FOR408: Windows Forensic Analysis
There's not a lot of courses that cover depth as well as the width of material. I think FOR408 (FOR500) strikes the right balance between the two.
I have been using forensics tools for years. I never professed to know it all; however, I did not expect to learn as much as I did.
Master Windows Forensics: What Do You Want to Uncover Today?
Every organization will deal with cyber-crime occurring on the latest Windows operating systems. Analysts will investigate crimes including fraud, insider threats, industrial espionage, traditional crimes, and computer hacking. Government agencies use media exploitation of Windows systems to recover key intelligence available on adversary systems. To help solve these cases, organizations are hiring digital forensic professionals, investigators, and agents to uncover what happened on a system.
FOR408: Windows Forensic Analysis focuses on a comprehensive and deep analysis of the latest Microsoft Windows operating systems. In this intermediate course, you will learn how forensic analysts track the second-by-second trail left behind by evildoers, a trail used in successful criminal prosecution, incident response, media exploitation, or civil litigation.
Proper analysis requires real data for students to examine. The completely updated FOR408 course trains digital forensic analysts through a series of new hands-on laboratory exercises that incorporate evidence found on the latest Microsoft technologies (Windows 8.1, Office365, Skydrive, Sharepoint, Exchange Online, and Windows Phone). This will ensure that students are prepared to investigate the latest trends and capabilities they might encounter. In addition, students will have labs that cover both Windows XP and Windows 7 artifacts.
FOR408 Windows Forensic Analysis will teach you to:
- Conduct in-depth forensic analysis of Windows operating systems and media exploitation focusing on Windows 7, Windows 8/8.1, XP, and Windows Server 2008/2012
- Identify artifact and evidence locations that will answer key questions, including questions about program execution, file opening, external device usage, geo-location, file download, anti-forensics, and system usage
- Focus your capabilities on analysis instead of how to use a specific tool
- Extract key answers by utilizing proper analysis via a variety of free, open-source, and commercial tools in the Windows SIFT Workstation
Updated FOR408 Course in 2014: This course uses a brand-new Windows 8.1-based case exercise whose data took over 6 months to create. Realistic example case data takes months to create correctly in real time. The example case is a Windows 8.1-based image in which the subject uses Windows Phone, Office 365, Sharepoint, MS Portal Online, Skydrive/Onedrive, Dropbox, and USB external devices. Our development team spent months creating an incredibly realistic scenario. The case demonstrates the latest technologies an investigator would encounter when analyzing a Windows operating system. The brand-new case workbook details the step-by-step process each investigator could follow to examine the latest technologies, including Windows 8.1.
FIGHT CRIME. UNRAVEL INCIDENTS...ONE BYTE AT A TIME
- Windows Operating Systems (XP, Vista, Win7, Win8/8.1, Server 2008/2012)
- Windows File Systems (NTFS, FAT, exFAT)
- Advanced Evidence Acquisition Tools and Techniques
- Registry Forensics
- Windows Artifact Analysis
- Facebook, Gmail, Hotmail, Yahoo Chat and Webmail Analysis
- E-Mail Forensics (Host, Server, Web)
- Microsoft Office Document Analysis
- Windows Link File Investigation
- Windows Recycle Bin Analysis
- File and Picture Metadata Tracking and Examination
- Prefetch Analysis
- Event Log File Analysis
- Firefox, Chrome, and Internet Explorer Browser Forensics
- Deleted File Recovery
- String Searching and File Carving
- Examination of Cases Involving Windows XP, Vista, Windows 7, and Windows 8/8.1
- Media Analysis and Exploitation involving:
  - Tracking user communications using a Windows PC (e-mail, chat, IM, webmail)
  - Identifying if and how the suspect downloaded a specific file to the PC
  - Determining the exact time and number of times a suspect executed a program
  - Showing when any file was first and last opened by a suspect
  - Determining if a suspect had knowledge of a specific file
  - Showing the exact physical location of the system
  - Tracking and analysis of external and USB devices
  - Showing how the suspect logged on to the machine via the console, RDP, or network
  - Recovering and examining browser artifacts, even those used in a private browsing mode
  - Discovering utilization of anti-forensics, including file wiping, time manipulation, and program removal
- The Course Is Fully Updated to Include Latest Windows 8.1 and Server 2012 Examinations
FOR408.1: Windows Digital Forensics and Advanced Data Triage
Sat May 10th, 2014
9:00 AM - 5:00 PM
Focus: Modern techniques in digital forensics on Windows systems. Triage-based acquisition techniques. Stream- and file-based extraction techniques. Evidence mounting and examination.
