Windows Forensic Analysis

Provided by

About the course

Instructor: Kevin Ripa
6,275 EUR 6,025 EUR paid by Aug 7

GCFE Certification
Affiliate Pricing
36 CPEs
Laptop Required

Masters Program

Master Windows Forensics - "You Can't Protect What You Don't Know About."

All organizations must prepare for cyber-crime occurring on their computer systems and within their networks. Demand has never been greater for analysts who can investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Government agencies increasingly require trained media exploitation specialists to recover vital intelligence from Windows systems. To help solve these cases, SANS is training a new cadre of the world's best digital forensic professionals, incident responders, and media exploitation experts capable of piecing together what happened on computer systems second by second.

FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of Microsoft Windows operating systems. You can't protect what you don't know about, and understanding forensic capabilities and artifacts is a core component of information security. You will learn how to recover, analyze, and authenticate forensic data on Windows systems, track particular user activity on your network, and organize findings for use in incident response, internal investigations, and civil/criminal litigation. You will be able to use your new skills to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unbelievable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data.

Proper analysis requires real data for students to examine. The completely updated FOR500 course trains digital forensic analysts through a series of new hands-on laboratory exercises that incorporate evidence found on the latest Microsoft technologies (Windows 7, Windows 8/8.1, Windows 10, Office and Office365, Cloud Storage, SharePoint, Exchange, Outlook). Students leave the course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out - attendees learn to analyze everything from legacy Windows 7 systems to just-discovered Windows 10 artifacts.

FOR500: Windows Forensic Analysis will teach you to:

Conduct in-depth forensic analysis of Windows operating systems and media exploitation focusing on Windows 7, Windows 8/8.1, Windows 10, and Windows Server 2008/2012/2016
Identify artifact and evidence locations to answer critical questions, including application execution, file access, data theft, external device usage, cloud services, geolocation, file download, anti-forensics, and detailed system usage
Focus your capabilities on analysis instead of on how to use a particular tool
Extract critical answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation

FOR500 is continually updated. The course starts with an intellectual property theft and corporate espionage case that took over six months to create. You work in the real world, so your training should include real-world practice data. Our instructor development team used incidents from their own investigations and experiences to create an incredibly rich and detailed scenario designed to immerse students in an actual investigation. The case demonstrates the latest artifacts and technologies an investigator might encounter while analyzing Windows systems. The detailed workbook shows step-by-step the tools and techniques that each investigator should employ to solve a forensic case.

Windows Forensics Course Topics:

Windows Operating Systems Focus (Windows 7, Windows 8/8.1, Windows 10, Server 2008/2012/2016)
Windows File Systems (NTFS, FAT, exFAT)
Advanced Evidence Acquisition Tools and Techniques
Registry Forensics
Shell Item Forensics
Shortcut Files (LNK) - Evidence of File Opening
Shellbags - Evidence of Folder Opening
JumpLists - Evidence of File Opening/Program Exec
Windows Artifact Analysis
Facebook, Gmail, Hotmail, Yahoo Chat, and Webmail Analysis
EmailMicrosoft Office Document Analysis
System Resource Usage Database
Windows 10 Timeline Database
Windows Recycle Bin Analysis
File and Picture Metadata Tracking and Examination
Ten Different Application Execution Artifacts Including Several New to Windows 10
Email Forensics (Host, Server, Web), Including Office 365
Event Log File Analysis
Firefox, Chrome, Edge, and Internet Explorer Browser Forensics
Deleted Registry Key and File Recovery
Recovering Missing Data From Registry and ESE Database .Log Files
String Searching and File Carving
Examination of Cases Involving Windows 7, Windows 8/8.1, and Windows 10
Media Analysis and Exploitation Involving:
Tracking User Communications Using a Windows PC (Email, Chat, IM, Webmail)
Identifying If and How a Suspect Downloaded a Specific File to the PC
Determining the Exact Time and Number of Times a Suspect Executed a Program
Showing When Any File Was First and Last Opened by a Suspect
Determining If a Suspect Had Knowledge of a Specific File
Showing the Exact Physical Location of the System
Tracking and Analyzing External and USB Devices
Showing How the Suspect Logged on to the Machine via the Console, RDP, or Network
Recovering and Examining Browser Artifacts, Even Those Used in a Private Browsing Mode

Discovering Utilization of Anti-Forensics, Including File Wiping, Time Manipulation, and Program Removal

The Course Is Fully Updated to Include Latest Windows 7, 8, 8.1, 10, and Server 2008/2012/2016 Techniques

Course Syllabus

FOR500.1: Windows Digital Forensics And Advanced Data Triage
FOR500.2: Core Windows Forensics Part I: Windows Registry Forensics And Analysis
FOR500.3: Core Windows Forensics Part II: Usb Devices And Shell Items
FOR500.4: Core Windows Forensics - Part III: Email, Key Additional Artifacts, and Event Logs
FOR500.5: Core Windows Forensics - Part IV: Web Browser Forensics for Firefox, Internet Explorer, and Chrome
FOR500.6: Windows Forensic Challenge

Related article

Cyber security – why bother? Most people’s perception of cyber-attacks are either of someone in a darkened room trying to take down web sites, or c...