Welcome to FOR500: Windows Forensic Analysis
Instructor: TBD | 36 CPEs
Associated Certification: GIAC Certified Forensic Examiner (GCFE)
FOR500 builds in-depth and comprehensive digital forensics knowledge of Microsoft Windows operating systems by analyzing and authenticating forensic data as well as track detailed user activity and organize findings. It teaches students to apply digital forensic methodologies to a variety of case types and situations, allowing them to apply in the real world the right methodology to achieve the best outcome.
What You Will Learn
Master Windows Forensics - "You Can't Protect the Unknown."
All organizations must prepare for cybercrime occurring on computer systems and within corporate networks. Demand has never been greater for analysts who can investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Government agencies increasingly require trained media exploitation specialists to recover vital intelligence from Windows systems, as well as law enforcement investigators to get to the root of a crime. To help solve these cases, SANS is training a new cadre of the world's best digital forensic professionals, incident responders, and media exploitation experts capable of piecing together what happened on computer systems second by second.
FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of Microsoft Windows operating systems. You can't protect what you don't know about, and understanding forensic capabilities and available artifacts is a core component of information security. You will learn how to recover, analyze, and authenticate forensic data on Windows systems, track individual user activity on your network, and organize findings for use in incident response, internal investigations, intellectual property theft inquiries, and civil or criminal litigation. You'll be able to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unbelievable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data and use it to your advantage.
Proper analysis requires real data for students to examine. This continually updated course trains digital forensic analysts through a series of new hands-on laboratory exercises that incorporate evidence found on the latest technologies, including Microsoft Windows 7, Windows 8/8.1, Windows 10, Office and Microsoft 365, Google Workspace (G Suite), Cloud Storage, SharePoint, Exchange, and Outlook. Students will leave the course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out - attendees learn to analyze everything from legacy Windows 7 systems to just-discovered Windows 10 artifacts.
FOR500: Windows Forensic Analysis will teach you to:
- Conduct in-depth forensic analysis of Windows operating systems and media exploitation on Windows 7, Windows 8/8.1, Windows 10, and Windows Server products.
- Identify artifact and evidence locations to answer crucial questions, including application execution, file access, data theft, external device usage, cloud services, device geolocation, file download, anti-forensics, and detailed system and user activity.
- Become tool-agnostic by focusing your capabilities on analysis instead of how to use a particular tool.
- Extract critical answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation.
FOR500 starts with an intellectual property theft and corporate espionage case that took over six months to create. You work in the real world, so your training should include real-world practice data. Our instructor course development team used incidents from their own investigations and experiences to create an incredibly rich and detailed scenario designed to immerse students in an actual investigation. The case demonstrates the latest artifacts and technologies an investigator might encounter while analyzing Windows systems. The detailed workbook shows the tools and techniques that each investigator should employ step by step to solve a forensic case. The tools can be used long after the end of class.
Please note that this is an analysis-focused course; FOR500 does not cover the basics of evidentiary handling, the "chain of custody," or introductory drive acquisition. The course authors update FOR500 aggressively to stay current with the latest artifacts and techniques discovered. This course is perfect for you if you are interested in in-depth and current Microsoft Windows Operating System forensics and analysis for any incident that occurs. If you have not updated your Windows forensic analysis skills in the past three years or more, this course is essential.
