1. The partition table
        2. The boot record
        3. Bitmaps
        4. The root directory
        5. The MFT
        6. Headers
        7. Attributes
        8. Resident files
        9. Non-resident files
        10. Run lists, etc.
        11. Alternate data streams
        12. File storage
        13. The various dates and times stored in attributes
        14. File deletion
        15. File recovery
        16. Directory storage
        17. Tracing files/directories
        18. The NTFS registry "hive"
        19. Examining NTFS drives
      2. A practical exercise involving the detailed exploration of the NTFS logical structures on a specially prepared NTFS drive.
      3. A written examination regarding the material covered in this module.
    4. Module 4
      1. Making a Windows 98 forensic boot disk.
      2. Making "exact" images of media: the various imaging methods.
      3. Using Firewire write blockers.
      4. The significance and location of, and recovering data from:
        1. Swap Files
        2. Temporary Files
        3. Internet Cache Files
        4. Email files
        5. Internet Cookies
        6. Internet Sites Visited
      5. Basic Internet issues. Doing a basic "whois" and similar Internet checks.
      6. Preserving the original media.
      7. Preventing inadvertent writes to the original media, virus introduction to the original media, and activation of "booby traps" on the original media.
      8. Making bitstream (exact copies) of the original media.
      9. Safe handling of the media by the forensic examiner.
      10. The most common situations that an examiner may encounter during an examination.
      11. Finding and documenting normal data or graphical files.
      12. How people commonly try to hide data.
      13. Finding and documenting data and files in unallocated space.
      14. Finding hidden data.
      15. An overview of password protection and unlocking passwords.
      16. Accessing and interpreting "metadata" in MS Office documents.
      17. Three practical exercises on recovering data from swap files, temporary files, etc., determining registration of a URL, finding and documenting normal data on magnetic media, finding hidden data, unlocking passwords and accessing metadata.
      18. A written examination regarding the material covered in this module.
    5. Module 5
      1. Data formats and types.
      2. Basic data format conversion.
      3. Examining CDR media and accessing multiple unclosed sessions.
      4. Managing data.
      5. Presenting the data to the client in a useful format.
      6. Presenting data in court or other proceedings in a clear and understandable manner.
      7. Marking, storage, and transmittal of evidence.
      8. Basic use of automated forensic suites (AccessData's Forensic Toolkit (FTK)).
      9. A practical exercise in which the students examine a specially prepared hard-disk drive, draw the appropriate conclusions, write a good report and present the evidence found in a manner that is clear and understandable.
      10. A written examination regarding the material covered in this module.
    6. Additional resources provided
      1. Detailed handout for each module covered, usable as a reference manual.
      2. Sample reports.
      3. Additional practical exercises.
      4. DOS primer
      5. Diskedit primer and other useful information and applications.
      6. Subscription to a forensic listserver that provides both administrative and technical information.
      7. Continuing access to updated material via the GES web site, even after course completion.

    CERTIFICATE REQUIREMENTS

    Sample George Mason University Certificate of Completion

    A score of 70% or better must be achieved in order to receive a Certificate of Completion.

    COURSE OBJECTIVES

    After successful completion of the Forensic Computer Examiner online program, students will:

