
Community SANS

Phoenix, AZ | Mon Jan 14 - Sat Jan 19, 2013

FOR408: Computer Forensic Investigations - Windows In-Depth

Master computer forensics. Learn critical investigation techniques. With today's ever-changing technologies and environments, it is inevitable that every organization will deal with cybercrime including fraud, insider threats, industrial espionage, and phishing. In addition, government agencies are now performing media exploitation to recover key intelligence kept on adversary systems. In order to help solve these cases, organizations are hiring digital forensic professionals and calling cybercrime law enforcement agents to piece together what happened in these cases.

FOR408: Computer Forensic Investigations - Windows In-Depth focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

This course covers the fundamental steps of the in-depth computer forensic and media exploitation methodology so that each student will have the complete qualifications to work as a computer forensic investigator in the field helping solve and fight crime. In addition to in-depth technical knowledge of Windows digital forensics (Windows XP through Windows 7 and Server 2008), you will be exposed to well-known computer forensic tools such as Access Data's Forensic Toolkit (FTK), Guidance Software's EnCase, Registry Analyzer, FTK Imager, Prefetch Analyzer, and much more. Many of the tools covered in the course are freeware, comprising a full-featured forensic laboratory that students can take with them.

FOR408: Computer Forensic Investigations - Windows In-Depth is the first course in the SANS Computer Forensic Curriculum. If this is your first computer forensics course with SANS we recommend that you start here.



Computer Forensic Investigations - Windows In-Depth course topics

  • Windows File System Basics
  • Evidence Acquisition Tools and Techniques
  • Law Enforcement Bag and Tag
  • Evidence Integrity
  • Registry Forensics

Windows Artifact Analysis

  • Facebook, Gmail, Hotmail, Yahoo Chat and Webmail Analysis
  • E-mail Forensics (Host, Server, Web)
  • Microsoft Office Document Analysis
  • Windows Link File Investigation
  • Windows Recycle Bin Analysis
  • File and Picture Metadata Tracking and Examination
  • Prefetch Analysis

  • Event Log File Analysis
  • Firefox and Internet Explorer Browser Forensics
  • Deleted File Recovery
  • String Searching and Data Carving
  • Examine cases involving Windows XP, Vista, and Windows 7

Media Analysis And Exploitation Involving:

  • Tracking user communications on a Windows PC (email, chat, IM, webmail)
  • Tell if and how the suspect downloaded a specific file to the PC
  • Determine the exact time and the number of times a suspect executed a program
  • Show when any file was first and last opened by a suspect
  • Determine if a suspect had knowledge of a specific file
  • Show the exact physical location of the system
  • USB device tracking and analysis
  • Show how the suspect logged into the machine via the console, RDP, or network
  • Recover and examine browser artifacts, even those created in private browsing mode
  • Fully Updated to include full Windows 7 and Server 2008 Examinations


Course Syllabus

Mike Pilkington
Mon Jan 14th, 2013
9:00 AM - 5:00 PM


Focus: Investigations begin with a firm knowledge in proper evidence acquisition and analysis. Digital Forensics is more than just using a tool that automatically recovers data. Digital Forensics requires analytical skills. Today you will learn how the professionals accomplish digital forensics.

At the beginning, investigating a case would appear to be a daunting task. The hardest part of forensics is not recovering data, but understanding how the recovered evidence could prove a case. Starting on this day, students are familiarized with fundamental forensic topics that every investigator should know.

Securing or "Bagging and Tagging" digital evidence can be tricky. Each computer forensic examiner should be familiar with different methods of successfully acquiring it while maintaining the integrity of the evidence. Starting with the foundations from law enforcement training in proper evidence handling procedures, you will learn firsthand the best methods for acquiring evidence in a case. You will utilize the Tableau T35es write blocker, part of your SIFT Essentials kit, to obtain evidence from a hard drive using the most popular tools utilized in the field. You will learn how to utilize toolkits to obtain memory, encrypted or unencrypted hard disk images, or protected files from a computer system that is running or powered off.