The Windows Forensics course starts with an examination of digital forensics in today's interconnected environments and discusses challenges associated with mobile devices, tablets, cloud storage, and modern Windows operating systems. We will discuss how modern hard drives, such as Solid State Devices (SSD), can affect the digital forensics acquisition process and how analysts need to adapt to overcome the introduction of these new technologies.
Hard drive sizes are increasingly difficult to handle appropriately in digital cases. Being able to acquire data in an efficient and forensically sound manner is critically important to every investigator today. Most basic analysts can easily image a hard drive using a write blocker. In this course, we will review the core techniques while introducing new triage-based acquisition and extraction capabilities that will increase the speed and efficiency of the acquisition process. We will demonstrate how to acquire memory, the NTFS MFT, Windows logs, Registry, and key files that will take minutes to acquire instead of the hours or days currently spent on acquisition.
We will also begin processing our collected evidence using stream-based and file-carving-based extraction capabilities that employ both commercial and open-source tools and techniques. Seasoned investigators will need to know how to target the specific data they need in order to begin to answer key questions in their case.
CPE/CMU Credits: 6
- Windows Operating System Components
- Key Differences in Windows Versions
- Windows 8.1 and Beyond
- Microsoft Server Variations
- Core Forensic Principles
- Analysis Focus
- Key Questions
- Determining Your Scope
- Live Response and Triage-Based Acquisition Techniques
- RAM Acquisition
- Registry Extraction
- Creating Custom Content Images
- Triage-Based Forensics - Fast Forensic Acquisition - Key Files
- Following the Order of Volatility
- Triage via Custom Content Extraction
- Acquisition Review with Write Blocker
- Advanced Acquisition Challenges
- Detecting Encrypted Drives
- SSD vs. Standard Platter-Based Hard Drives
- SSD Acquisition Concerns
- Windows Image Mounting and Examination
- FAT and NTFS File System Overview
- Key Word Searching and Forensics Suites (FTK, EnCase, and Autopsy)
- Document and File Metadata
- File Carving
- Principles of data carving
- Loss of file system metadata
- File carving tools
- Custom carving signatures
FOR408.2: Core Windows Forensics Part I: Registry and USB Device analysis
Sun May 11th, 2014
9:00 AM - 5:00 PM
FOCUS: Windows XP, Windows 7, and Windows 8/8.1 Registry Analysis and USB Device Forensics.
Our journey continues with the Windows Registry, where the digital forensic investigator will learn how to discover critical user and system information pertinent to almost any investigation. Each examiner will learn how to navigate and examine the Registry to obtain user profile data and system data. The course teaches forensic investigators how to prove that a specific user performed key word searches, ran specific programs, opened and saved files, perused folders, and used removable devices.
Removable storage device investigations are often a key part of performing digital forensics. We will show you how to perform in-depth USB device examinations on Windows 8, Windows 7, Vista, and Windows XP machines. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, and even the unique serial number of the device used.
Throughout the section, investigators will use their skills in a real hands-on case, exploring and analyzing evidence.
