FOR408: Windows Forensic Analysis
Master Windows Forensics - "You can't protect what you don't know about."
Every organization must prepare for cyber-crime occurring on their computer systems and within their networks. Demand has never been higher for analysts who can investigate crimes like fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Government agencies increasingly require trained media exploitation specialists to recover key intelligence from Windows systems. To help solve these cases, SANS is training a new cadre of the world's best digital forensic professionals, incident responders, and media exploitation masters capable of piecing together what happened on computer systems second by second.
FOR408: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of the Microsoft Windows operating systems. You can't protect what you don't know about, and understanding forensic capabilities and artifacts is a core component of information security. Learn to recover, analyze, and authenticate forensic data on Windows systems. Understand how to track detailed user activity on your network and how to organize findings for use in incident response, internal investigations, and civil/criminal litigation. Use your new skills for validating security tools, enhancing vulnerability assessments, identifying insider threats, tracking hackers, and improving security policies. Whether you know it or not, Windows is silently recording an unimaginable amount of data about you and your users. FOR408 teaches you how to mine this mountain of data.
Proper analysis requires real data for students to examine. The completely updated FOR408 course trains digital forensic analysts through a series of new hands-on laboratory exercises that incorporate evidence found on the latest Microsoft technologies (Windows 7, Windows 8/8.1, Windows 10, Office and Office365, cloud storage, Sharepoint, Exchange, Outlook,). Students leave the course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out - attendees learn to analyze everything from legacy Windows XP systems to just discovered Windows 10 artifacts.
FOR408 Windows Forensic Analysis will teach you to:
- Conduct in-depth forensic analysis of Windows operating systems and media exploitation focusing on Windows 7, Windows 8/8.1, Windows 10, and Windows Server 2008/2012
- Identify artifact and evidence locations to answer critical questions, including application execution, file access, data theft, external device usage, cloud services, geo-location, file download, anti-forensics, and detailed system usage
- Focus your capabilities on analysis instead of how to use a specific tool
- Extract key answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation
FOR408 is continually updated: This course utilizes a brand-new intellectual property theft and corporate espionage case that took over 6 months to create. You work in the real world and your training should include real practice data. Our development team used incidents from their own experiences and investigations and created an incredibly rich and detailed scenario designed to immerse students in a true investigation. The case demonstrates the latest artifacts and technologies an investigator can encounter while analyzing Windows systems. The incredibly detailed workbook details the tools and techniques step-by-step that each investigator should follow to solve a forensic case.
Windows Forensics Course Topics:
- Windows Operating Systems (XP, Win7, Win8/8.1, Server 2008/2012)
- Windows File Systems (NTFS, FAT, exFAT)
- Advanced Evidence Acquisition Tools and Techniques
- Registry Forensics
- Shell Item Forensics
- Shortcut Files (LNK) - Evidence of File Opening
- Shellbags - Evidence of Folder Opening
- JumpLists - Evidence of File Opening/Program Exec
- Windows Artifact Analysis
- Facebook, Gmail, Hotmail, Yahoo Chat and Webmail Analysis
- E-Mail Forensics (Host, Server, Web)
- Microsoft Office Document Analysis
- Windows Recycle Bin Analysis
- File and Picture Metadata Tracking and Examination
- Prefetch Analysis
- Event Log File Analysis
- Firefox, Chrome, and Internet Explorer Browser Forensics
- Deleted Registry Key and File Recovery
- String Searching and File Carving
- Examination of Cases Involving Windows XP, Vista, Windows 7, and Windows 8/8.1
- Media Analysis and Exploitation involving:
- Tracking user communications using a Windows PC (e-mail, chat, IM, webmail)
- Identifying if and how the suspect downloaded a specific file to the PC
- Determining the exact time and number of times a suspect executed a program
- Showing when any file was first and last opened by a suspect
- Determining if a suspect had knowledge of a specific file
- Showing the exact physical location of the system
- Tracking and analysis of external and USB devices
- Showing how the suspect logged on to the machine via the console, RDP, or network
- Recovering and examining browser artifacts, even those used in a private browsing mode
- Discovering utilization of anti-forensics, including file wiping, time manipulation, and program removal
- The Course Is Fully Updated to Include Latest Windows 7, 8, 8.1, and Server 2012 Techniques
For multi-course live training events, there will be a set up time from 8:00-9:00am on the first day only to make sure that computers are configured correctly to make the most of class time. All students are strongly encouraged to attend.
|FOR408.1: Windows Digital Forensics and Advanced Data Triage|
The Windows Forensics course starts with an examination of digital forensics in today's interconnected environments and discusses challenges associated with mobile devices, tablets, cloud storage, and modern Windows operating systems. We will discuss how modern hard drives, such as Solid State Devices (SSD), can affect the digital forensics acquisition process and how analysts need to adapt to overcome the introduction of these new technologies.
