Statement of Work

1.  Background.  Digital Intelligence is the manufacturer of the forensic toolkit, Forensic Recovery Evidence Device (FRED).  This is a very specific toolkit which will enables MARSOC to create bit-stream duplicate copies of drives for incidents and investigations. The FRED toolkit includes a tower with Intel Core i7-4820k CPU Quad processor, 64 GB DDR3 1600MHz memory, Single Raid Chassis, Hardware write blocking, removable hard drive bays, all necessary adapters, cables, and a complete kit of software which will provide MARSOC an all-in-one Forensic Toolkit Solution to conduct evidence recovery, original evidence duplication and bit stream copying of data to prove an authentic true copy of original digital evidence. Training is needed to efficiently operate this device and utilize it's full potential.

2.  Requirement.  Performance of the training listed in this section requires contractor personnel with expertise in specific subject matters. Training is categorized as follows:

• FRED's Hardware ◦ Motherboard
• Processor
• Expansion slots
• Memory
• PATA and SATA channels
• RAID
• Connections
• Drive bays
• BIOS, operating systems and boot menus
• Overview of PATA, SCSI and SATA
• Introduction to floppy and hard drives
• Floppy CHS numbering
• Hard drive CHS numbering
• LBA
• Partitions ◦ Primary
• Extended
• Partition table entries
• Write blockers ◦ UltraBay, UltraKit and FireFly hardware write blockers
• FAT File System
• NTFS File System
• Preparing a duplicate image
• Install and configure FTK and its components, FTK Imager, PRTK and its components, Registry Viewer and LicenseManager.
• Use FTK Imager to preview evidence, export evidence files, create forensic images and convert existing images.
• Review Registry Viewer functions, including accessing the Protect Storage System Provider and hidden keys, indexing the registry, creating reports and integrating those reports with your FTK case report.
• Create a case in FTK.
• Use FTK to process and analyze documents, metadata, graphics and e-mail.
• Use bookmarks and check marks to efficiently manage and process case data.
• Update and customize the KFF database.
• Create and apply file filters to manage evidence in FTK.
• Use regular expressions to perform live searches.
• Import search lists for Indexed searches in FTK.
• Use the FTK Data Carving feature to recover files from unallocated disk space.
• Create and customize reports.
• Use custom dictionaries and dictionary profiles to recover passwords in PRTK.
• Utilize the index in FTK to create custom dictionaries in PRTK.
• Create regular expressions.
• Use the Registry Viewer to locate evidentiary information in Windows 2K and XP registry files.
• Integrate Registry Viewer with FTK.
• Recover forensic information from Recycle Bin INFO2 files.
• Recover forensic information from the following Windows XP artifacts:
• Thumbs.db files
• Metadata
• Link and Spool Files
• Alternate Data Streams
• Windows XP Prefetch
• Use a FTK word list to create a custom dictionary, profile, and biographical dictionary in PRTK.
• Add SAM and Syskey values to PRTK to recover passwords and decrypt encrypted files.
• Recover EFS encrypted files on Windows 2000 and XP systems.

3. Place of Performance.  Four (4) vouchers will be provided to attend one of the scheduled courses on site at the vendor location. 

4. Period of Performance.  Varies depending on the scheduled courses of the vendor.

5. Travel. Travel will not be required from the vendor since students will attend training on-site at the vendor location, there are only a few vouchers being ordered so it would not be cost effective to bring the gear and instructors to Camp Lejeune.

(End of Statement of Work)

Bid Protests Not Available