- Profile a computer system using evidence found in the Registry
- Profile a user's activities using evidence found in the Registry
- Examine which programs a user recently executed by examining the UserAssist key in the Registry
- Determine which files a user recently opened via the RecentDocs keys in the Registry
- Find folders recently accessed by a user via the open/save keys in the Registry
- Track USB and BYOD devices that were connected to the system via the Registry and file system
- Recover critical user data from the pagefile, memory images, and unallocated space
CPE/CMU Credits: 6
Registry Forensics In-Depth
- Registry Basics
- Hives, Keys, and Values
- Registry Last Write Time
- MRU Lists
- Profile Users and Groups
- Discover Usernames and the SID Mapped to Them
- Last Login
- Last Failed Login
- Logon Count
- Password Policy
- Core System Information
- Identify Current Control Set
- System Name and Version
- Local IP Address Information
- Wireless/Wired/3G Networks
- Geo-location Using Wireless Networks
- Network Shares
- Last Shutdown Time
- User Forensic Data
- Evidence of Program Execution
- Evidence of File Downloads
- Evidence of File and Folder Access (Shellbags)
- XP, Win7, Win8/8.1 Search History
- Typed Paths and Directories
- Recent Documents (RecentDocs)
- Open-> Save/Run Dialog Boxes Evidence
- Application Execution History (UserAssist)
- External and Bring Your Own Device (BYOD) Forensic Examinations
- Unique Serial Number
- Last Drive Letter
- MountPoints2 - Last Drive Mapping Per User
- Volume Name and Serial Number
- Username that Used the USB Device
- Time of First Use of USB Device
- Time of Last Use of USB Device
- BYOD Device Forensics
- Tools Utilized
- RegRipper and RegRipper Plug-ins
- AccessData Registry Viewer
- YARU (Yet Another Registry Utility)
FOR408.3: Core Windows Forensics Part II - E-Mail Forensics
Mon May 12th, 2014
9:00 AM - 5:00 PM
Focus: You will learn how major forensic suites can facilitate and expedite the investigative process, and how to recover and analyze e-mail, the most popular form of communication. Client-based, server-based, mobile, and web-based e-mail forensic analysis are discussed in-depth.
Depending on the type of investigation and authorization, a wealth of evidence can be unearthed through the analysis of e-mail files. Recovered e-mail can bring excellent corroborating information to an investigation, and its informality often provides very incriminating evidence. It is common for users to have e-mail that exists locally on their workstation, on their company e-mail server, in the private cloud, and in multiple webmail accounts.
This section discusses what types of information can be relevant to an investigation, where to find e-mail files, and how to use forensic tools to facilitate the analysis process. We will find that the analysis process is similar across different types of e-mail stores, but the real work takes place in the preparation - finding and extracting the e-mail files from a variety of different sources.
CPE/CMU Credits: 6
- Evidence of User Communication
- How E-Mail Works
- Determining Sender's Geographic Locations
- Examination of E-Mail
- Types of E-Mail Formats
- Microsoft Outlook
- Web-Based Mail
- Microsoft Exchange and Office 365
- Lotus Notes
- Exchange Dumpster Forensics
- Recovering Deleted E-Mails
- E-Mail Forensics
- E-Mail Searching and Examination
FOR408.4: Core Windows Forensics Part III - Windows Artifact and Log File Analysis
Tue May 13th, 2014
9:00 AM - 5:00 PM
Focus: Suspects unknowingly create hundreds of files that link back to their actions on a system. You will learn how to examine key files such as shortcut (LNK) files, Windows prefetch, pagefile/system memory, and more. The latter part of the section centers on examining Windows event log files, demonstrating their usefulness in both simple and complex cases.
Being able to show the first and last time a file was opened is a critical analysis skill. Utilizing shortcut (LNK) and jumplist databases, we are able to easily pinpoint which file was opened and when. We will demonstrate how to examine the pagefile, system memory, and unallocated space, all difficult-to-access locations that can offer the critical data for your case.
Windows log file analysis has solved more cases than possibly any other type of analysis. Understanding the locations and content of these files is crucial to the success of any type of investigator. Many investigators overlook these files because they do not have adequate knowledge or tools to get the job done. The last part of the section will arm each investigator with the core knowledge and capability to maintain this crucial skill for many years to come.
