The Computer Network Investigations Training Program (CNITP) is designed to train criminal investigators (or those that routinely serve as part of the investigative team) to identify, search, seize and analyze magnetic media in a network environment. Investigators are routinely finding that the evidence they need in the furtherance of any investigation may be found on servers regardless of the type of investigation they are conducting. The purpose of this course is to give investigators an understanding of how to identify the server software in question, navigate this system, and collect evidence in a forensically sound manner.
The software and hardware issued during CNITP has been researched and tested in the classroom and in the field. Students will be trained on the use of this equipment during class. At the conclusion of this two week program, the training participant will have demonstrated, through the successful completion of several practical exercises that they have a functional knowledge of:
Windows 2012 Servers
- Procedures and software used when searching, seizing and analyzing data from a network server running Windows 2012 Server software while maintaining the integrity and authenticity of the evidence.
- Procedures used to bypass logon security common security to Windows servers.
- Procedures and software used to acquire users and group information from Work Group Servers or the Active Directory of a Domain Server.
- Procedures for navigating a Windows Exchange Server for the purpose of obtaining individual users email.
- Procedures using F-Response Tactical as the forensic platform to access, search and obtain the Windows Server for live analysis and acquisitions.
- Procedures and software used when searching, seizing and analyzing data from a Macintosh server running OSX, while maintaining the integrity and authenticity of the evidence.
- Use of the Macintosh MacBook Pro laptop and/or F-Response Tactical as the forensic platform for live analysis and acquisitions.
- Procedures used in the installation of a Linux operating system configured to enhance forensic examination.
- File, folder, and partition structure of a computer using the Linux operating system. Students will learn to navigate through a computer using Linux from the GUI or through the command shell.
- Procedures using F-Response Tactical to access, search, and obtain an image of a Linux suspect computer, device, or server using forensic imaging software.
- Procedures used in the installation and configuration of VMware software products including VMware workstation, VMware server, VMware player and VMware Fusion.
- File artifacts related to VMware, Microsoft virtual machine VMs, Hyper-V and Virtualbox software.
- Applicant must be a law enforcement officer/agent with arrest authority in the prevention, detection, apprehension, detention and/or investigation of felony and/or misdemeanor violations of federal, state, local, tribal, or military criminal laws; or Direct Law Enforcement Support Personnel (DLESP); or employees of a federal, state, local, tribal or international agency who perform functions directly related to a law enforcement or Department of Homeland Security (DHS) mission but do not necessarily have the authority to carry and use firearms, make arrests and/or conduct searches with or without a warrant. This category of personnel may also include military personnel preparing for deployment. Completion of FLETC's Seized Computer Evidence Recovery Specials (SCERS) Training Program is recommended for admission to the CNITP. Applicants that have not attended FLETC's SCERS Training Program may attend the CNITP if they have experience and knowledge, acquired through formal education or on-the-job training, which is equivalent to what is presented within the SCERS. This program is part of the FLETC's Cybercrime Track (FCT) or the Electronic Surveillance (ELSUR) Track. By entering FCT or ELSUR into the search window, other related Cyber Division programs can be found.
Required Training Materials
During CNITP students will be issued the following computer hardware and software items which they will take with them upon completion of the course:
- MacBook Pro 13" with Retina display
- Thunderbolt/USB3.0 External 2.5” hard drive
- F-response Tactical
- Windows 8.1 Professional x64
- Sawmill Log Parser
- VMware Fusion
- Windows Network Forensics and Investigations - Book
- Electronic Law and Evidence
- Network Investigations
- Forensic analysis of digital data in a windows environment
Federal organization personnel should contact their agency training officer to register for training, email questions to FLETCAdmissions@fletc.dhs.gov or telephone 912-267-3344.
State, local and tribal officers requesting training should register online. If organizational support is required or you have additional needs, please email firstname.lastname@example.org or call us at 1-800-743-5382.
International (non-US) personnel should email FLETCemail@example.com or telephone 912-261-4023.
Program Contact Info
Glynco: (912) 267-2702