The Digital Evidence Collection in an Enterprise Environment (DECEE) is designed to train criminal investigators (or those who routinely serve as part of the investigative team) to identify, search, seize and acquire digital media in a network environment. Investigators routinely find that the evidence they need in furtherance of an investigation may be on servers, regardless of the type of investigation they are conducting. The purpose of this program is to give investigators an understanding of how to identify the server software in question, navigate the system, and collect evidence in a forensically sound manner.
The software and hardware issued during DECEE have been researched and tested in the classroom and in the field. Students will be trained on the use of this equipment during class. At the conclusion of this two-week program, the training participant will have demonstrated, through the successful completion of several practical exercises, that they have a functional knowledge of:
Windows 2012 Servers
- Procedures and software used when searching, seizing and analyzing data from a network server running Windows 2012 R2 Server software while maintaining the integrity and authenticity of the evidence.
- Procedures used to bypass the logon security common to Windows servers.
- Procedures and software used to acquire user and group information from Work Group Servers or the Active Directory of a Domain Server.
- Procedures for navigating a Windows Exchange Server for the purpose of obtaining individual users' email.
- Procedures using F-Response Tactical as the forensic platform to access, search and obtain the Windows Server for live acquisitions.
- Procedures and software used when searching, seizing and acquiring data from a Macintosh server running OSX, while maintaining the integrity and authenticity of the evidence.
- Use of the Macintosh MacBook Pro laptop and/or F-Response Tactical as the forensic platform for live acquisitions.
- File, folder, and partition structure of a computer using the Linux operating system. Students will learn to navigate through a computer using Linux from the GUI or through the command shell.
- Procedures using F-Response Tactical to access, search, and obtain an image of a Linux suspect computer, device, or server using forensic imaging software.
- Procedures used in the installation and configuration of VMware software products including VMware workstation, VMware server, VMware player and VMware Fusion.
- File artifacts related to VMware, Microsoft virtual machines (VMs), Hyper-V and VirtualBox software.
Applicant must be a law enforcement officer/agent with arrest authority in the prevention, detection, apprehension, detention and/or investigation of felony and/or misdemeanor violations of federal, state, local, tribal, or military criminal laws; or Direct Law Enforcement Support Personnel (DLESP); or employees of a federal, state, local, tribal or international agency who perform functions directly related to a law enforcement or Department of Homeland Security (DHS) mission but do not necessarily have the authority to carry and use firearms, make arrests and/or conduct searches with or without a warrant. This category of personnel may also include military personnel preparing for deployment. Applicants must have successfully completed the Digital Evidence Acquisition Specialist Training Program (DEASTP) and the Seized Computer Evidence Recovery Specialist (SCERS) Training Program, or equivalent, for admission to the DECEE. This program is part of the FLETC's Cybercrime Track (FCT) or the Electronic Surveillance (ELSUR) Track. Other related Cyber Division programs can be found by entering FCT or ELSUR into the search window.
Required Training Materials
During DECEE students will be issued the following computer hardware and software items which they will take with them upon completion of the course:
- MacBook Pro 13" with Retina display
- Thunderbolt/USB 3.0 External 2.5" hard drive
- F-Response Tactical
- Windows 10 Professional x64
- VMware Fusion
- Windows Network Forensics and Investigations - Book
- Electronic Law and Evidence
- Network Investigations
- Forensic acquisition of digital data in a Microsoft Windows, OSX and Linux environment
Program Contact Info
Glynco: (912) 267-2485
Digital Evidence Acquisition Specialist Training Program
Seized Computer Evidence Recovery Specialist Training Program