Advanced Bootcamp Details
IXTK 3-Day Advanced Bootcamp Training Course
SiQuest Professional Series Training
The IXTK 3-Day Advanced Bootcamp in-class training course has been designed to provide students with a solid understanding of the comprehensive user interface, extensible features and capabilities of IXTK; the artifacts supported and managed by IXTK; the unique FaceDNA™ biometric facial recognition functionality; the online Internet investigation and evidence features; and the built-in case tracking, workflow and auditing components in IXTK that rival other Internet forensic tools. Student practical exercises, based on real-world scenarios, are designed to reinforce the concepts learned. All course instructors are veteran investigators with extensive practical experience in law enforcement or private industry.
- Proper installation and usage of IXTK
- Supported search options and data source types
- Best practices for selecting, managing and searching for artifacts
- Managing, organizing and reporting case evidence
- Working with filters, custom queries, keywords and dictionaries
- Using IXTK built-in viewers and video analysis tools
- Effective online investigations and data collection
- Using FaceDNA™ to extract, identify and match faces
- Using domain research tools to track, locate and identify persons of interest (POI)
WHO SHOULD ATTEND
The 3-Day IXTK Advanced Bootcamp course caters to digital forensic investigation and information security practitioners from law enforcement, government, military and private industry. Students who are new to IXTK, or who are already users of IXTK without any formal training, will walk away with a solid understanding of the full features and functionality of IXTK, and an appreciation of how IXTK can add value to existing case workflows. Students will learn how to search for and recover Internet artifacts from physical disks, memory dump files, mobile device data repositories, and cloud-based resources.
Module 1: Introduction and Product Installation
In this first module, students will be provided with background information about SiQuest and the product history of Internet Examiner® Toolkit. Strategies for future product updates and features, licensing options, and support resources will be covered. Proper installation and configuration of SiQuest software, including a review of the course materials, will also be covered.
Module 2: Internet Examiner® Toolkit (IXTK) Main User Interface
In this module, students will explore the four main panes in the user interface: the Navigation Pane, the Data Pane, the Record Details Pane, and the Viewer Pane; the top menu bar (File, View, Tools, Help); the New Search window (Disk Sectors, Free Space, Logical Files, Network Files and Find Faces); and how to create and open case files. Students will also be shown how to natively mount and explore common forensic disk image formats (Ex01, Lx01, E01, L01, Raw, DD) and identify common target files (pagefile.sys, hiberfil.sys, user accounts, volume shadow copies). With IXTK™ version 5, data is managed in different panes, and these panes can be detached or undocked and then floated or expanded to occupy a second display. Students will learn how to re-dock, pin and hide panes.
Module 3: Creating and Configuring New Projects
Students will learn how to create a new project (case) file and how to configure options via the main Options Window (Agency Details, Error Tracing, Event Tracking, Time Zone, Performance Settings, FaceDNA™, Cloud API). A close look at the internal structure of the SQLite database that is the backbone of the project file will help students understand the complexity and extensibility of IXTK. The accompanying project sub-folders and their importance will be reviewed and discussed in detail. A solid understanding of what is going on behind the scenes is an important lesson, as it builds confidence in knowing how IXTK™ is really working with the evidence. Students will quickly come to realize that IXTK™ is definitely NOT a push-button forensic tool and will come to appreciate how IXTK™ differs in large respects from competitor products.
Module 4: Importing and Viewing Data
To get things started, students will be importing sample data for testing and experimentation purposes. This will include sample artifacts derived from browser cache, history, email, chat, pictures, movies and mobile device apps. Students will observe how IXTK parses and inserts evidence into the case file; how Records can be viewed in a variety of different formats (Text, Hex, HTML, Picture, Video); how to use the Hex Viewer and its built-in hex decoder to manually validate parsed evidence; and finally, how to use the different Viewer context menu functions to drill down into the evidence.
Module 5: Exploring the Artifact Framework and Custom Keywords
The Artifact Framework™ is a proprietary profiling system that allows IXTK to grow its support for new artifacts quickly, efficiently, and consistently. In this module, the various artifact categories will be reviewed in detail and the terms “Trace Artifact” and “File Artifact” will be defined. Students will practice searching for various artifacts and keywords, observe how IXTK uses multi-threading to run concurrent discovery tasks, and manage search threads via the Thread Status Window. This module will also serve as a brief introduction to regular (grep) expressions, which are the common tool for wildcard and pattern-based value searching. Students will also try their hand at creating custom artifacts and learn how they are managed within the Artifact Framework™ and then exposed within the IXTK user interface.
Module 6: Filtering, Managing and Organizing Evidence
In this module, students will start by filtering evidence using the Filters tab in the Navigation Pane and then explore Records using the different Data Tabs (Table, Gallery, List). Organizing and describing data will be demonstrated and practiced (Tag, Bookmark, Label, Exclude, Quarantine, Hide). Students will also learn how to tailor their search results using the built-in filter bar on the Table Tab, as well as how to export records to Excel. An introduction to the global processing options (via the Process button on the toolbar) will demonstrate how to create case-wide dictionaries of keywords and Internet search terms.
Module 7: Working with Large Datasets and Building Custom Queries
Internet Examiner Toolkit is capable of storing terabytes of data, which equates to hundreds of thousands or even millions of records. To optimize the performance of the software, Paginated Recordsets are used widely within the program, wherever data is viewed as records (Table, Gallery). Understanding how to work with the Pagination Toolbars is essential to working efficiently with large volumes of data. The second most important skill students must learn is how to create custom queries in order to drill down on data and home in on key pieces of evidence. Using the Custom Query Builder, students will learn how to define new queries; access and re-run previously run queries; copy and edit existing queries; and save queries. During this module, basic SQL syntax will be taught and students will start to write their own queries in raw SQL.
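To make the two ideas in this module concrete, here is an added example (written for this page, not SiQuest's own code) of a paginated custom query over a small SQLite case file. The `records` table, its columns and the sample rows are assumptions constructed for illustration and are not IXTK's real schema; the point is how `LIMIT`/`OFFSET` pagination and parameter-bound filters work together, and why keyword values are bound as parameters rather than pasted into the SQL text.

```python
import sqlite3

# Constructed sample rows standing in for parsed Internet artifacts
# (artifact_type, content, timestamp_utc, tagged). Hypothetical data.
SAMPLE_RECORDS = [
    ("browser_history", "https://example.com/login",               "2021-03-01T10:15:00Z", 0),
    ("browser_history", "https://example.com/account/settings",    "2021-03-01T10:20:00Z", 1),
    ("chat",            "meet me at the usual place",              "2021-03-01T11:05:00Z", 0),
    ("email",           "Re: invoice attached",                    "2021-03-02T08:00:00Z", 0),
    ("browser_history", "https://example.net/search?q=example",    "2021-03-02T09:30:00Z", 0),
    ("chat",            "sent the example file",                   "2021-03-02T09:45:00Z", 1),
    ("browser_cache",   "https://example.com/static/app.js",       "2021-03-02T09:50:00Z", 0),
]


def build_case_db() -> sqlite3.Connection:
    """Create an in-memory case database with an assumed 'records' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE records (
               record_id     INTEGER PRIMARY KEY,
               artifact_type TEXT    NOT NULL,
               content       TEXT    NOT NULL,
               timestamp_utc TEXT    NOT NULL,
               tagged        INTEGER NOT NULL DEFAULT 0)"""
    )
    conn.executemany(
        "INSERT INTO records (artifact_type, content, timestamp_utc, tagged) "
        "VALUES (?, ?, ?, ?)",
        SAMPLE_RECORDS,
    )
    conn.commit()
    return conn


def _where(artifact_type=None, keyword=None):
    """Build the WHERE clause and its bound parameters for the optional filters."""
    clauses, params = [], []
    if artifact_type:
        clauses.append("artifact_type = ?")
        params.append(artifact_type)
    if keyword:
        # The keyword is bound as a parameter: it is treated as data,
        # never parsed as SQL, so a value like "' OR 1=1 --" matches nothing.
        clauses.append("content LIKE ?")
        params.append(f"%{keyword}%")
    where = ("WHERE " + " AND ".join(clauses)) if clauses else ""
    return where, params


def count_matches(conn, artifact_type=None, keyword=None) -> int:
    """Total number of records the filters select (needed to size the pager)."""
    where, params = _where(artifact_type, keyword)
    return conn.execute(f"SELECT COUNT(*) FROM records {where}", params).fetchone()[0]


def query_page(conn, artifact_type=None, keyword=None, page=1, page_size=3):
    """Return one page of matching records, oldest first, as a list of tuples."""
    where, params = _where(artifact_type, keyword)
    sql = (
        "SELECT record_id, artifact_type, content, timestamp_utc "
        f"FROM records {where} ORDER BY timestamp_utc, record_id LIMIT ? OFFSET ?"
    )
    return conn.execute(sql, params + [page_size, (page - 1) * page_size]).fetchall()


if __name__ == "__main__":
    db = build_case_db()
    total = count_matches(db, keyword="example.com")
    pages = -(-total // 3)  # ceiling division: number of pages at page_size=3
    for p in range(1, pages + 1):
        for row in query_page(db, keyword="example.com", page=p):
            print(p, row)
</test>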
Module 8: Exploring Filters
As students become more familiar with filtering data, they will need to learn about some very particular filters and how to use them effectively (My Tagged Records, My Bookmarks, My Keywords, My Labels, Explore Timeline, Explore Hosts, etc.). The specialized Aggregate Records function will be practiced, as well as manually refreshing filter hit counts and reloading the tree.
Module 9: Conducting Online Investigations
IXTK is the first and only Internet forensics tool that provides an integrated Google Chrome based browser to investigate “live” Internet resources in “real time”. Students will learn how to capture web pages and web page contents (HTML, CSS, JS, pictures, downloads) using a variety of built-in techniques (Snip Tool, Snapshot, Web Capture), and how to rebuild web pages from browser cache. Retrieving Facebook photos, Twitter photos, and YouTube videos will be covered. The new domain research tools using the integrated domainIQ.com API will be used extensively to track, locate and identify cyber criminals, associates and web site/domain contacts using API functions (WhoIs, Domain IP WhoIs, Reverse IP, Reverse DNS, Reverse MX, Email Search, Name Search). Students will learn how IXTK automatically tracks investigator activities as part of the case workflow and how this saves time by writing notes for them. Finally, sifting through the results and reporting on the evidence will be practiced.
Module 10: Timeline Analysis
In this module, students will learn in detail how time is managed by Windows and how Coordinated Universal Time (UTC) plays a vital role in the study of events and artifact chronology. The new Device Time capture in IXTK will also be discussed, along with how its use can help demystify time discrepancies between real time and out-of-sync search targets (computers, notebooks). Time zones and the impact of times originating from regions in the Northern and Southern hemispheres will be discussed in great detail. A series of practical exercises will drive home the importance of this module.
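The three mechanics this module names (Windows timestamps, a captured device clock that is out of sync, and local times from both hemispheres) come together in the added example below, written for this page rather than taken from IXTK. It decodes a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), measures device clock skew from a captured device time against a trusted reference, and normalizes every event to UTC before ordering them. The event records, the 90-second skew and the fixed UTC offsets (Toronto at UTC-5 and Sydney at UTC+11 for early March, before the northern DST change) are constructed assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-ns intervals from this epoch, always in UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """Decode a Windows FILETIME to a timezone-aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as a Windows FILETIME (inverse of filetime_to_utc)."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def local_to_utc(local_str: str, offset_hours: int) -> datetime:
    """Interpret 'YYYY-MM-DD HH:MM:SS' at a fixed UTC offset and convert to UTC."""
    naive = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=offset_hours))).astimezone(timezone.utc)


def device_skew(device_clock_utc: datetime, reference_utc: datetime) -> timedelta:
    """Skew of the seized device's clock: device reading minus trusted reference,
    both captured at the same instant. Positive means the device runs fast."""
    return device_clock_utc - reference_utc


# Constructed events from three sources. Fields:
# (source, kind, value, utc_offset_hours, came_from_seized_device)
CONSTRUCTED_EVENTS = [
    ("NTFS timestamp on seized laptop", "filetime", 132590673000000000, None, True),
    ("Toronto chat log (EST, UTC-5)",   "local",    "2021-03-01 05:14:00", -5, False),
    ("Sydney mail header (AEDT, UTC+11)", "local",  "2021-03-01 21:16:00", 11, False),
]


def normalize_timeline(events, skew: timedelta = timedelta(0)):
    """Convert every event to UTC, correct device-sourced times for clock skew,
    and return (utc_datetime, source) pairs in chronological order."""
    out = []
    for source, kind, value, offset, from_device in events:
        if kind == "filetime":
            utc = filetime_to_utc(value)
        elif kind == "local":
            utc = local_to_utc(value, offset)
        else:
            raise ValueError(f"unknown timestamp kind: {kind}")
        if from_device:
            utc -= skew  # a fast device clock stamps events later than they happened
        out.append((utc, source))
    return sorted(out)


def timeline_sources(events, skew: timedelta = timedelta(0)):
    """Just the ordered source names, convenient for comparing two orderings."""
    return [source for _, source in normalize_timeline(events, skew)]


if __name__ == "__main__":
    # Device Time capture: device showed 10:01:30Z when the reference clock read 10:00:00Z.
    skew = device_skew(local_to_utc("2021-03-01 10:01:30", 0),
                       local_to_utc("2021-03-01 10:00:00", 0))
    print("uncorrected:", timeline_sources(CONSTRUCTED_EVENTS))
    print("skew-corrected:", timeline_sources(CONSTRUCTED_EVENTS, skew))
```

With the device's 90-second fast clock left uncorrected, the NTFS event appears to follow the Toronto chat message; once the captured skew is applied it moves ahead of it, which is exactly the kind of sequencing error a careless timeline will get wrong.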
Module 11: FaceDNA™ Biometric Facial Recognition
For many law enforcement agencies, the investigation of crimes against children often results in the seizure and forensic examination of prodigious amounts of multimedia-based evidence (pictures, movie files). By conventional practice, forensic practitioners have typically had to sift through these files one at a time in an attempt to categorize the evidence, but more importantly, to identify potential victims and suspects. In this module, students will learn about biometric facial recognition and how FaceDNA™ functionality in IXTK™ can extract, identify and match faces. Proper and effective use of this technology can have a profound time-saving effect on cases. Moreover, when used properly at the onset of an investigation, it can help identify known victims, as well as reveal not-before-known victims.
Module 12: IXTK Reporting
Reporting of the facts in issue is a critical step in the disclosure process. Ensuring that evidence is represented in a manner that ‘makes sense’ is critical for readers who may not possess knowledge of digital forensics. For this reason, IXTK™ features both Custom Reporting and Quick Reporting options. In Custom Reporting, students will be able to ‘fine tune’ what data is reported and how the data is laid out in the report (Cardfile, Table, Gallery and Message View). The pre-defined and customizable statements that precede the body of the report are referred to as the Preamble or the Synopsis, and these are selectable for every report. IXTK™ also provides the ability to save and re-use templates and even offers Speech Recognition for creating the templates. In the end, students will be able to confidently generate powerful and compelling HTML reports and disclose them electronically to key stakeholders.
Module 13: Creating Child Records
What differentiates IXTK™ from other forensic tools is how it approaches the idea of “bookmarking”. Conventional approaches use pointers to the evidence (a location somewhere on a fixed or mounted disk), and those pointers are what are called bookmarks. While IXTK™ also offers a similar implementation by allowing records to be bookmarked, it goes one step further to remove the inter-dependency between pointers and the source evidence container (e.g., a disk image file like an E01). Using some sample data and viewing it in the Hex Viewer, students will learn how to sweep ranges of bytes and carve them back into the case file as Child Records. This innovative approach to bookmarking goes beyond pointers, as it provides a tangible working copy of the bookmarked data. With Child Records, all of the same applicable features and analysis options are available as with any other Record in the case. This unique way of bookmarking evidence opens almost limitless possibilities, as it is not constrained by the need to have the original disk image file available.
Module 14: Multimedia Analysis and Categorization Techniques
In almost any type of investigation, multimedia files and files that contain multimedia (pictures, videos, PDF, PSD, DOCX) can be of immense value, especially in cases that involve crimes against children. In such cases, investigators are often required (mandated) to categorize the evidence and to view video evidence in its entirety. These tasks come at an immense cost, both in time and computing resources. In this module, students will learn to apply industry-standardized data management and grouping techniques (Evidentiary Value Scoring (EVS), Video & Image Classification Standard (VICS)) to group evidence using a valuation scale (0 to 5). In addition, profound time-saving features will be practiced and discussed (Video Frame Extraction, Face Detection, Face Matching). The effectiveness of using Filters for EVS and VICS to better group and organize evidence will become evident. Students will explore the Gallery tab to learn how to view, orient and annotate picture evidence (Zoom, Rotate, Notes). Finally, some time will be spent working with the Video Viewer tab to understand and maximize the use of the built-in video player controls and functions (Stop, Pause, Play, Seek by Frame, Seek by Interval, Slider, Speed, Seek Time Index).
Module 15: Working with Notes, Case Timers and Case Tracking
One thing that makes IXTK™ stand out is its ability to add notes to Records and Child Records, including extrinsic data such as phone calls, search warrants, emails and meeting minutes. Students will practice creating notes and explore system-generated notes, which form part of the built-in case tracking features. To this end, they will also experiment with the Case and Session Timers and understand how IXTK™ can be used to track time spent on a case. Delving into the case database file will provide an in-depth view of the level of detail that goes into Case Tracking (accessing, viewing and annotating records). The power to create and print investigator-generated and system-generated notes will be realized through practical exercises.
Module 16: Knowledge and Skills Assessment + Certification
At the end of the course, students will be evaluated on their knowledge of the course material and the skills learned. Through a mixture of group Q&A, written examination and practical exercises, each student is eligible to be certified as an Internet Examiner Certified Examiner (IECE), which is valid for 2 years. Having this certification will be beneficial to students who may need to qualify their experience or status as an expert.