- Training
- Training Live Events
- Training Without Travel
- Security Courses
- Security Curricula
- Certified Instructors
- Training Calendars
- SANS vLive! / SANS @Home
- SANS OnDemand
- Community SANS
- SANS Mentor Program
- Coins
- SANS Onsite
- SANS SelfStudy
- SANS Summit Series
- SANS Partnership Series
- Webcasts
- Work Study
- Events Archive
- DoD 8570
- Voucher Credit Program
- group discounts
- Certification
- Resources
- List of Resources
- Top 20 List
- Top 25 Programming Errors
- 20 Coolest Jobs
- Application Security Procurement Language
- Top 10 Security Trends
- Top 5 Essential Log Reports
- Reading Room
- Webcasts
- AudioCasts
- WhatWorks
- Newsletters
- RSS Feeds
- Calendar Feeds
- Security Thought Leaders
- Security Policy Project
- Security+ Study Guide
- SANS Buyers Guide
- Security Tool Demos
- 2008 Salary Survey
- Vendor
- Portal
- Storm Center
- College
- Developer
- About
The most trusted source for computer security training, certification and research.
select a course
San Francisco, CA - April 19 - 21, 2009
- Event Location & Info
- Faculty
- Vendor Expo
- General Info
- Vendor Events
- Special Events
- SANS @Night
- Brochure (PDF)
The SANS class stands out above the rest because of the subject matter experts who teach the classes and labs.
-Shirlee Eitel-Birgham, State of Nevada
Windows Forensics
Sunday, April 19, 2009 - Monday, April 20, 2009Rob Lee, SANS Faculty Fellow
6 CPE Credits per day
Investigations involving Windows-based operating systems occur every day. As a result, it is essential for an investigator to know how to properly examine the critical files and structures of the Windows operating system. This two-day course will provide an in-depth study and examination of the forensic evidence left on the VISTA, Windows XP, and Windows server based operating systems. This hands-on forensic course will arm you with methods and techniques to investigate critical areas of the Windows operating system for any case.
Beginning with the registry, the new investigator will learn how to discover critical user and system information from the Windows Registry that is pertinent to any investigation. Second, the investigator will learn how to find and examine logs from a Windows machine in order to find relevant data to any case. In the final part of the day, the investigator will learn how to examine and search email for key evidence. Throughout the day, the investigator will utilize their skills in real hands-on cases exploring evidence and artifacts discussed throughout the day.
- Topics
- Registry Forensics
- Registry Basics
- Core System Information
- System Name and Version
- Configuration (Domain, Workgroup)
- Networks
- Drives
- USB Drives
- User Information
- Group Information
- Install Date
- Timezone
- User Forensic Data
-
- User searches
- Typed URLS
- Recently Modified Documents
-
- Event Log Forensics
- Event Logging Basics
- Locations
- Viewers
- Event Types
- Email Forensics
- How Email Works
- Locations
- Examination
- Types of Email Formats
- Email Analysis
- Email Searching and Examination
- Registry Forensics
- Day 1 Exercises
- Profile a computer system using evidence found in the registry
- Profile a user’s activities using evidence found in the registry
- Find event log evidence of user logins and odd system activity in the event logs
- Find email evidence containing a specific set of keywords
- Find email evidence sent to a specific email address
- © 2000-2009 The SANS™ Institute
- Web Privacy Policy | Web Contact |
- Press Room | Trademark Usage Policy