You Will Be Able To
- Perform proper Windows forensic analysis by applying key techniques focusing on Windows 7, Windows 8/8.1, and Windows10
- Use state-of-the-art forensic tools and analysis methods to detail nearly every action a suspect accomplished on a Windows system, including who placed an artifact on the system and how, program execution, file/folder opening, geolocation, browser history, profile USB device usage, cloud storage usage, and more
- Uncover the exact time that a specific user last executed a program through Registry and Windows artifact analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker-breached systems, and traditional crimes
- Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), email analysis, and Windows Registry parsing
- Audit cloud storage usage, including detailed user activity, identifying deleted files and even documenting files available only in the cloud
- Identify keywords searched by a specific user on a Windows system to pinpoint the data and information that the suspect was interested in finding, and accomplish detailed damage assessments
- Use Windows Shellbag analysis tools to articulate every folder and directory a user or attacker interacted with while accessing local, removable, and network drives
- Determine each time a unique and specific USB device was attached to the Windows system, the files and folders accessed on it, and what user plugged it in by parsing Windows artifacts such as Registry hives and Event Log files
- Learn Event Log analysis techniques and use them to determine when and how users logged into a Windows system, whether via a remote session, at the keyboard, or simply by unlocking a screensaver
- Determine where a crime was committed using Registry data and pinpoint the geolocation of a system by examining connected networks and wireless access points
- Use browser forensic tools to perform detailed web browser analysis, parse raw SQLite and ESE databases, and leverage session recovery artifacts to identify web activity, even if privacy cleaners and in-private browsing software are used
- Specifically determine how individuals used a system, who they communicated with, and files that were downloaded, modified, and deleted
Windows Forensics Course Topics:
- Windows Operating Systems Focus (Windows 7, Windows 8/8.1, Windows 10, Server 2008/2012/2016/2019)
- Windows File Systems (NTFS, FAT, exFAT)
- Advanced Evidence Acquisition Tools and Techniques
- Registry Forensics
- Shell Item Forensics
- Shortcut Files (LNK) - Evidence of File Opening
- Shellbags - Evidence of Folder Opening
- JumpLists - Evidence of File Opening and Program Execution
- Windows Artifact Analysis
- Browser and Webmail Analysis
- Microsoft Office Document Analysis
- System Resource Usage Database
- Windows 10 Timeline Database
- Windows Recycle Bin Analysis
- File and Picture Metadata Tracking and Examination
- Myriad Application Execution Artifacts, including Several New to Windows 10
- Cloud Storage File and Metadata Examinations
- OneDrive and OneDrive for Business, Dropbox, Google Drive, Google Workspace, and Box
- Email Forensics (Host, Server, Web), including Microsoft 365 and G Suite
- Microsoft Unified Audit Logging
- Event Log Analysis
- Chrome, Edge, Internet Explorer, and Firefox Browser Forensics
- Microsoft 365 SharePoint, OneDrive, Teams, and Email
- Google Workspace (G Suite) Applications and Logging
- Deleted Registry Key and File Recovery
- Recovering Missing Data from Registry and ESE Database .log Files
- String Searching and File Carving
- Examination of Cases Involving Windows 7 through Windows 10
- Media Analysis and Exploitation to:
- Track User Communications Using a Windows Device (Email, Chat, Webmail)
- Identify If and How a Suspect Downloaded Specific Files to or from a Device
- Determine the Exact Time and Number of Times a Suspect Executed a Program
- Show When Any File Was First and Last Opened by a Suspect
- Determine If a Suspect Had Knowledge of a Specific File
- Show the Exact Physical Location of the System
- Track and Analyze Removable Media and USB Mass Storage Class Devices
- Show How the Suspect Logged on to the Machine via the Console, RDP, or Network
- Recover and Examine Browser Artifacts, including Those from Private Browsing Mode
- Discover the Use of Anti-Forensics, including File Wiping, Time Manipulation, and Application Removal
- The Course Is Fully Updated to Include the Latest Windows 7, 8, 8.1, 10, and Server 2008/2012/2016/2019 Artifacts, Tools, and Techniques
What You Will Receive
- Windows 10 Enterprise version of the SIFT Workstation Virtual Machin e with over 200 commercial, open-source, and freeware Digital Forensics and Incident Response (DFIR) tools prebuilt into the environment
- Trial licenses for the following commercial tool suites:
- ISO images filled with real-world cases and artifacts to examine during and after class
- FOR500 exercise workbook with 500 pages of detailed step-by-step instructions
- MP3 audio files of the complete course lecture
FOR500.1: Digital Forensics and Advanced Data Triage
The Windows Forensic Analysis course starts with an examination of digital forensics in today's interconnected environments and discusses challenges associated with mobile devices, tablets, cloud storage, and modern Windows operating systems. Hard drive and digital media sizes are increasingly difficult and time-consuming to handle appropriately in digital cases. Being able to acquire data in an efficient and forensically sound manner is crucial to every investigator today. In this course section, we review the core techniques while introducing new triage-based acquisition and extraction capabilities that will increase the speed and efficiency of the acquisition process. We demonstrate how to acquire memory, the NTFS MFT, Windows logs, Registry, and critical files in minutes instead of the hours or days currently spent on acquisition.
