Advanced Windows Forensics
4 Days – 32Hrs
Cost: $2,595
Participants will receive
4-Days of Instruction
Course Manual
Practical Files
Attendance Certificate
Rob Attoe
Lead Developer
Rob is the CEO and Founder of Spyder Forensics. He has over two decades of experience developing and presenting training on Digital Forensics, Cyber Security, Mobile Forensics, and eDiscovery education programs for the global digital investigations community.
As a lifetime member of the International Association of Computer Investigative Specialists (IACIS), Rob instructs regularly at the association’s annual conferences and is a lead instructor for several advanced courses as well as regularly presenting at the premier international digital forensics conferences. Rob has contributed to digital forensic publications and is a subject matter expert in various courses for the ATA program managed by the State Department in the USA.
Course Objectives
The Advanced Windows® Forensic analysis class is an expert-level training course, designed for examiners who are familiar with the principles of digital forensics and keen to expand their knowledge on advanced forensics using a host of third-party tools to improve their digital investigations techniques.
The Spyder Forensic Advanced Windows® Forensic Analysis course will give participants unbiased knowledge and skills necessary to analyze artifacts left behind through system and user interaction with the host system, utilizing industry standard tools and open-source applications to explore the data in greater depth by learning how applications function and store data in the file system.
Students will learn to use various applications and utilities to successfully identify, process, understand and document numerous Windows artifacts that are vitally important to forensic investigations. The participant will also gain knowledge on how to process Chromium Edge browser history, cookies, and other database analysis including examination of BitLocker encryption, the Windows Action Center, Windows 10 TimeLine and other Windows 10 specific artifacts. The course includes gaining in-depth knowledge of JumpLists, Registry analysis and prefetch files and how they relate to forensic investigations and conclude with an in-depth look at OneDrive and synchronization processes between trusted devices, SQLite forensics plays a big role in the analysis of data therefore students will gain detailed knowledge in scripting and data exploitation.
We will use a variety of open source and leading forensic applications to examine key artifacts through multiple hands-on labs and student exercises.
Primary Learning Objectives
Advanced Windows Forensics - Day 1
Day 1 of the Spyder Forensics Advanced Windows Forensics course begins with an overview of the course along with an introduction to the Instructor.
It also gives the participants the opportunity to introduce themselves to the Instructor and also to their fellow students, this however is not obligatory.
During this module we will be reviewing the latest artifact updates to Windows 10
- Overview of Windows Operating Systems
- Examine the version characteristics between Windows® 10 Operating systems
- Discuss Windows access considerations
- Review the data structure of the Recycle Bin metadata files
- Review other Windows 10 Data Structures being taught throughout the course.
- Examine StorageSense and its effects on locally stored data
Instructor Led Lab
- Review the data structure of the Recycle Bin metadata files
- Review other Windows Data Structures being taught throughout the course.
Instructor Led Lab
- Locate and read the metadata objects located in the encrypted volume
- Review recovery options when BitLocker fails
- Workflows in the analysis of a BitLocked volume
During this module, we will explore techniques in reviewing the data in the BitLocked volume and the story it can tell us about volume usage.
We’ll review what has changed with Windows updates and explore workflows in the successful examination of data from within encrypted volume and examination techniques in recovering deleted data at the physical layer of the volume.
- Learn how BitLocker is implemented on system partitions and removable media
- Locate and read the metadata objects located in the encrypted volume
- Describe the BitLocker To Go
- Review recovery options when BitLocker fails
- First Responder duties
- Workflows in the analysis of a BitLocked volume
Advanced Windows Forensics - Day 2
During Day 2 of the course we will examine user accounts and disuss their importance in any forensic investigation. We will also look at unautorized data access and this along with user accounts will enable us to build a timeline of events.
During this module we will be examining user accounts on a Windows 10 system. We will use multiple files to gain full insight into when the accounts have interacted with the system and where their files will be stored.
- Define the purpose of the Windows Registry
- Describe Operating System access management
- Describe a Security Identifier (SID)
- Describe a Relative Identifier (RID)
- Identify local ‘MSA’ accounts
- User Profile data in NTUSER.DAT file
- User Profile data in SOFTWARE fil
Instructor Led lab
- Describe a Security Identifier (SID)
- Describe a Relative Identifier (RID)
- Identify OneDrive Accounts
- User Profile data in NTUSER.DAT file
- User Profile data in SOFTWARE file
Instructor Led Lab
- Identify the purpose of the SYSTEM registry file
- Review core items of forensic interest
- Learn how Windows tracks
- HDD’s
- USB’s
- Tracking a USB through the system
Identifying storage media data during a forensic examination of a Windows system is crucial because these types of devices can be used to transfer files, introduce malware, or exfiltrate sensitive information. By analyzing registry data, examiners can uncover evidence of unauthorized data access or transfers, track the history of connected devices, and correlate this information with user activity to build a comprehensive timeline of events.
