3 Days Left to Save $400 on SANS Security East 2016

CyberCon 2012

Online | Mon, Oct 8 - Sat, Oct 13, 2012

FOR408: Computer Forensic Investigations - Windows In-Depth

This is a very high-intensity course with extremely current course material that is not available anywhere else in my experience.
Alexander Applegate, Auburn University

This is by far the best training I have ever had. My forensic knowledge increased more in the last 5 days than in the last year.
Vito Rocco, UNLV

Master computer forensics. Learn critical investigation techniques. With today's ever-changing technologies and environments, it is inevitable that every organization will deal with cybercrime including fraud, insider threats, industrial espionage, and phishing. In addition, government agencies are now performing media exploitation to recover key intelligence kept on adversary systems. In order to help solve these cases, organizations are hiring digital forensic professionals and calling cybercrime law enforcement agents to piece together what happened in these cases.

FOR408: Computer Forensic Investigations - Windows In-Depth focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

This course covers the fundamental steps of the in-depth computer forensic and media exploitation methodology so that each student will have the complete qualifications to work as a computer forensic investigator in the field helping solve and fight crime. In addition to in-depth technical digital forensic knowledge on Windows Digital Forensics (Windows XP through Windows 7 and Server 2008) you will be exposed to well known computer forensic tools so such as Access Data's Forensic Toolkit (FTK), Guidance Software's EnCase, Registry Analyzer, FTK Imager, Prefetch Analyzer, and much more. Many of the tools covered in the course are freeware, comprising a full-featured forensic laboratory that students can take with them.

FOR408: Computer Forensic Investigations - Windows In-Depth is the first course in the SANS Computer Forensic Curriculum. If this is your first computer forensics course with SANS we recommend that you start here.


Computer Forensic Investigations - Windows In-Depth course topics

  • Windows File System Basics
  • Evidence Acquisition Tools and Techniques
  • Law Enforcement Bag and Tag
  • Evidence Integrity
  • Registry Forensics

Windows Artifact Analysis

  • Facebook, Gmail, Hotmail, Yahoo Chat and Webmail Analysis
  • E-mail Forensics (Host, Server, Web)
  • Microsoft Office Document Analysis
  • Windows Link File Investigation
  • Windows Recycle Bin Analysis
  • File and Picture Metadata Tracking and Examination
  • Prefetch Analysis

  • Event Log File Analysis
  • Firefox and Internet Explorer Browser Forensics
  • Deleted File Recovery
  • String Searching and Data Carving
  • Examine cases involving Windows XP, VISTA, and Windows 7

Media Analysis And Exploitation Involving:

  • Tracking user communications using a windows PC (email, chat, IM, webmail)
  • Tell if and how the suspect downloaded a specific file to the PC
  • Determine the exact time and the number of times a suspect executed a program
  • Show when any file was first and last opened by a suspect
  • Determine if a suspect had knowledge of a specific file
  • Show the exact physical location of the system
  • USB device tracking and analysis
  • Show how the suspect logged into the machine via the console, RDP, or network
  • Recover and examine browser artifacts even those used in private browsing mode
  • Fully Updated to include full Windows 7 and Server 2008 Examinations

Course Syllabus
Course Contents InstructorsSchedule
9:00 AM - 5:00 PM CT

Focus: Investigations begin with a firm knowledge in proper evidence acquisition and analysis. Digital Forensics is more than just using a tool that automatically recovers data. Digital Forensics requires analytical skills. Today you will learn how the professionals accomplish digital forensics.

At the beginning, investigating a case would appear to be a daunting task. The hardest part of forensics is not recovering data, but understanding how the recovered evidence could prove a case. Starting on this day, students are familiarized with fundamental forensic topics that every investigator should know.

Securing or "Bagging and Tagging" digital evidence can be tricky. Each computer forensic examiner should be familiar with different methods of successfully acquiring it, maintaining the integrity of the evidence. Starting with the foundations from law enforcement training in proper evidence handling procedures, you will learn firsthand the best methods for acquiring evidence in a case. You will utilize the Tableau T35es write blocker, part of your SIFT Essentials kit, to obtain evidence from a hard drive using the most popular tools utilized in the field. You will learn how to utilize toolkits to obtain memory, encrypted or unencrypted hard disk images, or protected files from a computer system that is running or powered off.

