About the course
FOR500: Windows Forensic Analysis
Mon, April 8 - Sat, April 13, 2019
Instructor: Jason Jordaan
Best course I have taken in 20 years.
Gary Sanders, LWCC
FOR408 (FOR500) is absolutely necessary for any computer forensic type career. Excellent information!
Rebecca Passmore, FBI
Master Windows Forensics - "You Can't Protect What You Don't Know About."
All organizations must prepare for cyber-crime occurring on their computer systems and within their networks. Demand has never been greater for analysts who can investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Government agencies increasingly require trained media exploitation specialists to recover vital intelligence from Windows systems. To help solve these cases, SANS is training a new cadre of the world's best digital forensic professionals, incident responders, and media exploitation experts capable of piecing together what happened on computer systems second by second.
FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of Microsoft Windows operating systems. You can't protect what you don't know about, and understanding forensic capabilities and artifacts is a core component of information security. You will learn how to recover, analyze, and authenticate forensic data on Windows systems, track particular user activity on your network, and organize findings for use in incident response, internal investigations, and civil/criminal litigation. You will be able to use your new skills to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unbelievable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data.
Proper analysis requires real data for students to examine. The completely updated FOR500 course trains digital forensic analysts through a series of new hands-on laboratory exercises that incorporate evidence found on the latest Microsoft technologies (Windows 7, Windows 8/8.1, Windows 10, Office and Office365, Cloud Storage, SharePoint, Exchange, Outlook). Students leave the course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out - attendees learn to analyze everything from legacy Windows 7 systems to just-discovered Windows 10 artifacts.
FOR500: Windows Forensic Analysis will teach you to:
- Conduct in-depth forensic analysis of Windows operating systems and media exploitation focusing on Windows 7, Windows 8/8.1, Windows 10, and Windows Server 2008/2012/2016
- Identify artifact and evidence locations to answer critical questions, including application execution, file access, data theft, external device usage, cloud services, geolocation, file download, anti-forensics, and detailed system usage
- Focus your capabilities on analysis instead of on how to use a particular tool
- Extract critical answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation
FOR500 is continually updated. The course starts with an intellectual property theft and corporate espionage case that took over six months to create. You work in the real world, so your training should include real-world practice data. Our instructor development team used incidents from their own investigations and experiences to create an incredibly rich and detailed scenario designed to immerse students in an actual investigation. The case demonstrates the latest artifacts and technologies an investigator might encounter while analyzing Windows systems. The detailed workbook shows step-by-step the tools and techniques that each investigator should employ to solve a forensic case.
Windows Forensics Course Topics:
- Windows Operating Systems Focus (Windows 7, Windows 8/8.1, Windows 10, Server 2008/2012/2016)
- Windows File Systems (NTFS, FAT, exFAT)
- Advanced Evidence Acquisition Tools and Techniques
- Registry Forensics
- Shell Item Forensics
- Shortcut Files (LNK) - Evidence of File Opening
- Shellbags - Evidence of Folder Opening
- JumpLists - Evidence of File Opening/Program Exec
- Windows Artifact Analysis
- Facebook, Gmail, Hotmail, Yahoo Chat, and Webmail Analysis
- Email and Microsoft Office Document Analysis
- System Resource Usage Database
- Windows 10 Timeline Database
- Windows Recycle Bin Analysis
- File and Picture Metadata Tracking and Examination
- Ten Different Application Execution Artifacts Including Several New to Windows 10
- Email Forensics (Host, Server, Web), Including Office 365
- Event Log File Analysis
- Firefox, Chrome, Edge, and Internet Explorer Browser Forensics
- Deleted Registry Key and File Recovery
- Recovering Missing Data From Registry and ESE Database .Log Files
- String Searching and File Carving
- Examination of Cases Involving Windows 7, Windows 8/8.1, and Windows 10
- Media Analysis and Exploitation Involving:
  - Tracking User Communications Using a Windows PC (Email, Chat, IM, Webmail)
  - Identifying If and How a Suspect Downloaded a Specific File to the PC
  - Determining the Exact Time and Number of Times a Suspect Executed a Program
  - Showing When Any File Was First and Last Opened by a Suspect
  - Determining If a Suspect Had Knowledge of a Specific File
  - Showing the Exact Physical Location of the System
  - Tracking and Analyzing External and USB Devices
  - Showing How the Suspect Logged on to the Machine via the Console, RDP, or Network
  - Recovering and Examining Browser Artifacts, Even Those Used in a Private Browsing Mode
  - Discovering Utilization of Anti-Forensics, Including File Wiping, Time Manipulation, and Program Removal
- The Course Is Fully Updated to Include Latest Windows 7, 8, 8.1, 10, and Server 2008/2012/2016 Techniques
For multi-course live training events, there will be a setup period from 8:30-9:00 am on the first day only to make sure that computers are configured correctly so that class time is used fully. All students are strongly encouraged to attend.
