Windows 10 Advanced Forensics
32 Hours / 4-DayThe Spyder Forensic Advanced Windows® 10 Forensic Analysis course will give participants unbiased knowledge and skills necessary to analyze artifacts left behind through system and user interaction with the host system, utilizing industry standard tools and open source applications to explore the data in greater depth by learning how applications function and store data throughout the system.
Windows® 10 Artifact Overview
- Examine the version characteristics between Windows® 10 Operating systems
- Explore the challenges recent updates have presented to the forensic examiner
BitLocker Encryption
- Learn how BitLocker encryption functions
- Explore System Volume BitLocker implementation and metadata artifacts
- Discuss BitLocker To Go on data volumes and USB devices
- Learn of examination techniques of a
BitLocked volume.
Exercises in Examination Workflows
- Define the forensic importance of Windows® Registry artifacts
- Examine a Registry block structure
- Define a Registry key structure
- Workflow Exercises
- User Account Examination
- Hardware tracking
- Application Usage
Windows® Shell Link Examinations
- Overview of Windows® Shortcuts
- Deep dive into Jump List Analysis
- Learn of the correction between the Distributed Link Tracking Service and Windows® link files
- Learn of the intricate link with the NT filesystem.
- Explore the structure of Jump List data files
- Examine the effects of destructive processes on jump lists
- Learn of File System artifacts associated with user activity on host files and link file creation.
Windows® Timeline
- Learn of the new Timeline feature introduced with Windows® 10 – 1803
- Review the backend storage locations of application data
- Gain knowledge on how SQLite databases function
- Explore artifacts stored in the backend SQLite database
- Compare local account storage configurations Vs. OneDrive and SharePoint accounts
- Examine the SQLite database tables to identify file usage across multiple devices.
Windows® 10 Notifications
- Learn of the Action Centre functionality
- Review the backend storage locations the Notifications database
- Explore artifacts stored in the backend SQLite database
- Write SQLite queries to present data in a clearer format
- Describe the correlation between displayed images on live tiles and backend storage
Photo’s Application Artifacts
- Review the Photo’s application from a user perspective
- Identify storage locations of cached data
- Identify recently viewed files
- Examine the TimeLine Cache data file and its implications
- Learn of key artifacts identified within the SQLite database.
- GeoLocation
- Folderidentification
- DateandTimesofinteractions
- Camera metadata
Cortana Integration
- Learn of Microsoft digital assistant
- Identify storage location of hosted data
- Identify key folder locations of collected data
- Review data stored in txt,
cfg ,ttl and JSON structured files pertaining to Cortana’s collection phases - Discuss cloud integration and synchronization processes.
Chromium Edge Browser Forensics
- Review the Edge Browser application
- Locate key folders of interested within the user profile
- Extract browsing artifacts from various SQLite databases
- Learn techniques in the extraction and analysis of JSON encoded artifacts
- Extensive hands on processing techniques.
OneDrive – Cloud Synchronization
- Review the function of the OneDrive processes
- Locate key folders of interest
- Identify the locations of user files
- Explore the many artifacts located in the Synchronization logs
- Discover Microsoft365 integration
- Use the registry to locate recent file interaction
- Interpret stored data in the subkeys
Course Information
$2595
- 32hrs of Instruction
- Course Manual
- Practical Files
- Attendance Certificate
Prerequisites
To get the most out of this class, you should:
- Have 6 months of experience in forensic examinations.
Request the Syllabus
Contact Spyder Forensics for more details of the course.
Hosting Courses
If you are interested in hosting this, or any of our courses at your facility, contact us.
Ready to get started?
19 November - 22 November
Live Remote Training
Tuesday
14 January - 17 January
London, UK
Tuesday
Windows 10 Advanced Forensic Analysis (Live On-Site) – Jan 2025 (London, UK)
56 Commercial Rd, Aldgate, London E1 1LP, United Kingdom
11 March - 14 March
Live Remote Training
Tuesday
No event found!