CPE/CMU Credits: 6


Purpose of forensics

  • Investigative Mindset
  • Focus on the Fundamentals

Evidence fundamentals

  • Admissibility
  • Authenticity
  • Threats against Authenticity

Reporting and presenting evidence

  • Taking Notes
  • Report Writing Essentials
  • Best Practices for Presenting Evidence

Evidence acquisition basics

  • Tableau Write Blocker utilization
  • Access Data's FTK Imager
  • Access Data's FTK Imager Lite

Preservation of evidence

  • Chain of custody
  • Evidence Handling
  • Evidence Integrity

Types of acquisition

  • Logical vs. physical
  • Basic Windows Memory Acquisition
  • Basic Disk Based Acquisition
  • E-discovery Acquisition

Forensic field kits

  • Adapters/Cables
  • Write Blockers
  • Laptops/Handheld Imagers

Full disk image acquisition tools and techniques

  • Seize Evidentiary Image of a USB Device
  • Seize Evidentiary Image From a Hard Drive

  FOR408.2: Core Windows Forensics Part I - String Search, Data Carving, and Email Forensics Ovie Carroll Tue Oct 9th, 2012
9:00 AM - 5:00 PM CT

Focus: Moving quickly from evidence acquisition, you will begin your investigation using cutting-edge tools that the pros use. Host, server, and webmail forensics the investigator will learn how to recover and analyze the most popular form of communication.

The day will begin with the analysis of electronic evidence using commercial and freely available toolkits packaged into the Windows SIFT Workstation. You will learn how to recover deleted data from the evidence, perform string searches against it using a word list, and begin to piece together the events that shaped the case. Today's course is critical to anyone performing digital forensics to learn the most up-to-date techniques of acquiring and analyzing digital evidence.

Email Forensics: Investigations involving email occur every day. However, email examinations require the investigator to pull data locally, from an email server, or even recover web-based email fragments from temporary files left by a web browser. Email has become critical in a case and the investigator will learn the critical steps needed to investigate Outlook, Exchange, Webmail, and even Lotus Notes email cases.

This course is very hands-on. Each investigator will acquire a disk image and begin analysis on a case that will utilize the skills presented throughout the day. This course is necessary for anyone looking to put to practice the skills they are learning daily.

CPE/CMU Credits: 6


Forensic tools

  • Access Data's Forensic Tool Kit (FTK)
  • Guidance Software's EnCase
  • Freeware/Open source capabilities

Traditional tasks utilized using the forensic tools

  • Triage techniques
  • String/file searches
  • Automated forensics
  • Browsing disks

Recover deleted files

  • Automated recovery
  • String searches
  • Dirty word searches

Email forensics

  • How email works
  • Locations
  • Examination of email
  • Types of email formats

Microsoft Outlook/Outlook Express

  • Web based mail
  • Microsoft Exchange
  • Lotus Notes
  • Email analysis
  • Email searching and examination

Day 2 exercises

  • Recover deleted files
  • Search for files or emails containing specific words related to a case
  • Find email evidence sent to a specific email and IP addresses
  • Detect phishing emails

  FOR408.3: Core Windows Forensics Part II - Registry and USB Device Analysis Ovie Carroll Wed Oct 10th, 2012
9:00 AM - 5:00 PM CT

Focus: Focus on Windows XP, Vista, and Windows 7 Registry Analysis and USB Device Forensics.

Each examiner will learn how to examine the Registry to obtain user profile data and system data. The course will also teach each forensic investigator how to show that a specific user performed key word searches, ran specific programs, opened saved files, and then list the most recent items that were used. Finally, USB Device investigations are becoming more and more a key part of performing computer forensics. We will show you how to perform in-depth USB device examinations on Windows 7, Vista, and Windows XP machines.

