Windows Forensic Analysis Training

Course Overview:

Windows Forensic Analysis Training Course Hands-on

Proper analysis requires real data for students to examine. The completely updated Windows Forensic Analysis Training course trains digital forensic analysts through a series of new hands-on laboratory exercises that incorporate evidence found on the latest Microsoft technologies (Windows 7, Windows 8/8.1, Windows 10, Office and Office 365, cloud storage, SharePoint, Exchange, Outlook). Students leave the Windows Forensic Analysis Training course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out – attendees learn to analyze everything from legacy Windows XP systems to just-discovered Windows 10 artifacts.

Every organization must prepare for cyber-crime occurring on its computer systems and within its networks. Demand has never been higher for analysts who can investigate crimes like fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Government agencies increasingly require trained media exploitation specialists to recover key intelligence from Windows systems. To help solve these cases, ENO is training a new cadre of the world’s best digital forensic professionals, incident responders, and media exploitation masters capable of piecing together what happened on computer systems second by second.

Windows Forensic Analysis Training focuses on building in-depth digital forensics knowledge of the Microsoft Windows operating systems. You can’t protect what you don’t know about, and understanding forensic capabilities and artifacts is a core component of information security. Learn to recover, analyze, and authenticate forensic data on Windows systems. Understand how to track detailed user activity on your network and how to organize findings for use in incident response, internal investigations, and civil/criminal litigation. Use your new skills for validating security tools, enhancing vulnerability assessments, identifying insider threats, tracking hackers, and improving security policies. Whether you know it or not, Windows is silently recording an unimaginable amount of data about you and your users. Windows Forensic Analysis Training teaches you how to mine this mountain of data.

Customize It:

• If you are familiar with some aspects of this Windows Forensic Analysis Training course, we can omit or shorten their discussion.
• We can adjust the emphasis placed on the various topics or build the Windows Forensic Analysis Training course around the mix of technologies of interest to you (including technologies other than those included in this outline).
• If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Windows Forensic Analysis Training course in a manner understandable to lay audiences.

Related Courses:

Virtualization and Private Cloud Security Training
Securing Windows and PowerShell Automation Training

Windows Forensic Analysis Training – Prerequisites:

The knowledge and skills that a learner must have before attending this Windows Forensic Analysis Training course are as follows:

• Windows Forensic Analysis Training is an intermediate-level Windows forensics course that skips over the introductory material of digital forensics. This class does not include basic digital forensic analysis concepts. FOR408 focuses entirely on in-depth, tool-agnostic analysis of the Windows operating system and its artifacts.

Audience / Target Group:

The target audience for this Windows Forensic Analysis Training course:

• Information security professionals who want to learn the in-depth concepts of Windows digital forensics investigations.
• Incident response team members who need to use deep-dive digital forensics to help solve their Windows data breach and intrusion cases.
• Law enforcement officers, federal agents, or detectives who want to become deep subject-matter experts on digital forensics for Windows-based operating systems.
• Media exploitation analysts who need to master tactical exploitation and Document and Media Exploitation (DOMEX) operations on Windows-based systems used by an individual. Attendees will be able to specifically determine how individuals used a system, who they communicated with, and the files that were downloaded, edited, and deleted.
• Anyone interested in a deep understanding of Windows forensics who has a background in information systems, information security, and computers.

Windows Forensic Analysis Training – Objectives:

Upon completing this Windows Forensic Analysis Training course, learners will be able to meet these objectives:

• Perform proper Windows forensic analysis by applying key techniques focusing on Windows 7/8/10
• Use full-scale forensic tools and analysis methods to detail nearly every action a suspect accomplished on a Windows system, including who placed an artifact on the system and how, program execution, file/folder opening, geo-location, browser history, profile USB device usage, and more
• Uncover the exact time that a specific user last executed a program through Registry and Windows artifact analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker-breached systems, and traditional crimes
• Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), e-mail analysis, and Windows Registry parsing
• Identify keywords searched by a specific user on a Windows system to pinpoint the data and information that the suspect was interested in finding and accomplish detailed damage assessments
• Use Windows Shellbag analysis tools to articulate every folder and directory that a user opened up while browsing local, removable, and network drives
• Determine each time a unique and specific USB device was attached to the Windows system, the files and folders that were accessed on it, and who plugged it in by parsing Windows artifacts such as the Registry and log files
• Learn event log analysis techniques and use them to determine when and how users logged into a Windows system, whether via a remote session, at the keyboard, or simply by unlocking a screensaver
• Determine where a crime was committed using Registry data to pinpoint the geo-location of a system by examining connected networks and wireless access points
• Use browser forensic tools to perform detailed Web browser analysis, parse raw SQLite and ESE databases, and leverage session recovery artifacts and flash cookies to identify the Web activity of suspects, even if privacy cleaners and in-private browsing are used

Windows Forensic Analysis Training – Course Syllabus:

• Windows Operating Systems Focus (Win7, Win8/8.1, Windows 10, Server 2008/2012/2016)
• Windows File Systems (NTFS, FAT, exFAT)
• Advanced Evidence Acquisition Tools and Techniques
• Registry Forensics
• Shell Item Forensics
• Shortcut Files (LNK) – Evidence of File Opening
• Shellbags – Evidence of Folder Opening
• JumpLists – Evidence of File Opening/Program Exec
• Windows Artifact Analysis
• Facebook, Gmail, Hotmail, Yahoo Chat and Webmail Analysis
• E-Mail Forensics (Host, Server, Web)
• Microsoft Office Document Analysis
• Windows Recycle Bin Analysis
• File and Picture Metadata Tracking and Examination
• Prefetch Analysis
• Event Log File Analysis
• Firefox, Chrome, and Internet Explorer Browser Forensics
• Deleted Registry Key and File Recovery
• String Searching and File Carving
• Examination of Cases Involving Windows 7, Windows 8/8.1, and Windows 10
• Media Analysis and Exploitation involving:
    • Tracking user communications using a Windows PC (e-mail, chat, IM, webmail)
    • Identifying if and how the suspect downloaded a specific file to the PC
    • Determining the exact time and number of times a suspect executed a program
    • Showing when any file was first and last opened by a suspect
    • Determining if a suspect had knowledge of a specific file
    • Showing the exact physical location of the system
    • Tracking and analysis of external and USB devices
    • Showing how the suspect logged on to the machine via the console, RDP, or network
    • Recovering and examining browser artifacts, even those used in a private browsing mode
    • Discovering utilization of anti-forensics, including file wiping, time manipulation, and program removal
• The Course Is Fully Updated to Include Latest Windows 7, 8, 8.1, 10 and Server 2008/2012/2016 Techniques
