Windows Forensics


AccessData Windows Forensics Advanced Forensic Training - XP

This course provides students with the knowledge and skills necessary to conduct an effective Windows-based investigation. Attendees should already be conducting computer-based investigations and be familiar with the AccessData suite of tools.

In addition to using advanced search and filtering techniques, students will use the Ultimate Toolkit (with the new Registry Viewer) to address the following Windows artifacts:

The Recycled / Recycler Bin --- (deleted files, placeholder records and the INFO2 database; RECYCLED on FAT volumes, RECYCLER with per-user SID subfolders on NTFS)
File Metadata and OLE Items --- (dates and times, and document summary information)
Print Spools and Remnants --- (print jobs and temporary spool files that remain behind)
Unallocated Data Carving --- (recovering files from unallocated and embedded space)
Windows Log & Link Files --- (event log and LNK shortcut records of device access and logons)

Registry File Data - Using the new Registry Viewer - specifically:

NTUSER.DAT / SYSTEM hives --- (Protected Storage data / per-user information)
SAM / SOFTWARE / SECURITY / SYSTEM hives --- (machine time-zone bias / user SIDs / logon information)

Students will also learn how to gain access to files that have been encrypted with the Microsoft Encrypting File System (EFS), parse thumbnail caches from Windows and other popular applications, and more. This advanced-level, hands-on intensive course is intended for forensic investigators, law enforcement personnel, and security and network administrators who want a deeper understanding of the Windows registry and various other operating system artifacts as they relate to computer forensic investigations.

The Windows Forensics course includes an optional Practical Skills Assessment (PSA) that requires participants to apply concepts presented during the course to complete a practical exercise. Participants who successfully complete this exercise receive a certificate of PSA completion.

AccessData Windows Forensics Advanced Forensic Training - Vista

This advanced AccessData workshop provides the knowledge and skills necessary to analyse Microsoft® Windows Vista™ operating system artifacts and file system mechanics using Forensic Toolkit (FTK), FTK Imager, Password Recovery Toolkit (PRTK), and Registry Viewer.

During this three-day workshop, participants will review the following:
o GUID Partition Table (GPT): Students will use FTK Imager to navigate the GPT drive partitioning scheme that Vista supports alongside the traditional MBR layout.
o File Structure Changes: Students will learn the mechanics of reparse points and volume mount points in the Windows Vista file structure.
o BitLocker Full Volume Encryption (FVE): Students will use FTK Imager and Windows Vista technology (with the BitLocker key or recovery password available) to decrypt and acquire a sector-by-sector image of an FVE-protected drive.

Windows Vista Artifacts such as:
o Vista EFS -- Updated EFS Algorithms
o Recycle Bin -- Updated File Recovery Mechanics ($I/$R file pairs replace the INFO2 database)
o Thumbcache -- Centralised per-user replacement for the per-folder Thumbs.db
o Activity History -- Local Machine and Browser Indices
o Link and Spool Files -- Structure and Content Changes
o Windows Event Logs -- New XML-based EVTX format and viewing
o Volume Shadow Copy -- Previous File Version Recovery (System Volume Information, SVI)
o Windows Vista Registry:
o NTUser.DAT Changes -- MRU and UserAssist Changes
o SAM Hive User Changes -- Domain and User Value Additions
o SYSTEM Hive USBSTOR Information -- Device Identification and Protection
o AutoComplete & Search Terms -- Updated for Vista & Internet Explorer 7
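
The two Recycle Bin items in this catalogue (the XP course's INFO2 database and the Vista course's updated recovery mechanics) are the kind of artifact a parser makes concrete. The following is an added example, not AccessData course material or tool output: it builds constructed sample data in both layouts and parses it. The XP INFO2 layout used is the documented version-5 format (20-byte header with a 4-byte version, two fields of unknown meaning, record size and total logical size; 800-byte records holding a 260-byte ASCII path, index, drive number, FILETIME, physical size and a 520-byte UTF-16 path). The Vista $I layout is version 1 (three 8-byte fields and a 520-byte UTF-16 path); the version-2 branch covers the later Windows 10 variant and goes beyond what the course describes. The paths, dates and sizes are invented for the sample.

```python
"""Parse Windows recycle-bin metadata: XP INFO2 records and Vista $I files.

The byte layouts follow the widely documented formats; the sample data below is
constructed here for illustration and is not taken from a real system.
"""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

INFO2_HEADER_SIZE = 20      # version, unknown, unknown, record size, total logical size
INFO2_RECORD_SIZE = 800     # fixed record size of the version-5 (Windows 2000/XP) format
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    # integer timedelta division keeps the conversion exact (no float rounding)
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_info2(data):
    """Return one dict per INFO2 record (XP: RECYCLER\\<SID>\\INFO2)."""
    version, _, _, rec_size, _total = struct.unpack_from("<5I", data, 0)
    if version != 5 or rec_size != INFO2_RECORD_SIZE:
        raise ValueError(f"unsupported INFO2: version {version}, record size {rec_size}")
    records = []
    for off in range(INFO2_HEADER_SIZE, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
        letter = chr(ord("A") + drive)
        records.append({
            "index": index,
            "drive": letter,
            "deleted": filetime_to_dt(ft),
            "size": size,                       # physical (cluster-rounded) size
            "path": path,
            # the recycled copy sits beside INFO2 as D<drive><index><ext>, e.g. Dc3.xls
            "recycled_name": f"D{letter.lower()}{index}{ntpath.splitext(path)[1]}",
            # restoring or purging a file zeroes byte 0 of the ASCII path; the record
            # (and its UTF-16 path) stays in INFO2 until the bin is emptied
            "restored": rec[0] == 0,
        })
    return records


def parse_dollar_i(data):
    """Return the metadata in a Vista/7 $I<random> file (the content lives in $R<random>)."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                      # Vista/7: fixed 520-byte UTF-16 path field
        raw = data[24:24 + 520]
    elif version == 2:                    # Windows 10 variant: 4-byte char count, then path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"size": size, "deleted": filetime_to_dt(ft), "path": path}


# --- constructed samples (invented paths, dates and sizes; not real evidence) ---

def build_info2_record(path, index, drive, deleted, size, restored=False):
    ascii_part = path.encode("ascii", "replace")[:259].ljust(260, b"\x00")
    if restored:
        ascii_part = b"\x00" + ascii_part[1:]   # the placeholder marker described above
    uni_part = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
    return ascii_part + struct.pack("<IIQI", index, drive, dt_to_filetime(deleted), size) + uni_part


def build_sample_info2():
    t1 = datetime(2008, 2, 26, 10, 30, tzinfo=timezone.utc)
    t2 = datetime(2008, 2, 27, 16, 5, tzinfo=timezone.utc)
    recs = [
        build_info2_record(r"C:\Documents and Settings\jsmith\My Documents\budget.xls", 3, 2, t1, 24576),
        build_info2_record(r"C:\Documents and Settings\jsmith\Desktop\notes.txt", 4, 2, t2, 4096, restored=True),
    ]
    header = struct.pack("<5I", 5, 0, 0, INFO2_RECORD_SIZE, 24576 + 4096)
    return header + b"".join(recs)


def build_sample_dollar_i():
    t = datetime(2008, 2, 28, 9, 0, tzinfo=timezone.utc)
    path = r"C:\Users\jsmith\Documents\budget.xls"
    return struct.pack("<QQQ", 1, 24576, dt_to_filetime(t)) + path.encode("utf-16-le").ljust(520, b"\x00")


SAMPLE_INFO2 = build_sample_info2()
SAMPLE_DOLLAR_I = build_sample_dollar_i()

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        flag = " (restored/purged: placeholder only)" if r["restored"] else ""
        print(f'{r["deleted"]:%Y-%m-%d %H:%M} {r["recycled_name"]:<10} {r["path"]}{flag}')
    i = parse_dollar_i(SAMPLE_DOLLAR_I)
    print(f'{i["deleted"]:%Y-%m-%d %H:%M} $I/$R pair   {i["path"]} ({i["size"]} bytes)')
```

The point the course items make is visible in the two formats: XP keeps every deletion as a record in one per-user INFO2 file, so a restored file leaves a zero-byte placeholder whose Unicode path is still recoverable, whereas Vista writes an independent $I metadata file per deleted item, so a recovered $I file with no matching $R file tells you a file was recycled even when its content is gone.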

The workshop includes multiple hands-on labs that allow students to apply what they have learned in the workshop.

Prerequisites:
To obtain the maximum benefit from this workshop, attendees should be familiar with:
o Windows XP forensic analysis
o Windows NT file system (NTFS) mechanics
o FTK, FTK Imager and Registry Viewer

AccessData Windows Forensics Advanced Forensic Training - Registry

In the continually evolving Windows Forensics series, the Windows registry remains a major store of Windows-related artifacts and configuration information. Proper knowledge of registry-based artifacts can make or break an investigation. In this course, attendees will utilise AccessData technology while being exposed to:

• Registry hive, cell and “hbin” block construction
• Live registry file capture from a running Windows system
• Carving registry key information from memory dumps
• Registry testing, analysis and reporting technology
• Registry back-ups (System Volume Information and Restore Points)
• Tracking Trojan horse programs through a suspect registry
• Tracking file associations and class ID (CLSID) information
• Analysing mounted device associations (USB and other devices)
• Discovering machine compromise through registry infiltration

Dates available in 2008

Date         Course Type                  Venue
26-28 Feb    Windows Forensics - Vista    London
01-03 Apr    Windows Forensics - Vista    Manchester
20-22 May    Windows Forensics - XP       London
24-26 June   Windows Forensics - XP       Manchester
15-17 July   Windows Forensics - Vista    London
2-4 Sept     Windows Forensics - Vista    London
28-30 Oct    Windows Forensics            Manchester
02-04 Dec    Windows Forensics - Vista    London

Please call 01296 621121 or email jackie@dataduplication.co.uk to make a reservation.

PDF of the Windows Forensics syllabus