CPE/CMU Credits: 6


Registry Forensics in-depth

Registry basics

  • Hives, keys, and values
  • Registry last write time
  • MRU lists

Profile users and groups

  • Discover usernames and the SID mapped to them
  • Last login
  • Last failed login
  • Logon count
  • Password policy

Core system information

  • Identify current control set
  • System name and version
  • Timezone
  • Local IP Address info
  • Wireless/Wired/3G Networks
  • Network shares
  • Last shut down time

User forensic data

  • Evidence of program execution
  • Evidence of file download
  • Evidence of file and folder access (Shellbag)
  • XP and Win7 search history
  • Typed URLS
  • Recent documents
  • Open-> Save/Run dialog boxes
  • Application execution history (UserAssist)

USB device forensic examinations

  • Vendor/Make/Version
  • Unique serial number
  • Last drive letter
  • Volume name and serial number
  • The username that used the USB Device
  • Time of first use of USB device
  • Time of first use of USB device after last reboot
  • Time of last use of USB device

Tools utilized

  • Regripper
  • Access Data's Registry Viewer
  • YARU (Yet Another Registry Utility)

Day 3 exercises

  • Profile a computer system using evidence found in the registry.
  • Profile a user's activities using evidence found in the registry.
  • Track USB devices that were connected to the system via the registry and filesystem
  • Recover critical user data from the pagefile, memory images, and unallocated space

  FOR408.4: Core Windows Forensics Part III - Artifact and Log File Analysis Michael Murr Thu Oct 11th, 2012
9:00 AM - 5:00 PM CT

Focus: Suspects unknowingly create hundreds of files that link back to their actions on a system. Learn how to examine key files such as link files, the windows prefetch, pagefile/system memory, and more. The latter part of the day will center on examining the Windows log files and the usefulness in both simple and complex cases.

Continuing from the previous day, the investigator will initially focus on key files found on the Windows operating system that contains evidence. We start with examining the pagefile, system memory, and unallocated space, all difficult to access locations that could offer the critical piece of your case. These files could be especially important to an investigation, providing key evidentiary links to pictures, printed office documents, or files that were saved to a removable device.

Windows Log File analysis has solved more cases than possibly any other type of analysis. Understanding the locations and content of these files is crucial to the success of any type of investigator. Many overlook these files as they do not have adequate knowledge or tools to get the job done. The last part of the day will arm each investigator with core knowledge and capability that will enable them to maintain this crucial skill for many years to come.

CPE/CMU Credits: 6


Memory, Pagefile, and unallocated space analysis

  • Artifact recovery and examination
  • Facebook live, MSN Messenger, Yahoo, AIM, GoogleTalk chat
  • IE8/IE9 InPrivate/Recovery URLs
  • Yahoo, Hotmail, Gmail Webmail email

Forensicating files containing critical digital forensic evidence

  • Office Documents (2000-2007, doc, and .docx)
  • Adobe files
  • Exif data including GPS coordinates
  • Link/shortcut files (.lnk)
  • Windows 7 jump lists
  • XP Thumbs.db and Vista / Win7 Thumbscache files
  • Internet chat programs (Skype/AIM/MSN)
  • Windows Prefetch analysis (XP/Vista/Win7)
  • Windows Recycle Bin analysis (XP/Vista/Win7)

Windows event log digital forensic analysis

  • Which Windows events matter to a digital forensic investigator
  • EVT log files
  • EVTX log files

Day 4 exercises

  • Recycle Bin analysis
  • Shortcut (LNK) file analysis
  • Prefetch folder analysis
  • Find and examine various logfiles from hosts and servers to determine critical case details

  FOR408.5: Core Windows Forensics Part IV - Web Browser Forensics Michael Murr Fri Oct 12th, 2012
9:00 AM - 5:00 PM CT

Focus: Internet Explorer and Firefox Browser Digital Forensics. Learn how to examine exactly what an individual did while surfing via their web-browser. The results will give you pause the next time you use the web.

With the increasing use of the web and the shift toward cloud computing using web-based applications, it is essential that browser forensic analysis is key to the investigator's skills. The investigator will explore comprehensive web browser evidence created during the use of Internet Explorer and Firefox. The analyst will learn how to examine cookies, history, and Internet cache files of the suspect's system. We will show you where you can examine these files and the common mistakes amateur investigators make when looking at browser artifacts.

