Windows 11 Forensic Exploitation

32 Hours / 4-Day

This advanced course is designed for the examiner who wants to advance their knowledge and skills in
digital forensic examinations where databases contain much of the data and alternate methods of
exploitation are required.


Windows® 11 Artifact Overview

  • Examine the version characteristics of Windows® 11 operating systems
  • What is new in the Microsoft OS
  • Walkthrough Windows 11 from a user perspective
  • Explorer updates
  • Visual changes
  • Changes to Existing Artifacts
  • System updates
  • Core Application updates
  • Automated data deletions

BitLocker Encryption

  • Learn how BitLocker is implemented on system partitions and removable media
  • Locate and read the metadata objects located in the encrypted volume
  • Describe BitLocker To Go
  • Review recovery options when BitLocker fails
  • Workflows for the analysis of a BitLocker-protected volume

Windows 11 Subsystem Analysis

  • What is new in the Microsoft subsystems
  • Explore the uses of the Linux subsystem on Windows operating systems
  • Learn about the Android subsystem introduced with Windows 11
  • Examine host-based artifacts through the use of WSL and WSA

Exercises in Registry analysis on a Windows 11 system

  • Define the Windows Registry
  • Discuss Forensic benefits of the Registry
  • Explore Windows 11 Account types and updates
  • Review how to track removable hardware across a Windows 11 system
  • Examine user interactions with the system

Cortana® examinations

  • Learn about Microsoft's digital assistant, Cortana
  • Identify storage location of hosted data
  • Identify key folder locations of collected data
  • Exploit the data in the SQLite database
  • Review the data in the settings registry file

Windows® Action Center

  • Notifications Analysis
  • Introduction to Windows Notifications
  • Review of the backend storage locations
  • Identify data of interest within the backend SQLite database
  • Exploit records using SQLite scripting

Recent File Interactions

  • Introduction to Windows Shell Links
  • Windows 11 Jump Lists
  • Jump List Analysis
  • Introduction to Windows 11 Recent File lists
  • Examination of backend databases
  • The exploitation of data fields using comprehensive scripting techniques

OneDrive on Windows 11

  • Microsoft OneDrive solution overview
  • Review the different options for OneDrive
  • Locate key folders of interest
  • User files
  • Synchronization log files
  • User settings
  • Learn interpretation of stored settings files

Chromium Based Browsers

  • Review the Chromium Edge Browser application
  • Locate key folders of interest within the user profile
  • Extract browsing artifacts from various SQLite databases
  • Learn techniques in the extraction and analysis of JSON encoded artifacts
  • Explore Alternate databases using Python
  • Introduction to LevelDB and its analysis

Windows 11 Mail

  • Windows Mail and examination techniques
  • Learn the function of the Windows Mail client
  • Locations of Trusted and Untrusted data
  • Review the Comms folder and ESE database
  • Extract key data from the Store.vol ESE database
  • Review the storage of email data within the sub-folders of the Comms and storage folders

Prerequisites

To get the most out of this class, you should:

  • Have 6 months of experience in forensic examinations.

Request the Syllabus

Contact Spyder Forensics for more details of the course.

Hosting Courses

If you are interested in hosting this, or any of our courses at your facility, contact us.
