Windows Forensic Analysis Training

Introduction

Windows Forensic Analysis Training Course with Hands-on labs

Proper analysis requires real data for students to examine. The completely updated Windows Forensic Analysis Training course trains digital forensic analysts through a series of new hands-on laboratory exercises that incorporate evidence found on the latest Microsoft technologies (Windows 7, Windows 8/8.1, Windows 10, Office and Office 365, cloud storage, SharePoint, Exchange, Outlook). Students leave the Windows Forensic Analysis Training course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out: attendees learn to analyze everything from legacy Windows XP systems to newly discovered Windows 10 artifacts.

Every organization must prepare for cyber-crime occurring on their computer systems and within their networks. Demand has never been higher for analysts who can investigate crimes like fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Government agencies increasingly require trained media exploitation specialists to recover key intelligence from Windows systems. To help solve these cases, ENO is training a new cadre of the world's best digital forensic professionals, incident responders, and media exploitation masters capable of piecing together what happened on computer systems second by second.

Windows Forensic Analysis Training focuses on building in-depth digital forensics knowledge of the Microsoft Windows operating systems. You can't protect what you don't know about, and understanding forensic capabilities and artifacts is a core component of information security. Learn to recover, analyze, and authenticate forensic data on Windows systems. Understand how to track detailed user activity on your network and how to organize findings for use in incident response, internal investigations, and civil/criminal litigation. Use your new skills for validating security tools, enhancing vulnerability assessments, identifying insider threats, tracking hackers, and improving security policies. Whether you know it or not, Windows is silently recording an unimaginable amount of data about you and your users. Windows Forensic Analysis Training teaches you how to mine this mountain of data.

Duration: 5 days

Windows Forensic Analysis Training - Customize It!

• We can adapt this Windows Forensic Analysis Training course to your group’s background and work requirements at little to no added cost.
• If you are familiar with some aspects of this Windows Forensic Analysis Training course, we can omit or shorten their discussion.
• We can adjust the emphasis placed on the various topics or build the Windows Forensic Analysis Training course around the mix of technologies of interest to you (including technologies other than those included in this outline).
• If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Windows Forensic Analysis Training course in a manner understandable to lay audiences.

Windows Forensic Analysis Training - Audience / Target Group

• Information security professionals who want to learn the in-depth concepts of Windows digital forensics investigations.
• Incident response team members who need to use deep-dive digital forensics to help solve their Windows data breach and intrusion cases.
• Law enforcement officers, federal agents, or detectives who want to become a deep subject-matter expert on digital forensics for Windows-based operating systems.
• Media exploitation analysts who need to master tactical exploitation and Document and Media Exploitation (DOMEX) operations on Windows-based systems used by an individual. Attendees will be able to specifically determine how individuals used a system, who they communicated with, and the files that were downloaded, edited, and deleted.
• Anyone interested in a deep understanding of Windows forensics who has a background in information systems, information security, and computers.

Windows Forensic Analysis Training - Prerequisites

• Windows Forensic Analysis Training is an intermediate-level Windows forensics course that skips over the introductory material of digital forensics. This class does not include basic digital forensic analysis concepts. FOR408 focuses entirely on in-depth, tool-agnostic analysis of the Windows operating system and its artifacts.

Windows Forensic Analysis Training - Objectives:

After completing this Windows Forensic Analysis Training course, attendees will be able to:

• Conduct in-depth forensic analysis of Windows operating systems and media exploitation focusing on Windows 7, Windows 8/8.1, Windows 10, and Windows Server 2008/2012
• Identify artifact and evidence locations to answer critical questions, including application execution, file access, data theft, external device usage, cloud services, geo-location, file download, anti-forensics, and detailed system usage
• Focus your capabilities on analysis instead of how to use a specific tool
• Extract key answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation

Windows Forensic Analysis Training - Course Content:

Windows Digital Forensics And Advanced Data Triage

Windows Operating System Components
Key Differences in Windows Versions
Windows 7 and Higher
Microsoft Server Variations
Core Forensic Principles
Analysis Focus
Key Questions
Determining Your Scope
Live Response and Triage-Based Acquisition Techniques
RAM Acquisition
Registry Extraction
Creating Custom Content Images
Triage-Based Forensics - Fast Forensic Acquisition - Key Files
Following the Order of Volatility
Triage via Custom Content Extraction
Acquisition Review with Write Blocker
Advanced Acquisition Challenges
Detecting Encrypted Drives
SSD vs. Standard Platter-Based Hard Drives
SSD Acquisition Concerns
Windows Image Mounting and Examination
NTFS File System Overview
Document and File Metadata
File Carving
Principles of Data Carving
Loss of File System Metadata
File Carving Tools
Custom Carving Signatures
Memory, Pagefile, and Unallocated Space Analysis
Artifact Recovery and Examination
Facebook Live, MSN Messenger, Yahoo, AIM, GoogleTalk Chat
IE8-11, Edge, Firefox, Chrome InPrivate/Recovery URLs
Yahoo, Hotmail, Gmail, Webmail, Email