Throughout the day, the investigator will utilize their skills in real hands-on cases, exploring evidence created by Firefox and Internet Explorer and Windows OS artifacts.

CPE/CMU Credits: 6


Browser forensics

  • History
  • Cache
  • Searches
  • Downloads
  • Understanding of browser timestamps
  • Internet Explorer 6, 7, 8, and 9

IE Key forensic file locations

  • History Index.dat (master, daily, weekly) timestamps
  • Cache Index.dat timestamps
  • InPrivate browsing
  • IE8/IE9 recovery folder analysis

Firefox 2-5

  • FF2 and FF3-5 key forensic file locations
  • Mork format and .sqlite files
  • Download history
  • Cache examinations
  • Typed URLs
  • FF3+ recovery data analysis
  • Private browsing
  • Session Recovery

Examination of browser artifacts

  • Flash cookie files
  • DOM objects
  • Super cookies

Tools used

  • MANDIANT Inc.'s Web Historian
  • Access Data's FTK
  • FoxAnalysis

Day 5 exercises

  • Track a suspect's activity in browser history and cache files
  • Examine which files a suspect downloaded
  • Determine URLs a suspect type, click on, bookmark, or merely pop-up while they were browsing

  FOR408.6: Digital Forensic Challenge and Mock Trial Michael Murr Sat Oct 13th, 2012
9:00 AM - 5:00 PM CT

Focus: Windows Vista/7 Based Digital Forensic Challenge. There has been a murder-suicide and you are the investigator assigned to process the hard drive. This day is a capstone for every artifact discussed in the class. You will use this day to solidify your skills that you have learned over the past week.

Nothing will prepare you more than a full hands-on challenge utilizing the skills and knowledge presented throughout the week. In the morning, you will have the option of working in teams on a real forensic case in which evidence will be provided to you to analyze. The case will step you through proper acquisition, analysis, and reporting in preparation for a possible trial. Every team will work on the case for the majority of the day with the objective of discovering critical pieces of evidence to present during the trial.

The case presented is a complex murder case based that will engage the individual to examine one of the most recent versions of the Windows Operating System released. The case took 3 weeks to create following a script that lays out the key parts of the case in correct time sequence to make for the most realistic training opportunity available. The case will utilize skills from each of the previous days in order to solve the case.

The day will conclude with a mock trial in which presentations of the collected evidence will occur. The team with the best in-class presentation and short write-up will win the challenge and the case.

CPE/CMU Credits: 6


Digital Forensic Case


Following evidence analysis methods discussed throughout the week, find critical evidence.

Teams will examine registry, email, recovered files and more for use in the case.


  • Focus and submit the top three pieces of evidence discovered, and discuss what they prove factually.
  • One of the submitted pieces of evidence will be documented for potential examination during the mock trial.

Mock Trial

Each team would be asked to prepare an

  • Executive Summary
  • Short Presentation
  • Conclusion

The team voted with the best argument and presentation to prove their case will win the challenge.

Day 6 exercises

  • Windows 7/Vista Based Forensic Challenge
  • Mock Trial

Additional Information
  Laptop Required


Download Laptop Requirements:

A properly configured computer system is required for each student participating in this course. Before coming to class, download the forensic installation document that will describe the steps in detail to follow to complete the installation. If you do not carefully read and follow these instructions exactly, you are guaranteed to leave the course unsatisfied since you will not be able to accomplish many of the in-class exercises.

You will use VMware with preconfigured virtual forensic workstation built in a Windows 7 Home Premium environment that will enable you to perform hands-on analysis during class. You must download and install VMware Workstation 7, VMware Fusion 4.0, or VMware Player 4.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player is a free download.


Very Important: Student must bring a Retail, OEM, or MSDN Microsoft Windows 7 Home Premium License Key with them to class at the beginning of the first day.

  • Do not bring a license key that is already in use on another system as it will likely not work.
  • You can purchase licenses from http://www.microsoftstore.com
  • The key will look like XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
  • Corporate, Site, Volume, and Group Licenses are not acceptable as they will fail the Windows Genuine Advantage Test.



