Windows Forensics
R11,999.00
Windows Forensics is an essential skill in the cybersecurity world. The course covers a broad spectrum of the forensic investigation process as performed on the Windows OS. Participants will learn how the different components of a computer work and how to investigate a machine after a cyber incident. The training focuses on developing the hands-on capabilities of forensic teams and individual practitioners in these areas:
- Searching the hard drive for evidence
- Processing hidden files that are invisible or inaccessible containing past-usage information
- Performing a forensic analysis on a computer to reveal usage details, recover data, and accomplish a full inspection after the machine has been defragged or formatted
Duration: 40 hours
Target Audience
This course targets participants with basic knowledge of IT or networking who wish to gain a deeper understanding of cyber investigations and the forensic process.
- Law enforcement officers & intelligence corps
- Incident responders
- Computer investigators
- IT/network administrators
Prerequisites
- ThinkCyber Level-1 Courses
Objectives
- Accessing concealed files on the system and extracting relevant information
- Mastering the steps of incident response
- Analyzing relevant case studies
Description
Module 1: Computer Hardware
The first module covers the components of computer hardware. Students will learn the main components of storage disks and the structure of the Windows OS, and will finish by installing their first virtual forensic workstation.
- Drives and Disks
  o The Anatomy of a Drive
  o Data Sizes
    - Data Representation
    - Hexadecimal
    - ASCII
    - Binary
  o Volumes & Partitions
  o Disk Partitioning and the Disk Management Tool
    - MBR vs. GPT
    - Understanding UEFI
    - The HPA
  o Solid State Drive (SSD) Features
- Understanding Windows OS Structure
  o The Filesystem
  o FAT
    - FAT Structure
    - File Allocation and Deletion
  o NTFS
    - NTFS Structure
    - Volume Boot Record
    - Master File Table
  o EFS Encryption
  o Windows Directory Structure
- Virtualizing a Forensics Workstation
  o Setting up a Virtual Machine
  o Installing and Configuring the VM
  o Preparing the Environment
Module 2: Forensic Fundamentals
This module exposes students to the internal components of the Windows OS. Students will learn about the tools that support the forensic investigation process.
- Understanding Hashes and Encodings
  o Hash as a Digital Signature
  o The Use of Hashes in Forensics
  o Base Encodings
- Windows Artifacts
  o Startup Files
  o Jump Lists
  o Thumbnail Cache
  o Shadow Copies
  o Prefetch and Temp Directories
  o RecentApps
  o Registry Hives
- Windows Passwords – Bypassing Windows Protection
  o Encryption in the Windows OS
    - BitLocker
    - NTLM
    - Kerberos
  o Cracking Windows Passwords
  o Cracking RAR/ZIP Passwords
- Data and File Structure
  o Hexadecimal Editing Tools
    - WinHex
    - HxD
  o File Structure
    - Headers and Trailers
    - Magic Numbers
  o Embedded Metadata
  o Working with Clusters
    - Slack Space
    - Unallocated and Allocated Space
Module 3: Collecting Evidence
During this module, students will master techniques for collecting evidence and for accessing and retrieving volatile and non-volatile information.
- Forensic Data Carving
  o Using HxD for Forensic Carving
    - Carving Files from an Existing File
  o Automatic File Carving Tools
    - Foremost
    - Scalpel
    - Bulk Extractor
- Collecting Information
  o Identifying Evidence of Program Execution
    - Extracting Registry Artifacts
    - Event Viewer
    - The Audit Policy
    - Windows System Metadata
  o Detecting Hidden Files Using ADS
  o Self-Extracting Archives (SFX)
  o Collecting Network Information
    - Network Information
    - Network Connections
  o Sysinternals Suite Forensic Tools
  o Extracting Credentials Using NirSoft
- Drive Data Acquisition
  o Introduction to FTK Imager
    - Exploring System Files
    - Creating an Image
    - dd as an Alternative Image Capture Tool
  o Capturing Volatile Memory
    - Capturing a Memory File
    - Capture Methods and Techniques
    - Pagefile
    - Hiberfil.sys
Module 4: Analyzing Forensic Findings
In this module, students will learn how to uncover hidden information, detect tampered files, work with memory, and analyze RAM.
- Analyzing Captured Images
  o Features of FTK
    - Extracting Protected Files
    - Mounting an Image as a Drive
    - Volatile Memory Capturing
  o MFT Dump
    - Identifying Potential Threats
    - Visualizing an MFT Reconstruction Using DMDE
  o Analyzing Prefetch Files
  o Reconstructing Explorer Activity with ShellBags
- Working with Volatile Memory
  o Extracting Data from RAM
  o Identifying Network Connections
  o Dumping Processes from Memory
- Registry Analysis
  o Using AccessData Registry Viewer to Analyze Registry Dumps
  o Finding User Information Using NTUSER.DAT and UsrClass.dat
  o Using the CLI to Access the Registry
  o Extracting Data from the Registry
  o Forensic Findings in the Registry
- Anti-Forensics Techniques
  o Wiping Drives
  o Advanced Steganographic Methods
  o File Obfuscation Techniques
  o Data Forgery
  o Drive and File Encryption
  o Artifact Removal
Module 5: Data Labelling and Report Writing
Participants will study forensic reports prepared by investigators following past incidents and learn how to write a professional report, including which points to consider when documenting the findings of an event.
- Introduction to Report Writing
  o Device Identification
  o Preservation of Data
  o Collecting Evidence
  o Examination and Analysis
  o Documentation
  o Evidence Presentation