Abu Dhabi 2018

!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system that also can install and run VMware virtualization products. You also must have a minimum of 8 GB of RAM or higher for the VM to function properly in the class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 12, VMware Fusion 8, or VMware Player 12 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.

MANDATORY FOR500 SYSTEM HARDWARE REQUIREMENTS:

• CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
• 8 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher of RAM is mandatory and minimum. For best experience 16GB of RAM is recommended.)
• Wireless 802.11 Capability
• USB 3.0
• 250+ Gigabyte Host System Hard Drive minimum
• 200 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical to host the VMs we distribute
• Students should have the capability to have Local Administrator Access within their host operating system and BIOS settings

MANDATORY FOR500 SYSTEM SOFTWARE REQUIREMENTS:

• Host Operating System: Fully patched & updated Windows (7+), Mac OSX (10.10+), or a recent version of Linux operating system (released 2016 or later) that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player). Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.

• Download and install 7Zip

PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:

1. Microsoft Office (any version) w/Excel or OpenOffice w/Calc installed on your host - Note you can download Office Trial Software online (free for 60 days)
2. Install VMware Workstation 12, VMware Fusion 8, or VMware Player 12 (more recent versions are also ok)
3. Download and install 7Zip on your host

IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:

1. Bring the proper system hardware (64bit/8GB Ram) and operating system configuration
2. Install VMware (Workstation, Player, or Fusion), MS Office, and 7zip and make sure it works before class.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

• Information security professionals who want to learn the in-depth concepts of Windows digital forensics investigations.
• Incident response team members who need to use deep-dive digital forensics to help solve their Windows data breach and intrusion cases.
• Law enforcement officers, federal agents, or detectives who want to become a deep subject-matter expert on digital forensics for Windows-based operating systems.
• Media exploitation analysts who need to master tactical exploitation and Document and Media Exploitation (DOMEX) operations on Windows-based systems used by an individual. Attendees will be able to specifically determine how individuals used a system, who they communicated with, and the files that were downloaded, edited, and deleted.
• Anyone interested in a deep understanding of Windows forensics who has a background in information systems, information security, and computers.

FOR500: Windows Forensic Analysis focuses on in-depth analysis of Microsoft Windows operating system and artifacts. There are no prerequisite courses required to take this course. The artifacts and tool agnostic techniques you will learn will lead to the successful analysis of any cyber incident and crime involving a Windows Operating System. Please note: This is an analysis focused course, FOR500 does not cover the basics of evidentiary handling, the "chain of custody", and introductory drive acquisition. Our authors update FOR500 aggressively to stay current with the latest new artifacts and techniques discovered recently. If you are interested in in-depth and current Microsoft Windows operating system forensics and analysis for any incident that occurs - this course is perfect for you. If you have not updated your windows forensic analysis skills in the past 3 years or more, this course is essential for you.

• Windows 10 Enterprise version of the SIFT Workstation Virtual Machine with over 200 commercial, open-source, and freeware Digital Forensics and Incident Response tools prebuilt into the environment
• Full version licenses for 90 days:
• AccessData FTK
• Magnet Forensics Internet Evidence Finder
• TZWorks Toolset
• NUIX
• A 128 GB USB Key or two 64 GB USB Keys with real-world cases to examine during and after class
• FOR500 Detailed exercise workbook with detailed step-by-step instructions
• Wiebetech Forensic Ultradock v5.5 Write Blocker Kit
• IDE/PATA and SATA Cable Connectors
• FireWire 800, USB 3.0, USB 2.0, and eSATA Host Connections
• MP3 audio files of the complete course lecture

• Perform proper Windows forensic analysis by applying key techniques focusing on Windows 7/8/10
• Use full-scale forensic tools and analysis methods to detail nearly every action a suspect accomplished on a Windows system, including who placed an artifact on the system and how, program execution, file/folder opening, geo-location, browser history, profile USB device usage, and more
• Uncover the exact time that a specific user last executed a program through Registry and Windows artifact analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker-breached systems, and traditional crimes
• Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), e-mail analysis, and Windows Registry parsing
• Identify keywords searched by a specific user on a Windows system to pinpoint the data and information that the suspect was interested in finding and accomplish detailed damage assessments
• Use Windows Shellbag analysis tools to articulate every folder and directory that a user opened up while browsing local, removable, and network drives
• Determine each time a unique and specific USB device was attached to the Windows system, the files and folders that were accessed on it, and who plugged it in by parsing Windows artifacts such as the Registry and log files
• Learn event log analysis techniques and use them to determine when and how users logged into a Windows system, whether via a remote session, at the keyboard, or simply by unlocking a screensaver
• Determine where a crime was committed using Registry data to pinpoint the geo-location of a system by examining connected networks and wireless access points
• Use browser forensic tools to perform detailed Web browser analysis, parse raw SQLite and ESE databases, and leverage session recovery artifacts and flash cookies to identify the Web activity of suspects, even if privacy cleaners and in-private browsing are used