CPE/CMU Credits: 6


Purpose of forensics

  • Investigative Mindset
  • Focus on the Fundamentals

Evidence fundamentals

  • Admissibility
  • Authenticity
  • Threats against Authenticity

Reporting and presenting evidence

  • Taking Notes
  • Report Writing Essentials
  • Best Practices for Presenting Evidence

Evidence acquisition basics

  • Tableau Write Blocker utilization
  • Access Data's FTK Imager
  • Access Data's FTK Imager Lite

Preservation of evidence

  • Chain of custody
  • Evidence Handling
  • Evidence Integrity

Types of acquisition

  • Logical vs. physical
  • Basic Windows Memory Acquisition
  • Basic Disk Based Acquisition
  • E-discovery Acquisition

Forensic field kits

  • Adapters/Cables
  • Write Blockers
  • Laptops/Handheld Imagers

Full disk image acquisition tools and techniques

  • Seize Evidentiary Image of a USB Device
  • Seize Evidentiary Image From a Hard Drive

Mike Pilkington
Tue Jan 15th, 2013
9:00 AM - 5:00 PM


Focus: Moving quickly from evidence acquisition, you will begin your investigation using cutting-edge tools that the pros use. Through host, server, and webmail forensics, the investigator will learn how to recover and analyze the most popular form of communication.

The day will begin with the analysis of electronic evidence using commercial and freely available toolkits packaged into the Windows SIFT Workstation. You will learn how to recover deleted data from the evidence, perform string searches against it using a word list, and begin to piece together the events that shaped the case. Today's material is critical for anyone performing digital forensics who needs to learn the most up-to-date techniques for acquiring and analyzing digital evidence.

Email Forensics: Investigations involving email occur every day. However, email examinations require the investigator to pull data locally, from an email server, or even recover web-based email fragments from temporary files left by a web browser. Email has become critical in a case and the investigator will learn the critical steps needed to investigate Outlook, Exchange, Webmail, and even Lotus Notes email cases.

This course is very hands-on. Each investigator will acquire a disk image and begin analysis on a case that will utilize the skills presented throughout the day. This course is necessary for anyone looking to put into practice the skills they are learning daily.

CPE/CMU Credits: 6


Forensic tools

  • Access Data's Forensic Tool Kit (FTK)
  • Guidance Software's EnCase
  • Freeware/Open source capabilities

Traditional tasks performed with the forensic tools

  • Triage techniques
  • String/file searches
  • Automated forensics
  • Browsing disks

Recover deleted files

  • Automated recovery
  • String searches
  • Dirty word searches

Email forensics

  • How email works
  • Locations
  • Examination of email
  • Types of email formats
  • Microsoft Outlook/Outlook Express
  • Web based mail
  • Microsoft Exchange
  • Lotus Notes
  • Email analysis
  • Email searching and examination

Day 2 exercises

  • Recover deleted files
  • Search for files or emails containing specific words related to a case
  • Find email evidence sent to a specific email and IP addresses
  • Detect phishing emails

Mike Pilkington
Wed Jan 16th, 2013
9:00 AM - 5:00 PM


Focus: Windows XP, Vista, and Windows 7 Registry Analysis and USB Device Forensics.

Each examiner will learn how to examine the Registry to obtain user profile data and system data. The course will also teach each forensic investigator how to show that a specific user performed keyword searches, ran specific programs, opened saved files, and then list the most recent items that were used. Finally, USB device investigations are becoming more and more a key part of performing computer forensics. We will show you how to perform in-depth USB device examinations on Windows 7, Vista, and Windows XP machines.

CPE/CMU Credits: 6


Registry Forensics in-depth

Registry basics

  • Hives, keys, and values
  • Registry last write time
  • MRU lists

Profile users and groups

  • Discover usernames and the SID mapped to them
  • Last login
  • Last failed login
  • Logon count
  • Password policy

Core system information

  • Identify current control set
  • System name and version
  • Timezone
  • Local IP Address info
  • Wireless/Wired/3G Networks
  • Network shares
  • Last shut down time

User forensic data

  • Evidence of program execution
  • Evidence of file download
  • Evidence of file and folder access (Shellbag)
  • XP and Win7 search history
  • Typed URLs
  • Recent documents
  • Open/Save and Run dialog box history
  • Application execution history (UserAssist)

