When working in forensics you will have to keep yourself informed of the latest developments in the field; that’s one of the reasons I started creating this blog. Recently I have been attending several Live Online Training (LOT) courses given by Syntricate (the training branch of AccessData). After having attended over 7 courses I thought it would be nice to share my experiences with others who might be considering signing up.
The sign-up procedure is very simple: in my case, I contacted a salesperson at AccessData and told them what course I wanted to join. The website of Syntricate has a useful training calendar that outlines all the courses and the available dates. They also provide a syllabus per training which indicates the course prerequisites, required class materials and software, and the learning objectives. The basic classes like FTK Bootcamp don’t require any prior knowledge of the software and are excellent courses for people just starting. The more advanced classes like Mac Forensics and Applied Decryption require basic knowledge of forensics and might be hard to grasp if it isn’t your day job. The teachers, however, do an excellent job of trying to explain everything, answering any questions you might have and making sure everyone moves along at the same pace.
A few days prior to the scheduled course you will receive an e-mail containing links to the training manual in PDF format and to the student materials. Most manuals are recently updated, in some cases just days before the class, making sure that the manuals also include the latest changes like the release of a new version of FTK or changes in Windows. The training manual contains the entire course in written text, including the PowerPoint slides and exercises. The student materials contain all the tools used during the course and also the images that are being examined.
Some courses also include a VM which is used during the course to further explain the mechanics behind an operating system. These virtual machines are not included in the class materials. The e-mail will also contain links to the Cisco WebEx to be used on the day of the training.
Live Online Training
About 30 minutes prior to the start of a training you will be able to log into the WebEx session. During this time it is highly recommended you test your audio to make sure you are able to actively participate during the course. While not required, having the option to use a microphone greatly improves the interactivity of the course. Also during this period, a PowerPoint will be running on repeat explaining basic things like contact information, course schedule and break times.
The course starts at the top of the hour at 9 AM (local time zone of the instructor). Most instructors start by introducing themselves and explaining how WebEx works. There is also a short introduction round where all participants get the chance to tell something about themselves, what they do and what they expect from the course, making it a good networking opportunity. During the course, you will have the possibility to “raise your hand” if you want to ask a question or use the chatbox. Asking questions is encouraged and will sometimes lead to interesting discussions.
After the introduction, all participants are assigned a computer. Using LogMeIn you will take control of a physical laptop in the instructor’s office. The great thing about this is that during the course the instructor is able to monitor the progress of all participants and is able to quickly help if someone has a problem or a question. All classes start with the installation of the software that is going to be used during the course.
Every instructor has his own way of teaching. Some will mainly use PowerPoint slides and do the exercises from the training manual, while others will have a more hands-on approach where the teacher does things and you follow along on your machines. Every hour there will be a short break of 5 to 10 minutes; these breaks usually take place when the computer is processing data so that it’s all done when you return.
At the moment I have attended over 7 courses via the Live Online Training method offered by Syntricate/AccessData and I can highly recommend using this method. In a lot of cases visiting live classes just isn’t a viable option. LOT works great and the instructors make good use of the WebEx functionality.
Working on a machine provided by the instructor means that he is able to monitor your progress and effectively provide assistance when necessary. It also means you don’t need to provide your own machine which is great if you don’t have a spare machine that you can use.
Since the training manual contains the complete training in PDF format, it’s easy to repeat the exercises if you ever want to refresh your memory.
It’s also worth mentioning that while these courses are essentially offered by AccessData (creators of FTK) and thus the main tool you will be using is FTK, it’s certainly not the only tool you will be using. During the course all options are discussed; never did any instructor claim that FTK was the only good tool for the job. Options like X-Ways and EnCase were also discussed. The courses are not a sales pitch for AccessData products, something which is quite refreshing.
Overall I had a great time during the courses and I am looking forward to the next course.
FTK BootCamp (Instructor: John Minotti)
Great course if you are new to FTK or if you are like me and want to brush up on your FTK basics.
Advanced FTK (Instructor: Robert Buhecker)
This course goes into the advanced features of FTK like Visualisation, Cerberus and advanced filter options. Highly recommended if you want to know more about these features. Robert is also a great instructor who even went out of his way to find out if PhotoDNA was able to detect a picture of a picture by experimenting after class after I asked him about it.
Android Forensics (Instructor: Nick Jenkins)
This course mainly focuses on the inner workings of Android. During this course you will also use the Android SDK to extract data. Very informative if you are already into mobile forensics.
Computer Forensics and the Cloud (Instructor: John Minotti)
When I took this course (April 2017) it felt a bit outdated. The guide hadn’t been updated in a while and the course didn’t seem to include the latest developments. It’s still a good introduction to cloud forensics, but in my opinion it was too focussed on extracting data from cloud services. I would have liked to learn more about the artifacts left behind from using cloud services.
Mac Forensics (Instructor: Jim Martin)
This course is great if you want to learn about Mac forensics. Jim is clearly an avid Mac user and knows the ins and outs of the operating system. There are some tools on the market that are better suited to investigating a Mac, but after following this course I’m confident that I will be able to bring any investigation involving Macs to a close.
Linux Forensics (Instructor: Jim Martin)
This is a one-day workshop. It mainly focusses on what Linux is and how it works. It is highly recommended that you have followed a Windows or Mac class before you take the Linux class, since it takes a lot for granted. It’s going to explain where Linux stores its logs and application data, but it isn’t going to explain the application artifacts themselves or the workings of FTK and PRTK. Jim Martin, however, will always make sure to explain the basics and will also maintain proper forensic procedures, even during a workshop.
Applied Decryption (Instructor: Dustin Hurlbut)
This course is mainly a PRTK/DNA course. PRTK is the Password Recovery Toolkit, a very powerful utility to crack the password for just about any file out there, from docx files to VeraCrypt and BitLocker volumes. The course is clearly an advanced course. Dustin is a great instructor and knowledgeable on the subject. I highly recommend this course if you want to know the ins and outs of PRTK.