
Computer Network Investigations Training Program (CNITP)


The CNITP is designed to train criminal investigators (or those who routinely serve as part of the investigative team) to identify, search, seize and analyze magnetic media in a network environment. Investigators routinely find that the evidence they need may reside on servers, regardless of the type of investigation they are conducting. The purpose of this course is to give investigators an understanding of how to identify the server software in question, navigate the system, and collect evidence in a forensically sound manner.

The software and hardware issued during CNITP have been researched and tested in the classroom and in the field. Students will be trained on the use of this equipment during class.

During CNITP, students will be issued the following computer hardware and software items, which they will take with them upon completion of the course:

  • MacBook Pro 15" laptop computer
  • Thunderbolt External hard disk
  • Paraben Network Email Examiner
  • F-Response
  • Windows 7 Professional x64
  • VMware Fusion
  • Windows Network Forensics and Investigations - Book

Type: Advanced

Length: The training program encompasses 2 weeks (76 hours), beginning on a Monday and ending on the second Friday, with the graduation scheduled at approximately 11:00 to 11:30 a.m. Travel days are Sunday and Friday after 12 p.m.

Curriculum

At the conclusion of this two-week program, the training participant will have demonstrated, through the successful completion of several practical exercises, a functional knowledge of:

Windows 2008 Servers:

  • Procedures and software used when searching, seizing and analyzing data from a network server running Windows 2008 Server software while maintaining the integrity and authenticity of the evidence.
  • Procedures used to bypass logon security and data encryption common to Windows servers.
  • Procedures and software used to acquire user and group information from workstations, workgroup servers or the Active Directory of a domain server.
  • Procedures for navigating a Windows 2007 Exchange Server for the purpose of obtaining individual users' email.

Macintosh:

  • Procedures and software used when searching, seizing and analyzing data from a Macintosh server running OS X, while maintaining the integrity and authenticity of the evidence.
  • Use of the Macintosh MacBook Pro laptop as the forensic platform for live analysis and acquisitions.

Linux/UNIX:

  • Procedures used in the installation of a Linux operating system configured to enhance forensic examination.
  • File, folder, and partition structure of a computer using the Linux operating system. Students will learn to navigate through a computer using Linux from the GUI or through the command shell.
  • Procedures and software used to image/analyze data from a Network Server using Linux server software.
  • Procedures in the use of a bootable Linux CD to access, search, and image a suspect computer, device, or server using Linux or Windows server software.

Virtualization:

  • Procedures used in the installation and configuration of VMware software products, including VMware Workstation, VMware Server, VMware Player and VMware Fusion.
  • File artifacts related to both VMware and Microsoft virtual machines (VMs).

Program of Instruction

  • Current legal trends in network investigations
  • Network Terminology and Topology
  • Peer to Peer Networking Issues
  • Computer Network Live Acquisitions
  • Windows 2008 R2 Server Concepts and Search Analysis/Procedures
  • Investigations in a Virtual Environment
  • Email Server Investigations
  • Introduction to Apple Macintosh Operating System Concepts and use in Live Search-Analysis Procedures
  • Linux Operating System Concepts and Search/Analysis Procedures
  • Wireless Technology Investigations
  • CNITP Written Exam
  • CNITP Final Practical Exercise for Windows

Prerequisites for Attendance

Successful completion of FLETC's Seized Computer Evidence Recovery Specialist (SCERS) Training Program is recommended for admission to the CNITP. Applicants who have not attended FLETC's SCERS Training Program may attend the CNITP if they have experience and knowledge, acquired through formal education or on-the-job training, equivalent to what is presented in the SCERS. Participants are expected to have experience in the search, seizure and analysis of a computer system.

Contact Information

Training Technician
Technical Operations Training Facility
Bldg. 217
Federal Law Enforcement Training Center
Glynco, GA 31524
Phone: (912) 267-2702
Fax: (912) 267-2797
Fletc-TechnicalOpsTrngFacility@dhs.gov

Training Dates

G_CNITP-404 / Glynco, GA -- Sep 22, 2014 to Oct 03, 2014