USB device forensic examinations

  • Vendor/Make/Version
  • Unique serial number
  • Last drive letter
  • Volume name and serial number
  • The username that used the USB Device
  • Time of first use of USB device
  • Time of first use of USB device after last reboot
  • Time of last use of USB device

Tools utilized

  • Regripper
  • Access Data's Registry Viewer
  • YARU (Yet Another Registry Utility)

Day 3 exercises

  • Profile a computer system using evidence found in the registry.
  • Profile a user's activities using evidence found in the registry.
  • Track USB devices that were connected to the system via the registry and filesystem
  • Recover critical user data from the pagefile, memory images, and unallocated space

Mike Pilkington
Thu Jan 17th, 2013
9:00 AM - 5:00 PM


Focus: Suspects unknowingly create hundreds of files that link back to their actions on a system. Learn how to examine key files such as link files, the Windows Prefetch, pagefile/system memory, and more. The latter part of the day will center on examining the Windows log files and their usefulness in both simple and complex cases.

Continuing from the previous day, the investigator will initially focus on key files found on the Windows operating system that contain evidence. We start with examining the pagefile, system memory, and unallocated space, all difficult-to-access locations that could offer the critical piece of your case. These files could be especially important to an investigation, providing key evidentiary links to pictures, printed office documents, or files that were saved to a removable device.

Windows Log File analysis has solved more cases than possibly any other type of analysis. Understanding the locations and content of these files is crucial to the success of any type of investigator. Many overlook these files as they do not have adequate knowledge or tools to get the job done. The last part of the day will arm each investigator with core knowledge and capability that will enable them to maintain this crucial skill for many years to come.

CPE/CMU Credits: 6


Memory, Pagefile, and unallocated space analysis

  • Artifact recovery and examination
  • Facebook live, MSN Messenger, Yahoo, AIM, GoogleTalk chat
  • IE8/IE9 InPrivate/Recovery URLs
  • Yahoo, Hotmail, Gmail Webmail email

Forensicating files containing critical digital forensic evidence

  • Office Documents (2000-2007, .doc and .docx)
  • Adobe files
  • Exif data including GPS coordinates
  • Link/shortcut files (.lnk)
  • Windows 7 jump lists
  • XP Thumbs.db and Vista / Win7 Thumbscache files
  • Internet chat programs (Skype/AIM/MSN)
  • Windows Prefetch analysis (XP/Vista/Win7)
  • Windows Recycle Bin analysis (XP/Vista/Win7)

Windows event log digital forensic analysis

  • Which Windows events matter to a digital forensic investigator
  • EVT log files
  • EVTX log files

Day 4 exercises

  • Recycle Bin analysis
  • Shortcut (LNK) file analysis
  • Prefetch folder analysis
  • Find and examine various logfiles from hosts and servers to determine critical case details

Mike Pilkington
Fri Jan 18th, 2013
9:00 AM - 5:00 PM


Focus: Internet Explorer and Firefox Browser Digital Forensics. Learn how to examine exactly what an individual did while surfing via their web-browser. The results will give you pause the next time you use the web.

With the increasing use of the web and the shift toward cloud computing using web-based applications, browser forensic analysis has become an essential investigator skill. The investigator will explore comprehensive web browser evidence created during the use of Internet Explorer and Firefox. The analyst will learn how to examine cookies, history, and Internet cache files of the suspect's system. We will show you where you can examine these files and the common mistakes amateur investigators make when looking at browser artifacts.

Throughout the day, the investigator will utilize their skills in real hands-on cases, exploring evidence created by Firefox and Internet Explorer and Windows OS artifacts.

CPE/CMU Credits: 6


Browser forensics

  • History
  • Cache
  • Searches
  • Downloads
  • Understanding of browser timestamps
  • Internet Explorer 6, 7, 8, and 9

IE Key forensic file locations

  • History Index.dat (master, daily, weekly) timestamps
  • Cache Index.dat timestamps
  • InPrivate browsing
  • IE8/IE9 recovery folder analysis

Firefox 2-5

  • FF2 and FF3-5 key forensic file locations
  • Mork format and .sqlite files
  • Download history
  • Cache examinations
  • Typed URLs
  • FF3+ recovery data analysis
  • Private browsing
  • Session Recovery