  • CPU: 64bit based 2.0 GHz or higher CPU is required (Multi-Core recommended)
  • DVD/CD Combo Drive
  • Wireless 802.11 B/G/N Networking Capability
  • 4 Gigabyte of RAM minimum (More RAM is recommended)
  • 100 Gigabytes of free space on your Host System Hard Drive
  • Microsoft Office (any version) w/Excel or OpenOffice w/Calc installed on your host


  • One External USB 2.0 or Firewire Hard Drive (Formatted NTFS)
  • Large Capacity 150GB or larger preferred
  • One USB Thumb Drive (2-4 GB in size)
  • One new, old, used, or out-of-computer IDE, SATA, or laptop hard disk drive from:
  • Hard drive purchased from EBAY or craigslist
  • Hard drive from used PC at home/work
  • Local computer show
  • New/Old hard drive from any computer store
  • During an image acquisition exercise, we use the drive for imaging only


  • Download Laptop Requirements:
  • Write down and bring with you a MS Windows 7 Home Premium License Key (XXXXX-XXXXX-XXXXX-XXXXX-XXXXX)
  • Bring the proper laptop hardware and software configuration
  • Install VMware Workstation, Player, or Fusion
  • Bring the proper mandatory additional items

FOR408 Laptop Setup F.A.Q. (Frequently Asked Questions)

  1. Can I use Win7 Professional or Ultimate for the class? No, only Win7 Home Premium will work.
  2. Where can I purchase the license online without having to head to the store? Will any retail version of Win7 Home Premium work? You can also purchase or bring licenses from Microsoft Store, or MSDN. Overall, any retail version of Win7 Home Premium will work.
  3. My company already has Win7 Professional Site license, can I use that license? Unfortunately, even though your organization might have a site license, we would still need you to bring a separate retail license. Retail licenses and Site/Enterprise licenses are incompatible.
  4. Why don't you include the Win7 Home Premium license in the class even if it increased the price of the course? When we have asked previous classes, many students had a license already and did not want to spend money on another copy. It was overwhelming in favor that each student should bring his or her own version as a result. We are looking at ways in the future to have an optional purchase of the license. But in the meantime, you can purchase the Win7 Home Premium online at the Microsoft online store.
  5. My company refuses to pay for Win7 Home Premium license because we have a site license, what options do I have? With a Site/Enterprise license each organization gets access to MSDN. I guarantee the Win7 Home Premium keys are probably not in use. I recommend calling your IT Support and asking to bring one of the MSDN Win7 Home Premium keys with you.
  6. I have a workstation already installed with Win7 Home Premium; can I use the license key with two computers? No, it will not work.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  Who Should Attend
  • Information technology professionals who wish to learn the core concepts in computer forensics investigations
  • Incident Response Team Members who are new to responding to security incidents and need to utilize computer forensics to help solve their cases
  • Law enforcement officers, federal agents, or detectives who desire to become a subject matter expert on computer forensics for Windows based operating systems
  • Media Exploitation Analysts who need to master Tactical Exploitation and Document and Media Exploitation (DOMEX) operations on systems used by an individual. They will be able to specifically determine how the individual used their system, who they communicated with, and files they have downloaded, edited, or deleted.
  • Information security managers who need to understand digital forensics in order to understand information security implications and potential litigation related issues or manage investigative teams
  • Information technology lawyers and paralegals who desire to have a formal education in digital forensic investigations
  • Anyone interested in computer forensic investigations with a background in information systems, information security, and computers
  Why Take This Course?