    • Understand what makes an examiner a good examiner.
    • Be able to explain to clients why trained forensic examiners should be used.
    • Understand what a forensic examiner may expect to encounter during an examination.
    • Understand software licensing and how it affects forensic examiners.
    • Understand forensic ethical standards as they apply to forensic examiners.
    • Understand basic forensic examination procedures.
    • Be able to prepare and verify forensically sterile examination media.
    • Understand the importance and methodology of note taking and reports.
    • Understand basic PC hardware identification.
    • Have a basic understanding of the legal privacy issues relating to the examination of magnetic media.
    • Understand when a legal opinion may be necessary to prevent privacy issues from interfering with the examination or causing a valid lawsuit.
    • Have a basic understanding of how to properly acquire, collect, or seize magnetic media.
    • Understand how to properly establish and maintain the physical "chain of custody" of media and evidence.
    • Make exact forensic copies of original floppy-diskette media.
    • Use our FSUITE forensic utilities.
    • Understand the logical structures of DOS and Windows 95/98.
    • Understand where the creation and modification dates and times are stored in a directory entry.
    • Understand the significance of the creation and modification dates and times.
    • Understand how to recover data from unallocated space.
    • Understand and explain how files are created.
    • Understand and explain what happens when a file is deleted.
    • Understand, explain, and manually recover DOS legal single and multiple cluster deleted files.
    • Understand, explain, and manually recover DOS legal multiple cluster fragmented deleted files.
    • Understand how to determine the Last Accessed Date and the Modification Date and Time, their significance and when they are modified.
    • Understand how Windows long file names are stored, what happens when they are deleted, and how to restore long file names.
    • Understand how sub-directories are stored, what happens when they are deleted and how to recover deleted sub-directories.
    • Understand what happens when a diskette or hard-disk drive is formatted and how to recover files, sub-directories, and data from formatted disks.
    • Understand the NTFS partition table, boot record, and root directory.
    • Understand bitmaps.
    • Understand the MFT.
    • Understand NTFS headers and attributes.
    • Understand resident and non-resident files.
    • Understand run lists, etc.
    • Understand alternate data streams.
    • Understand NTFS file storage.
    • Understand the various dates and times stored in attributes.
    • Understand file deletion and recovery.
    • Understand directory storage.
    • Understand tracing files/directories.
    • Understand the NTFS registry "hive."
    • Understand examining NTFS drives.
    • Understand how to make a Windows 98 forensic boot disk.
    • Understand the basic imaging methods and how to make "exact copies" of media.
    • Understand the significance of, location of and how to recover data from swap files, temporary files, Internet cache files, Internet cookies, mail files, and Internet sites visited.
    • Understand basic Internet issues, such as doing a basic "whois."
    • Understand how to preserve the original media.
    • Understand how to prevent inadvertent writes.
    • Understand how to prevent virus introduction and how to prevent activation of "booby traps."
    • Understand how to safely handle media.
    • Understand how to find and document normal data and graphical files.
    • Understand how people commonly try to hide data.
    • Understand how to find and document data in unallocated space.
    • Understand how to find hidden data.
    • Understand password protection schemes and how to lock and unlock many passwords.
    • Understand how to access MS Word metadata.
    • Understand the basic use of automated forensic suites (FTK).
    • Understand basic data formats and types.
    • Understand how to conduct basic data-format conversions.
    • Understand the basic issues in examining CDR media.
    • Understand how to present recovered and evidence data to the client in a useful format.
    • Understand how to manage data.
    • Understand how to present data in court or other proceedings in a clear and understandable manner.
    • Have conducted an examination of a hard disk drive that covers the full range of forensic issues found in this training course.

    PDF BROCHURE

    Please click here to download the PDF brochure for the Gatlin online courses offered by OCPE.

    This brochure and the registration form for this course require Adobe Reader. Click here to download the latest version of Adobe Reader.

    WHO SHOULD ATTEND

    Students must have no criminal record. Basic computer skills, including the ability or desire to work outside the Windows GUI interface, are necessary. The ability or desire to remove hard-disk drives from computers and change jumpers is required.

    Note: Students who plan to pursue the Certified Computer Examiner (CCE®) credential must have attended a course like this course or have documented experience in forensic computer examinations or have documented self study.

