FOR408: Computer Forensic Investigations - Windows In-Depth
Master Windows Forensics. Learn Critical Analysis Techniques.
With today's ever-changing technologies and environments, it is inevitable that every organization will deal with cybercrime, including fraud, insider threats, industrial espionage, and phishing. Government agencies also need the skills to perform media exploitation and recover key intelligence available on adversary systems. To help solve these cases, organizations are hiring digital forensic professionals and relying on cybercrime law enforcement agents to piece together what happened.
FOR408: COMPUTER FORENSIC INVESTIGATIONS - WINDOWS IN-DEPTH focuses on the critical knowledge of the Windows Operating System that every digital forensic analyst needs to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that can be used in internal investigations or civil/criminal litigation.
This course covers the methodology of in-depth computer forensic examinations, digital investigative analysis, and media exploitation so each student will have complete qualifications to work as a computer forensic investigator helping to solve and fight crime. In addition to in-depth technical knowledge of Windows digital forensics (Windows XP through Windows 8 and Server 2012), you will learn about well-known computer forensic tools such as AccessData's Forensic Toolkit (FTK), Guidance Software's EnCase, Registry Analyzer, FTK Imager, Prefetch Analyzer, and much more. Many of the tools covered in the course are freeware, comprising a full-featured forensic laboratory that students can take with them.
FIGHT CRIME. UNRAVEL INCIDENTS... ONE BYTE AT A TIME.
Computer Forensic Investigations - Windows In-Depth course topics
- Windows File System Foundations
- Evidence Acquisition Tools and Techniques
- Law Enforcement Bag and Tag
- Evidence Integrity
- Registry Forensics
- Windows Artifact Analysis
- Facebook, Gmail, Hotmail, Yahoo Chat and Webmail Analysis
- E-Mail Forensics (Host, Server, Web)
- Microsoft Office Document Analysis
- Windows Link File Investigation
- Windows Recycle Bin Analysis
- File and Picture Metadata Tracking and Examination
- Prefetch Analysis
- Event Log File Analysis
- Firefox, Chrome, and Internet Explorer Browser Forensics
- Deleted File Recovery
- String Searching and Data Carving
- Examination of Cases involving Windows XP, Vista, Windows 7, and Windows 8
- Media Analysis and Exploitation involving:
- Tracking user communications using a Windows PC (e-mail, chat, IM, webmail)
- Identifying if and how the suspect downloaded a specific file to the PC
- Determining the exact time and number of times a suspect executed a program
- Showing when any file was first and last opened by a suspect
- Determining if a suspect had knowledge of a specific file
- Showing the exact physical location of the system
- Tracking and analysis of USB devices
- Showing how the suspect logged on to the machine via the console, RDP, or network
- Recovering and examining browser artifacts, even those used in private browsing mode
- Forensic Analysis Report Writing
- Fully Updated to include Windows 8 and Server 2012 Examinations
FOR408.1: Digital Forensics Fundamentals and Evidence Acquisition (Instructors: Nick Klein, Rob Lee)
Thu Jul 11th, 2013
9:00 AM - 5:00 PM
Focus: Investigations begin with firm knowledge of proper evidence acquisition and analysis. Digital Forensics is more than just using a tool that automatically recovers data. Digital Forensics requires analytical skills. Today you will learn how the professionals accomplish digital forensics.
At first, investigating a case appears to be a daunting task. The hardest part of forensics is not recovering data, but understanding how the recovered evidence can prove a case. On day one, students become familiar with fundamental forensic topics that every investigator should know.
Securing or "bagging and tagging" digital evidence can be tricky. Each computer forensics examiner should be familiar with different methods of successfully acquiring and maintaining the integrity of the evidence. Starting with the foundations from law enforcement training in proper evidence-handling procedures, you will learn firsthand the best methods to obtain evidence in a case. You will use the Wiebetech Forensic Ultradock v5 Write Blocker, part of your Windows SIFTkit, to obtain evidence from a hard drive using the most popular tools in the field. You will learn how to use toolkits to obtain memory, encrypted or unencrypted hard disk images, and protected files from a computer system that is running or powered off.
CPE/CMU Credits: 6
FOR408.2: Core Windows Forensics Part I: String Search, Data Carving, and E-mail Forensics (Instructors: Nick Klein, Rob Lee)
Fri Jul 12th, 2013
9:00 AM - 5:00 PM
Focus: Moving quickly from evidence acquisition, you will begin your investigation using the same cutting-edge tools used by the pros. You will learn how major forensic suites can facilitate and expedite the investigative process. In addition, you will learn how to recover and analyze e-mail, the most popular form of communication. Client-based, server-based, mobile, and web-based email forensic analysis is discussed in-depth and students use their knowledge to solve a realistic spam e-mail case.
The section begins with the analysis of electronic evidence using commercial and freely available tools packaged into the Windows SIFT Workstation. You will learn how to recover deleted data from evidence, perform string searches using a word list, and begin to piece together the events that occurred. Today's course is critical to anyone performing digital forensics and provides the most up-to-date techniques to acquire and analyze digital evidence.
Forensics investigations involving e-mail occur every day. However, e-mail examinations require the investigator to pull data locally or from an e-mail server, or even recover web-based e-mail fragments from temporary files left by a web browser. Students will learn the critical steps needed to investigate Outlook, Exchange, Webmail, and even Lotus Notes e-mail stores.
This course is very hands-on. Students will acquire a disk image and begin analysis of a case that will require them to use the skills presented throughout the section.
CPE/CMU Credits: 6
FOR408.3: Core Windows Forensics Part II - Registry and USB Device Analysis (Instructors: Nick Klein, Rob Lee)
Sat Jul 13th, 2013
9:00 AM - 5:00 PM
Focus: Windows XP, Windows 7, and Windows 8 Registry Analysis and USB Device Forensics.
Our journey continues with the Windows Registry, where the digital forensic investigator will learn how to discover critical user and system information pertinent to almost any investigation. Each examiner will learn how to navigate and examine the Registry to obtain user profile data and system data. The course teaches forensic investigators how to prove that a specific user performed key word searches, ran specific programs, opened and saved files, perused folders, and used removable devices.
Removable storage device investigations are often a key part of performing computer forensics. We will show you how to perform in-depth USB device examinations on Windows 8, Windows 7, Vista, and Windows XP machines. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, and even the unique serial number of the device used.
Throughout the section, investigators will use their skills in a real hands-on case, exploring and analyzing evidence.
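The USB device examination described in this section comes down to reading the instance subkeys under SYSTEM\ControlSet00N\Enum\USBSTOR. The following is an added example written for this page, not course material and not the output of Registry Analyzer, RegRipper or any other tool named here: it splits a USBSTOR subkey path into vendor, product, revision and serial, flags serials that Windows generated because the device reported none, and converts the subkey's last-write FILETIME to UTC. The key paths and FILETIME values are constructed (they decode to 2013-07-11 09:00 UTC and 2012-01-01 00:00 UTC) and were not taken from a real hive; reading the hive itself is left to a registry library or tool.

```python
"""Parse USBSTOR registry subkeys: vendor/product/revision, the serial
number, whether that serial came from the device, and the key's last-write
time.

Added example, not course material and not the output format of any tool
named on this page. The key paths and FILETIME values below are constructed
(the FILETIMEs decode to 2013-07-11 09:00 UTC and 2012-01-01 00:00 UTC);
they were not taken from a real SYSTEM hive.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100-ns intervals since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


class UsbStorDevice(NamedTuple):
    vendor: str
    product: str
    revision: str
    serial: str
    serial_from_device: bool   # False: Windows generated the instance ID
    last_write: datetime       # last-write time of the instance subkey


# Instance subkeys under SYSTEM\ControlSet00N\Enum\USBSTOR look like
#   Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26\4C530001231120113032&0
# Only Disk-class devices are matched here; CdRom&Ven_... keys are skipped.
USBSTOR_RE = re.compile(
    r"^Disk&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)&Rev_(?P<rev>[^&\\]*)"
    r"\\(?P<inst>[^\\]+)$",
    re.IGNORECASE,
)


def parse_usbstor(subkey_path: str, last_write_ft: int) -> Optional[UsbStorDevice]:
    """Return the device described by one USBSTOR instance path, or None."""
    m = USBSTOR_RE.match(subkey_path)
    if not m:
        return None
    inst = m.group("inst")
    # Windows appends '&<n>' (the USB interface number, normally 0) to the
    # identifier; strip it to recover the serial as the device reported it.
    serial = re.sub(r"&\d+$", "", inst)
    # If the second character of the instance ID is '&', the device did not
    # supply a serial number and Windows generated the ID itself, so it will
    # differ on every machine the same stick is plugged into.
    from_device = len(inst) > 1 and inst[1] != "&"
    return UsbStorDevice(m.group("ven"), m.group("prod"), m.group("rev"),
                         serial, from_device, filetime_to_datetime(last_write_ft))


def catalog(records: List[Tuple[str, int]]) -> List[UsbStorDevice]:
    """Parse (subkey path, last-write FILETIME) pairs, newest first.

    The key last-write time is not the first-connection time; for that,
    correlate the serial against setupapi.dev.log (Vista and later) or
    setupapi.log (XP).
    """
    devices = [d for d in (parse_usbstor(p, ft) for p, ft in records) if d]
    return sorted(devices, key=lambda d: d.last_write, reverse=True)


# Constructed sample records (not from a real hive).
SAMPLE_USBSTOR = [
    (r"Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26\4C530001231120113032&0",
     130180068000000000),
    (r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1e9b2a3c&0",
     129698496000000000),
    (r"CdRom&Ven_Foo&Prod_Bar&Rev_1.00\abc&0", 1),   # CD-ROM class: skipped
]

if __name__ == "__main__":
    for d in catalog(SAMPLE_USBSTOR):
        flag = "" if d.serial_from_device else " (Windows-generated, not unique)"
        print(f"{d.last_write:%Y-%m-%d %H:%M:%S} UTC  {d.vendor} {d.product} "
              f"rev {d.revision}  serial {d.serial}{flag}")
```

In a real case the records would come from every ControlSet in the hive, and the serial would then be tied to a drive letter through MountedDevices and to a user through the MountPoints2 key in that user's NTUSER.DAT.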
CPE/CMU Credits: 6
FOR408.4: Core Windows Forensics Part III - Artifact and Log File Analysis (Instructors: Nick Klein, Rob Lee)
Sun Jul 14th, 2013
9:00 AM - 5:00 PM
Focus: Suspects unknowingly create hundreds of files that link back to their actions on a system. Learn how to examine key files such as link files, Windows prefetch, pagefile/system memory, and more. The latter part of the section centers on examining Windows log files, demonstrating their usefulness in both simple and complex cases.
Continuing from the previous section, the investigator will focus on key files found on the Windows operating system containing evidence. We start with examining the pagefile, system memory, and unallocated space, all difficult-to-access locations that can offer the critical data for your case. Examine key evidentiary links to pictures, printed office documents, and files copied to a removable device.
Windows Log File analysis has solved more cases than possibly any other type of analysis. Understanding the locations and content of these files is crucial to the success of any type of investigator. Many investigators overlook these files because they do not have adequate knowledge or tools to get the job done. The last part of the section will arm each investigator with the core knowledge and capability to maintain this crucial skill for many years to come.
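One of the key files this section covers is the Windows Prefetch file, which records how many times a program ran and when it last ran (the last eight run times on Windows 8). The following is an added example written for this page, not course material and not the code of Prefetch Analyzer or any other tool named here: it reads those fields from a .pf header for the uncompressed format versions in scope for the course, 17 (XP/2003), 23 (Vista/7) and 26 (Windows 8/8.1). The .pf bytes it parses are constructed in memory by build_sample_pf(); the executable name, path hash and run count in the sample are made up.

```python
"""Read executable name, run count and last run time(s) from a Windows
Prefetch (.pf) file header, versions 17 (XP/2003), 23 (Vista/7) and 26
(Windows 8/8.1).

Added example, not course material and not the code of any tool named on
this page. The .pf bytes parsed below are constructed in memory by
build_sample_pf(); the path hash and run count are made-up values.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Offsets (from file start) of the fields we need, per header version.
# v26 keeps the 8 most recent run times (newest first); older versions
# keep only the last one.
LAYOUT = {
    17: {"last_run": 0x78, "run_count": 0x90, "n_times": 1},
    23: {"last_run": 0x80, "run_count": 0x98, "n_times": 1},
    26: {"last_run": 0x80, "run_count": 0xD0, "n_times": 8},
}


class Prefetch(NamedTuple):
    version: int
    exe_name: str
    path_hash: int          # the hex part of the .pf file name
    run_count: int
    run_times: List[datetime]


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data: bytes) -> Prefetch:
    if len(data) < 0x54 or data[4:8] != b"SCCA":
        raise ValueError("not an uncompressed SCCA prefetch file "
                         "(Windows 10 'MAM' files must be decompressed first)")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    lay = LAYOUT[version]
    if len(data) < lay["run_count"] + 4:
        raise ValueError("truncated prefetch header")
    # Executable name: up to 60 bytes of NUL-terminated UTF-16LE at 0x10.
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le", "replace").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    run_count = struct.unpack_from("<I", data, lay["run_count"])[0]
    run_times = []
    for i in range(lay["n_times"]):
        ft = struct.unpack_from("<Q", data, lay["last_run"] + 8 * i)[0]
        if ft:                      # v26 zero-fills unused slots
            run_times.append(filetime_to_datetime(ft))
    return Prefetch(version, exe_name, path_hash, run_count, run_times)


def build_sample_pf(version: int, exe_name: str, run_times_ft: List[int],
                    run_count: int, path_hash: int = 0x7B4A1D3E) -> bytes:
    """Construct a minimal .pf header (sample data for exercising the parser)."""
    lay = LAYOUT[version]
    size = 0x100
    buf = bytearray(size)
    # 0x00 version, 0x04 'SCCA', 0x08 unknown (left 0 here), 0x0C file size
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0, size)
    name = exe_name.encode("utf-16-le")[:58]
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, path_hash)
    for i, ft in enumerate(run_times_ft[:lay["n_times"]]):
        struct.pack_into("<Q", buf, lay["last_run"] + 8 * i, ft)
    struct.pack_into("<I", buf, lay["run_count"], run_count)
    return bytes(buf)


# 130180068000000000 is 2013-07-11 09:00:00 UTC as a FILETIME.
SAMPLE_PF = build_sample_pf(23, "CALC.EXE", [130180068000000000], 7)

if __name__ == "__main__":
    pf = parse_prefetch(SAMPLE_PF)
    print(f"{pf.exe_name}-{pf.path_hash:08X}.pf: run {pf.run_count} times, "
          f"last at {pf.run_times[0].isoformat()}")
```

The same header also holds offsets to the list of files and volumes the program touched in its first seconds of execution, which is how a prefetch file can tie a program run to a specific document or removable volume; those sections are not parsed here.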
CPE/CMU Credits: 6
FOR408.5: Core Windows Forensics Part IV: Web Browser Forensics - Firefox, Internet Explorer, and Chrome (Instructors: Nick Klein, Rob Lee)
Mon Jul 15th, 2013
9:00 AM - 5:00 PM
Focus: Internet Explorer and Firefox Browser Digital Forensics. Learn how to examine exactly what an individual did while surfing via their web-browser. The results will give you pause the next time you use the web.
With the increasing use of the web and the shift toward cloud computing using web-based applications, browser forensic analysis has become an essential investigator skill. The investigator will explore the comprehensive web browser evidence created during the use of Internet Explorer and Firefox. The analyst will learn how to examine the cookies, history, and Internet cache files on the suspect's system. We will show you where to find these files and the common mistakes amateur investigators make when looking at browser artifacts.
Throughout the section, the investigator will utilize their skills in real hands-on cases, exploring evidence created by Firefox and Internet Explorer and Windows OS artifacts.
CPE/CMU Credits: 6
IE Key forensic file locations
Examination of browser artifacts
Day 5 exercises
FOR408.6: Windows Digital Forensic Challenge and Mock Trial (Instructors: Nick Klein, Rob Lee)
Tue Jul 16th, 2013
9:00 AM - 5:00 PM
Focus: This section revolves around the Windows Vista/7-based Digital Forensic Challenge. There has been a murder-suicide and you are the investigator assigned to process the hard drive. The section is a capstone for every artifact discussed in the class. You will use this section to consolidate the skills that you have learned over the past week.
Nothing will prepare you more as an investigator than a full hands-on challenge that requires you to use the skills and knowledge presented throughout the week. In the morning, you will have the option to work in teams on a real forensic case in which evidence will be provided to you to analyze. The case will step you through proper acquisition, analysis, and reporting in preparation for a possible trial. All the teams will work on the case with the objective of discovering critical pieces of evidence to present during the trial.
The complex case presented will involve an investigation of one of the most recent versions of the Windows Operating System. The evidence is real and provides the most realistic training opportunity currently available. Solving the case will require that students use the skills from each of the previous sections.
The section will conclude with a mock trial involving presentations of the evidence collected. The team with the best in-class presentation and short write-up wins the challenge and the case!
CPE/CMU Credits: 6
!!IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.
You can use any 64-bit version of Windows, Mac OS X, or Linux as your core operating system, provided it can install and run VMware virtualization products.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
Please download and install VMware Workstation 10, VMware Fusion 6.0, or VMware Player 6.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site.
VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.
MANDATORY FOR408 SYSTEM HARDWARE REQUIREMENTS:
MANDATORY FOR408 SYSTEM SOFTWARE REQUIREMENTS:
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
MANDATORY FOR408 ADDITIONAL ITEMS:
IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
Who Should Attend
Why Take This Course?
What you will learn
Perform proper Windows forensic analysis and determine how, and by whom, an artifact was placed on the system by applying key analysis techniques covering Windows XP through Windows 8.
Using full-scale forensic analysis tools and methods, detail every action a suspect performed on a Windows system: program execution, file and folder opening, geo-location, browser history, USB devices, and more.
Uncover the exact time a specific user last executed a program, which is key to proving intent in cases such as intellectual property theft, breached systems, and traditional crimes, through registry analysis, Windows artifact analysis, and e-mail analysis.
Demonstrate every time a file was opened by a suspect through Internet Explorer browser forensics, shortcut (LNK) file analysis, e-mail analysis, and registry parsing using RegRipper.
Using automated analysis techniques in AccessData's Forensic Toolkit (FTK), identify keywords searched for by a specific user on a Windows system, which can reveal the files the suspect was interested in finding.
Using shellbag analysis tools, articulate every folder and directory a user opened while browsing the hard drive.
Determine each time a unique, specific USB device was attached to the Windows system, the files and folders accessed on it, and who plugged it in, using tools that parse key Windows artifacts such as the registry and log files.
Using the Win8 SIFT Workstation, examine how a user logged into a Windows system (through a remote session, at the keyboard, or simply by unlocking the screensaver) by viewing the logon types in the Windows Security event log.
Using FTK Registry Viewer, pinpoint the geo-location of a Windows system by examining the networks it has connected to, browser search terms, and cookie data to determine where a crime was committed.
Using Web Historian, recover the browser history of a suspect who attempted to clear their trail with InPrivate browsing, by recovering session restore data and Flash cookies.
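The logon-type analysis listed above (console, RDP, network, or screen unlock) rests on one field of Security event 4624. The following is an added example written for this page, not course material and not part of the SIFT Workstation: it classifies 4624 events by logon type and counts them per user, skipping the machine-account noise that dominates a real log. The events are constructed XML fragments in the Windows event schema (the shape an .evtx parser or wevtutil /f:xml produces), not records from a real log; the user names, host name and addresses are made up.

```python
"""Classify successful Windows logons (Security event 4624) by logon type.

Added example, not part of the course. The events below are constructed XML
fragments in the Windows event schema; they are not records from a real
.evtx file, and the user names, host and addresses are made up.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Logon types reported in event 4624 on Vista/Server 2008 and later
# (events 528/540 on XP/2003 carry the same Logon Type field).
LOGON_TYPES: Dict[int, str] = {
    2: "Interactive (console keyboard)",
    3: "Network (file share, WMI, etc.)",
    4: "Batch (scheduled task)",
    5: "Service",
    7: "Unlock (workstation unlock / screensaver)",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP / Terminal Services)",
    11: "CachedInteractive (cached domain credentials)",
}

_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


class Logon(NamedTuple):
    time: str
    user: str
    domain: str
    logon_type: int
    source_ip: str
    description: str


def parse_logon(xml_text: str) -> Optional[Logon]:
    """Return a Logon for a 4624 event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", default="", namespaces=_NS) != "4624":
        return None
    tc = root.find("e:System/e:TimeCreated", _NS)
    time = tc.get("SystemTime", "") if tc is not None else ""
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", _NS)}
    ltype = int(data.get("LogonType", "0"))
    return Logon(time, data.get("TargetUserName", ""), data.get("TargetDomainName", ""),
                 ltype, data.get("IpAddress", "-"),
                 LOGON_TYPES.get(ltype, f"unknown type {ltype}"))


def summarize(events: List[str], skip_machine_accounts: bool = True) -> Counter:
    """Count logons per (user, logon description).

    Machine accounts (NAME$) are skipped by default: they log on constantly
    and rarely matter to a user-activity timeline.
    """
    counts: Counter = Counter()
    for xml_text in events:
        lg = parse_logon(xml_text)
        if lg is None or (skip_machine_accounts and lg.user.endswith("$")):
            continue
        counts[(lg.user, lg.description)] += 1
    return counts


def _event(eid: int, user: str, ltype: int, ip: str = "-",
           time: str = "2013-07-11T13:05:22.000Z", domain: str = "CORP") -> str:
    """Build one constructed event in the Windows event XML schema."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{eid}</EventID><TimeCreated SystemTime="{time}"/><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">{ltype}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample log (not real data).
SAMPLE_EVENTS = [
    _event(4624, "jsmith", 2),                       # at the keyboard
    _event(4624, "jsmith", 7),                       # unlocked the screen
    _event(4624, "jsmith", 10, ip="10.1.2.3"),       # RDP from 10.1.2.3
    _event(4624, "svc_backup", 3, ip="10.1.2.50"),   # network (share) logon
    _event(4624, "WS01$", 5),                        # machine account noise
    _event(4634, "jsmith", 2),                       # logoff, not a logon
]

if __name__ == "__main__":
    for (user, desc), n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{n:3d}  {user:<12} {desc}")
```

Type 10 with a source address answers "logged on via RDP, from where"; type 7 shows the user was physically present to unlock the console; type 3 alone is not evidence that anyone sat at the machine.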
What You Will Receive
You Will Be Able To
Press & Reviews
"This is a very high intensity course with extremely current course material that is not available anywhere else in my experience." - Alexander Applegate, Auburn University
"Best forensics class I've had yet (and pretty much the only one that gives you some sort of framework on HOW to attack an exam)." - Det. Juan C. Marquez, Prince William County Police Dept
"Hands down the BEST forensics class EVER!! Blew my mind at least once a day for 6 days!" - Jason Jones, USAF
Course Review: SANS FOR408 Computer Forensic Investigations Windows In-Depth - www.ethicalhacker.net/content/view/459/24/
"I took SANS FOR408 Windows Forensics and the learning opportunity was second to none. Anyone looking for a first rate forensics class that you can immediately take back to the real world and apply to their job needs to take at least one class from SANS in their lifetime. Whatever the cost may be to you, if forensics is a career priority to you, then you need to take at least one forensics class from SANS." - Chris Nowell - Information Security Architect, Airlines Reporting Corporation (ARC)
"As a member of the IR team, this course will aid in investigating compromised hosts." - Mike Piclher, URS Corp
"FOR408 is based on real scenarios that are likely to occur again. The most up-to-date training I have received." - Martin Heyde, UK Ministry of Defence
"Best forensics course I've taken to date. Vast amounts of information." - Ellen Clark, FBI
"Call me a geek, but this is FUN!" - Frank Dixon, The Babcock & Wilcox Company
"Overall the course continues to be chockfull of megalicious forensicness. Thanks a bunch for the key knowledge." - Vincent Bryant, Blue Cross Blue Shield of Tennessee
"If you weren't interested in forensics before, you will be after this class. For those who already love it, it's reassurance that you're doing the right thing with your life." - Cleora Madison, Walt Disney Theme Parks and Resorts
"The Registry labs are invaluable. I learned more in this class about registry than in 10 years at work. Thanks!" - Michael Mimo, JP Morgan
"I was really looking forward to Windows in-depth and that's exactly what we're getting!" - Joshua Hoover, Charles Schwab
"I have been using forensics tools for years. I never professed to know it all; however, I did not expect to learn as much as I did." - Jody Hawkins, Cook Children's Health Care System
"I really appreciate the prebuilt and configured SIFT workstation. The FOR408 class materials and instruction were outstanding." - Clint Modesitt, LSUHSC
"FOR408 is absolutely necessary for any computer forensic type career. Excellent information!" - Rebecca Passmore, FBI