FOR500.1: Windows Digital Forensics and Advanced Data Triage
FOR500.2: Core Windows Forensics Part I: Windows Registry Forensics and Analysis
FOR500.3: Core Windows Forensics Part II: USB Devices and Shell Items
FOR500.4: Core Windows Forensics Part III: Email, Key Additional Artifacts, and Event Logs
FOR500.5: Core Windows Forensics Part IV: Web Browser Forensics for Firefox, Internet Explorer, and Chrome
FOR500.6: Windows Forensic Challenge
"After 30 years in law enforcement, three capabilities immediately rise to the top of my list when I think of what makes a great digital forensic analyst: superior technical skill, sound investigative methodology, and the ability to overcome obstacles. SANS FOR500: Windows Forensic Analysis was designed to impart these critical skills to students. Unlike many other training courses that focus on teaching a single tool, FOR500 provides training on many tools. While there are some exceptional tools available, we feel that all forensic analysts need a variety of tools in their arsenal to be able to pick and choose the best tool for each task. However, we also understand that forensic analysts are not great because of the tools they use, but because they artfully apply the right investigative methodology to each analysis. A carpenter can be a master with all his tools and still not know how to build a house. FOR500 teaches students to apply digital forensic methodologies to a variety of case types and situations, enabling them to apply the right methodology to achieve the best outcome in the real world. Finally, the course teaches and demonstrates the problem-solving skills necessary to be a truly successful forensic analyst. Almost immediately after starting your forensic career, you will learn that each forensic analysis presents its own unique challenges. A technique that worked flawlessly for previous examinations may not work for the next one. A good forensic analyst must be able to overcome obstacles through advanced troubleshooting and problem-solving. FOR500 gives students the foundation to solve future problems, overcome obstacles, and become great forensic analysts. No matter if you are new to the forensic community or have been doing forensics for years, FOR500 is a must-have course." - Ovie Carroll
"Former students have contacted me regularly about how they were able to use their digital forensic skills in very real situations that were part of the nightly news cycle. The skills you learn in this class are used directly to stop evil. Graduates of SANS FOR500: Windows Forensic Analysis are the front-line troops deployed when you need accurate digital forensic, incident response, and media exploitation analysis. From analyzing terrorist laptops, data breaches, to investigating insider intellectual property theft and fraud, SANS digital forensic graduates are battling and winning the war on crime and terror. Graduates have directly contributed to solving some of the toughest cases out there because they learn how to conduct analysis and run investigations properly. It brings me great comfort knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign attacks. Graduates are doing just that on a daily basis. I am proud that the SANS FOR500 course helped prepare them to fight and solve crime." - Rob Lee
"Digital forensics has never been more in demand than it is today. Zettabytes of data are created yearly, and forensic examiners will increasingly be called in to separate the wheat from the chaff. For better or worse, digital artifacts are recorded for almost every action, and the bar has been raised for investigators working to repel computer intrusions, stop intellectual property theft, and put bad actors in jail. We wrote this course as the forensics training we wish would have been available early in our careers. Keeping up with the cutting edge of forensics is daunting, but with frequent updates I am confident this course provides the most up-to-date training available, whether you are just starting out or are looking to add new skills to your forensic arsenal." - Chad Tilbury