Course Review: SANS FOR500 Windows Forensic Analysis http://www.ethicalhacker.net/content/view/459/24/

Course and GIAC Cert Review: http://www.hecfblog.com/search?q=for500

"The SANS Institute is currently the leader in the commercial IR and computer forensic training market. They have a large number of quality courses." - Luttgens, Jason; Pepe, Matthew; Mandia, Kevin. Incident Response & Computer Forensics, Third Edition - July 2014

"This is a very high-intensity course with extremely current course material that is not available anywhere else in my experience." - Alexander Applegate, Auburn University

"Best forensics class I have had yet (and pretty much the only one that gives you some sort of framework on HOW to attack an exam)." - Det. Juan C. Marquez, Prince William County, Virginia Police Department

"Hands down the BEST forensics class EVER!! Blew my mind at least once a day for 6 days!" - Jason Jones, USAF

"I took SANS FOR500 Windows Forensics and the learning opportunity was second to none. Anyone looking for a first-rate forensics class that you can immediately take back to the real world and apply to their job needs to take at least one class from SANS in their lifetime. Whatever the cost may be to you, if forensics is a career priority to you, then you need to take at least one forensics class from SANS." - Chris Nowell, Information Security Architect, Airlines Reporting Corporation

"As a member of the IR team, this course will aid in investing compromised hosts." - Mike Piclher, URS Corp.

"FOR500 is based on real scenarios that are likely to occur again. The most up-to-date training I have received." - Martin Heyde, UK Ministry of Defence

"Best forensics course I have taken to date. Vast amounts of information." - Ellen Clark, FBI

"Call me a geek, but this is FUN!" - Frank Dixon, The Babcock & Wilcox Company

"Overall the course continues to be chock full of megalicious forensicness. Thanks a bunch for the key knowledge." - Vincent Bryant, Blue Cross Blue Shield of Tennessee

"If you were not interested in forensics before, you will be after this class. For those who already love it, it is reassurance that you are doing the right thing with your life." - Cleora Madison, Walt Disney Theme Parks and Resorts

"The Registry labs are invaluable. I learned more in this class about registry than in 10 years at work. Thanks!" - Michael Mimo, JP Morgan

"I was really looking forward to Windows in-depth and that is exactly what we are getting!" - Joshua Hoover, Charles Schwab

"I have been using forensics tools for years. I never professed to know it all; however, I did not expect to learn as much as I did." - Jody Hawkins, Cook Children's Health Care System

"I really appreciate the prebuilt and configured SIFT workstation. The FOR500 class materials and instruction were outstanding." - Clint Modesitt, LSUHSC

"FOR500 is absolutely necessary for any computer forensic type career. Excellent information!" - Rebecca Passmore, FBI

"Before I arrived here, I knew the basics of comp. forensics. After taking this course I feel that if suited with the proper tools, I could handle the task of working a live case." - Anonymous

"This course was by far the most informative and well taught class I have attended." - Brian Periera, Farfield PD

"Love the amount of detail/info in books, love the VM." - Jeff Datzman, Vacaville Police Department

"Best course I have taken in 20 years." - Gary Sanders, LWCC

"The hands-on are excellent - Best I have had in 15 years of forensics classes. The best books as well." - Shawn Bostick, AR AG

"This is by far the best training I have ever had. My forensic knowledge increased more in the last 5 days than in the last year." - Vito Rocco, UNLV

"Are you kidding me? I, personally, see this course (FOR500) as pretty much perfected." - Mike Bowden, Boeing

"There's not a lot of courses that cover depth as well as the width of material. I think FOR500 strikes the right balance between the two." - Wayne Dawson, Vancity Savings Credit Union

"FOR500 has the depth and breadth of knowledge shared by the instructor and contents of the lab make it necessary to take the course. Very impressive!" - Debra Emmanuel, TWD & Associates