    PC REQUIREMENTS

    Minimum Computer Requirements

    • PC with latest updates and BIOS (Mac computers may not be used)
    • Windows 98SE, 2000, or XP operating system (Vista and Windows 7 as well as all 64-bit processors are not yet supported)
    • Internet access
    • 1 GB (or more) memory
    • 2 GB or larger hard disk drive for examination purposes
    • 2 open USB 2.0 ports

    Recommended Configuration

    • PC with latest updates and BIOS
    • Windows 2000 or XP operating system (Vista and Windows 7 as well as all 64-bit processors are not yet supported)
    • Internet access - High speed Internet access is recommended.
    • 2 GB (or more) memory
    • 15 GB or larger hard disk drive for examination purposes
    • Integrated PS/2 ports (Not USB keyboard or mouse)
    • 4 open USB 2.0 ports
    • 1 open Firewire/IEEE 1394 port
    • Read/write blocking device such as the 'FireFly Read/Write' device made by Digital Intelligence

    Students may use either a desktop or a laptop computer.

    The material used in this course is based on the concept of teaching computer forensics from a vendor neutral perspective. This course teaches the low level mechanics of commonly encountered file systems. If a student can gain a solid understanding of one file system and how it functions at a low level then that student will be prepared to learn other file systems as well.

    This course material will teach low level mechanics and functions of both the FAT file system and the New Technology File System (NTFS). Although the FAT file system is not available on new computers, it is the default file system on floppy diskettes and USB devices. Many computer forensic incidents involve USB devices and will continue to involve these devices for years to come. Consequently, students studying to become successful forensic computer examiners must understand the FAT file system.

    Windows 98 and earlier versions are based on the FAT file system. A computer formatted with Windows 2000, XP, and Vista versions will typically be formatted with the NTFS file system.

    The completion of several practical exercises is a requirement of this course. Some might include floppy diskettes. Although the floppy diskette is no longer commonly encountered in the field, it is the exercise that is significant and any action taken on a floppy diskette can be replicated on a hard drive.

    The Forensic Computer Examiner program will train you to not only thoroughly examine digital media, but also clearly document, control, prepare, and present examination results.

    This program includes instruction on conducting thorough examinations, identifying where and how data is stored, recovering and interpreting data, and drawing appropriate conclusions based on the data.

    A sound understanding of the FAT and NTFS file systems is critical to forensic examination. These file systems are important because they are the base of Windows operating systems, portable flash media, storage devices, and other digital media in use everywhere today. USB drives, mobile phones, laptops, desktops, and cameras are examples of common types of equipment that use these systems. FAT file system logical structures are utilized by DOS and Windows 9.x. NTFS logical structures are utilized by Windows NT, 2000, XP, and Vista.

    Students will be provided a package of forensic industry-standard software bundled with this course. Each registered student will receive

    INSTRUCTORS

    This course is taught by part-time George Mason University, OCPE, Gatlin instructors.

    John Mellon is the president of Key Computer Services and author of the computer-forensic-examination course. He is a retired U.S. Customs Senior Special Agent with 28 years of investigative experience and more than 17 years of experience with computers. He is an IACIS certified forensic-computer examiner. Mr. Mellon had initial experience with the CP-M operating system in 1986. He had initial computer forensic training in 1991 by the International Association of Computer Investigative Specialists (IACIS). He has been an active member of IACIS and is a member of the Board of Directors.

    He is the past chairman of the IACIS DOS Seizure Certification Committee and the past chairman of the IACIS DOS/Windows Processing Certification Committee. He is the past chairman of the Certification Committee and the past Chairman of the IACIS Board of Directors. Mr. Mellon has been a lead instructor at IACIS training conferences and has been involved in the training of hundreds of law-enforcement officers world-wide in computer forensics since 1994. He has taught numerous highly technical subjects including DOS and Windows 95/98 file systems, architecture and the boot process, DOS and Windows 95/98 examination techniques and procedures, recovery of deleted files, recovery of Windows long file names, and date and time stamp alterations. He also has taught recovering formatted disks, the process and problems in making forensic copies of media, file-type identification, and the use of file-viewing applications during examinations, the theory of archived files and compressed disks, examining archived and compressed disks and files, data format conversion, basic Novell theory and the methods for seizing and examining Novell networks, examination of Windows swap and related files and the new IACIS Examination Standards and Forensic Code of Ethics.

