Advanced Windows Forensics (32 Hours / 4-Day)
Learn to use various applications and utilities to successfully identify, process, understand and document numerous Windows artifacts that are vitally important to forensic investigations.
The Advanced Windows Forensics training class is a four-day course that introduces the participant to the many forensically relevant artifacts on a Microsoft Windows 10 system.
Students will learn to use various applications and utilities to successfully identify, process, understand and document numerous Windows artifacts that are vitally important to forensic investigations. Students will gain knowledge in identifying where and why Windows stores information in Registry files, Recycle Bin, Recent folder, User directory
NTFS File System Review
- List file system support for each NT operating system
- Identify NTFS Metadata Files
- List the function of each Metadata file
- Describe a File Record Entry
- List the components of an NTFS Attribute
- Describe the history of exFAT
- Identify the system areas of the volume
- Break down the Volume Boot Record
- File Allocation Table
- Describe the function of Bitmap
- Break down a directory entry
Operating Systems Overview
- Review the differences between NT operating systems
- List the key artifacts contained on modern Windows-based systems
- Review common folders on an NT Operating System.
Windows System Artifacts
- Examine how Desktop Search stores data
- Learn recovery options from the windows
- Examine the different backup options on Windows 10 systems and how to recover data from the ShadowCopy stores.
- Define the Windows Registry
- Discuss Forensic benefits of the Registry
- Examine a Registry block structure
- Define a Registry key structure
- Locating deleted registry data
- Explore the evidentially relevant data found in the following registry files:
  - SAM: user account information
  - SYSTEM: hardware data
  - SOFTWARE: installed application settings
  - NTUSER.DAT: user preferences and recent activity
  - Settings.dat: Immersive application preferences
- Review of Windows Shortcuts
- Link File Anatomy
- Jump Lists
- Deep dive into Jump List Analysis
- Learn of the intricate link with the NT filesystem.
Windows Immersive Applications review
- Describe the purpose of Live Tiles
- Examine backend structures of Immersive apps
- Describe the function of each folder location storing user cached data.
Windows® 10 Notifications and Timeline Analysis
- Learn of the Action Centre functionality
- Review the backend storage locations of notifications
- Explore the Timeline function and artifacts
- Gain knowledge on how SQLite databases function
- Explore artifacts stored in the backend SQLite database
- Describe the correlation between displayed images on live tiles and backend storage
- Learn of Microsoft's digital assistant (Cortana)
- Identify storage location of hosted data
- Identify key folder locations of collected data
- Review data stored in .txt and .cfg files pertaining to Cortana
- Discuss cloud integration and synchronization processes.
Edge Browser Forensics
- Review the Edge Browser application
- Locate key folders of interest within the user profile
- Identify cached data from untrusted and trusted sites
- Learn of Edge Recovery stores and processing techniques
- Discover registry data and explain synchronization concerns
- Review processing techniques.
Windows 10 Mail
- Learn of the function of the default Mail client
- Explore the locations of Trusted and Untrusted data
- Review the “Comms” folder and ESE structured database
- Extract key data from the Store.vol
- Review the storage of email data within the sub-folders of the Comms and S0 folders
Photos Application Artifacts
- Review the Photos application from a user perspective
- Identify storage locations of cached data
- Learn of key artifacts identified within the SQL database.
OneDrive – Cloud Synchronization
- Review the function of the OneDrive processes
- Locate key folders of interest
- Identify the locations of user files
- Explore the many artifacts located in the Synchronization logs
- Learn how to interpret user settings
- Learn interpretation of stored settings files
- Discover Office 365 cloud integration
- Use the registry to locate recent file interaction
- Interpret stored data in the subkeys.
Introduction to Office 365 data
- Learn of the many artifacts hosted on the local system pertaining to user activity while using the Office 365 suite.
- 32hrs of Instruction
- Course Manual
- Practical Files
- Attendance Certificate
To get the most out of this class, you should:
- Have 6 months' experience of forensic examinations.
- Be familiar with Windows operating systems.
Download the Syllabus
Download a printable copy of the course description and key learning points.
If you are interested in hosting this, or any of our courses at your facility, contact us.