Examination of browser artifacts

  • Flash cookie files
  • DOM objects
  • Super cookies

Tools used

  • MANDIANT Inc.'s Web Historian
  • Access Data's FTK
  • FoxAnalysis

Day 5 exercises

  • Track a suspect's activity in browser history and cache files
  • Examine which files a suspect downloaded
  • Determine which URLs a suspect typed, clicked on, bookmarked, or merely saw as pop-ups while browsing

Mike Pilkington
Sat Jan 19th, 2013
9:00 AM - 5:00 PM


Focus: Windows Vista/7 Based Digital Forensic Challenge. There has been a murder-suicide and you are the investigator assigned to process the hard drive. This day is a capstone for every artifact discussed in the class. You will use this day to solidify your skills that you have learned over the past week.

Nothing will prepare you more than a full hands-on challenge utilizing the skills and knowledge presented throughout the week. In the morning, you will have the option of working in teams on a real forensic case in which evidence will be provided to you to analyze. The case will step you through proper acquisition, analysis, and reporting in preparation for a possible trial. Every team will work on the case for the majority of the day with the objective of discovering critical pieces of evidence to present during the trial.

The case presented is a complex murder case that requires the student to examine one of the most recent versions of the Windows operating system released. The case took 3 weeks to create, following a script that lays out the key parts of the case in correct time sequence to make for the most realistic training opportunity available. The case will utilize skills from each of the previous days in order to solve the case.

The day will conclude with a mock trial in which presentations of the collected evidence will occur. The team with the best in-class presentation and short write-up will win the challenge and the case.

CPE/CMU Credits: 6


Digital Forensic Case


Following evidence analysis methods discussed throughout the week, find critical evidence.

Teams will examine registry, email, recovered files and more for use in the case.


  • Focus and submit the top three pieces of evidence discovered, and discuss what they prove factually.
  • One of the submitted pieces of evidence will be documented for potential examination during the mock trial.

Mock Trial

Each team will be asked to prepare:

  • Executive Summary
  • Short Presentation
  • Conclusion

The team voted with the best argument and presentation to prove their case will win the challenge.

Day 6 exercises

  • Windows 7/Vista Based Forensic Challenge
  • Mock Trial

Additional Information


A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

You can use any 64-bit version of Windows, Mac OS X, or Linux as your core operating system, provided it can install and run VMware virtualization products.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site.

VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.


  • CPU: 64-bit Intel® x64 2.0+ GHz processor or higher based system is mandatory for this class (Important - Please Read: a 64 bit system processor is mandatory)
  • 4 GB (Gigabytes) of RAM minimum (We strongly recommend 6 GB of RAM or higher to get the most out of the course)
  • Ethernet CAT5 Networking Capability Recommended or Wireless 802.11 B/G/N
  • DVD/CD Combo Drive
  • USB 2.0 or higher Port(s)
  • 200 Gigabyte Host System Hard Drive minimum
  • 80 Gigabytes of Free Space on your System Hard Drive
  • The student should have the capability to have Local Administrator Access within their host operating system



  1. Microsoft Office (any version) w/Excel or OpenOffice w/Calc installed on your host - Note you can download Office Trial Software online (free for 60 days)
  2. Install VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0 (higher versions are OK)
  3. Download and install Winzip or 7Zip


  • One External USB 2.0 or Firewire Hard Drive (Formatted NTFS)
  • One USB Thumb Drive (2-4 GB in size)
  • One 3.5 inch IDE or SATA hard disk drive from:
    • Hard drive purchased from EBAY or craigslist
    • Hard drive from used PC at home/work
    • Local computer show
    • New/Old hard drive from any computer store
    • During an image acquisition exercise, we use the used drive for imaging only


  1. Bring the proper system hardware (64-bit CPU, 6 GB RAM) and operating system configuration
  2. Install VMware (Workstation, Player, or Fusion), MS Office, and 7zip
  3. Bring the proper mandatory additional items