    He developed and implemented the IACIS Forensic Examination Standards, the IACIS Code of Ethics, the advanced Windows Processing Certification, and the past IACIS Certified Forensic Computer Examiner (CFCE) problems containing numerous technical issues. These problems must be completed to attain the CFCE certification from IACIS. He continues to instruct civilians and law-enforcement officers world-wide in computer forensic examinations.

    Mr. Mellon was the first computer forensic examiner for U.S. Customs in Miami, Florida. In that position, he set up the forensic-examination program in Miami in 1991 and forensically examined many computers between 1991 and 1993.

    He started Key Computer Service in 1993 and has continued to forensically examine computers for U.S. Customs, DEA, local police agencies, attorneys, private companies, and individuals. He has been cited as a computer-forensic expert witness in courts and in affidavits in U.S. District Court, Miami, Florida, and in Atlanta, Georgia.

    William J. Long has been in law enforcement since 1980 and is working for a major state agency. In addition to his duties as Chief Agent, he is also a Certified Forensic Computer Examiner (IACIS) and works with investigations involving all aspects of computers and computer crime. He also serves as an adjunct professor of computer forensics within the Criminal Justice Department of Redlands College in El Reno, Oklahoma, and instructs computer forensics online with the Forensics Training Program of the Key Computer Company, Key Largo, Florida.

    Mr. Long holds an Advanced Law Enforcement Certificate from the Oklahoma Council on Law Enforcement Education and Training (CLEET) as well as a DOS Seizure Certificate (DSC), DOS Processing Certificate (DPC), and Certified Computer Forensic Examiner (CFCE) Certification from the International Association of Computer Investigative Specialists (IACIS) and a BSEE from Fairleigh Dickinson University in New Jersey.

    Wayne Marney, CFCE (IACIS), has been a full-time forensic computer examiner since 1995 for a major law-enforcement agency's computer-crimes unit. He has completed more than 375 forensic exams on stand-alone and networked computer systems.

    Mr. Marney has received forensic computer training from IACIS, New Technologies, Inc., ASRDATA, LLC., and Macintosh data recovery from Symantec, Inc. He has testified at the state level in both civil and criminal cases as an expert witness on computer forensics in Oregon and New York. He has provided forensic computer civil litigation support in Washington, California, Arkansas, Texas, New York, Iowa, and Oklahoma. As a past instructor and coach, as well as a member of the Board of Directors for IACIS, Research and Development, Mr. Marney has been a leader in advancing forensic computer methodology.

    Mr. Marney has been a guest speaker at University of Central Florida and Oregon State University computer science schools. His areas of expertise include: Win 9x, NT 4.0/Windows 2000, and Macintosh operating systems.

    David Riggs is a Certified Forensic Computer Examiner (CFCE) from the International Association of Computer Investigative Specialists (IACIS). Mr. Riggs retired as a federal law-enforcement officer after a long and varied career. He has served in the military police and a large-city police department (Washington, D.C.) as a homicide detective. He was an ATF agent and a Special Agent in Charge of Criminal Investigations with the Environmental Protection Agency, which was his position upon retirement.

    Mr. Riggs is an assembly-language computer programmer and software developer, as well as the builder of the forensic computer systems offered for sale on the Gatlin web site. In fact, he has written several of the forensic utilities used by both IACIS and the Gatlin training program. He served as a technical editor of the Gatlin forensic course materials and is currently working on a new module dealing with the NTFS file system.

    Mr. Riggs is a coach/instructor with the IACIS CFCE program and has served as an instructor at the IACIS training conferences. He is very knowledgeable about DOS/Windows internals, FAT and NTFS file systems, and computer hardware. He has authored articles for the IACIS newsletter dealing with operating system internals.