- Recycle bin analysis
- Shortcut (LNK) file analysis to determine first/last times a file was opened
- Windows 8.1 Prefetch file analysis to determine 8 previous times of execution
- Recovery of chat sessions, Web-based e-mail, social networking, and private browsing
- Merge event logs and perform advanced filtering
- Profile account usage and determine logon session length
- Identify evidence of time manipulation on a system
- Supplement registry analysis with BYOD device auditing
- Analyze historical records of wireless network associations and geo-locate a device
- See results of audit policy decision within the Security Event Log
CPE/CMU Credits: 6
Memory, Pagefile, and Unallocated Space Analysis
- Artifact Recovery and Examination
- Facebook Live, MSN Messenger, Yahoo, AIM, GoogleTalk Chat
- IE8/IE9 InPrivate/Recovery URLs
- Yahoo, Hotmail, G-Mail, Webmail, E-Mail
Forensicating Files Containing Critical Digital Forensic Evidence
- Office Documents (.doc and .docx)
- Adobe Files
- EXIF Data including GPS Coordinates
- Link/Shortcut Files (.lnk)
- Win7/Win8 Jump Lists
- XP Thumbs.db and Vista/Win7/Win8 Thumbcache Files
- Internet Chat Programs (Skype/AIM/MSN)
- Windows Prefetch Analysis (XP/Vista/Win7/Win8)
- Windows Recycle Bin Analysis (XP/Vista/Win7/Win8)
Windows Event Log Analysis
- Which Windows Events Matter to a Digital Forensic Investigator
- EVTX and EVT Log Files
- Track account usage including RDP, brute force password attacks, and rogue local account usage
- Audit and analyze file and folder access
- Track application installations
- Find evidence of malware execution
- Identify suspicious services
- Prove system time manipulation
- Track bring your own device (BYOD) and external devices
- Geo-locate a device via event logs
FOR408.5: Core Windows Forensics Part IV: Web Browser Forensics - Firefox, Internet Explorer, and Chrome
Wed May 14th, 2014
9:00 AM - 5:00 PM
Focus: This section looks at Internet Explorer, Firefox, and Chrome Web Browser digital forensics. You will learn how to examine exactly what individuals did while surfing via their Web browser. The results may give you pause the next time you use the Web!
With the increasing use of the Web and the shift toward Web-based applications and cloud computing, browser forensic analysis is a critical skill. During this section, the investigator will comprehensively explore Web browser evidence created during the use of Internet Explorer, Firefox, and Google Chrome. The hands-on skills taught here, such as SQLite and ESE database parsing, allow investigators to extend these methods to nearly any browser they encounter. The analyst will learn how to examine every major artifact stored by the browser, including cookies, visit and download history, Internet cache files, browser extensions, and form data. We will show you how to find these files and identify the common mistakes investigators make when interpreting browser artifacts. You will also learn how to analyze some of the more obscure browser artifacts such as session restore, tracking cookies, and private browsing remnants.
Throughout the section, investigators will use their skills in real hands-on cases, exploring evidence created by Chrome, Firefox, and Internet Explorer along with Windows Operating System artifacts.
- Track a suspect's activity in browser history and cache files and identify local file access
- Analyze artifacts found within the Extensible Storage Engine (ESE) database format
- Examine which files a suspect downloaded
- Determine URLs that suspects typed, clicked on, bookmarked, or merely popped up while they were browsing
- Identify IE artifacts associated with specific Windows 8 Metro UI applications
- Parse automatic crash recovery files to reconstruct previous browser sessions
- Leverage Google Analytics cookies to profile user behaviors
- Learn to manually parse SQLite databases from Firefox and Chrome
- Identify anti-forensics activity and find private browsing sessions
- Investigate browser auto-complete data
CPE/CMU Credits: 6
- Understanding Browser Timestamps
- Internet Explorer
- IE Key Forensic File Locations
- History files: Index.dat and WebCache.dat
- Cache Index.dat Timestamps
- Win8 Metro UI Applications
- Download History
- InPrivate Browsing Artifact Recovery
- Internet Explorer Tab Recovery Folder Analysis
- Firefox Artifact Locations
- Mork Format and SQLite Files
- Download History
- Cache Examinations
- Typed URLs
- Form History
- Private Browsing Mode
- Session Recovery
- Firefox Extensions
- Chrome File Locations
- History Information and Page Transition Types
- Chrome Timestamps
- Cache Examinations
- Download History
- Examination of Browser Artifacts
- Super Cookies
- Flash Cookie Files
- DOM and Web Storage Objects
- Google Analytics Cookies
- Tools Used
- Nirsoft Tools
- Woanware ChromeForensics
- SQLite Manager
FOR408.6: Windows Forensic Challenge
Thu May 15th, 2014
9:00 AM - 5:00 PM
Focus: This section revolves around a Digital Forensic Challenge based on Windows Vista/7. It is a capstone exercise for every artifact discussed in the class. You will use this section to consolidate the skills that you have learned over the past week.
Nothing will prepare you more as an investigator than a full hands-on challenge that requires you to use the skills and knowledge presented throughout the week. In the morning, you will have the option to work in teams on a real forensic case. Students will be provided evidence to analyze and the exercise will step you through the entire case flow, including proper acquisition, analysis, and reporting in preparation for a possible trial. Teams will work on the case with the objective of profiling computer usage and discovering critical pieces of evidence to present during the trial.