Hard drive sizes are increasingly more difficult to handle appropriately in digital cases. Being able to acquire data in an efficient and forensically sound manner is critically important to every investigator today. Most basic analysts can easily image a hard drive using a write blocker. In this course, we will review the core techniques while introducing new triage-based acquisition and extraction capabilities that will increase the speed and efficiency of the acquisition process. We will demonstrate how to acquire memory, the NTFS MFT, Windows logs, Registry, and key files that will take minutes to acquire instead of the hours or days currently spent on acquisition.
We will also begin processing our collected evidence using stream-based and file-carving-based extraction capabilities that employ both commercial and open-source tool and techniques. Seasoned investigators will need to know how to target the specific data they need in order to begin to answer key questions in their case.
CPE/CMU Credits: 6
|FOR408.2: Core Windows Forensics Part I: Windows Registry Forensics and Analysis|
Our journey continues with the Windows Registry, where the digital forensic investigator will learn how to discover critical user and system information pertinent to almost any investigation. Each examiner will learn how to navigate and examine the Registry to obtain user profile data and system data. The course teaches forensic investigators how to prove that a specific user performed key word searches, ran specific programs, opened and saved files, perused folders, and used removable devices.
Throughout the section, investigators will use their skills in a real hands-on case, exploring evidence and analyzing evidence.
CPE/CMU Credits: 6
|FOR408.3: Core Windows Forensics Part II: USB Devices, Shell Items, & Key Word Searching|
Being able to show the first and last time a file was opened is a critical analysis skill. Utilizing shortcut (LNK) and jumplist databases, we are able to easily pinpoint which file was opened and when. We will demonstrate how to examine the pagefile, system memory, and unallocated space, all difficult-to-access locations that can offer the critical data for your case.
Removable storage device investigations are often a key part of performing digital forensics. We will show you how to perform in-depth USB device examinations on Windows 8, Windows 7, Vista, and Windows XP machines. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, and even the unique serial number of the device used.
CPE/CMU Credits: 6
|FOR408.4: Core Windows Forensics Part III: Email, Key Additional Artifacts, and Event Logs|
Depending on the type of investigation and authorization, a wealth of evidence can be unearthed through the analysis of e-mail files. Recovered e-mail can bring excellent corroborating information to an investigation, and its informality often provides very incriminating evidence. It is common for users to have e-mail that exists locally on their workstation, on their company e-mail server, in the private cloud, and in multiple webmail accounts.
This section discusses what types of information can be relevant to an investigation, where to find e-mail files, and how to use forensic tools to facilitate the analysis process. We will find that the analysis process is similar across different types of e-mail stores, but the real work takes place in the preparation - finding and extracting the e-mail files from a variety of different sources.
Finally, Windows log file analysis has solved more cases than possibly any other type of analysis. Understanding the locations and content of these files is crucial to the success of any type of investigator. Many investigators overlook these files because they do not have adequate knowledge or tools to get the job done. The last part of the section will arm each investigator with the core knowledge and capability to maintain this crucial skill for many years to come.
CPE/CMU Credits: 6
|FOR408.5: Core Windows Forensics Part IV: Web Browser Forensics - Firefox, Internet Explorer, and Chrome|
With the increasing use of the Web and the shift toward Web-based applications and cloud computing, browser forensic analysis is a critical skill. During this section, the investigator will comprehensively explore Web browser evidence created during the use of Internet Explorer, Firefox, and Google Chrome. The hands-on skills taught here, such as SQLite and ESE database parsing, allow investigators to extend these methods to nearly any browser they encounter. The analyst will learn how to examine every major artifact stored by the browser, including cookies, visit and download history, Internet cache files, browser extensions, and form data. We will show you how to find these files and identify the common mistakes investigators make when interpreting browser artifacts. You will also learn how to analyze some of the more obscure browser artifacts such as session restore, tracking cookies, and private browsing remnants.
Throughout the section, investigators will use their skills in real hands-on cases, exploring evidence created by Chrome, Firefox, and Internet Explorer along with Windows Operating System artifacts.
CPE/CMU Credits: 6
|FOR408.6: Windows Forensic Challenge|
Nothing will prepare you more as an investigator than a full hands-on challenge that requires you to use the skills and knowledge presented throughout the week. In the morning, you will have the option to work in teams on a real forensic case. Students will be provided evidence to analyze and the exercise will step you through the entire case flow, including proper acquisition, analysis, and reporting in preparation for a possible trial. Teams will work on the case with the objective of profiling computer usage and discovering critical pieces of evidence to present during the trial.
This complex case will involve an investigation into one of the most recent versions of the Windows Operating System. The evidence is real and provides the most realistic training opportunity currently available. Solving the case will require that students use all of the skills gained from each of the previous sections.
