Description
Trainer Profile
The training will be performed by Arman Gungor. Arman is a certified computer forensic examiner (CCE) and software developer. He has been appointed by courts as a neutral computer forensics expert as well as a neutral eDiscovery consultant. Arman is passionate about doing digital forensics research, developing new investigative techniques, and creating software to support them. In his role as Director of Forensics at Meridian Discovery, Arman has assisted corporations, law firms, and government entities with the forensic preservation and investigation of email evidence.
Training Details
Duration: Approximately 4 hours per day over two days (~8 hours in total). Please plan to allocate 4.5 hours per day in your schedule in case we go over the allotted time during the labs or while answering questions.
Language: English
Instructor: Arman Gungor
Mode: Live remote instruction over the Internet in group setting
Attendee Provides: Computer with Internet access; a list of tools pre-installed for lab exercises
Course Outline
Anatomy of An Email Message
Where does email live, and what does an email message look like?
— Message Headers
What header fields can be found in an email message, and how they can be used during email investigations.
— Message Body, Attachments, and MIME
What the message body contains and what to look for in the message body during forensic authentication. Different types of timestamps that can be found within the message body.
— Email over The Internet
How does email travel across the Internet? Low-level look at what an email client does to transmit a message.
Sources of Email Evidence
An overview of where email evidence can be found, different device and server types, and how various sources of email evidence complement each other.
Common Hosted Email Services and Protocols
Most frequently encountered hosted email service providers and the protocols that are used to transmit emails over computer networks.
Forensic Email Preservation
How to forensically preserve emails from hosted service providers, on-premises servers, and local devices. What metadata fields should be captured for subsequent analyses. What a forensic examiner should not do during the forensic preservation of emails. Retention and the Recoverable Items Folder in Exchange servers.
Email Storage Formats
Overview of the frequently encountered formats in which emails are stored. How they are different than each other. Which format is best for forensic investigations or eDiscovery.
Server Metadata, Logs, and History Records
What can be collected from email servers in addition to the messages themselves to help with the forensic examination. How History Records can help determine if messages were deleted, if they were read and subsequently marked as “unread”, and when.
MAPI
How to work with MAPI stores to access low-level information.
Forensic Email Authentication
— Authenticating Messages
Strategies for forensically authenticating email messages. What the telltale signs of a fraudulent email are. What to do when all you have is a printout. Working with emails acquired from Microsoft 365/Exchange and Gmail/Google Workspace.
— DKIM, ARC, SPF, and DMARC
How we can use DKIM, ARC, SPF, and DMARC to authenticate messages with a high level of confidence.
— Hidden Metadata
Analysis of hidden metadata such as hidden timestamps, conversation index values, and attachment timestamps.
— Leveraging Server Metadata
How emails can be altered on the server. How to use server metadata to show whether or not an email message is authentic.
Practice Labs
Hands-on labs to practice what we cover during training.
Cancellation Policy
You can cancel your enrollment and receive a full refund until 14 calendar days before the start date of the training by emailing us at support@metaspike.com. In the event that Metaspike cancels the training session due to insufficient attendance, you will have the option to receive a full refund or attend a future training session.
FAQ
Q. Does this course cover Metaspike’s forensic tools (Forensic Email Collector and Forensic Email Intelligence)?
A. No. This course covers forensic email investigations in a vendor-neutral manner.
Q. Will a certificate of completion be provided?
A. Yes, please contact us to request your certificate after you have taken the course.
Questions & Comments?
Please do not hesitate to get in touch regarding group training. If you are interested in this program but the timing of it does not work for you, please let us know so that we can notify you if/when another session is scheduled in the future.