• Online, Instructor-Led
  • Online, Self-Paced
  • Classroom
Course Description

Master Windows Forensics - "You Can't Protect What You Don't Know About."

All organizations must prepare for cyber-crime occurring on their computer systems and within their networks. Demand has never been greater for analysts who can investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Government agencies increasingly require trained media exploitation specialists to recover vital intelligence from Windows systems. To help solve these cases, SANS is training a new cadre of the world's best digital forensic professionals, incident responders, and media exploitation experts capable of piecing together what happened on computer systems second by second.

FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of Microsoft Windows operating systems. You can't protect what you don't know about, and understanding forensic capabilities and artifacts is a core component of information security. You will learn how to recover, analyze, and authenticate forensic data on Windows systems, track particular user activity on your network, and organize findings for use in incident response, internal investigations, and civil/criminal litigation. You will be able to use your new skills to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unbelievable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data.

Proper analysis requires real data for students to examine. The completely updated FOR500 course trains digital forensic analysts through a series of new hands-on laboratory exercises that incorporate evidence found on the latest Microsoft technologies (Windows 7, Windows 8/8.1, Windows 10, Office and Office365, Cloud Storage, SharePoint, Exchange, Outlook). Students leave the course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out - attendees learn to analyze everything from legacy Windows 7 systems to just-discovered Windows 10 artifacts.

FOR500: Windows Forensic Analysis will teach you to:

  1. Conduct in-depth forensic analysis of Windows operating systems and media exploitation focusing on Windows 7, Windows 8/8.1, Windows 10, and Windows Server 2008/2012/2016
  2. Identify artifact and evidence locations to answer critical questions, including application execution, file access, data theft, external device usage, cloud services, geolocation, file download, anti-forensics, and detailed system usage
  3. Focus your capabilities on analysis instead of on how to use a particular tool
  4. Extract critical answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation

FOR500 is continually updated. The course starts with an intellectual property theft and corporate espionage case that took over six months to create. You work in the real world, so your training should include real-world practice data. Our instructor development team used incidents from their own investigations and experiences to create an incredibly rich and detailed scenario designed to immerse students in an actual investigation. The case demonstrates the latest artifacts and technologies an investigator might encounter while analyzing Windows systems. The detailed workbook shows step-by-step the tools and techniques that each investigator should employ to solve a forensic case.

Windows Forensics Course Topics:

  • Windows Operating Systems Focus (Windows 7, Windows 8/8.1, Windows 10, Server 2008/2012/2016)
  • Windows File Systems (NTFS, FAT, exFAT)
  • Advanced Evidence Acquisition Tools and Techniques
  • Registry Forensics
  • Shell Item Forensics
    • Shortcut Files (LNK) - Evidence of File Opening
    • Shellbags - Evidence of Folder Opening
    • JumpLists - Evidence of File Opening/Program Exec
  • Windows Artifact Analysis
    • Facebook, Gmail, Hotmail, Yahoo Chat, and Webmail Analysis
    • Microsoft Office Document Analysis
    • System Resource Usage Database
    • Windows 10 Timeline Database
    • Windows Recycle Bin Analysis
    • File and Picture Metadata Tracking and Examination
    • Ten Different Application Execution Artifacts Including Several New to Windows 10
  • Cloud Storage File and Metadata Examinations

    • OneDrive, Dropbox, G Drive, G Suite File Stream, Box
  • Email Forensics (Host, Server, Web), Including Office 365 and G Suite
  • Event Log File Analysis
  • Firefox, Chrome, Edge, and Internet Explorer Browser Forensics
  • Deleted Registry Key and File Recovery
  • Recovering Missing Data From Registry and ESE Database .Log Files
  • String Searching and File Carving
  • Examination of Cases Involving Windows 7, Windows 8/8.1, and Windows 10
  • Media Analysis and Exploitation Involving:
    • Tracking User Communications Using a Windows PC (Email, Chat, IM, Webmail)
    • Identifying If and How a Suspect Downloaded a Specific File to the PC
    • Determining the Exact Time and Number of Times a Suspect Executed a Program
    • Showing When Any File Was First and Last Opened by a Suspect
    • Determining If a Suspect Had Knowledge of a Specific File
    • Showing the Exact Physical Location of the System
    • Tracking and Analyzing External and USB Devices
    • Showing How the Suspect Logged on to the Machine via the Console, RDP, or Network
    • Recovering and Examining Browser Artifacts, Even Those Used in a Private Browsing Mode
    • Discovering Utilization of Anti-Forensics, Including File Wiping, Time Manipulation, and Program Removal
  • The Course Is Fully Updated to Include Latest Windows 7, 8, 8.1, 10, and Server 2008/2012/2016 Techniques

Learning Objectives

  • Perform proper Windows forensic analysis by applying key techniques focusing on Windows 7, Windows 8/8.1, and Windows10
  • Use full-scale forensic tools and analysis methods to detail nearly every action a suspect accomplished on a Windows system, including who placed an artifact on the system and how, program execution, file/folder opening, geo-location, browser history, profile USB device usage, and more
  • Uncover the exact time that a specific user last executed a program through Registry and Windows artifact analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker-breached systems, and traditional crimes
  • Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), email analysis, and Windows Registry parsing
  • Audit cloud storage usage, including detailed user activity, identifying deleted files, and even documenting files available only in the cloud
  • Identify keywords searched by a specific user on a Windows system to pinpoint the data and information that the suspect was interested in finding and accomplish detailed damage assessments
  • Use Windows Shellbag analysis tools to articulate every folder and directory that a user or attacker opened up while browsing local, removable, and network drives
  • Determine each time a unique and specific USB device was attached to the Windows system, the files and folders that were accessed on it, and who plugged it in by parsing Windows artifacts such as the Registry and Event Log files
  • Learn Event Log analysis techniques and use them to determine when and how users logged into a Windows system, whether via a remote session, at the keyboard, or simply by unlocking a screensaver
  • Determine where a crime was committed using Registry data to pinpoint the geo-location of a system by examining connected networks and wireless access points
  • Use browser forensic tools to perform detailed web browser analysis, parse raw SQLite and ESE databases, and leverage session recovery artifacts database carving to identify the web activity of suspects, even if privacy cleaners and in-private browsing are used
  • Specifically determine how individuals used a system, who they communicated with, and files that were downloaded, modified, and deleted

Framework Connections

The materials within this course focus on the Knowledge Skills and Abilities (KSAs) identified within the Specialty Areas listed below. Click to view Specialty Area details within the interactive National Cybersecurity Workforce Framework.

Feedback

If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.