- Identify the purpose of the SYSTEM registry file
- Review core items of forensic interest
- Learn how Windows tracks
- HDD’s
- USB’s
- Tracking a USB through the system
Advanced Windows Forensics - Day 3
Day 3 of the Advanced Windows Forensics course will review the multitude of artifcats on a Windows system that gives the examiner important information that can indicate if the suspect was aware of particular data and importantly if they interacted with it. An important aspect of this are Windows Shortcuts and Jump Lists and we will also examine these.
Instructor Led Lab
- Review Software registrations in the SOFTWARE, SYSTEM and NTUSER.DAT registry files
- UserAssist Analysis
- Review the purpose of BAM
- Identify forensic implications of the registry artifacts
During this module we will be reviewing the many artifacts pertaining to user activity on the host system, leading to proof of knowledge of a file or location as well as interaction with items of evidential interest.
- Review Software registrations in the SOFTWARE, SYSTEM and NTUSER.DAT registry files
- UserAssist Analysis
- Review the purpose of BAM
- Identify forensic implications of the registry artifacts
During any forensic investigation, an examiner’s role is to locate items of evidential value that support the incident, this cooperative information can be the actual item or supporting artifacts that indicate the suspect was aware of the data and interacted with it. Most actions a user account enacts on the host system will leave traces within the Registry, File System and copies of actual file data located across the volume. Examiners must be familiar with typical Windows functions to determine how the items are created and typical locations of system artifacts.
- Introduction to Windows Shortcuts
- Shell link functionality
- Link File Anatomy
- Jump Lists
- Jump List Analysis
- Examine File System Integration
Instructor Led Lab
- Introduction to Windows Shortcuts
- Shell link functionality
- Link File Anatomy
- Jump Lists
- Jump List Analysis
- Examine File System Integration
Instructor Led Lab
- Introduction to Windows TimeLine functionality
- Introduction to Timeline forensic workflows
- Synchronization options and account types
- Introduction to SQLite Forensics
- Examine Database structures
- Explore Table analysis.
During this module we will discuss the following items relating to TimeLine on a Windows 10 system.
- Introduction to Windows TimeLine functionality
- Introduction to Timeline forensic workflows
- Synchronization options and account types
- Introduction to SQLite Forensics
- Examine Database structures
- Explore Table analysis.
Advanced Windows Forensics - Day 4
The final day of the course we will identify items of interest associated with SQLite databases and also lok at Windows Apps, also known as Immersive Applications. We will follow this with an in-depth look at the Photos app, something that can be of great forensic importance.
During this section we will discuss the following items relating to the Action Center on Windows 10 systems
- Introduction to Windows Notifications features
- Review of the backend storage locations
- Identify data of interested within the SQLite databases
- Examine the Notification table
- Explore the BLOB fields and their forensic relevance
Instructor Led Lab
- Review of the backend storage locations
- Identify data of interested within the SQLite databases
- Examine the Notification table
- Explore the BLOB fields and their forensic relevance
Instructor Led Lab
- Review the Windows Modern UI overview
- Learn of Live Tiles concept
- Examine Immersive Applications
- Frontend view
- Backend structures
- Review the function of the Photo’s app
- Explore the backend folder structure
- Examine the SQLite database
- Explore the many tables of forensic interest
- Review registry artifacts associated with the Photos App
During this module we will first learn of the purpose and backend storage of Windows Apps AKA Immersive applications followed by an in-depth look at the Photos app and its forensic importance.
- Review the Windows Modern UI overview
- Learn of Live Tiles concept
- Examine Immersive Applications
- Frontend view
- Backend structures
- Review the function of the Photo’s app
- Explore the backend folder structure
- Examine the SQLite database
- Explore the many tables of forensic interest
- Review registry artifacts associated with the Photos App
During this module we will examine the Chromium based browser database and learn of the extraction techniques and analysis of JSON encoded artifacts.
- Discuss Typical Browser Artifacts
- Review the Chromium Edge Browser application
- Locate key folders of interested within the user profile
- Extract browsing artifacts from various SQLite databases
- Learn techniques in the extraction and analysis of JSON encoded artifacts
- Review Tab recovery session stores
Instructor Led Lab
- Review the Chromium Edge Browser application
- Locate key folders of interested within the user profile
- Extract browsing artifacts from various SQLite databases
- Learn techniques in the extraction and analysis of JSON encoded artifacts
- Review Tab recovery session stores
Instructor Led Lab
- Locate key folders of interest
- Identify the locations of user files
- Explore the many artifacts located in the Synchronization logs
- Learn how to decrypt several log and data files
- Learn interpretation of stored settings files
During this module we will learn of OneDrive implementation on a Windows 10 system.
- Review the function of the OneDrive processes
- Locate key folders of interest
- Identify the locations of user files
- Explore the many artifacts located in the Synchronization logs
- Learn how to decrypt several log and data files
- Learn interpretation of stored settings files