    William D. Taylor is a computer investigative specialist/special agent with a federal law-enforcement agency in Nashville, Tennessee. He has served as a full-time forensic computer examiner since 1994. Mr. Taylor is a Certified Forensic Computer Examiner (International Association of Computer Investigative Specialists), a Certified Fraud Examiner (Association of Certified Fraud Examiners), and holds an associate degree in forensic computer science. In addition, he holds both baccalaureate and master's degrees in criminal justice and is a graduate of the FBI National Academy. Mr. Taylor has over 24 years of investigative law-enforcement experience at the local, state, and federal levels. He served on the IACIS Board of Directors for six years, as Vice-President for one year, and as President, CEO for nearly three years.

    Phil Harrold was employed by the Odessa, Texas, Police Department from 1979-1988. His assignments included Patrol, Narcotics and Crimes Against Property. Mr. Harrold was employed from 1989-2000 by the Monroe County, Florida, Sheriff's Office. His assignments included Patrol, General Investigations, Homicide, and he was also a member of the Bomb Squad.

    Mr. Harrold has been employed from 2000 to the present by the State Attorney's Office, 16th Judicial Circuit, State of Florida, as an Investigator. In this capacity, he conducts in-depth, long-term investigations of Organized Schemes to Defraud, large-scale thefts, and RICO offenses. He also conducts investigations of computer crimes involving sales-tax fraud, child pornography, and trade-secret theft. He also performs forensic examinations of all types of electronic media.

    FAQ

    1. How do I register for a Gatlin online course?

    Please contact our office on the Fairfax campus in Northern Virginia (NOVA) or call 703-993-2113. Click here for more information or to download a copy of the registration form.

    2. How much do Gatlin online courses cost?

    To view the prices for all Gatlin courses that are offered by George Mason University, please click here.

    3. Why do I have to take Gatlin courses through a participating school?

    Gatlin does not offer courses directly to the public. They partner with major colleges and universities to offer their programs.

    4. Do I have to travel to register for or to attend a Gatlin online course?

    All Gatlin courses are delivered entirely online; you do not have to go to a class or travel to a school. If you are unable to visit our office on the Fairfax campus in Northern Virginia (NOVA), please contact us at 703-993-2113 or click here for more information or to register for a course.

    5. How long does it take to complete a Gatlin course?

    All of our Gatlin courses are asynchronous. You can start and finish the course at your own pace. Most courses are designed to be completed within 180 days. You may request an extension if you think you will need more time to complete a course (fees may apply). Please contact us at 703-993-2113 or click here if you have any questions or if you would like to register for a course.

    6. Do I have to buy additional materials?

    Please refer to the green Included Materials box located on the upper right hand side of this page. If materials are included in this course, they will be shipped by Gatlin to you via UPS ground service after you have registered for a course.

    7. Can I get financial aid for Gatlin courses?

    Gatlin courses are non-credit and therefore are not eligible for Federal Student Aid. However, there are a number of loan programs that can be used to fund your course. Click here to view a list of these options or call 703-993-2113 for more information. Gatlin also provides a loan opportunity for students (www.collegeloanapplication.com).

    8. What happens when I complete the course?

    If you obtain a final passing grade of 70% or greater in a course, we will award you a George Mason University certificate of completion.

    9. Who will be my instructor?

    Each student is paired up with a facilitator for one-on-one interaction. The facilitator will be available (by e-mail) to answer any questions you may have and to provide feedback on your performance. Facilitators are all successful working professionals in the fields in which they teach.

    10. What are the system requirements in order to take an online course?

    Please see the "PC requirements" section listed for individual courses.

    11. When can I start the course?

    Registrations are rolling. Please send us your registration form at the time you wish to start your course. Registrations take five to seven business days to process.

     


     

    Copyright © George Mason University
    Office of Continuing Professional Education
    4400 University Drive, MS 2G2 · Fairfax, Virginia 22030 · 703-993-2109

