Windows Forensics

Access Data Windows Forensics Advanced Forensic Training - XP

This course provides students with the knowledge and skills necessary to conduct an effective Windows-based investigation. Attendees should already be conducting computer-based investigations and be familiar with the AccessData suite of tools.

In addition to using advanced search and filtering techniques, students will use FTK to address the following Windows artifacts:

The Recycled / Recycler Bin --- (deleted files, place-holders and INFO2 databases)
File Meta Data and OLE Items --- (dates and times and file summary data)
Print Spools and Remnants --- (print jobs and temp files that remain behind)
Unallocated Data Carving --- (recovering files from unallocated and embedded space)
Windows Log & Link Files --- (other system device access / login records)

Registry File Data - Using the new Registry Viewer - specifically:

NTUSER.DAT / SYSTEM files --- (protected storage data / user info)
SAM / SOFTWARE / SECURITY / SYSTEM --- (machine time bias / USER-SID / login)

Students will also learn how to gain access to files that have been encrypted with the Microsoft Encrypted File System (EFS) component, parse thumbnail lists from Windows and other popular applications, and more. This advanced-level, hands-on intensive course is intended for forensic investigators, law enforcement personnel, and security and network administrators who desire a greater understanding of the Windows registry and other operating system artifacts as they relate to computer forensic investigations.

The Windows Forensics course includes an optional Practical Skills Assessment (PSA) that requires participants to apply concepts presented during the course to complete a practical exercise. Participants who successfully complete this exercise receive a certificate of PSA completion.

Access Data Windows Forensics Advanced Forensic Training - Vista

This advanced AccessData workshop provides the knowledge and skills necessary to analyse Microsoft® Windows Vista™ operating system artifacts and file system mechanics using Forensic Toolkit (FTK), FTK Imager, Password Recovery Toolkit (PRTK), and Registry Viewer.

During this three-day workshop, participants will review the following:
o GUID Partition Tables (GPT): Students will use FTK Imager to navigate the new GPT formatted drive partitioning scheme.
o File Structure Changes: Students will learn the mechanics of reparse and mount points in the Windows Vista file structure.
o BitLocker-Full Volume Encryption (FVE): Students will use FTK Imager and Windows Vista technology to decrypt and acquire a sector-by-sector image of an FVE drive.

Windows Vista Artifacts such as:
o Vista EFS -- Updated EFS Algorithms
o Recycle Bin -- Updated File Recovery Mechanics
o Thumbcache -- Enhanced Thumbs.db Functionality
o Activity History -- Local Machine and Browser Indices
o Link and Spool Files -- Structure and Content Changes
o Windows Event Logs -- Enhanced XML Output and Viewing
o Volume Shadow Copy -- Previous File Version Recovery (SVI)
o Windows Vista Registry
o NTUser.DAT Changes -- MRU and UserAssist Changes
o SAM Hive User Changes -- Domain and User Value Additions
o System USBStor Information -- Device Identification and Protection
o Auto Complete & Search Terms -- Updated for Vista & Internet Explorer 7

The workshop includes multiple hands-on labs that allow students to apply what they have learned in the workshop.

Prerequisites:
To obtain the maximum benefit from this workshop, attendees should be familiar with:
o Windows XP forensic analysis
o Windows NT file system (NTFS) mechanics
o FTK, FTK Imager and Registry Viewer

Access Data Windows Forensics Advanced Forensic Training - Registry

In the continually evolving Windows Forensics series, the Windows registry continues to be a major source of Windows-related artifact and information storage. Having the proper knowledge of registry-based artifacts can make or break an investigation. In this course, attendees will utilise AccessData technology while being exposed to:

• Registry hive, cell and “hbin” block construction
• Live registry file capture from a Windows environment
• Carving registry key information from dumped memory files
• Registry testing, analysis and reporting technology
• Registry back-ups (System Volume Information and Restore Points)
• Tracking Trojan Horse programs through a suspect registry
• Tracking file associations and class ID information
• Analysing mounted device association (USB and other devices)
• Discovering machine compromise through registry infiltration

Access Data Windows Forensics 7 - Advanced Forensic Training

This advanced course provides the knowledge and skills necessary to analyze Microsoft® Windows 7® operating system artifacts and file system mechanics using Forensic Toolkit (FTK 3), FTK Imager and Registry Viewer. During this three-day course, participants will review GUID partition tables (GPT), BitLocker full-volume encryption (FVE), and BitLocker To Go. Students will review Windows 7 artifacts, such as Jump Lists, User Account Control, Libraries, HomeGroups, solid state drives, event logs and virtual hard drives. Registry artifacts will be explored as well.

Dates available in 2012

Dates             Course Type                 Venue
17 Jan - 19 Jan   Windows Forensic XP         London
07 Feb - 09 Feb   Windows Forensic Registry   London
24 Apr - 26 Apr   Windows Forensic Vista      London
15 May - 17 May   Windows Forensic 7          London
03 Jul - 05 Jul   Windows Forensic XP         London
09 Oct - 11 Oct   Windows Forensic Registry   London
04 Dec - 06 Dec   Windows Forensic XP         London
11 Dec - 13 Dec   Windows Forensic 7          London

Please call 01296 621121 or email jackie@dataduplication.co.uk to make a reservation.