We also begin processing our collected evidence using stream-based and file-carving-based extraction capabilities employing both commercial and open-source tools and techniques. Students come away with the knowledge necessary to target the specific data needed to rapidly answer fundamental questions in their cases.
FOR500.2: Registry Analysis, Application Execution, and Cloud Storage Forensics
Our journey continues with the Windows Registry, where the digital forensic investigator will learn how to discover critical user and system information pertinent to almost any investigation. You'll learn how to navigate and analyze the Registry to obtain user profile and system data. During this course section, we will demonstrate investigative methods to prove that a specific user performed keyword searches, executed specific programs, opened and saved files, perused folders, and used removable devices.
Data is moving rapidly to the cloud, constituting a significant challenge and risk to the modern enterprise. Cloud storage applications are nearly ubiquitous on both consumer and business systems, causing interesting security and forensic challenges. In a world where some of the most important data is only present on third-party systems, how do we effectively accomplish our investigations? In this section we will dissect OneDrive and OneDrive for Business, Google Drive, Google Workspace (G Suite), Dropbox, and Box applications, deriving artifacts present in application logs and left behind on the endpoint. We'll demonstrate how to discover detailed user activity, the history of deleted files, and content in the cloud. Solutions to the very real challenges of forensic acquisition and proper logging are all discussed. Understanding what can be gained through analysis of these popular applications will make investigations of less common cloud storage solutions easier.
Throughout this course section, students will use their skills in a real hands-on case, exploring and analyzing a rich set of evidence.
FOR500.3: Shell Items and Removable Device Profiling
Being able to show the first and last time a file or folder was opened is a critical analysis skill. Shell item analysis, including shortcut (LNK), Jumplist, and Shellbag databases, allows investigators to quickly pinpoint the times of file and folder usage per user. The knowledge obtained by examining shell items is crucial to perform damage assessments, track user activity in intellectual property theft cases, and track hackers.
Removable storage device investigations are an essential part of performing digital forensics. In this course section, students will learn how to perform in-depth USB device examinations on all modern Windows versions. You'll learn how to determine when a storage device was first and last plugged in, its vendor/make/model, and even the unique serial number of the device used.
FOR500.4: Email Analysis, Windows Timeline, SRUM, and Event Logs
Depending on the type of investigation and authorization, a wealth of evidence can be unearthed through the analysis of email files. Recovered email can bring excellent corroborating information to an investigation, and its informality often provides very incriminating evidence. It is common for users to have an email that exists locally on their workstation, on their company email server, in a private cloud, and in multiple webmail accounts.
The exciting Windows 10 Timeline database shows great promise in recording detailed user activity, including additional application execution artifacts, mapping file usage to specific programs and users, and additional device identification via synchronized artifacts. Similarly, the System Resource Usage Monitor (SRUM), one of our most exciting digital artifacts, can help determine many important user actions, including network usage per application and VPN and wireless network usage. Imagine the ability to audit network usage by cloud storage and backdoors even after execution of counter-forensic programs!
Finally, Windows event log analysis has solved more cases than possibly any other type of analysis. Windows 10 now includes over 300 logs, and understanding the locations and content of the available log files is crucial to the success of any investigator. Many researchers overlook these records because they do not have adequate knowledge or tools to get the job done efficiently. This section arms investigators with the core knowledge and capability to maintain and build upon this crucial skill for many years to come.
FOR500.5: Web Browser Forensics
With the increasing use of the web and the shift toward web-based applications and cloud computing, browser forensic analysis is a critical skill. During this section, students will comprehensively explore web browser evidence created during the use of Internet Explorer, Microsoft Edge, Firefox, and Google Chrome. The hands-on skills taught here, such as SQLite and ESE database parsing, allow investigators to extend these methods to nearly any browser they encounter. Students will learn how to examine every significant artifact stored by the browser, including cookies, visit and download history, Internet cache files, browser extensions, and form data. We will show you how to find these records and identify the common mistakes investigators make when interpreting browser artifacts. You will also learn how to analyze some of the more obscure (and powerful) browser artifacts, such as session restore, HTML5 web storage, zoom levels, predictive site prefetching, and private browsing remnants. Finally, we'll explore browser synchronization, providing investigative artifacts derived from other devices in use by the subject of the investigation.
