
Cyber Defense Initiative® 2013

Washington, DC | Thu, Dec 12 - Thu, Dec 19, 2013

FOR408: Computer Forensic Investigations - Windows In-Depth

Thu, December 12 - Tue, December 17, 2013

Master Windows Forensics. Learn Critical Analysis Techniques.

With today's ever-changing technologies and environments, it is inevitable that every organization will deal with cybercrime, including fraud, insider threats, industrial espionage, and phishing. Government agencies also need the skills to perform media exploitation and recover key intelligence from adversary systems. To solve these cases, organizations are hiring digital forensic professionals and relying on cybercrime law enforcement agents to piece together what happened.

FOR408: COMPUTER FORENSIC INVESTIGATIONS - WINDOWS IN-DEPTH focuses on the critical knowledge of the Windows Operating System that every digital forensic analyst needs to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that can be used in internal investigations or civil/criminal litigation.

This course covers the methodology of in-depth computer forensic examinations, digital investigative analysis, and media exploitation so each student will have complete qualifications to work as a computer forensic investigator helping to solve and fight crime. In addition to in-depth technical knowledge of Windows Digital Forensics (Windows XP through Windows 8 and Server 2012), you will learn about well-known computer forensic tools such as Access Data's Forensic Toolkit (FTK), Guidance Software's EnCase, Registry Analyzer, FTK Imager, Prefetch Analyzer, and much more. Many of the tools covered in the course are freeware, comprising a full-featured forensic laboratory that students can take with them.



Computer Forensic Investigations - Windows In-Depth course topics


  • Windows File System Foundations
  • Evidence Acquisition Tools and Techniques
  • Law Enforcement Bag and Tag
  • Evidence Integrity
  • Registry Forensics
  • Windows Artifact Analysis
    • Facebook, Gmail, Hotmail, Yahoo Chat and Webmail Analysis
    • E-Mail Forensics (Host, Server, Web)
    • Microsoft Office Document Analysis
    • Windows Link File Investigation
    • Windows Recycle Bin Analysis
    • File and Picture Metadata Tracking and Examination
    • Prefetch Analysis
  • Event Log File Analysis
  • Firefox, Chrome, and Internet Explorer Browser Forensics
  • Deleted File Recovery
  • String Searching and Data Carving
  • Examination of Cases involving Windows XP, Vista, Windows 7, and Windows 8
  • Media Analysis And Exploitation involving:
    • Tracking user communications using a Windows PC (e-mail, chat, IM, webmail)
    • Identifying if and how the suspect downloaded a specific file to the PC
    • Determining the exact time and number of times a suspect executed a program
    • Showing when any file was first and last opened by a suspect
    • Determining if a suspect had knowledge of a specific file
    • Showing the exact physical location of the system
    • Tracking and analysis of USB devices
    • Showing how the suspect logged on to the machine via the console, RDP, or network
    • Recovering and examining browser artifacts, even those used in private browsing mode
  • Forensic Analysis Report Writing
  • Fully Updated to include Windows 8 and Server 2012 Examinations


Course Syllabus

Chad Tilbury
Thu Dec 12th, 2013
9:00 AM - 5:00 PM


Focus: Investigations begin with firm knowledge of proper evidence acquisition and analysis. Digital Forensics is more than just using a tool that automatically recovers data. Digital Forensics requires analytical skills. Today you will learn how the professionals accomplish digital forensics.

At first, investigating a case appears to be a daunting task. The hardest part of forensics is not recovering data, but understanding how the recovered evidence can prove a case. On day one, students become familiar with fundamental forensic topics that every investigator should know.

Securing or "bagging and tagging" digital evidence can be tricky. Each computer forensics examiner should be familiar with different methods of successfully acquiring and maintaining the integrity of the evidence. Starting with the foundations from law enforcement training in proper evidence-handling procedures, you will learn firsthand the best methods to obtain evidence in a case. You will use the Wiebetech Forensic Ultradock v5 Write Blocker, part of your Windows SIFTkit, to obtain evidence from a hard drive using the most popular tools in the field. You will learn how to use toolkits to obtain memory, encrypted or unencrypted hard disk images, and protected files from a computer system that is running or powered off.

CPE/CMU Credits: 6

  • Purpose of Forensics
    • Investigative Mindset
    • Focus on the Fundamentals
  • Evidence Fundamentals
    • Admissibility
    • Authenticity
    • Threats against Authenticity
  • Reporting and Presenting Evidence
    • Taking Notes
    • Report Writing Essentials
    • Best Practices for Presenting Evidence
  • Evidence Acquisition Basics
    • Wiebetech Forensic Ultradock v5 Write Blocker Utilization
    • Access Data's FTK Imager
    • Access Data's FTK Imager Lite
  • Preservation of Evidence
    • Chain of Custody
    • Evidence Handling
    • Evidence Integrity
  • Types of Acquisition
    • Logical vs. Physical
    • Basic Windows Memory Acquisition
    • Basic Disk-Based Acquisition
    • E-discovery Acquisition
  • Forensic Field Kits
    • Adapters/Cables
    • Write Blockers
    • Laptops/Handheld Imagers
  • Full Disk Image Acquisition Tools and Techniques
    • Seizing the Evidentiary Image of a USB Device
    • Seizing the Evidentiary Image from a Hard Drive
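The integrity step above is what later lets an image be tied back to the original media: the hashes taken at acquisition are recorded with the chain-of-custody paperwork and recomputed after every copy or transfer. The following is an added example written for this page, not the course's or any vendor tool's code. It hashes an image with several algorithms in a single pass, records the digests in a sidecar file (the sidecar format is made up here), and re-verifies after a single bit has been flipped to show that any post-acquisition write, such as one made without a write blocker, fails verification. The image file and its name are constructed.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 4 * 1024 * 1024  # 4 MiB reads keep memory flat on multi-GB images


def hash_image(path, algorithms=("md5", "sha1", "sha256")):
    """Compute several digests of a disk image in a single pass over the file.

    Reading once and feeding every hasher from the same chunk keeps verification
    time proportional to the image size, not to the number of algorithms.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def write_hash_sidecar(image_path, digests):
    """Record the acquisition hashes beside the image (sidecar layout assumed here)."""
    sidecar = image_path + ".hashes"
    with open(sidecar, "w", encoding="ascii") as fh:
        for name in sorted(digests):
            fh.write(f"{name.upper()}  {digests[name]}  {os.path.basename(image_path)}\n")
    return sidecar


def verify_image(image_path, sidecar):
    """Re-hash the image and compare against every digest recorded at acquisition.

    Returns (ok, mismatched_algorithms). A single changed bit anywhere in the
    image changes every digest, so any mismatch means the copy can no longer
    be tied to the original evidence.
    """
    expected = {}
    with open(sidecar, encoding="ascii") as fh:
        for line in fh:
            name, hexdigest, _filename = line.split()
            expected[name.lower()] = hexdigest
    actual = hash_image(image_path, tuple(expected))
    mismatched = sorted(name for name in expected
                        if not hmac.compare_digest(expected[name], actual[name]))
    return (not mismatched), mismatched


def demo():
    """Constructed scenario: hash a fake 3 MiB image, flip one bit, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        with open(image, "wb") as fh:
            fh.write(os.urandom(3 * 1024 * 1024 + 17))  # not a multiple of CHUNK_SIZE
        sidecar = write_hash_sidecar(image, hash_image(image))
        ok_before, _ = verify_image(image, sidecar)
        with open(image, "r+b") as fh:  # what a stray write without a blocker does
            fh.seek(1000)
            original = fh.read(1)
            fh.seek(1000)
            fh.write(bytes([original[0] ^ 0x01]))
        ok_after, mismatched = verify_image(image, sidecar)
        return ok_before, ok_after, mismatched


if __name__ == "__main__":
    print(demo())
```

Hashing the physical device before imaging and the image file afterwards, and recording both, is the check that proves the image is a faithful copy; the verification is repeated each time the image changes hands.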

Chad Tilbury
Fri Dec 13th, 2013
9:00 AM - 5:00 PM


Focus: Moving quickly from evidence acquisition, you will begin your investigation using the same cutting-edge tools used by the pros. You will learn how major forensic suites can facilitate and expedite the investigative process. In addition, you will learn how to recover and analyze e-mail, the most popular form of communication. Client-based, server-based, mobile, and web-based email forensic analysis is discussed in-depth and students use their knowledge to solve a realistic spam e-mail case.

The section begins with the analysis of electronic evidence using commercial and freely available tools packaged into the Windows SIFT Workstation. You will learn how to recover deleted data from evidence, perform string searches using a word list, and begin to piece together the events that occurred. Today's course is critical to anyone performing digital forensics and provides the most up-to-date techniques to acquire and analyze digital evidence.

Forensic investigations involving e-mail occur every day. E-mail examinations require the investigator to pull data from a local client store or from an e-mail server, or even to recover web-based e-mail fragments from temporary files left by a web browser. Students will learn the critical steps needed to investigate Outlook, Exchange, webmail, and even Lotus Notes e-mail stores.

This course is very hands-on. Students will acquire a disk image and begin analysis of a case that will require them to use the skills presented throughout the section.

  • Recover deleted files
  • Search for files or e-mails containing specific keywords related to a case
  • Attribute email evidence to the individual who sent it
  • Find e-mail evidence sent to specific e-mail and IP addresses
  • Geo-locate sender of phishing e-mails
  • Detect phishing e-mails.

CPE/CMU Credits: 6

  • Forensic Automated Tools
    • Access Data's Forensic Tool Kit (FTK)
    • Guidance Software's EnCase
    • Freeware/Open-Source Capabilities
  • Traditional Tasks Using Forensic Tools
    • Triage Techniques
    • String/File Searches
    • Automated Forensics
    • Browsing Disks
  • Recovering Deleted Files
    • Automated Recovery
    • String Searches
    • Keyword Searches
  • E-Mail Forensics
    • Evidence of User Communication
    • How E-Mail Works
    • Determining the Sender's Geographic Location
    • Examination of E-Mail
    • Types of E-Mail Formats
      • Microsoft Outlook/Outlook Express
      • Web-Based Mail
      • Microsoft Exchange
      • Lotus Notes
      • Exchange Dumpster Forensics
      • Recovering Deleted E-Mails
    • E-Mail Analysis
    • E-Mail Searching and Examination
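Attributing a message and locating its sender starts with the Received header chain: each mail transfer agent prepends its own Received line, so the header nearest the body is the oldest hop, and the first globally routable address on the way up is the best candidate for the originating host (everything below the first server you control can be forged). The following added example is not part of the course material; it walks that chain, extracts the originating address with the timestamp of that hop, and compares the From, Reply-To, and Message-ID domains, which routinely disagree in phishing mail. The message, hostnames, and addresses are constructed, with RFC 5737 documentation ranges standing in for public addresses.

```python
import ipaddress
import re
from email import message_from_bytes, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed phishing message. Hosts are invented; 203.0.113.77, 198.51.100.7 and
# 192.0.2.10 are RFC 5737 documentation addresses standing in for public ones.
SAMPLE = b"""Received: from mx2.victim.example (mx2.victim.example [192.0.2.10])
\tby mailstore.victim.example with ESMTP id abc123;
\tTue, 10 Dec 2013 14:02:11 -0500
Received: from smtp-out.relay.example ([198.51.100.7])
\tby mx2.victim.example with ESMTP; Tue, 10 Dec 2013 14:02:09 -0500
Received: from [10.0.0.5] (unknown [203.0.113.77])
\tby smtp-out.relay.example (Postfix) with ESMTPA id 9F2E1;
\tTue, 10 Dec 2013 13:59:58 -0500
Received: from localhost (localhost [127.0.0.1])
\tby [10.0.0.5]; Tue, 10 Dec 2013 13:59:57 -0500
From: "Payroll Department" <payroll@victim.example>
Reply-To: payroll-update@mail-verify.example
To: finance@victim.example
Subject: Urgent: direct deposit update required
Message-ID: <20131210185957.9F2E1@smtp-out.relay.example>
Date: Tue, 10 Dec 2013 13:59:58 -0500

Please confirm your banking details at the link below.
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Ranges that can never identify a sender. RFC 5737 documentation space is
# deliberately not excluded so that the constructed sample resolves.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def is_routable(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def received_hops(msg):
    """Received headers in transit order (oldest hop first), whitespace unfolded."""
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def originating_ip(msg):
    """First routable address walking up from the oldest hop, with that hop's timestamp."""
    for hop in received_hops(msg):
        for ip_text in IPV4.findall(hop):
            if is_routable(ip_text):
                stamp = parsedate_to_datetime(hop.rsplit(";", 1)[-1].strip()) if ";" in hop else None
                return ip_text, stamp
    return None, None


def sender_indicators(msg):
    """Header fields that frequently disagree with each other in phishing mail."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    msgid_domain = msg.get("Message-ID", "").rsplit("@", 1)[-1].strip("<> ")
    from_domain = from_addr.rsplit("@", 1)[-1]
    return {
        "from": from_addr,
        "reply_to": reply_to,
        "message_id_domain": msgid_domain,
        "reply_to_differs": bool(reply_to) and reply_to.rsplit("@", 1)[-1] != from_domain,
        "message_id_differs": msgid_domain != from_domain,
    }


def analyze(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    ip, stamp = originating_ip(msg)
    report = sender_indicators(msg)
    report["originating_ip"] = ip
    report["originating_hop_time"] = stamp.isoformat() if stamp else None
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key:22} {value}")
```

The routable address found this way is the input to the geolocation step; it identifies the submitting host (here an authenticated relay client), not necessarily the person, and the hop timestamps should be checked for consistency with the Date header and with each other.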

Chad Tilbury
Sat Dec 14th, 2013
9:00 AM - 5:00 PM


Focus: Windows XP, Windows 7, and Windows 8 Registry analysis and USB device forensics.

Our journey continues with the Windows Registry, where the digital forensic investigator will learn how to discover critical user and system information pertinent to almost any investigation. Each examiner will learn how to navigate and examine the Registry to obtain user profile data and system data. The course teaches forensic investigators how to prove that a specific user performed keyword searches, ran specific programs, opened and saved files, perused folders, and used removable devices.

Removable storage device investigations are often a key part of performing computer forensics. We will show you how to perform in-depth USB device examinations on Windows 8, Windows 7, Vista, and Windows XP machines. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, and even the unique serial number of the device used.

Throughout the section, investigators will apply their skills in a real hands-on case, exploring and analyzing evidence.

CPE/CMU Credits: 6

  • Registry Forensics In-Depth
    • Registry Basics
      • Hives, Keys, and Values
      • Registry Last Write Time
      • MRU Lists
    • Profile Users and Groups
      • Discover Usernames and the SID mapped to them
      • Last Login
      • Last Failed Login
      • Logon Count
      • Password Policy
    • Core System Information
      • Identify Current Control Set
      • System Name and Version
      • Timezone
      • Local IP Address Information
      • Wireless/Wired/3G Networks
      • Geo-location using Wireless Networks
      • Network Shares
      • Last Shutdown Time
    • User Forensic Data
      • Evidence of Program Execution
      • Evidence of File Downloads
      • Evidence of File and Folder Access (Shellbag)
      • XP, Win7, Win8 Search History
      • Typed Paths and Directories
      • Recent Documents (RecentDocs)
      • Open-> Save/Run Dialog Boxes Evidence
      • Application Execution History (UserAssist)
    • External and BYOD Device Forensic Examinations
      • Vendor/Make/Version
      • Unique Serial Number
      • Last Drive Letter
      • MountPoints2 - Last Drive Mapping Per User
      • Volume Name and Serial Number
      • Username that Used the USB Device
      • Time of First Use of USB Device
      • Time of Last Use of USB Device
      • BYOD Device Forensics
    • Tools Utilized
      • Regripper and Regripper plugins
      • Access Data Registry Viewer
      • YARU (Yet Another Registry Utility)
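Several of the artifacts listed above have to be decoded before they say anything; UserAssist is the usual first example, because its value names are ROT13-encoded and its data is a binary record whose layout changed between XP/Vista (16 bytes: session, run count biased by five, last-run FILETIME) and Windows 7/8 (72 bytes: run count, focus count, focus time, a block of floats, last-run FILETIME at offset 60). The script below is an added example, not one of the course's tools: it decodes both layouts from constructed registry values (no real hive is read) and resolves one Windows 7 known-folder GUID from a partial table assumed for the example.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Windows 7/8 prefix value names with known-folder GUIDs. Partial table (assumed
# for this example); extend it from the Known Folder documentation as needed.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
}


def filetime_to_utc(filetime):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; zero means 'never recorded'."""
    return None if filetime == 0 else EPOCH_1601 + timedelta(microseconds=filetime // 10)


def utc_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_userassist(value_name, data):
    """Decode one UserAssist value: ROT13 name plus an OS-version-specific record."""
    name = codecs.decode(value_name, "rot13")
    guid, sep, rest = name.partition("\\")
    if sep and guid in KNOWN_FOLDERS:
        name = KNOWN_FOLDERS[guid] + "\\" + rest
    if len(data) == 16:
        # XP/Vista: session id, run count (stored with a +5 bias), last-run FILETIME
        _session, count, filetime = struct.unpack("<IIQ", data)
        record = {"run_count": max(count - 5, 0), "focus_count": None, "focus_time_ms": None}
    elif len(data) == 72:
        # Win7/Win8: run count at +4, focus count at +8, focus time in ms at +12,
        # ten floats (+16..+55) and an unknown DWORD, last-run FILETIME at +60
        count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
        (filetime,) = struct.unpack_from("<Q", data, 60)
        record = {"run_count": count, "focus_count": focus_count, "focus_time_ms": focus_ms}
    else:
        raise ValueError(f"unexpected UserAssist data length {len(data)}")
    last_run = filetime_to_utc(filetime)
    record.update(name=name, last_run=last_run.isoformat() if last_run else None)
    return record


def sample_values():
    """Constructed registry values (not from a real hive), one per layout."""
    xp_time = datetime(2013, 12, 10, 14, 30, tzinfo=timezone.utc)
    xp_name = codecs.encode("UEME_RUNPATH:C:\\WINDOWS\\system32\\calc.exe", "rot13")
    xp_data = struct.pack("<IIQ", 1, 7 + 5, utc_to_filetime(xp_time))  # 7 real runs

    w7_time = datetime(2013, 12, 11, 9, 5, 42, tzinfo=timezone.utc)
    w7_name = codecs.encode("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe", "rot13")
    w7_data = bytearray(72)
    struct.pack_into("<III", w7_data, 4, 3, 2, 15000)
    struct.pack_into("<Q", w7_data, 60, utc_to_filetime(w7_time))
    return [(xp_name, xp_data), (w7_name, bytes(w7_data))]


def parse_all(values):
    return [decode_userassist(name, data) for name, data in values]


if __name__ == "__main__":
    for record in parse_all(sample_values()):
        print(record)
```

In a real case the values come from NTUSER.DAT under Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count, and a tool such as RegRipper performs exactly this decoding; knowing the layout is what lets you sanity-check the tool's output when a count or timestamp looks wrong.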

Chad Tilbury
Sun Dec 15th, 2013
9:00 AM - 5:00 PM


Focus: Suspects unknowingly create hundreds of files that link back to their actions on a system. Learn how to examine key files such as link files, Windows prefetch, pagefile/system memory, and more. The latter part of the section centers on examining Windows log files, demonstrating their usefulness in both simple and complex cases.

Continuing from the previous section, the investigator will focus on key files found on the Windows operating system containing evidence. We start with examining the pagefile, system memory, and unallocated space, all difficult-to-access locations that can offer the critical data for your case. Examine key evidentiary links to pictures, printed office documents, and files copied to a removable device.

Windows Log File analysis has solved more cases than possibly any other type of analysis. Understanding the locations and content of these files is crucial to the success of any type of investigator. Many investigators overlook these files because they do not have adequate knowledge or tools to get the job done. The last part of the section will arm each investigator with the core knowledge and capability to maintain this crucial skill for many years to come.

  • Recycle Bin Analysis
  • Shortcut (LNK) File Analysis
  • Prefetch Folder Analysis
  • Recovery of Chat Sessions, Web-Based E-Mail, Social Networking, and Private Browsing

CPE/CMU Credits: 6

  • Memory, Pagefile, and Unallocated Space Analysis
    • Artifact Recovery and Examination
    • Facebook Live, MSN Messenger, Yahoo, AIM, GoogleTalk Chat
    • IE8/IE9 InPrivate/Recovery URLs
    • Yahoo, Hotmail, G-Mail, Webmail, E-Mail
  • Forensicating Files Containing Critical Digital Forensic Evidence
    • Office Documents (2000-2007, .doc and .docx)
    • Adobe Files
    • EXIF Data including GPS Coordinates
    • Link/Shortcut Files (.lnk)
    • Win7/Win8 Jump Lists
    • XP Thumbs.db and Vista/Win7/Win8 Thumbscache Files
    • Internet Chat Programs (Skype/AIM/MSN)
    • Windows Prefetch Analysis (XP/Vista/Win7/Win8)
    • Windows Recycle Bin Analysis (XP/Vista/Win7/Win8)
  • Windows Event Log Digital Forensic Analysis
    • Which Windows Events Matter to a Digital Forensic Investigator
    • EVT Log Files
    • EVTX Log Files
    • Finding Evidence of User Logins, Remote Desktop Usage, Malware Execution, and More
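On Vista and later the Security log records every successful logon as event 4624 and every failure as 4625, and the LogonType field in the event data is what tells a console logon (2) from a network share connection (3), a screen unlock (7), or a Remote Desktop session (10). The following is an added example rather than course material: it parses records in the EVTX XML schema, drops the service and machine-account logons that dominate the log, and produces a who/how/from-where timeline. The records are constructed with a small helper, and the hostnames, accounts, and addresses are invented.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

LOGON_TYPES = {
    2: "Interactive (console)", 3: "Network (share/IPC)", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP)", 11: "CachedInteractive",
}
# NTSTATUS codes carried in the SubStatus field of event 4625
FAILURE_REASONS = {
    "0xc000006a": "bad password", "0xc0000064": "no such user",
    "0xc0000234": "account locked out", "0xc0000072": "account disabled",
    "0xc000006f": "outside logon hours", "0xc0000070": "workstation restriction",
    "0xc0000071": "password expired",
}


def parse_systemtime(value):
    """TimeCreated has 100-ns precision; trim to the microseconds datetime supports."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", value)
    dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if m.group(2):
        dt += timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))
    return dt


def parse_record(xml_text):
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "time": parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "data": data,
    }


def logon_timeline(records, include_noise=False):
    """Turn 4624/4625 records into who/how/from-where rows, oldest first."""
    rows = []
    for xml_text in records:
        rec = parse_record(xml_text)
        if rec["event_id"] not in (4624, 4625):
            continue
        d = rec["data"]
        logon_type = int(d.get("LogonType", 0))
        user = d.get("TargetUserName", "")
        # Service logons and machine accounts (name ends in $) rarely describe a person.
        if not include_noise and (logon_type == 5 or user.endswith("$")):
            continue
        sub = d.get("SubStatus", "").lower()
        rows.append({
            "when": rec["time"],
            "computer": rec["computer"],
            "user": f"{d.get('TargetDomainName', '')}\\{user}",
            "logon_type": logon_type,
            "how": LOGON_TYPES.get(logon_type, f"type {logon_type}"),
            "source_ip": d.get("IpAddress", "-"),
            "workstation": d.get("WorkstationName", "-"),
            "outcome": "success" if rec["event_id"] == 4624
                       else "failure: " + FAILURE_REASONS.get(sub, sub or "?"),
        })
    rows.sort(key=lambda r: r["when"])
    for r in rows:
        r["time"] = r.pop("when").isoformat()
    return rows


def make_record(event_id, system_time, **fields):
    """Build a constructed Security-log record in the EVTX XML schema."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    ns = NS["e"]
    return (f'<Event xmlns="{ns}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><Channel>Security</Channel>'
            f'<TimeCreated SystemTime="{system_time}"/><Computer>WKS01.victim.example</Computer>'
            f'</System><EventData>{data}</EventData></Event>')


SAMPLE_RECORDS = [  # constructed; deliberately out of chronological order
    make_record(4624, "2013-12-10T20:15:02.0000000Z", TargetUserName="jdoe",
                TargetDomainName="VICTIM", LogonType=7, IpAddress="-", WorkstationName="WKS01"),
    make_record(4624, "2013-12-10T13:02:11.0000000Z", TargetUserName="jdoe",
                TargetDomainName="VICTIM", LogonType=2, IpAddress="-", WorkstationName="WKS01"),
    make_record(4624, "2013-12-10T13:02:12.0000000Z", TargetUserName="WKS01$",
                TargetDomainName="VICTIM", LogonType=5),
    make_record(4625, "2013-12-10T19:01:20.5000000Z", TargetUserName="administrator",
                TargetDomainName="WKS01", LogonType=3, IpAddress="203.0.113.77",
                WorkstationName="ATTACKER-PC", Status="0xc000006d", SubStatus="0xc000006a"),
    make_record(4624, "2013-12-10T19:01:33.1234567Z", TargetUserName="administrator",
                TargetDomainName="WKS01", LogonType=10, IpAddress="203.0.113.77",
                WorkstationName="ATTACKER-PC"),
]

if __name__ == "__main__":
    for row in logon_timeline(SAMPLE_RECORDS):
        print(row["time"], row["user"], row["how"], row["source_ip"], row["outcome"])
```

The same XML is what a tool exports from an .evtx file or what `wevtutil qe Security /f:xml` prints on a live system; on XP the equivalent records are the 528/540 (success) and 529 (failure) events in the .evt file, with the logon type in the same position of the message.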

Chad Tilbury
Mon Dec 16th, 2013
9:00 AM - 5:00 PM


Focus: Internet Explorer and Firefox Browser Digital Forensics. Learn how to examine exactly what an individual did while surfing via their web-browser. The results will give you pause the next time you use the web.

With the increasing use of the web and the shift toward cloud computing using web-based applications, browser forensic analysis has become an essential skill for the investigator. The investigator will explore the comprehensive web browser evidence created during the use of Internet Explorer and Firefox. The analyst will learn how to examine cookies, history, and Internet cache files on the suspect's system. We will show you where to find these files and the common mistakes amateur investigators make when looking at browser artifacts.

Throughout the section, the investigator will apply these skills in real hands-on cases, exploring evidence created by Firefox, Internet Explorer, and the Windows operating system.

  • Track a suspect's activity in browser history and cache files
  • Examine which files a suspect downloaded
  • Determine URLs that suspects typed, clicked on, bookmarked, or merely popped up while they were browsing.

CPE/CMU Credits: 6


Browser forensics

  • History
  • Cache
  • Searches
  • Downloads
  • Understanding of browser timestamps
  • Internet Explorer 6, 7, 8, and 9

IE Key forensic file locations

  • History Index.dat (master, daily, weekly) timestamps
  • Cache Index.dat timestamps
  • InPrivate browsing
  • IE8/IE9 recovery folder analysis

Firefox 2-5

  • FF2 and FF3-5 key forensic file locations
  • Mork format and .sqlite files
  • Download history
  • Cache examinations
  • Typed URLs
  • FF3+ recovery data analysis
  • Private browsing
  • Session Recovery

Examination of browser artifacts

  • Flash cookie files
  • DOM objects
  • Super cookies

Tools used

  • MANDIANT Inc.'s Web Historian
  • Access Data's FTK
  • FoxAnalysis
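Firefox 3 and later keep history in the places.sqlite database, where moz_places holds one row per URL and moz_historyvisits one row per visit with a PRTime timestamp (microseconds since the Unix epoch), a visit_type that separates typed, clicked, bookmarked, and downloaded URLs, and a from_visit link to the referring visit. The script below is an added example, not the course's own code: it builds a constructed in-memory database with the relevant subset of that schema, queries it into a timeline with referrers and search terms, and includes converters for the three timestamp formats an examiner meets in this section (Firefox PRTime, Chrome WebKit time, and the FILETIME used in Internet Explorer's index.dat). The URLs and titles are invented.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime_to_utc(value):      # Firefox places.sqlite: microseconds since 1970-01-01 UTC
    return EPOCH_1970 + timedelta(microseconds=value)


def webkit_to_utc(value):      # Chrome History: microseconds since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=value)


def filetime_to_utc(value):    # IE index.dat / Windows: 100-ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def utc_to_prtime(dt):
    return (dt - EPOCH_1970) // timedelta(microseconds=1)


# moz_historyvisits.visit_type values used by Firefox
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed", 5: "redirect_permanent",
               6: "redirect_temporary", 7: "download", 8: "framed_link"}

# Subset of the real places.sqlite schema, enough for the query below
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
    visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0, typed INTEGER DEFAULT 0,
    last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
    place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
"""

TIMELINE_SQL = """
SELECT v.visit_date, p.url, p.title, v.visit_type, p.hidden, ref.url
FROM moz_historyvisits v
JOIN moz_places p ON p.id = v.place_id
LEFT JOIN moz_historyvisits fv ON fv.id = v.from_visit
LEFT JOIN moz_places ref ON ref.id = fv.place_id
ORDER BY v.visit_date
"""


def search_terms(url):
    """Pull the query out of common search-engine URLs (q= for Google/Bing, p= for Yahoo)."""
    query = parse_qs(urlsplit(url).query)
    return (query.get("q") or query.get("p") or [None])[0]


def history_timeline(conn, include_hidden=False):
    rows = []
    for visit_date, url, title, visit_type, hidden, referrer in conn.execute(TIMELINE_SQL):
        if hidden and not include_hidden:
            continue  # frames and pixels the browser itself hides from the user
        rows.append({
            "time": prtime_to_utc(visit_date).isoformat(),
            "url": url,
            "title": title,
            "how": VISIT_TYPES.get(visit_type, f"type {visit_type}"),
            "referrer": referrer,
            "search": search_terms(url),
        })
    return rows


def build_sample_db():
    """Constructed places.sqlite in memory (not a real profile)."""
    t0 = datetime(2013, 12, 10, 19, 22, 11, tzinfo=timezone.utc)
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    places = [  # (id, url, title, hidden)
        (1, "https://www.google.com/search?q=how+to+wipe+a+hard+drive",
         "how to wipe a hard drive - Google Search", 0),
        (2, "https://example.org/secure-erase-guide", "Secure erase guide", 0),
        (3, "https://ads.example.net/frame.html", None, 1),
        (4, "https://example.org/files/eraser.zip", None, 0),
    ]
    conn.executemany("INSERT INTO moz_places (id, url, title, hidden) VALUES (?, ?, ?, ?)", places)
    visits = [  # (id, from_visit, place_id, visit_date, visit_type)
        (1, 0, 1, utc_to_prtime(t0), 2),                              # typed the search
        (2, 1, 2, utc_to_prtime(t0 + timedelta(seconds=30)), 1),      # clicked a result
        (3, 2, 3, utc_to_prtime(t0 + timedelta(seconds=31)), 8),      # hidden framed content
        (4, 2, 4, utc_to_prtime(t0 + timedelta(seconds=90)), 7),      # downloaded from the guide
    ]
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)", visits)
    return conn


if __name__ == "__main__":
    for row in history_timeline(build_sample_db()):
        print(row["time"], row["how"], row["url"], "<-", row["referrer"])
```

Run against a copy of the profile's places.sqlite (never the live file, and copy the -wal/-journal files with it), the same query reconstructs the click path; the timestamp converters are the usual source of off-by-years mistakes when an examiner applies the IE epoch to a Firefox value or the other way round.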


Chad Tilbury
Tue Dec 17th, 2013
9:00 AM - 5:00 PM


Focus: This section revolves around the Windows Vista/7-based Digital Forensic Challenge. There has been a murder-suicide and you are the investigator assigned to process the hard drive. The section is a capstone for every artifact discussed in the class. You will use this section to consolidate the skills that you have learned over the past week.

Nothing will prepare you more as an investigator than a full hands-on challenge that requires you to use the skills and knowledge presented throughout the week. In the morning, you will have the option to work in teams on a real forensic case in which evidence will be provided to you to analyze. The case will step you through proper acquisition, analysis, and reporting in preparation for a possible trial. All the teams will work on the case with the objective of discovering critical pieces of evidence to present during the trial.

The complex case presented will involve an investigation of one of the most recent versions of the Windows Operating System. The evidence is real and provides the most realistic training opportunity currently available. Solving the case will require that students use the skills from each of the previous sections.

The section will conclude with a mock trial involving presentations of the evidence collected. The team with the best in-class presentation and short write-up wins the challenge ... and the case!

  • Windows 7/Vista-Based Forensic Challenge
  • Mock Trial

CPE/CMU Credits: 6

  • Digital Forensic Case
    • Analysis
      • Following evidence analysis methods discussed throughout the week, find critical evidence.
      • Examine registry, e-mail, recovered files, and more.
    • Reporting
      • Select and submit the top three pieces of evidence discovered and discuss what they prove factually.
      • One of the submitted pieces of evidence will be documented for potential examination during the mock trial.
  • Mock Trial
    • Each team will be asked to prepare:
      • Executive Summary
      • Short Presentation
      • Conclusion
    • The team voted to have the best argument and presentation proving their case will win the challenge.

Additional Information


A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

You can use any 64-bit version of Windows, Mac OS X, or Linux as your core operating system, provided it can install and run VMware virtualization products.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 10, VMware Fusion 6.0, or VMware Player 6.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site.

VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.


  • CPU: 64-bit Intel® x64 2.0+ GHz or faster processor (important: a 64-bit processor is mandatory for this class)
  • 8 GB of RAM minimum (more is strongly recommended to get the most out of the course)
  • Ethernet CAT5 Networking Capability Recommended or Wireless 802.11 B/G/N
  • DVD/CD Combo Drive
  • USB 2.0 or higher Port(s)
  • 200 Gigabyte Host System Hard Drive minimum
  • 100 Gigabytes of Free Space on your System Hard Drive
  • The student should have the capability to have Local Administrator Access within their host operating system



  1. Microsoft Office (any version) w/Excel or OpenOffice w/Calc installed on your host - Note you can download Office Trial Software online (free for 60 days)
  2. Install VMware Workstation 10, VMware Fusion 6.0, or VMware Player 6.0 (higher versions are OK)
  3. Download and install Winzip or 7Zip


  • One USB Thumb Drive (2-4 GB in size)
  • One External USB 2.0 or Firewire Hard Drive (Formatted NTFS)
  • One 3.5 inch IDE or SATA hard disk drive from:
    • Hard drive purchased from EBAY or craigslist
    • Hard drive from used PC at home/work
    • Local computer show
    • New/Old hard drive from any computer store
    • During an image acquisition exercise, we use the used drive for imaging only


  1. Bring the proper system hardware (64-bit CPU and the RAM specified above) and operating system configuration
  2. Install VMware (Workstation, Player, or Fusion), MS Office, and 7zip
  3. Bring the proper mandatory additional items

If you have additional questions about the laptop specifications, please contact

  • Information technology professionals who wish to learn the core concepts of computer forensics investigations.
  • Incident response team members who are new to responding to security incidents and need to use computer forensics to help solve their cases.
  • Law enforcement officers, federal agents, or detectives who want to become a subject matter expert on computer forensics for Windows-based operating systems.
  • Media exploitation analysts who need to master tactical exploitation and document and media exploitation (DOMEX) operations on systems used by an individual. Attendees will be able to specifically determine how individuals used a system, who they communicated with, and the files that were downloaded, edited, and deleted.
  • Information technology lawyers and paralegals who want a formal education in digital forensic investigations.
  • Anyone interested in computer forensic investigations who has a background in information systems, information security, and computers

What you will learn

  • Perform proper Windows forensic analysis by applying key analysis techniques covering Windows XP through Windows 8
  • Use full-scale forensic tools and analysis methods to detail every action a suspect accomplished on a Windows system, including how and who placed an artifact on the system, program execution, file/folder opening, geo-location, browser history, profile USB device usage, and more
  • Uncover the exact time that a specific user last executed a program through Registry analysis, Windows artifact analysis, and e-mail analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker breached systems, and traditional crimes
  • Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), e-mail analysis, and Windows Registry parsing
  • Use automated analysis techniques via AccessData's Forensic ToolKit (FTK)
  • Identify keywords searched by a specific user on a Windows system in order to pinpoint the files and information that the suspect was interested in finding and to accomplish damage assessments
  • Use shellbags analysis tools to articulate every folder and directory that a user opened up while browsing the hard drive
  • Determine each time a unique and specific USB device was attached to the Windows system, the files and folders that were accessed on it, and who plugged it in by parsing key Windows artifacts such as the Registry and log files
  • Learn event log analysis techniques and use them to determine when and how users logged into a Windows system via a remote session, at the keyboard, or simply by unlocking their screensaver
  • Determine where a crime was committed using FTK Registry Viewer to pinpoint the geo-location of a system by examining connected networks, browser search terms, and cookie data
  • Use Mandiant Web Historian, parse raw SQLite databases, and leverage browser session recovery artifacts and flash cookies to identify web activity of suspects, even if privacy cleaners and in-private browsing are used.

"This is a very high intensity course with extremely current course material that is not available anywhere else in my experience." - Alexander Applegate, Auburn University

"Best forensics class I've had yet (and pretty much the only one that gives you some sort of framework on HOW to attack an exam)." - Det. Juan C. Marquez, Prince William County Police Dept

"Hands down the BEST forensics class EVER!! Blew my mind at least once a day for 6 days!" -Jason Jones, USAF

Course Review: SANS FOR408 Computer Forensic Investigations - Windows In-Depth

"I took SANS FOR408 Windows Forensics and the learning opportunity was second to none. Anyone looking for a first rate forensics class that you can immediately take back to the real world and apply to their job needs to take at least one class from SANS in their lifetime. Whatever the cost may be to you, if forensics is a career priority to you, then you need to take at least one forensics class from SANS." - Chris Nowell - Information Security Architect, Airlines Reporting Corporation (ARC)

"As a member of the IR team, this course will aid in investigating compromised hosts." - Mike Piclher, URS Corp

"FOR408 is based on real scenarios that are likely to occur again. The most up-to-date training I have received." - Martin Heyde, UK Ministry of Defence

"Best forensics course I've taken to date. Vast amounts of information." - Ellen Clark, FBI

"Call me a geek, but this is FUN!" - Frank Dixon, The Babcock & Wilcox Company

"Overall the course continues to be chockfull of megalicious forensicness. Thank a bunch for the key knowledge." - Vincent Bryant, Blue Cross Blue Shield of Tennessee

"If you weren't interested in forensics before, you will be after this class. For those who already love it, it's reassurance that you're doing the right thing with your life." - Cleora Madison, Walt Disney Theme Parks and Resorts

"The Registry labs are invaluable. I learned more in this class about registry than in 10 years at work. Thanks!" - Michael Mimo, JP Morgan

"I was really looking forward to Windows in-depth and that's exactly what we're getting!" - Joshua Hoover, Charles Schwab

"I have been using forensics tools for years. I never professed to 'know it all'; however, I did not expect to learn as much as I did." - Jody Hawkins, Cook Children's Health Care System

"I really appreciate the prebuilt and configured SIFT workstation. The FOR408 class materials and instruction were outstanding." - Clint Modesitt, LSUHSC

"FOR408 is absolutely necessary for any computer forensic type career. Excellent information!" - Rebecca Passmore, FBI

Author Statement

After 27 years in law enforcement, three capabilities immediately rise to the top of my list when I think of what makes a great digital forensic analyst: superior technical skill, sound investigative methodology, and the ability to overcome obstacles. SANS FOR408: Windows In-Depth was designed to impart these critical skills to the students. Unlike many other training courses that focus on teaching a single tool, FOR408 provides training on many tools. While there are some really exceptional tools available, we feel that all forensic analysts need a variety of tools in their arsenal to be able to pick and choose the best tool for each task. However, we also understand that forensics analysts are not great because of the tool(s) they use, but because they artfully apply the right investigative methodology to each analysis. A carpenter can be a master with all his tools and still not know how to build a house. FOR408 teaches students to apply digital forensic methodologies to a variety of case types and situations, allowing them to apply in the real world the right methodology to achieve the best outcome. Finally, the course teaches and demonstrates the problem-solving skills necessary to be a truly successful forensic analyst. Almost immediately after starting your forensic career, you will find out that each forensic analysis presents its own unique challenges. A technique that worked flawlessly for previous examinations may not work for the next one. A good forensic analyst must be able to overcome obstacles through advanced troubleshooting and problem-solving. FOR408 gives students the foundation to solve future problems, overcome obstacles, and become great forensic analysts. No matter if you are new to the forensic community or have been doing forensics for years, FOR408 is a must-have course.

- Ovie Carroll

Former students have contacted me regularly about how they were able to use their digital forensic skills in very real situations that were part of the nightly news cycle. The skills you learn in this class are used directly to stop evil. Graduates of Computer Forensics Windows In-Depth are the front-line troops deployed when you need accurate digital forensic and media exploitation analysis. From analyzing terrorist laptops to investigating insider intellectual property theft and fraud, SANS digital forensic graduates are battling and winning the war on crime and terror. Graduates have directly contributed to solving some of the toughest cases out there because they learn how to conduct analysis and run investigations properly. It brings me great comfort knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign attacks. Graduates are doing just that on a daily basis. I am proud that the SANS FOR408 course helped prepare them to fight and solve crime.

- Rob Lee

Computer forensics has never been more in demand than it is today. Zettabytes of data are created yearly, and forensic examiners will increasingly be called in to separate the wheat from the chaff. For better or worse, digital artifacts are recorded for almost every action, and the bar has been raised for investigators working to repel computer intrusions, stop intellectual property theft, and put bad actors in jail. We wrote this course as the forensics training we wish would have been available early in our careers. Keeping up with the cutting edge of forensics is daunting, but with frequent updates, I am confident this course provides the most up-to-date training available, whether you are just starting out or are looking to add new skills to your forensic arsenal.

- Chad Tilbury