This complex case will involve an investigation into one of the most recent versions of the Windows Operating System. The evidence is real and provides the most realistic training opportunity currently available. Solving the case will require that students use all of the skills gained from each of the previous sections.
The section will conclude with a mock trial involving presentations of the evidence collected. The team with the best in-class presentation and short write-up wins the challenge...and the case!
- Windows 7/Vista-Based Forensic Challenge
- Mock Trial
CPE/CMU Credits: 6
Digital Forensic Case
- Following evidence analysis methods discussed throughout the week, find critical evidence.
- Examine registry, e-mail, recovered files, and more.
- Focus and submit the top three pieces of evidence discovered and discuss what they prove factually.
- Document one of the submitted pieces of evidence for potential examination during the mock trial.
- Each team will be asked to prepare an:
  - Executive Summary
  - Short Presentation
- The team voted to have the best argument and presentation proving their case will win the challenge.
!!IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.
You can use any 64-bit version of Windows, MAC OSX, or Linux as your core operating system that also can install and run VMware virtualization products. You also must have 8 GB of RAM or higher for the VM to function properly in the class.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Player 7 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site.
MANDATORY FOR408 SYSTEM HARDWARE REQUIREMENTS:
- CPU: 64-bit Intel x64 2.0+ GHz processor or higher-based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
- 8 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory)
- Ethernet Networking Capability Recommended or Wireless 802.11 B/G/N/AC
- USB 3.0 Ports Highly Recommended
- 200 Gigabyte Host System Hard Drive minimum
- 125 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical.
- Students should have the capability to have Local Administrator Access within their host operating system
MANDATORY FOR408 SYSTEM SOFTWARE REQUIREMENTS:
- Host Operating System: Any version of Windows, MAC OSX, or Linux operating system that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player)
- Download and install Winzip or 7Zip
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
- Microsoft Office (any version) w/Excel or OpenOffice w/Calc installed on your host - Note you can download Office Trial Software online (free for 60 days)
- Install VMware Workstation 11, VMware Fusion 7, or VMware Player 6 (higher versions are ok)
- Download and install Winzip or 7Zip on your host
OPTIONAL FOR408 ADDITIONAL ITEMS:
- One 3.5 inch IDE or SATA hard disk drive from:
  - Hard drive purchased from EBAY or Craigslist
  - Hard drive from used PC at home/work
  - Note - this hard drive is used during an optional image acquisition exercise; we use the used drive for imaging only
IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:
- Bring the proper system hardware (64bit/8GB Ram) and operating system configuration
- Install VMware (Workstation, Player, or Fusion), MS Office, and 7zip
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
Who Should Attend
- Information technology professionals who want to learn the in-depth concepts of Windows digital forensics investigations.
- Incident response team members who need to use deep-dive digital forensics to help solve their Windows hacking cases.
- Law enforcement officers, federal agents, or detectives who want to become a deep subject-matter expert on digital forensics for Windows-based operating systems.
- Media exploitation analysts who need to master tactical exploitation and Document and Media Exploitation (DOMEX) operations on Windows-based systems used by an individual. Attendees will be able to specifically determine how individuals used a system, who they communicated with, and the files that were downloaded, edited, and deleted.
- Anyone interested in a deep understanding of Windows forensics who has a background in information systems, information security, and computers.
FOR408 is a follow-on class for those who have a foundation in and understanding of the digital forensics process and evidence acquisition. FOR408 is an intermediate course that skips over the introductory material of digital forensics. The class is good for those who are new to forensics or advanced analysts, but who do not want to spend a day on basic and core digital forensic concepts and techniques. We move quickly into the analysis of Windows and spend most of our time analyzing Windows artifacts in the class.
Why Take This Course?
