Windows 11 Forensic Exploitation
4 Days – 32Hrs
Cost: $2,595
Participants will receive
4-Days of Instruction
Course Manual
Practical Files
Attendance Certificate
Rob Attoe
Lead Developer
Rob is a frequent presenter at esteemed international digital forensics conferences, including events hosted by the High Technology Crime Investigation Association, Department of Defense Cyber Crime, F3 Annual Workshops, and the Internet Crimes Against Children Taskforce. His expertise extends to contributing to digital forensic publications, and he acts as a subject matter expert for various courses within the ATA program managed by the State Department in the USA.
Course Objectives
The Advanced Windows® 11 Forensic Exploitation Analysis course is an intensive expert-level training program designed for experienced examiners in the field of digital forensics. The course aims to enhance their understanding and proficiency in advanced forensic techniques using a wide range of third-party tools, specifically tailored for the latest Microsoft operating system.
Throughout this week-long training event, participants will delve into the comprehensive study of various applications and utilities, equipping them with the skills to effectively identify, process, comprehend, and document critical Windows® 11 artifacts. The course covers essential topics such as analyzing the latest chromium-based Edge browser, handling BitLocker encryption, examining the Windows® Photos app, investigating Windows obscured apps, exploiting the Windows Subsystem for Linux and Android, and exploring other specific artifacts unique to Windows® 11. Additionally, participants will learn to review data in the updated Notepad application.
The training includes in-depth exploration of Windows 11 virtualized security, understanding new functions and transaction logging in Registry files, extraction of data from Helium-based sources, and thorough analysis of core Windows artifacts. The course concludes with an extensive examination of OneDrive offline storage and synchronization processes between trusted devices authenticated by the user account. Scripting and data exploitation for SQLite forensics will also be covered in detail.
Throughout the course, students will engage in hands-on labs and exercises, employing a combination of open-source and leading forensic applications to examine key artifacts. This practical approach ensures a comprehensive understanding of the subject matter, allowing participants to apply their newfound knowledge effectively in real-world scenarios.
Primary Learning Objectives
Windows 11 Forensic Exploitation - Day 1
Day 1 of the Spyder Forensics Windows 11 Forensic Exploitation course begins with an overview of the course along with an introduction to the Instructor.
It also gives the participants the opportunity to introduce themselves to the Instructor and to their fellow students; this, however, is not obligatory.
During this module we will be reviewing the latest artifact updates in the current version of Windows 11 and reviewing the changes Microsoft has implemented to core Operating System functionality throughout the lifecycle of Windows 11. Students will get a first look at Windows Recall as well as practical knowledge on how to handle a Windows 11 device from a first responder perspective.
- Learn what is new in the Microsoft Operating Systems
- Learn of the default security processes deployed in Windows 11
- Walkthrough Windows 11 from a user perspective
- Explorer updates
- Visual changes
- Learn of Windows Recall and analysis challenges
- First Responder considerations
- Operating System Access
- Shut down options
- Dealing with mounted encrypted volumes (BitLocker)
The instructor-led lab provides an in-depth examination of the version characteristics between Windows® 11 operating systems and explores the new features introduced in the Microsoft OS. It includes a walkthrough of Windows 11 from a user perspective, highlighting updates to the Explorer, visual changes, and modifications to existing artifacts. The lab also covers system and core application updates, as well as automated data deletions.
Windows 11 Forensic Exploitation - Day 2
During day 2 of the course we will begin to look in depth at system artifacts and at dealing with encrypted data and virtualized sub-systems.
The instructor-led lab covers the implementation of BitLocker on system partitions and removable media, teaching participants how to locate and read metadata objects within the encrypted volume. It also includes an overview of BitLocker To Go, a review of recovery options when BitLocker fails, and workflows for analyzing a BitLocked volume.
During this module, we will explore techniques in reviewing the data in the BitLocked volume and the story it can tell us about volume usage.
We’ll review what has changed with Windows 11 updates and explore workflows for the successful examination of data from within an encrypted volume, along with examination techniques for recovering deleted data at the physical layer of the volume.
- Learn how BitLocker is implemented on system partitions and removable media
- Locate and read the metadata objects located in the encrypted volume
- Describe BitLocker To Go
- Review recovery options when BitLocker fails
- Workflows in the analysis of a BitLocked volume
This module will focus on performing Windows 11 subsystem forensic analysis.
Digital forensic investigators typically employ a range of techniques and tools specific to each subsystem. These may include file system analysis tools, command history analysis, virtual machine forensics tools, PowerShell scripting, and Linux forensic utilities. This module will expand on what an examiner will be able to process when any sub-system has been utilized.
- Overview of virtualization technology
- Explore Windows Sandbox usage and analysis techniques
- Examine Remote Desktop cached data using PowerShell
- Explore the uses of Linux Sub-systems (WSL) built into Windows 11
- Examine user options for WSL installation
- Examine WSL and Sandbox host-based artifacts
During the instructor-led lab students will explore the Linux and Sandbox subsystems, followed by in-depth analysis of data left behind through user and system activity.
The instructor-led lab defines the Windows Registry and discusses its forensic benefits. It explores Windows 11 account types and updates, dives deep into methods for tracking removable hardware across a Windows 11 system, and examines user interactions with the system.
