Ultimate Bootcamp IT Training - Where Great Professionals Go for Great Training!

Virtual Infrastructure Forensics

Examine. Discover. Report.

This course attempts to marry two enormously challenging areas facing IT security professionals today: incident response and virtualization. The cat-and-mouse game between policy enforcers and incident perpetrators within traditional, physical enterprises is even more pronounced as enterprise architects seek to avail themselves of the benefits of virtual platforms, operating systems, applications, processes and desktops.

The great news is that we have an opportunity to embed features within the virtual components of our enterprise architecture, so as to make incident response that much easier. We will discuss these here. And for those already operating within a virtual environment, we will explore emerging techniques, tools and tips to plan and control virtual incident response more effectively.

This course takes the point of view that forensics is at the heart of incident response, and so will focus on how to gather evidence relating to an incident – the what, when, where, who and why of an incident – within common virtual environments today.

Digital forensics is the 'forensically-sound' acquisition of evidence from computers, networks, data repositories and fixed or mobile client devices, to support a specific hypothesis. Techniques and tools have been developed to deal with the various scenarios in which forensics investigators find themselves. Increasingly though, forensics investigators have been called on to forensically examine hybrid infrastructures consisting of both physical and virtual entities; some have been asked to examine purely virtual infrastructures.

Do current techniques and tools, designed for physical infrastructure-based scenarios, lend themselves naturally to virtual infrastructures? Yes and no. This course will dive deeply into what is commonly referred to as a "virtual infrastructure" by three vendors (VMware, Microsoft and Citrix), and contrast the various virtual entities against their physical counterparts, clearly demonstrating the forensically-relevant differences therein; we will then utilize a lab-centric, scenario-based approach to demonstrate how to forensically examine relevant components of a virtual infrastructure for specific use cases.

Course Objectives

Participants will be able to apply forensically-sound best practice techniques against virtual infrastructure entities in the following use case scenarios:

Who Should Attend This Course? (Prerequisites)

This course is designed for the following participant types:

Course Length

5 Days (9 AM to 5 PM)