What You Will Receive
- Windows 8.1 version of the SIFT Workstation Virtual Machine with over 150 commercial, open source and freeware Digital Forensics and Incident Response tools prebuilt into the environment
- Windows 8.1 Standard License and Key for the Windows SIFT Workstation
- Full license to:
  - AccessData FTK for a three-month trial
  - Full license to MagnetForensics Internet Evidence Finder for a 15-day trial
  - TZWorks Toolset for a three-month trial
  - NUIX for a one-month trial
- 64 GB USB Key with four full real-world cases to examine during and after class
- Windows 8.1
- Windows 7
- Windows Vista
- Windows XP
- SANS exercise workbook with detailed step-by-step instructions
- Wiebetech Ultradock v5 Write Blocker Kit
- IDE and SATA Cable Connector
- Three FireWire Ports
- USB 3.0 Port
You Will Be Able To
- Perform proper Windows forensic analysis by applying key techniques focusing on Windows 7/8/8.1
- Use full-scale forensic tools and analysis methods to detail nearly every action a suspect accomplished on a Windows system, including who placed an artifact on the system and how, program execution, file/folder opening, geo-location, browser history, profile USB device usage, and more
- Uncover the exact time that a specific user last executed a program through Registry and Windows artifact analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker-breached systems, and traditional crimes
- Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), e-mail analysis, and Windows Registry parsing
- Use automated analysis techniques via AccessData's Forensic ToolKit (FTK), Nuix, and Internet Evidence Finder (IEF)
- Identify keywords searched by a specific user on a Windows system in order to pinpoint the files and information that the suspect was interested in finding and accomplish detailed damage assessments
- Use Windows shellbags analysis tools to articulate every folder and directory that a user opened up while browsing local, removable, and network drives
- Determine each time a unique and specific USB device was attached to the Windows system, the files and folders that were accessed on it, and who plugged it in by parsing key Windows artifacts such as the Registry and log files
- Learn event log analysis techniques and use them to determine when and how users logged into a Windows system, whether via a remote session, at the keyboard, or simply by unlocking a screensaver
- Determine where a crime was committed using Registry data to pinpoint the geo-location of a system by examining connected networks and wireless access points
- Use free browser forensic tools to perform detailed Web browser analysis, parse raw SQLite and ESE databases, and leverage session recovery artifacts and flash cookies to identify the Web activity of suspects, even if privacy cleaners and in-private browsing are used.
Press & Reviews
Course Review: SANS FOR408 Windows Forensic Analysis http://www.ethicalhacker.net/content/view/459/24/
Course and GIAC Cert Review: http://hackingexposedcomputerforensicsblog.blogspot.com/2014/02/daily-blog-226-look-ma-im-gcfe.html
"The SANS Institute is currently the leader in the commercial IR and computer forensic training market. They have a large number of quality courses." - Luttgens, Jason; Pepe, Matthew; Mandia, Kevin. Incident Response & Computer Forensics, Third Edition - July 2014
"This is a very high-intensity course with extremely current course material that is not available anywhere else in my experience." - Alexander Applegate, Auburn University
"Best forensics class I have had yet (and pretty much the only one that gives you some sort of framework on HOW to attack an exam)." - Det. Juan C. Marquez, Prince William County, Virginia Police Department
"Hands down the BEST forensics class EVER!! Blew my mind at least once a day for 6 days!" - Jason Jones, USAF
"I took SANS FOR408 Windows Forensics and the learning opportunity was second to none. Anyone looking for a first-rate forensics class that you can immediately take back to the real world and apply to their job needs to take at least one class from SANS in their lifetime. Whatever the cost may be to you, if forensics is a career priority to you, then you need to take at least one forensics class from SANS." - Chris Nowell, Information Security Architect, Airlines Reporting Corporation
"As a member of the IR team, this course will aid in investing compromised hosts." - Mike Piclher, URS Corp.