Throughout the section, students will use their skills in real hands-on cases, exploring evidence created by Chrome, Firefox, Microsoft Edge, Internet Explorer, and Tor correlated with other Windows operating system artifacts.
FOR500.6: Windows Forensics Challenge
Nothing will prepare you more as an investigator than a full hands-on challenge that requires you to use the skills and knowledge presented throughout the course. You will have the option to work individually or in teams on a real forensic case. Students will be provided new evidence to analyze, and the exercise will step them through the entire case flow, including proper acquisition, analysis, and reporting and presentation of investigative findings. Fast forensics techniques will be used in order to rapidly profile computer usage and discover the most critical pieces of evidence to answer investigative questions.
This complex case involves an investigation into one of the most recent versions of the Windows operating system. The evidence is real and provides the most realistic training opportunity currently available. Solving the case requires students to use all of the skills gained from each of the previous course sections.
The section concludes with a mock trial involving presentations of the evidence collected. The team with the best in-class presentation and documentation wins the challenge - and the case!
There are no prerequisite courses required to take this course. The artifacts and tool-agnostic techniques you will learn will lead to the successful analysis of any cyber incident and crime involving a Windows Operating System.
!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.
You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system provided you can install and run VMware virtualization products. Students are provided with a digital forensic lab built into a VMware Virtual Machine. You must have a minimum of 8 gigabytes (GB) of RAM or higher for the class virtual machine to function, but 16 GB of RAM is highly recommend for the best experience.
It is critical that your CPU and operating system support 64-bit applications so that our 64-bit guest virtual machine can run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
Please download and install VMware Workstation, VMware Fusion, or VMware Player on your system prior to the start of the class. Your version of VMware cannot be more than one version behind the latest available version of the software. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware.
MANDATORY FOR500 SYSTEM HARDWARE REQUIREMENTS:
- CPU: 64-bit Intel i5/i7 (4th generation+) x64 bit 2.0+ GHz processor or more recent processor is mandatory for this class (Important a 64-bit system processor is MANDATORY.)
- 8 GB of RAM or higher is mandatory for this class (Important - 8 GB of RAM or higher of RAM is mandatory and minimum. For the best experience, 16GB of RAM is recommended.)
- USB 3.0
- 300+ GB host system hard drive minimum
- 200 GB minimum of free space on your host hard drive: Free space is absolutely critical to host the virtual machines and evidence files provided with the class
- Students must have Local Administrator access within their host operating system and access to the BIOS settings
OPTIONAL FOR500 SYSTEM HARDWARE REQUIREMENTS:
A USB removable storage device is necessary to complete one optional exercise in the course. The storage size of the USB media should be larger than the RAM size of the student laptop.
MANDATORY FOR500 SYSTEM SOFTWARE REQUIREMENTS:
Host Operating System: Fully patched and updated Windows, Mac OSX (10.10+), or a recent version of the Linux operating system (released 2016 or later) that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player). Please note: It is necessary to fully update your host operating system prior to the class to ensure that you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE module
CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
- Microsoft Office (any version) with Excel or OpenOffice with Calc installed on your host. You can download Office Trial Software online (free for 30 days)
- Install VMware Workstation, VMware Fusion, or VMware Player (your version should be no more than one version behind the latest available from VMware)
- Download and install 7Zip on your host (Mac users should ensure they have a capable unarchiving tool such as Keka)
IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:
- Bring the proper system hardware (64bit/8+GB Ram) and operating system configuration
- Install VMware (Workstation, Player, or Fusion), MS Office, and 7zip and make sure everything works before class.
If you have additional questions about the laptop specifications, please contact email@example.com.
GM Security Technologies HQ (GM Sectec) GM Group Plaza
1590 Ponce de Leon Ave Suite 110 – Lobby – Executive Briefing Centre
Rio Piedras, PR 00926
Sheraton Convention Centre
200 Convention Boulevard
San Juan, PR 00907
For a special rate please contact Jaime Arbelaez-Sales Manager directly at 787-993-3607. Please reference "GM SecTec Training | Jan 24-29"
Rates are subject to availability.