Certified Virtualization Forensics Examiner

This course takes two enormously challenging areas facing IT security professionals today: incidence response and virtualization and attempts to meld these together. Forensics is at the heart of incidence response, and therefore this training will focus on how to gather evidence relating to an incident – the what, when, where, who and why of an incident – within today’s common virtual environments.   Additionally, this 5 day instructor led course will take a deep dive into the virtual infrastructure, and contrast the various virtual entities against their physical counterparts. This will allow a clear demonstration of the forensically-relevant differences between the virtual and physical environments. The course uses a lab-centric, scenario-based approach to demonstrate how to forensically examine relevant components of a virtual infrastructure for specific use cases.

Participants will be able to apply forensically-sound best practice techniques against virtual infrastructure entities in the following use case scenarios:

• Identifying direct evidence of a crime
• Attributing evidence to specific suspects
• Confirming (or negating) suspect alibis
• Confirming (or negating) suspect statements
• Determining (or negating) suspect intent
• Identifying sources
• Authenticating documents

Upon Completion

Students will:

• Have knowledge to perform virtualization forensic examinations.
• Have knowledge to accurately report on their findings from examinations
• Be ready to sit for the C)VFE Exam

Mile2 is Accredited by the NSA-CNSS, Approved on Homelands Security NICCS Framework, and is on the FBI’s Tier 1-3 Certification Training Chart.

Module 1: Digital Forensics - the what, where, when, how and why

Module 2: Virtual Infrastructure

• Vendor-neutral VI Architecture Principals

• Hypervisors
• Virtual Machines
• Virtual Networks
• Virtual Disks
• Virtual File Systems
• Migration of Virtual Components
  • Vendor-specific VI Architecture
• vSphere
• Hyper-V
• XenServer
  • Key Differences Between Physical and Virtual Infrastructures

Module 3: Forensic Investigation Process

• Physical Infrastructure Best Practices

• Practices Equally Applicable Within Virtual Infrastructures
  • Virtual Infrastructure Best Practices
• Practices Unique To Virtual Infrastructures

Module 4: VI Forensics Scenario 1: Identifying direct evidence of a crime

Module 5: VI Forensics Scenario 2: Attributing evidence to specific suspects

Module 6: VI Forensics Scenario 3: Confirming (or negating) suspect alibis

Module 7: VI Forensics Scenario 4: Confirming (or negating) suspect statements

Module 8: VI Forensics Scenario 5: Determining (or negating) suspect intent

Module 9: VI Forensics Scenario 6: Identifying sources

Module 10: VI Forensics Scenario 7: Authenticating documents

Module 11: Putting it all together – course summary

• Must have a Digital or Computer Forensics
• Certification or equivalent knowledge

• Virtual infrastructure specialists
• Architects
• Engineers
• Administrators
• Forensic Investigators