"FOR408 is based on real scenarios that are likely to occur again. The most up-to-date training I have received." - Martin Heyde, UK Ministry of Defence
"Best forensics course I have taken to date. Vast amounts of information." - Ellen Clark, FBI
"Call me a geek, but this is FUN!" - Frank Dixon, The Babcock & Wilcox Company
"Overall the course continues to be chock full of megalicious forensicness. Thanks a bunch for the key knowledge." - Vincent Bryant, Blue Cross Blue Shield of Tennessee
"If you were not interested in forensics before, you will be after this class. For those who already love it, it is reassurance that you are doing the right thing with your life." - Cleora Madison, Walt Disney Theme Parks and Resorts
"The Registry labs are invaluable. I learned more in this class about registry than in 10 years at work. Thanks!" - Michael Mimo, JP Morgan
"I was really looking forward to Windows in-depth and that is exactly what we are getting!" - Joshua Hoover, Charles Schwab
"I have been using forensics tools for years. I never professed to know it all; however, I did not expect to learn as much as I did." - Jody Hawkins, Cook Children's Health Care System
"I really appreciate the prebuilt and configured SIFT workstation. The FOR408 class materials and instruction were outstanding." - Clint Modesitt, LSUHSC
"FOR408 is absolutely necessary for any computer forensic type career. Excellent information!" - Rebecca Passmore, FBI
"Before I arrived here, I knew the basics of comp. forensics. After taking this course I feel that if suited with the proper tools, I could handle the task of working a live case" - Anonymous
"This course was by far the most informative and well taught class I have attended." - Brian Periera, Farfield PD
"Love the amount of detail/info in books, love the VM." - Jeff Datzman, Vacaville Police Department
"Best course I have taken in 20 years" - Gary Sanders, LWCC
"The hands on are excellent-Best I have had in 15 yrs of forensics classes. The best books as well." - Shawn Bostick, AR AG
"This is by far the best training I have ever had. My forensic knowledge increased more in the last 5 days than in the last year." - Vito Rocco, UNLV
"Are you kidding me? I, personally, see this course (FOR408) as pretty much perfected." - Mike Bowden, Boeing
"There's not a lot of courses that cover depth as well as the width of material. I think FOR408 strikes the right balance between the two." - Wayne Dawson, Vancity Savings Credit Union
"FOR408 has the depth and breadth of knowledge shared by the instructor and contents of the lab make it necessary to take the course. Very impressive!" - Debra Emmanuel, TWD & Associates
After 27 years in law enforcement, three capabilities immediately rise to the top of my list when I think of what makes a great digital forensic analyst: superior technical skill, sound investigative methodology, and the ability to overcome obstacles. SANS FOR408: Windows Forensic Analysis was designed to impart these critical skills to the students. Unlike many other training courses that focus on teaching a single tool, FOR408 provides training on many tools. While there are some exceptional tools available, we feel that all forensic analysts need a variety of tools in their arsenal to be able to pick and choose the best tool for each task. However, we also understand that forensic analysts are not great because of the tool(s) they use, but because they artfully apply the right investigative methodology to each analysis. A carpenter can be a master with all his tools and still not know how to build a house. FOR408 teaches students to apply digital forensic methodologies to a variety of case types and situations, allowing them to apply in the real world the right methodology to achieve the best outcome. Finally, the course teaches and demonstrates the problem-solving skills necessary to be a truly successful forensic analyst. Almost immediately after starting your forensic career, you will learn that each forensic analysis presents its own unique challenges. A technique that worked flawlessly for previous examinations may not work for the next one. A good forensic analyst must be able to overcome obstacles through advanced troubleshooting and problem-solving. FOR408 gives students the foundation to solve future problems, overcome obstacles, and become great forensic analysts. No matter if you are new to the forensic community or have been doing forensics for years, FOR408 is a must-have course.
- Ovie Carroll
Former students have contacted me regularly about how they were able to use their digital forensic skills in very real situations that were part of the nightly news cycle. The skills you learn in this class are used directly to stop evil. Graduates of Windows Forensics are the front-line troops deployed when you need accurate digital forensic and media exploitation analysis. From analyzing terrorist laptops to investigating insider intellectual property theft and fraud, SANS digital forensic graduates are battling and winning the war on crime and terror. Graduates have directly contributed to solving some of the toughest cases out there because they learn how to conduct analysis and run investigations properly. It brings me great comfort knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign attacks. Graduates are doing just that on a daily basis. I am proud that the SANS FOR408 course helped prepare them to fight and solve crime.
- Rob Lee
Digital forensics has never been more in demand than it is today. Zettabytes of data are created yearly, and forensic examiners will increasingly be called in to separate the wheat from the chaff. For better or worse, digital artifacts are recorded for almost every action, and the bar has been raised for investigators working to repel computer intrusions, stop intellectual property theft, and put bad actors in jail. We wrote this course as the forensics training we wish would have been available early in our careers. Keeping up with the cutting edge of forensics is daunting, but with frequent updates, I am confident this course provides the most up-to-date training available, whether you are just starting out or are looking to add new skills to your forensic arsenal.
- Chad Tilbury