Core Windows Forensics: Windows Registry Forensics And Analysis

Registry Forensics In-Depth
Registry Core
Hives, Keys, and Values
Registry Last Write Time
MRU Lists
Deleted Registry Key Recovery
Identify Dirty Registry Hives and Recover Missing Data
Rapidly Search and Timeline Multiple Hives
Profile Users and Groups
Discover Usernames and the SID Mapped to Them
Last Login
Last Failed Login
Login Count
Password Policy
Core System Information
Identify Current Control Set
System Name and Version
Timezone
Local IP Address Information
Wireless/Wired/3G Networks
Connected Network Auditing and Device Geolocation
Network Shares and Offline Caching
Last Shutdown Time
Registry-Based Malware Persistence Mechanisms
User Forensic Data
Evidence of File Downloads
Office and Office 365 File History Analysis
Windows 7, Windows 8/8.1, Windows 10 Search History
Typed Paths and Directories
Recent Documents (RecentDocs)
Open/Save and Run Dialog Box Evidence
Application Execution History via UserAssist, Shimcache, RecentApps, AmCache, and BAM/DAM
Tools Used
Registry Explorer
TZWorks CAFAE and YARU (Yet Another Registry Utility)

Core Windows Forensics: USB Devices and Shell Items

Shell Item Forensics
Link/Shortcut Files (.lnk) - Evidence of File Opening
Windows 7/Windows 10 Jump Lists - Evidence of File Opening and Program Execution
Shellbag Analysis - Evidence of Folder Access
USB and Bring Your Own Device (BYOD) Forensic Examinations
Vendor/Make/Version
Unique Serial Number
Last Drive Letter
MountPoints2 - Last Drive Mapping Per User (Including Mapped Shares)
Volume Name and Serial Number
Username that Used the USB Device
Time of First USB Device Connection
Time of Last USB Device Connection
Time of Last USB Device Removal
Auditing BYOD Devices at Scale
BitLocker To Go Encrypted USB Devices

Core Windows Forensics: Email, Key Additional Artifacts, and Event Logs

Email Forensics
Evidence of User Communication
How Email Works
Email Header Examination
Email Authenticity
Determining a Sender's Geographic Location
Extended MAPI Headers
Host-Based Email Forensics
Exchange Recoverable Items
Exchange Evidence Acquisition and Mail Export
Exchange Compliance Search and eDiscovery
Unified Audit Logs in Office 365
Recovering Deleted Emails
Web and Cloud-Based Email
Email Searching and Examination
Mobile Email Remnants
Forensicating Additional Windows OS Artifacts
Windows Search Index Forensics
Extensible Storage Engine (ESE) Database Recovery and Repair
Thumbs.db and Thumbscache Files
Windows Prefetch Analysis (XP, Windows 7 to Windows 10)
Windows Recycle Bin Analysis (XP, Windows 7 to Windows 10)
Windows 10 Timeline Database
System Resource Usage Monitor (SRUM)
Connected Networks, Duration, and Bandwidth Usage
Applications Run and Bytes Sent/Received Per Application
Application Push Notifications
Energy Usage
Windows Event Log Analysis
Event Logs that Matter to a Digital Forensic Investigator
EVTX and EVT Log Files
Track Account Usage including RDP, Brute Force Password Attacks, and Rogue Local Account Usage
Audit and Analyze File and Folder Access
Prove System Time Manipulation
Track Bring Your Own Device (BYOD) and External Devices
Geo-locate a Device via Event Logs

Core Windows Forensics: Web Browser Forensics for Firefox, Internet Explorer, and Chrome

Browser Forensics
History
Cache
Searches
Downloads
Understanding Browser Timestamps
Internet Explorer
IE Forensic File Locations
History files: Index.dat and WebCache.dat
Cache Recovery and Timestamps
Microsoft Universal Application Artifact
Download History
Credentials Stored in the Windows Vault
Internet Explorer Tab Recovery Analysis
Cross-Device Synchronization, Including Tabs, History, Favorites, and Passwords
Edge
History, Cache, Cookies, Download History, and Session Recovery
Spartan.edb
Reading List, WebNotes, Top Sites, and SweptTabs
Firefox
Firefox Artifact Locations
Mork Format and SQLite Files
Firefox Quantum Updates
Download History
Firefox Cache2 Examinations
Detailed Visit Type Data
Form History
Session Recovery
Firefox Extensions
Chrome
Chrome File Locations
Correlating URLs and Visits Tables for Historical Context
History and Page Transition Types
Chrome Preferences File
Web Data, Shortcuts, and Network Action Predictor Databases
Chrome Timestamps
Cache Examinations
Download History
Chrome Session Recovery
Chrome Profiles Feature
Identifying Cross-Device Chrome Synchronization
Private Browsing and Browser Artifact Recovery
IE and Edge InPrivate Browsing
Chrome and Firefox Private Browsing
Investigating the Tor Browser
Identifying Selective Database Deletion
SQLite and ESE Database Carving
Examination of Browser Artifacts
Super Cookies
DOM and Web Storage Objects
Google Analytics and Universal Cookies
Rebuilding Cached Web Pages
Browser Ancestry
Tools Used
Nirsoft Tools
SQLite Parsers
ESE DatabaseView
Hindsight

Windows Forensic Challenge

Digital Forensic Case
Analysis
Begin with a New Set of Evidence
Follow the Evidence Analysis Methods Discussed Throughout the Week and Find Critical Evidence
Examine Memory, Registry, Chat, Browser, Recovered Files, and More
Reporting
Focus and Submit the Top Three Pieces of Evidence Discovered and Discuss What They Prove Factually
Document One of the Submitted Pieces of Evidence for Potential Examination During the Mock Trial
Presentation
Each Team Will Be Asked to Prepare the following:
Executive Summary
Short Presentation
Conclusion
The Team Voted to Have the Best Argument and Presentation Proving Its Case Wins the Challenge
