Email Forensics Training

$1,950.00

Live training on forensic email investigations over the Internet. Approximately 8 hours in duration, spread across two consecutive days. See the details below 👇🏻 for the syllabus.

Instructor: Arman Gungor

No commercial email forensics software is needed. We will provide a list of common/freely-available tools that will be used for the labs ahead of the training.

Have a large group? Contact us to arrange group training.

The price is per seat. If you would like to purchase training for multiple attendees, add one unit per person and provide us with the details of each person.

SKU: MSEFTRN01 Category:

Description

Trainer Profile

The training will be performed by Arman Gungor. Arman is a certified computer forensic examiner (CCE) and software developer. He has been appointed by courts as a neutral computer forensics expert as well as a neutral eDiscovery consultant. Arman is passionate about doing digital forensics research, developing new investigative techniques, and creating software to support them. In his role as Director of Forensics at Meridian Discovery, Arman has assisted corporations, law firms, and government entities with the forensic preservation and investigation of email evidence.

Training Details

Duration: Approximately 4 hours per day over two days (~8 hours in total). Please plan to allocate 4.5 hours per day in your schedule in case we go over the allotted time during the labs or while answering questions.
Language: English
Instructor: Arman Gungor
Mode: Live remote instruction over the Internet in group setting
Attendee Provides: Computer with Internet access; a list of tools pre-installed for lab exercises

Course Outline

Anatomy of An Email Message

Where does email live, and what does an email message look like?

— Message Headers

What header fields can be found in an email message, and how they can be used during email investigations.

— Message Body, Attachments, and MIME

What the message body contains and what to look for in the message body during forensic authentication. Different types of timestamps that can be found within the message body.

— Email over The Internet

How does email travel across the Internet? Low-level look at what an email client does to transmit a message.

Sources of Email Evidence

An overview of where email evidence can be found, different device and server types, and how various sources of email evidence complement each other.

Common Hosted Email Services and Protocols

Most frequently encountered hosted email service providers and the protocols that are used to transmit emails over computer networks.

Forensic Email Preservation

How to forensically preserve emails from hosted service providers, on-premises servers, and local devices. What metadata fields should be captured for subsequent analyses. What a forensic examiner should not do during the forensic preservation of emails. Retention and the Recoverable Items Folder in Exchange servers.

Email Storage Formats

Overview of the frequently encountered formats in which emails are stored. How they are different than each other. Which format is best for forensic investigations or eDiscovery.

Server Metadata, Logs, and History Records

What can be collected from email servers in addition to the messages themselves to help with the forensic examination. How History Records can help determine if messages were deleted, if they were read and subsequently marked as “unread”, and when.

MAPI

How to work with MAPI stores to access low-level information.

Forensic Email Authentication

— Authenticating Messages

Strategies for forensically authenticating email messages. What the telltale signs of a fraudulent email are. What to do when all you have is a printout. Working with emails acquired from Microsoft 365/Exchange and Gmail/Google Workspace.

— DKIM, ARC, SPF, and DMARC

How we can use DKIM, ARC, SPF, and DMARC to authenticate messages with a high level of confidence.

— Hidden Metadata

Analysis of hidden metadata such as hidden timestamps, conversation index values, and attachment timestamps.

— Leveraging Server Metadata

How emails can be altered on the server. How to use server metadata to show whether or not an email message is authentic.

Practice Labs

Hands-on labs to practice what we cover during training.

Cancellation Policy

You can cancel your enrollment and receive a full refund until 14 calendar days before the start date of the training by emailing us at support@metaspike.com. In the event that Metaspike cancels the training session due to insufficient attendance, you will have the option to receive a full refund or attend a future training session.

FAQ

Q. Does this course cover Metaspike’s forensic tools (Forensic Email Collector and Forensic Email Intelligence)?
A. No. This course covers forensic email investigations in a vendor-neutral manner.
Q. Will a certificate of completion be provided?
A. Yes, please contact us to request your certificate after you have taken the course.

Questions & Comments?

Please do not hesitate to get in touch regarding group training. If you are interested in this program but the timing of it does not work for you, please let us know so that we can notify you if/when another session is scheduled in the future.