Forensics Prague 2012

Prague, Czech Republic | Sun, Oct 7 - Sat, Oct 13, 2012

FOR408: Computer Forensic Investigations - Windows In-Depth

Overall the course continues to be chock full of megalicious forensicness. Thanks a bunch for the key knowledge.
Vincent Bryant, Blue Cross Blue Shield of Tennessee

I was really looking forward to Windows in-depth and that is exactly what we are getting!
Joshua Hoover, Charles Schwab

Master computer forensics. Learn critical investigation techniques. With today's ever-changing technologies and environments, it is inevitable that every organization will deal with cybercrime, including fraud, insider threats, industrial espionage, and phishing. In addition, government agencies are now performing media exploitation to recover key intelligence kept on adversary systems. To help solve these cases, organizations are hiring digital forensic professionals and calling in cybercrime law enforcement agents to piece together what happened.

FOR408: Computer Forensic Investigations - Windows In-Depth focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

This course covers the fundamental steps of the in-depth computer forensic and media exploitation methodology so that each student will have the complete qualifications to work as a computer forensic investigator in the field, helping solve and fight crime. In addition to in-depth technical knowledge of Windows digital forensics (Windows XP through Windows 7 and Server 2008), you will be exposed to well-known computer forensic tools such as AccessData's Forensic Toolkit (FTK), Guidance Software's EnCase, Registry Analyzer, FTK Imager, Prefetch Analyzer, and much more. Many of the tools covered in the course are freeware, comprising a full-featured forensic laboratory that students can take with them.

FOR408: Computer Forensic Investigations - Windows In-Depth is the first course in the SANS Computer Forensic Curriculum. If this is your first computer forensics course with SANS we recommend that you start here.


Computer Forensic Investigations - Windows In-Depth course topics

  • Windows File System Basics
  • Evidence Acquisition Tools and Techniques
  • Law Enforcement Bag and Tag
  • Evidence Integrity
  • Registry Forensics

Windows Artifact Analysis

  • Facebook, Gmail, Hotmail, Yahoo Chat and Webmail Analysis
  • E-mail Forensics (Host, Server, Web)
  • Microsoft Office Document Analysis
  • Windows Link File Investigation
  • Windows Recycle Bin Analysis
  • File and Picture Metadata Tracking and Examination
  • Prefetch Analysis

  • Event Log File Analysis
  • Firefox and Internet Explorer Browser Forensics
  • Deleted File Recovery
  • String Searching and Data Carving
  • Examine cases involving Windows XP, Vista, and Windows 7

Media Analysis And Exploitation Involving:

  • Track user communications on a Windows PC (email, chat, IM, webmail)
  • Determine whether and how the suspect downloaded a specific file to the PC
  • Determine the exact time and the number of times a suspect executed a program
  • Show when any file was first and last opened by a suspect
  • Determine whether a suspect had knowledge of a specific file
  • Show the physical location of the system, based on the networks it has connected to
  • USB device tracking and analysis
  • Show how the suspect logged into the machine via the console, RDP, or network
  • Recover and examine browser artifacts even those used in private browsing mode
  • Fully Updated to include full Windows 7 and Server 2008 Examinations
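The "exact time and number of times a suspect executed a program" outcome above is what Prefetch analysis delivers: each .pf file in C:\Windows\Prefetch carries the executable name, a hash of its path, the last execution time as a FILETIME, and a run counter, all at fixed offsets in the header. The parser below is an added example written for this page, not course material or any of the tools named on it. It handles the two uncompressed header layouts relevant to the systems this course covers (version 17 for XP/2003 and version 23 for Vista/7), refuses the later compressed Windows 10 format rather than misparsing it, and builds its own constructed test vector because no real .pf file is included here; the hash value and the sample timestamp in the test vector are made up.

```python
"""Minimal parser for Windows XP/Vista/7 Prefetch (.pf) headers.

Added example, not part of the course or of any vendor tool. Offsets follow
the publicly documented uncompressed layout for format versions 17 (XP/2003)
and 23 (Vista/7). Versions 26 (8.1) and 30 (10, which is LZXPRESS-Huffman
compressed and starts with b"MAM\\x04") use different offsets and are rejected.
"""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> (offset of last-run FILETIME, offset of run count, header+file-info size)
_LAYOUT = {
    17: (0x78, 0x90, 0x98),   # Windows XP / Server 2003
    23: (0x80, 0x98, 0xF0),   # Windows Vista / 7 / Server 2008
}


def filetime_to_datetime(ft):
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - _FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_prefetch(data):
    """Return name, path hash, last run time and run count from a .pf blob."""
    if data[:4] == b"MAM\x04":
        raise ValueError("Windows 10 compressed prefetch; decompress first")
    if len(data) < 0x54 or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature; not a prefetch file")
    version, = struct.unpack_from("<I", data, 0)
    if version not in _LAYOUT:
        raise ValueError("unsupported prefetch format version %d" % version)
    run_off, count_off, min_size = _LAYOUT[version]
    if len(data) < min_size:
        raise ValueError("truncated prefetch header")

    # 0x10: 60-byte UTF-16LE executable name, NUL-terminated (max 29 chars).
    name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    # 0x4C: hash of the executable path, also visible in the file name (NAME-HASH.pf).
    path_hash, = struct.unpack_from("<I", data, 0x4C)
    last_run, = struct.unpack_from("<Q", data, run_off)
    run_count, = struct.unpack_from("<I", data, count_off)
    return {
        "version": version,
        "name": name,
        "hash": "%08X" % path_hash,
        # A zero FILETIME means "never recorded"; do not report it as 1601.
        "last_run": filetime_to_datetime(last_run) if last_run else None,
        "run_count": run_count,
    }


def build_sample_prefetch(version, exe_name, last_run, run_count):
    """Constructed test vector: a header-only .pf with the given fields.

    Section offsets and counts are left zero; a real file carries the file
    metrics, trace chain, filename string and volume sections after this.
    """
    run_off, count_off, size = _LAYOUT[version]
    buf = bytearray(size)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x0F, size)
    struct.pack_into("<60s", buf, 0x10, exe_name.encode("utf-16-le"))
    struct.pack_into("<I", buf, 0x4C, 0x7C3E1B2A)          # made-up hash
    struct.pack_into("<Q", buf, run_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


def example():
    """Parse a constructed Windows 7 prefetch record for CALC.EXE."""
    ts = datetime(2012, 10, 9, 10, 0, 0, tzinfo=timezone.utc)   # constructed
    return parse_prefetch(build_sample_prefetch(23, "CALC.EXE", ts, 7))


if __name__ == "__main__":
    rec = example()
    print("%s  hash=%s  last run %s UTC  run count %d"
          % (rec["name"], rec["hash"], rec["last_run"], rec["run_count"]))
```

On a real image, point `parse_prefetch` at each file under Windows\Prefetch; the last-run time is stored in UTC, so convert it to the machine's time zone (from the SYSTEM hive) before comparing it with user-reported events, and remember that the run counter is per executable path, not per user.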

Course Syllabus
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  FOR408.2: Core Windows Forensics Part I - String Search, Data Carving, and Email Forensics Chad Tilbury Tue Oct 9th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  FOR408.3: Core Windows Forensics Part II - Registry and USB Device Analysis Chad Tilbury Wed Oct 10th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  FOR408.4: Core Windows Forensics Part III - Artifact and Log File Analysis Chad Tilbury Thu Oct 11th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  FOR408.5: Core Windows Forensics Part IV - Web Browser Forensics Chad Tilbury Fri Oct 12th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  FOR408.6: Digital Forensic Challenge and Mock Trial Chad Tilbury Sat Oct 13th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

Additional Information
  Laptop Required


Download Laptop Requirements:

A properly configured computer system is required for each student participating in this course. Before coming to class, download the forensic installation document that will describe the steps in detail to follow to complete the installation. If you do not carefully read and follow these instructions exactly, you are guaranteed to leave the course unsatisfied since you will not be able to accomplish many of the in-class exercises.

You will use VMware with a preconfigured virtual forensic workstation built in a Windows 7 Home Premium environment that will enable you to perform hands-on analysis during class. You must download and install VMware Workstation 7, VMware Fusion 4.0, or VMware Player 4.0 (or higher versions) on your system before class begins. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player is a free download.


Very Important: Students must bring a Retail, OEM, or MSDN Microsoft Windows 7 Home Premium License Key with them to class at the beginning of the first day.

  • Do not bring a license key that is already in use on another system as it will likely not work.
  • You can purchase licenses from
  • The key will look like XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
  • Corporate, Site, Volume, and Group Licenses are not acceptable as they will fail the Windows Genuine Advantage Test.



  • CPU: 64bit based 2.0 GHz or higher CPU is required (Multi-Core recommended)
  • DVD/CD Combo Drive
  • Wireless 802.11 B/G/N Networking Capability
  • 4 Gigabyte of RAM minimum (More RAM is recommended)
  • 100 Gigabytes of free space on your Host System Hard Drive
  • Microsoft Office (any version) w/Excel or OpenOffice w/Calc installed on your host


  • One External USB 2.0 or Firewire Hard Drive (Formatted NTFS)
  • Large Capacity 150GB or larger preferred
  • One USB Thumb Drive (2-4 GB in size)
  • One new, old, used, or out-of-computer IDE, SATA, or laptop hard disk drive, for example:

    • A hard drive purchased from eBay or Craigslist
    • A hard drive from a used PC at home/work
    • A hard drive from a local computer show
    • A new or old hard drive from any computer store
  • During the image acquisition exercise, we use this drive for imaging only


  • Download Laptop Requirements:
  • Write down and bring with you a MS Windows 7 Home Premium License Key (XXXXX-XXXXX-XXXXX-XXXXX-XXXXX)
  • Bring the proper laptop hardware and software configuration
  • Install VMware Workstation, Player, or Fusion
  • Bring the proper mandatory additional items

FOR408 Laptop Setup F.A.Q. (Frequently Asked Questions)

  1. Can I use Win7 Professional or Ultimate for the class? No, only Win7 Home Premium will work.
  2. Where can I purchase the license online without having to head to the store? Will any retail version of Win7 Home Premium work? You can purchase or bring licenses from the Microsoft Store or MSDN. Any retail version of Win7 Home Premium will work.
  3. My company already has a Win7 Professional site license; can I use that license? Unfortunately, even though your organization might have a site license, we would still need you to bring a separate retail license. Retail licenses and Site/Enterprise licenses are incompatible.
  4. Why don't you include the Win7 Home Premium license in the class, even if it increased the price of the course? When we asked previous classes, many students already had a license and did not want to spend money on another copy. The response was overwhelmingly in favor of each student bringing his or her own copy. We are looking at ways to offer an optional purchase of the license in the future, but in the meantime you can purchase Win7 Home Premium online at the Microsoft online store.
  5. My company refuses to pay for a Win7 Home Premium license because we have a site license; what options do I have? With a Site/Enterprise license each organization gets access to MSDN, and the Win7 Home Premium keys there are very likely not in use. We recommend calling your IT support and asking to bring one of the MSDN Win7 Home Premium keys with you.
  6. I already have a workstation installed with Win7 Home Premium; can I use the same license key on two computers? No, it will not work.

If you have additional questions about the laptop specifications, please contact

  Who Should Attend
  • Information technology professionals who wish to learn the core concepts in computer forensics investigations
  • Incident Response Team Members who are new to responding to security incidents and need to utilize computer forensics to help solve their cases
  • Law enforcement officers, federal agents, or detectives who desire to become a subject matter expert on computer forensics for Windows based operating systems
  • Media Exploitation Analysts who need to master Tactical Exploitation and Document and Media Exploitation (DOMEX) operations on systems used by an individual. They will be able to specifically determine how the individual used their system, who they communicated with, and files they have downloaded, edited, or deleted.
  • Information security managers who need to understand digital forensics in order to understand information security implications and potential litigation related issues or manage investigative teams
  • Information technology lawyers and paralegals who desire to have a formal education in digital forensic investigations
  • Anyone interested in computer forensic investigations with a background in information systems, information security, and computers
  Why Take This Course?


  What You Will Receive
  • Windows version of the SIFT Workstation Virtual Machine
  • License to FTK and EnCase for 3 months
  • Write Blocker Kit

    • SATA/IDE Write Blocker with cables and power adapter
  • Course DVD loaded with case examples, tools, and documentation
  You Will Be Able To

  • Perform proper Windows forensic analysis and determine how and by whom an artifact was placed on the system, by applying key analysis techniques covering Windows XP through Windows 8
  • Use full-scale forensic analysis tools and analysis methods to detail every action a suspect accomplished on a Windows system, and determine program execution, file/folder opening, geo-location, browser history, USB devices, and more
  • Uncover when a specific user last executed a program, and how that changed over time, through registry analysis, Windows artifact analysis, and email analysis; this is key to proving intent in cases such as intellectual property theft, hacker-breached systems, and traditional crimes
  • Demonstrate every time a file has been opened by a suspect through IE browser forensics, shortcut file (LNK) analysis, email analysis, and registry parsing using RegRipper
  • Using automated analysis techniques in AccessData's Forensic Toolkit (FTK), identify keywords searched for by a specific user on a Windows system, which can be used to identify files the suspect was interested in finding
  • Using shellbag analysis tools, articulate every folder and directory that a user opened while browsing through the hard drive
  • Determine each time a unique and specific USB device was attached to the Windows system, the files and folders that were accessed on it, and who plugged it in, using tools that parse key Windows artifacts such as the registry and log files
  • Using the Win8 SIFT Workstation, examine how a user logged into a Windows system, through a remote session, at the keyboard, or simply by unlocking the screensaver, by viewing the logon types in the Windows Security event logs
  • Using FTK Registry Viewer, pinpoint the geo-location of a Windows system through examination of the networks it has connected to, browser search terms, and cookie data, to determine where a crime was committed
  • Using Web Historian, recover the browser history of a suspect who has attempted to clear their trail using InPrivate browsing, through the recovery of session restore points and Flash cookies


Author Statement

After 25 years in law enforcement, when I think of what makes a great digital forensic analyst, three things immediately rise to the top of my list: superior technical skill, sound investigative methodology, and the ability to overcome obstacles. SANS FOR408, Windows In-Depth, was designed around imparting these critical skills to the students. Unlike many other forensics training courses that focus on teaching a single tool, FOR408 provides training on many tools. While there are some really exceptional tools available, we feel every forensicator needs a variety of tools in their arsenal so they can pick and choose the best tool for each task. But we also understand that a great forensics analyst is not great because of the tool(s) they use; they are great because they artfully apply the right investigative methodology to each analysis. A carpenter can be a master with all his tools and still not know how to build a house. FOR408 is designed to teach and allow each student to apply digital forensic methodologies for a variety of case types and situations, allowing them to apply in the real world the right methodology to achieve the best outcome. Finally, this course is designed to teach and demonstrate the problem-solving skills necessary to be a truly successful forensicator. Almost immediately after starting your forensic career, you learn that each forensic analysis presents its own unique challenges. A technique that worked flawlessly in previous exams may not work in the next. A good forensicator must be able to overcome obstacles through advanced troubleshooting and problem solving. FOR408 gives students the foundation that will allow them to solve future problems, overcome obstacles, and become great forensicators. No matter if you are new to the forensic community or have been doing forensics for years, FOR408 is a must-have course. - Ovie Carroll

SANS COMPUTER FORENSICS GRADUATE THWARTS BANK HEIST. Headlines similar to this one are now a reality, as former students have emailed me regularly about how they were able to use their digital forensic skills in very real situations. Graduates of Computer Forensic Investigations - Windows In-Depth are the front-line troops deployed when you need accurate digital forensic and media exploitation analysis. From analyzing terrorist laptops to investigating insider intellectual property theft and fraud, SANS digital forensic graduates are battling and winning the war on crime and terror. Graduates have directly contributed to solving some of the toughest cases out there because they learn how to conduct analysis and run investigations properly. Knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign attacks brings me great comfort. Graduates are doing it. Daily. I am proud that this course at SANS helps prepare students to fight and solve crime. - Rob Lee

Computer forensics has never been more in demand than it is today. Zettabytes of data are created yearly, and forensic examiners will increasingly be called in to separate the wheat from the chaff. For better or worse, digital artifacts are recorded for almost every action, and the bar has been raised for those investigators working to repel computer intrusions, stop intellectual property theft, and put the bad guys in jail. We wrote this course as the forensics training we wish would have been available early in our careers. Keeping up with the cutting edge of forensics is daunting, and with frequent updates I am confident this course provides the most up to date training available -- whether you are just starting out or are looking to add to your forensic arsenal. - Chad Tilbury