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Information technology professionals who wish to learn the core concepts in computer forensics investigations
  • Incident Response Team Members who are new to responding to security incidents and need to utilize computer forensics to help solve their cases
  • Law enforcement officers, federal agents, or detectives who desire to become a subject matter expert on computer forensics for Windows based operating systems
  • Media Exploitation Analysts who need to master Tactical Exploitation and Document and Media Exploitation (DOMEX) operations on systems used by an individual. They will be able to specifically determine how the individual used their system, who they communicated with, and files they have downloaded, edited, or deleted.
  • Information security managers who need to understand digital forensics in order to understand information security implications and potential litigation related issues or manage investigative teams
  • Information technology lawyers and paralegals who desire to have a formal education in digital forensic investigations
  • Anyone interested in computer forensic investigations with a background in information systems, information security, and computers

  • Windows version of the SIFT Workstation Virtual Machine
  • License to FTK and EnCase for 3 months
  • Write Blocker Kit
    • SATA/IDE Write Blocker with cables and power adapter
  • Course DVD loaded with case examples, tools, and documentation

Author Statement

After 25 years in law enforcement, when I think of what makes a great digital forensic analyst, three things immediately rise to the top of my list: superior technical skill, sound investigative methodology, and the ability to overcome obstacles. SANS FOR408, Windows In-Depth was designed around imparting these critical skills to the students. Unlike many other forensics training courses that focus on teaching a single tool, FOR408 provides training on many tools. While there are some really exceptional tools available, we feel every forensicator needs a variety of tools in their arsenal so they can pick and choose the best tool for each task. But we also understand that a great forensics analyst is not great because of the tool(s) they use; they are great because they artfully apply the right investigative methodology to each analysis. A carpenter can be a master with all his tools and still not know how to build a house. FOR408 is designed to teach and allow each student to apply digital forensic methodologies for a variety of case types and situations, allowing them to apply in the real world the right methodology to achieve the best outcome. Finally, this course is designed to teach and demonstrate problem-solving skills necessary to be a truly successful forensicator. Almost immediately after starting your forensic career, you learn each forensic analysis presents its own unique challenges. A technique that worked flawlessly in previous exams may not work in the next. A good forensicator must be able to overcome obstacles through advanced troubleshooting and problem solving. FOR408 gives students the foundation that will allow them to solve future problems, overcome obstacles and become great forensicators. No matter if you are new to the forensic community or have been doing forensics for years, FOR408 is a must-have course. - Ovie Carroll

SANS COMPUTER FORENSICS GRADUATE THWARTS BANK HEIST. Headlines similar to these are now a reality as former students have emailed me regularly about how they were able to use their digital forensic skills in very real situations. Graduates of Computer Forensic Investigations - Windows In-Depth are the front line troops deployed when you need accurate digital forensic and media exploitation analysis. From analyzing terrorist laptops to investigating insider intellectual property theft and fraud, SANS digital forensic graduates are battling and winning the war on crime and terror. Graduates have directly contributed to solving some of the toughest cases out there because they learn properly how to conduct analysis and run investigations properly. Knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign attacks brings me great comfort. Graduates are doing it. Daily. I am proud that this course at SANS helped prepare students to fight and solve crime. - Rob Lee

Computer forensics has never been more in demand than it is today. Zettabytes of data are created yearly, and forensic examiners will increasingly be called in to separate the wheat from the chaff. For better or worse, digital artifacts are recorded for almost every action, and the bar has been raised for those investigators working to repel computer intrusions, stop intellectual property theft, and put the bad guys in jail. We wrote this course as the forensics training we wish would have been available early in our careers. Keeping up with the cutting edge of forensics is daunting, and with frequent updates I am confident this course provides the most up-to-date training available -- whether you are just starting out or are looking to add to your forensic arsenal. - Chad Tilbury

Venue Information

  • University of Phoenix (Main Campus)
  • 1625 West Fountainhead Parkway
    Second Floor Room 228
    Tempe, AZ 85282-2371 US

Reservation Information

Area Hotels

Comfort Suites Airport

1625 South 52nd Street

Tempe, AZ

(480) 446-9500


Sheraton Hotel

1600 South 52nd Street

Tempe, AZ

(480) 967-6600


Red Roof Inn

2135 West 15th Street

Tempe, AZ

(800) 733-7663


Hampton Inn & Suites Phoenix Airport South

4234 South 48th Street

Phoenix, AZ

(602) 438-8688