Windows 11 Forensic Exploitation
32 Hours / 4-Day
This Advanced course is designed for the examiner who wants to advance their knowledge and skills in digital forensic examinations where databases contain much of the data and alternate methods of exploitation are required.

Windows® 11 Artifact Overview
- Examine the version characteristics between Windows® 11 Operating systems
- What is new in the Microsoft OS
- Walkthrough Windows 11 from a user perspective
- Explorer updates
- Visual changes
- Changes to Existing Artifacts
- System updates
- Core Application updates
- Automated data deletions

BitLocker Encryption
- Learn how BitLocker is implemented on system partitions and removable media
- Locate and read the metadata objects located in the encrypted volume
- Describe BitLocker To Go
- Review recovery options when BitLocker fails
- Workflows in the analysis of a BitLocked volume

Windows 11 sub-system Analysis
- What is new in the Microsoft Sub-systems
- Explore the uses of Linux Sub-systems on Windows Operating Systems
- Learn of the Android Sub-System introduced with Windows 11
- Examine host-based artifacts through the use of WSL and WSA

Exercises in Registry analysis on a Windows 11 system
- Define the Windows Registry
- Discuss Forensic benefits of the Registry
- Explore Windows 11 Account types and updates
- Review how to track removable hardware across a Windows 11 system
- Examine user interactions with the system

Windows® Action Center
- Notifications Analysis
- Introduction to Windows Notifications
- Review of the backend storage locations
- Identify data of interest within the backend SQLite database
- Exploit records using SQLite scripting

Recent File Interactions
- Introduction to Windows Shell Links
- Windows 11 Jump Lists
- Jump List Analysis
- Introduction to Windows 11 Recent File lists
- Examination of backend databases
- The exploitation of data fields using comprehensive scripting techniques

OneDrive on Windows 11
- Microsoft OneDrive solution overview
- Review the different options for OneDrive
- Locate key folders of interest
- User files
- Synchronization log files
- User settings
- Learn interpretation of stored settings files

Chromium Based Browsers
- Review the Chromium Edge Browser application
- Locate key folders of interest within the user profile
- Extract browsing artifacts from various SQLite databases
- Learn techniques in the extraction and analysis of JSON encoded artifacts
- Explore Alternate databases using Python
- Introduction to LevelDB databases and their analysis

Windows 11 Mail
- Windows Mail and examination techniques
- Learn of the function of the Windows Mail client
- Locations of Trusted and Untrusted data
- Review the Comms folder and ESE database
- Extract key data from the Store.vol ESE database
- Review the storage of email data within the sub-folders of the Comms and storage folders

Course Information
$2,495
- 40hrs of Instruction
- Course Manual
- Practical Files
- Attendance Certificate

Prerequisites
To get the most out of this class, you should:
- Have 6 months of experience in forensic examinations.

Request the Syllabus
Contact Spyder Forensics for more details of the course.

Hosting Courses
If you are interested in hosting this, or any of our courses at your facility, contact us.
Ready to get started?
25 July - 28 July
Manassas, VA
Tuesday
Windows 11 Forensic Exploitation – (Manassas, VA Live on-site) – July 2023
10021 Balls Ford Road, Suite 260 Manassas, VA 20109
29 August - 01 September
Zurich, Switzerland
Tuesday
Windows 11 Forensic Exploitation – (Zurich, Switzerland – Live on-site) – August 2023
Westhive Zürich, Hardturm Hardturmstrasse 161, 8005 Zürich Schweiz
05 September - 08 September
Live Remote Training
Tuesday
16 October - 19 October
Singapore
Monday
23 January - 26 January
London, UK
Tuesday
27 February - 01 March
Live Remote Training
Tuesday