During this module we will be examining core registry files and exploiting information typically relevant to most examinations.
We will use multiple files to gain full insight into when the accounts have interacted with the system, when devices were installed, and how to interpret dates and times related to all types of interactions.
- Review the forensic importance of the Windows registry
- Learn how transaction logging functions and its impact on forensic analysis
- Explore Windows 11 Account types and reporting techniques
- Examine hardware tracking in the Windows 11 Registry and Event log files
- Explore software registrations and how they can be exploited in digital examinations
Windows 11 Forensic Exploitation - Day 3
Day 3 of the course begins the process of exploring activities the user has interacted with and workflows in the analysis of data.
We will also look at more advanced techniques which go beyond simply viewing data.
During this module we will look at how an examiner can successfully navigate the forensic landscape and extract relevant evidence to support their investigation. Such evidence takes various forms, including actual items of interest or supporting artifacts that indicate the suspect’s knowledge of and interaction with the data.
- Review of Windows Shell Links
- Examination of the new Windows 11 Jump List function
- Gain an understanding of the function of automatic vs. custom jump lists
- Learn how cloud-based files are tracked in Jumplists
- Deep dive into Jump List Analysis and timelining of user activity
- Examination of backend JumpList databases
- Learn of the new Windows Search function on Windows 11
- Explore techniques in extraction of data from the new SQLite search database files
- Co-Pilot interactions and forensic analysis
The instructor-led lab provides a comprehensive review of Windows Shell Links and an in-depth examination of the new Windows 11 Jump List function, including the distinctions between automatic and custom jumplists. Participants will learn how cloud-based files are tracked in jumplists and delve into jump list analysis and the timelining of user activity. The lab also covers the examination of backend jumplist databases, the new Windows Search function on Windows 11, and techniques for extracting data from the new SQLite search database files. Additionally, the lab explores Co-Pilot interactions and forensic analysis.
The instructor-led lab provides an overview of immersive application folder structures and explores typical forensic artifacts associated with a Helium-based application. Participants will review application tab cached data, examine the function of core Helium-based Windows apps, and analyze new registry data. The lab also covers handling corrupted registry files, combining MRU data between different registry files, and introduces the examination of SQLite databases, including exploiting stored data using SQLite scripts.
During this module, we will look at the forensics artifacts that reside on the host system including an SQLite database that contains a wealth of information that can be useful during an examination.
We will focus on the latest versions of Helium-based applications and the complex nature of virtualized and fragmented data.
- Overview of Immersive application folder structures
- Explore typical forensic artifacts associated with a Helium based application
- Review application Tab cached data
- Review the function of core Helium based Windows apps
- Examining new registry data
- Handling corrupted registry files
- Learn how to combine MRU data between different registry files
- Introduction to examining SQLite databases
- Exploiting stored data using SQLite Scripts
Windows 11 Forensic Exploitation - Day 4
On day 4 of the course we will bring all of the knowledge learned together and look deeper into cloud-based artifacts and user activity using Chromium-based applications.
Traditional forensic examinations focus on artifacts located only on host systems (host-based forensics); however, many of these items may be replicated across different devices if the custodian is using a cloud-based solution to store their data. Many existing digital forensic tools are challenged by the artifacts they discover in these areas and by how to read the story these offline files tell. We will also dive into OneDrive cloud storage options, how to examine locally stored items, and the extraction of data from synchronization logs.
- Microsoft OneDrive cloud based solution overview
- Locate key folders of interest
- User files
- Synchronization log files
- User settings
- Learn the interpretation of stored settings files
- Exploitation of SQLite databases containing file deletion records and synchronization data
- Workflows in the identification of files hosted in the cloud vs. locally stored data
The instructor-led lab provides an overview of Microsoft’s OneDrive cloud-based solution, focusing on locating key folders of interest, including user files, synchronization log files, and user settings. Participants will learn to interpret stored settings files and exploit SQLite databases containing file deletion records and synchronization data. The lab also covers workflows for identifying files hosted in the cloud versus locally stored data.
The instructor-led lab reviews the Chromium application data, focusing on locating key folders of interest within the user profile and extracting browsing artifacts from various SQLite databases. It introduces LevelDBs and their analysis, covers the extraction of data from the new Outlook Chromium-based email client, and examines the new Edge Browser WebCache View folder structure. Additionally, the lab reviews other applications using the new EBWebView process.
During this module we will review the functionality of the Chromium-based applications on a Windows 11 system.
Throughout the module we will dive deeper into the prolific use of this application engine and perform hands-on exercises to demonstrate the front-end process and back-end storage locations.
By the end of this module, you will have gained a comprehensive understanding of Chromium-based browsers’ functionality on Windows 11 and the necessary skills to extract, analyze, and interpret the associated artifacts for forensic investigations.
- Review the Chromium Edge Browser application
- Locate key folders of interest within the user profile
- Extract browsing artifacts from various SQLite databases
- Introduction to LevelDBs and Analysis
- Extraction of the new Outlook Chromium-based email client data
- Examination of the new Edge Browser WebCache View folder structure
- Review other applications using the new EBWebView process