  What You Will Receive
  • Windows version of the SIFT Workstation Virtual Machine
  • License to FTK and EnCase for 3 months
  • Write Blocker Kit

    • SATA/IDE Write Blocker with cables and power adapter
  • Course DVD loaded with case examples, tools, and documentation
  You Will Be Able To
  • Perform proper windows forensics analysis, deter- mine how and who placed an artifact on the system by applying key analysis techniques covering Windows XP through Windows 8
  • Use full scale forensic analysis tools and analysis methods to detail every action a suspect accomplished on a windows system, and determine program execution, file/folder opening, geo-location, browser his- tory, USB devices, and more.
  • Uncover the exact time that a specific user last executed a program over time that is key to proving intent in many cases such as intellectual property theft, hacker breached systems, and traditional crimes through registry analysis, windows artifact analysis, and email analysis.
  • Demonstrate every time a file has been opened by a suspect through IE browser forensics, shortcut file analysis (LNK), email analysis and registry parsing using regripper.
  • Using automated analysis techniques via AccessData's Forensic ToolKit (FTK), identify key words searched for by a specific user on a Windows system that can be used to identify files that the suspect was interested in finding.
  • Using shellbags analysis tools, articulate every folder and directory that a user opened up while he was browsing through their hard drive
  • Determine each time a unique and specific USB device is attached to the windows system, the files and folders that were accessed on it, and who plugged it in via tools parsing key Windows artifacts such as the registry and log files.
  • Using the Win8 SIFT Workstation, examine how a user logged into a Windows system through a remote session, at the keyboard, or simply unlocking their screensaver by viewing the logon types in the Windows security event logs.
  • Using FTK Registry Viewer, pinpoint geo-location of a windows system through the examination of the networks they have connected to, browser search terms, and cookie data to determine where a crime was committed.
  • Using Webhistorian, recover browser history of a suspect who has attempted to clear their trail using in-private browsing through the recovery of session restore points and flash cookies.

Author Statement

After 25 years in law enforcement, when I think of what makes a great digital forensic analyst, three things immediately rise to the top of my list. Superior technical skill, sound investigative methodology, and the ability to overcome obstacles. SANS FOR408, Windows In-Depth was designed around imparting these critical skills to the students. Unlike many other forensics training courses that focus on teaching a single tool, FOR408 provides training on many tools. While there are some really exceptional tools available, we feel every forensicator needs a variety of tools in their arsenal so they can pick and choose the best tool for each task. But we also understand that a great forensics analyst is not great because of the tool(s) they use; they are great because they artfully apply the right investigative methodology to each analysis. A carpenter can be a master with all his tools and still not know how to build a house. FOR408 is designed to teach and allow each student to apply digital forensic methodologies for a variety of case types and situations, allowing them to apply in the real world the right methodology to achieve the best outcome. Finally, this course is designed to teach and demonstrate problem-solving skills necessary to be a truly successful forensicator. Almost immediately after starting your forensic career, you learn each forensic analysis presents its own unique challenges. A technique that worked flawlessly in previous exams may not work in the next. A good forensicator must be able to overcome obstacles through advanced trouble shooting and problem solving. FOR408 gives students the foundation that will allow them to solve future problems, overcome obstacles and become great forensicators. No matter if you are new to the forensic community or have been doing forensics for years, FOR408 is a must have course. - Ovie Carroll

SANS COMPUTER FORENSICS GRADUATE THWARTS BANK HEIST. Headlines similar to these are now a reality as former students have emailed me regularly about how they were able to use their digital forensic skills in very real situations. Graduates of Computer Forensic Investigations - Windows In-Depth are the front line troops deployed when you need accurate digital forensic and media exploitation analysis. From analyzing terrorist laptops to investigating insider intellectual property theft and fraud, SANS digital forensic graduates are battling and winning the war on crime and terror. Graduates have directly contributed to solving some of the toughest cases out there because they learn how to conduct analysis and run investigations properly. Knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign attacks brings me great comfort. Graduates are doing it. Daily. I am proud that the this course at SANS helps prepare students to fight and solve crime. - Rob Lee

Computer forensics has never been more in demand than it is today. Zettabytes of data are created yearly, and forensic examiners will increasingly be called in to separate the wheat from the chaff. For better or worse, digital artifacts are recorded for almost every action, and the bar has been raised for those investigators working to repel computer intrusions, stop intellectual property theft, and put the bad guys in jail. We wrote this course as the forensics training we wish would have been available early in our careers. Keeping up with the cutting edge of forensics is daunting, and with frequent updates I am confident this course provides the most up to date training available -- whether you are just starting out or are looking to add to your forensic arsenal. - Chad Tilbury