The section will conclude with a mock trial involving presentations of the evidence collected. The team with the best in-class presentation and short write-up wins the challenge...and the case!
CPE/CMU Credits: 6
!!IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.
You can use any 64-bit version of Windows, MAC OSX, or Linux as your core operating system that also can install and run VMware virtualization products. You also must have 8 GB of RAM or higher for the VM to function properly in the class.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Player 7 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
MANDATORY FOR408 SYSTEM SOFTWARE REQUIREMENTS:
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
OPTIONAL FOR408 ADDITIONAL ITEMS:
IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
|Who Should Attend|
FOR408 is an intermediate level Windows forensics course that skips over the introductory material of digital forensics. This class does not include basic digital forensic analysis concepts. FOR408 focuses entirely on in-depth tool agnostic analysis of Windows operating system and artifacts.
|What You Will Receive|
|You Will Be Able To|
|Press & Reviews|
Course Review: SANS FOR408 Windows Forensic Analysis http://www.ethicalhacker.net/content/view/459/24/
Course and GIAC Cert Review: http://hackingexposedcomputerforensicsblog.blogspot.com/2014/02/daily-blog-226-look-ma-im-gcfe.html
"The SANS Institute is currently the leader in the commercial IR and computer forensic training market. They have a large number of quality courses." - Luttgens, Jason; Pepe, Matthew; Mandia, Kevin. Incident Response & Computer Forensics, Third Edition - July 2014
"This is a very high-intensity course with extremely current course material that is not available anywhere else in my experience." - Alexander Applegate, Auburn University
"Best forensics class I have had yet (and pretty much the only one that gives you some sort of framework on HOW to attack an exam)." - Det. Juan C. Marquez, Prince William County, Virginia Police Department
"Hands down the BEST forensics class EVER!! Blew my mind at least once a day for 6 days!" - Jason Jones, USAF
"I took SANS FOR408 Windows Forensics and the learning opportunity was second to none. Anyone looking for a first-rate forensics class that you can immediately take back to the real world and apply to their job needs to take at least one class from SANS in their lifetime. Whatever the cost may be to you, if forensics is a career priority to you, then you need to take at least one forensics class from SANS." - Chris Nowell, Information Security Architect, Airlines Reporting Corporation
"As a member of the IR team, this course will aid in investing compromised hosts." - Mike Piclher, URS Corp.
"FOR408 is based on real scenarios that are likely to occur again. The most up-to-date training I have received." - Martin Heyde, UK Ministry of Defence
"Best forensics course I have taken to date. Vast amounts of information." - Ellen Clark, FBI
"Call me a geek, but this is FUN!" - Frank Dixon, The Babcock & Wilcox Company
"Overall the course continues to be chock full of megalicious forensicness. Thanks a bunch for the key knowledge." - Vincent Bryant, Blue Cross Blue Shield of Tennessee
"If you were not interested in forensics before, you will be after this class. For those who already love it, it is reassurance that you are doing the right thing with your life." - Cleora Madison, Walt Disney Theme Parks and Resorts
"The Registry labs are invaluable. I learned more in this class about registry than in 10 years at work. Thanks!" - Michael Mimo, JP Morgan
"I was really looking forward to Windows in-depth and that is exactly what we are getting!" - Joshua Hoover, Charles Schwab
"I have been using forensics tools for years. I never professed to know it all; however, I did not expect to learn as much as I did." - Jody Hawkins, Cook Children's Health Care System
"I really appreciate the prebuilt and configured SIFT workstation. The FOR408 class materials and instruction were outstanding." - Clint Modesitt, LSUHSC
"FOR408 is absolutely necessary for any computer forensic type career. Excellent information!" - Rebecca Passmore, FBI
"Before I arrived here, I knew the basics of comp. forensics. After taking this course I feel that if suited with the proper tools, I could handle the task of working a live case." - Anonymous
"This course was by far the most informative and well taught class I have attended." - Brian Periera, Farfield PD
"Love the amount of detail/info in books, love the VM." - Jeff Datzman, Vacaville Police Department
"Best course I have taken in 20 years." - Gary Sanders, LWCC
"The hands-on are excellent - Best I have had in 15 years of forensics classes. The best books as well." - Shawn Bostick, AR AG
"This is by far the best training I have ever had. My forensic knowledge increased more in the last 5 days than in the last year." - Vito Rocco, UNLV
"Are you kidding me? I, personally, see this course (FOR408) as pretty much perfected." - Mike Bowden, Boeing
"There's not a lot of courses that cover depth as well as the width of material. I think FOR408 strikes the right balance between the two." - Wayne Dawson, Vancity Savings Credit Union
"FOR408 has the depth and breadth of knowledge shared by the instructor and contents of the lab make it necessary to take the course. Very impressive!" - Debra Emmanuel, TWD & Associates
Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.