Provided by: SANS
Certification: GCFE
Qualification level: GCFE Certification
Location: Live/Online
Study type: Distance learning
Duration: see provider website
Price: see provider website

About the course

Master Windows Forensics - "You Can't Protect What You Don't Know About."

All organizations must prepare for cyber-crime occurring on their computer systems and within their networks. Demand has never been greater for analysts who can investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Government agencies increasingly require trained media exploitation specialists to recover vital intelligence from Windows systems. To help solve these cases, SANS is training a new cadre of the world's best digital forensic professionals, incident responders, and media exploitation experts capable of piecing together what happened on computer systems second by second.

FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of Microsoft Windows operating systems. You can't protect what you don't know about, and understanding forensic capabilities and artifacts is a core component of information security. You will learn how to recover, analyze, and authenticate forensic data on Windows systems, track particular user activity on your network, and organize findings for use in incident response, internal investigations, and civil/criminal litigation. You will be able to use your new skills to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unbelievable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data.

Proper analysis requires real data for students to examine. The completely updated FOR500 course trains digital forensic analysts through a series of new hands-on laboratory exercises that incorporate evidence found on the latest Microsoft technologies (Windows 7, Windows 8/8.1, Windows 10, Office and Office365, Cloud Storage, SharePoint, Exchange, Outlook). Students leave the course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out - attendees learn to analyze everything from legacy Windows 7 systems to just-discovered Windows 10 artifacts.

FOR500: Windows Forensic Analysis will teach you to:

  1. Conduct in-depth forensic analysis of Windows operating systems and media exploitation focusing on Windows 7, Windows 8/8.1, Windows 10, and Windows Server 2008/2012/2016
  2. Identify artifact and evidence locations to answer critical questions, including application execution, file access, data theft, external device usage, cloud services, geolocation, file download, anti-forensics, and detailed system usage
  3. Focus your capabilities on analysis instead of on how to use a particular tool
  4. Extract critical answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation

Course Syllabus

FOR500.1: Windows Digital Forensics And Advanced Data Triage

Overview

The Windows Forensic Analysis course starts with an examination of digital forensics in today's interconnected environments and discusses the challenges associated with mobile devices, tablets, cloud storage, and modern Windows operating systems. We will discuss how modern storage, such as solid-state drives (SSDs), affects the forensic acquisition process and how analysts need to adapt to these technologies.

Growing hard drive sizes make full-disk acquisition increasingly difficult to handle in digital cases. Being able to acquire data in an efficient and forensically sound manner is crucial to every investigator today. Most analysts can already image a hard drive using a write blocker. In this course, we will review the core techniques while introducing triage-based acquisition and extraction capabilities that increase the speed and efficiency of the acquisition process. We will demonstrate how to acquire memory, the NTFS MFT, Windows event logs, the Registry, and other critical files in minutes instead of the hours or days a full-disk acquisition can take.

We will also begin processing our collected evidence using stream-based and file-carving-based extraction capabilities that employ both commercial and open-source tools and techniques. Seasoned investigators will need to know how to target the specific data that they need to begin to answer fundamental questions in their cases.

Exercises

  • Install the Windows SIFT Workstation and get an orientation about its operations
  • Image a hard drive for evidence using a WiebeTech UltraDock Write Blocker
  • Undertake advanced triage-based acquisition and imaging - rapid acquisition
  • Mount acquired disk images and evidence
  • Carve important files from free space
  • Recover critical user data from the pagefile, hibernation file, memory images, and unallocated space
  • Recover chat sessions, web-based email, social networking, and private browsing

CPE/CMU Credits: 6

Topics

  • Windows Operating System Components
    • Key Differences in Windows Versions
    • Windows 7 and Higher
    • Microsoft Server Variations
  • Core Forensic Principles
    • Analysis Focus
    • Key Questions
    • Determining Your Scope
  • Live Response and Triage-Based Acquisition Techniques
    • RAM Acquisition
    • Registry Extraction
    • Creating Custom Content Images
    • Triage-Based Forensics - Fast Forensic Acquisition - Key Files
    • Following the Order of Volatility
    • Triage via Custom Content Extraction
  • Acquisition Review with Write Blocker
  • Advanced Acquisition Challenges
    • Detecting Encrypted Drives
    • SSD vs. Standard Platter-Based Hard Drives
    • SSD Acquisition Concerns
  • Windows Image Mounting and Examination
  • NTFS File System Overview
  • Document and File Metadata
  • File Carving
    • Principles of Data Carving
    • Loss of File System Metadata
    • File Carving Tools
  • Custom Carving Signatures
  • Memory, Pagefile, and Unallocated Space Analysis
    • Artifact Recovery and Examination
    • Facebook Live, MSN Messenger, Yahoo, AIM, GoogleTalk Chat
    • IE8-11, Edge, Firefox, Chrome InPrivate/Recovery URLs
    • Yahoo, Hotmail, G-Mail, Webmail, Email

FOR500.2: Core Windows Forensics Part I: Windows Registry Forensics And Analysis

Overview

Our journey continues with the Windows Registry, where the digital forensic investigator will learn how to discover critical user and system information pertinent to almost any investigation. Each examiner will learn how to navigate and examine the Registry to obtain user profile data and system data. The course teaches forensic investigators how to prove that a specific user performed keyword searches, ran specific programs, opened and saved files, perused folders, and used removable devices.

Throughout the section, investigators will apply their skills in a real hands-on case, exploring and analyzing the evidence.

Exercises

  • Profile a computer system using evidence found in the Registry
  • Conduct a detailed profile of user activity using Registry evidence
  • Examine which programs a user recently executed by examining Registry-based UserAssist, AppCompatCache (Shimcache), Amcache, RecentApps, BAM/DAM, and others
  • Determine which files a user recently opened via the RecentDocs keys in the Registry
  • Examine recently opened Office 365 files and determine first/last open times
  • Find folders recently accessed by a user via the Open/Save keys in the Registry

CPE/CMU Credits: 6

Topics

Registry Forensics In-Depth

  • Registry Core
    • Hives, Keys, and Values
    • Registry Last Write Time
    • MRU Lists
    • Deleted Registry Key Recovery
    • Identify Dirty Registry Hives and Recover Missing Data
    • Rapidly Search and Timeline Multiple Hives
  • Profile Users and Groups
    • Discover Usernames and the SID Mapped to Them
    • Last Login
    • Last Failed Login
    • Login Count
    • Password Policy
  • Core System Information
    • Identify Current Control Set
    • System Name and Version
    • Timezone
    • Local IP Address Information
    • Wireless/Wired/3G Networks
    • Connected Network Auditing and Device Geolocation
    • Network Shares and Offline Caching
    • Last Shutdown Time
    • Registry-Based Malware Persistence Mechanisms
  • User Forensic Data
    • Evidence of File Downloads
    • Office and Office 365 File History Analysis
    • Windows 7, Windows 8/8.1, Windows 10 Search History
    • Typed Paths and Directories
    • Recent Documents (RecentDocs)
    • Open-> Save/Run Dialog Boxes Evidence
    • Application Execution History via UserAssist, Shimcache, RecentApps, AmCache, and BAM/DAM
  • Tools Used
    • Registry Explorer
    • TZWorks CAFAE and YARU (Yet Another Registry Utility)
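A worked example of the UserAssist decoding listed under "Application Execution History" above, added here as an illustration and not code from the course or from SANS: it applies ROT13 to the value name and unpacks the 72-byte Windows 7+ value body (run count at offset 4, focus count at 8, focus time at 12, last-execution FILETIME at offset 60). The value layout and the FILETIME epoch are well-known facts; the sample entry is constructed inside the block rather than taken from a real NTUSER.DAT hive, and the function names are this example's own.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME tick count to an aware UTC datetime (None if zero)."""
    if ft == 0:
        return None
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to construct sample data."""
    return (dt - WIN_EPOCH) // timedelta(microseconds=1) * 10


def decode_userassist_entry(value_name, data):
    """Decode one Windows 7+ UserAssist value.

    The value name is ROT13-encoded; the data is a 72-byte record:
      offset  0: session id (uint32)
      offset  4: run count (uint32)
      offset  8: focus count (uint32)
      offset 12: focus time in milliseconds (uint32)
      offset 16: ten floats (not decoded here)
      offset 60: FILETIME of the last execution (uint64)
    """
    if len(data) < 68:
        raise ValueError("UserAssist value too short: %d bytes" % len(data))
    program = codecs.decode(value_name, "rot_13")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": program,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_executed": filetime_to_datetime(last_run_ft),
    }


def build_sample_entry(program, run_count, focus_count, focus_ms, last_run):
    """Construct a UserAssist value (ROT13 name + 72-byte body) for testing.

    Constructed data, not taken from a real NTUSER.DAT hive.
    """
    body = struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
    body += b"\x00" * (60 - len(body))          # ten floats + padding, left zero
    body += struct.pack("<Q", datetime_to_filetime(last_run))
    body += b"\x00" * 4                         # trailing bytes present on Windows 7+
    return codecs.encode(program, "rot_13"), body


# Constructed sample. On a real system this value would sit under the
# executable-launch GUID key {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count.
SAMPLE_PROGRAM = r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe"
SAMPLE_NAME, SAMPLE_DATA = build_sample_entry(
    SAMPLE_PROGRAM, 7, 3, 125000,
    datetime(2019, 3, 12, 14, 22, 31, tzinfo=timezone.utc))


def decode_sample():
    """Decode the constructed sample entry."""
    return decode_userassist_entry(SAMPLE_NAME, SAMPLE_DATA)


if __name__ == "__main__":
    e = decode_sample()
    print("raw value name:", SAMPLE_NAME)
    print("program=%s runs=%d focus=%s last=%s" % (
        e["program"], e["run_count"], e["focus_time"], e["last_executed"]))
```

The GUID inside the value name is ROT13-encoded along with the path, which is why a raw Registry view shows letter-shifted GUIDs. Run counts on Windows 7 and later are stored directly (the Windows XP-era offset of 5 no longer applies), and a zero FILETIME means the program has never been launched from the shell, so the decoder returns None rather than 1601-01-01.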

FOR500.3: Core Windows Forensics Part II: USB Devices and Shell Items

Overview

Being able to show the first and last time a file or folder was opened is a critical analysis skill. Utilizing shortcut (LNK), jump list, and Shellbag databases through the examination of SHELL ITEMS, we can quickly pinpoint which file or folder was opened and when. The knowledge obtained by examining SHELL ITEMS is crucial in tracking user activity in intellectual property theft cases internally or in tracking hackers.

Removable storage device investigations are often an essential part of performing digital forensics. We will show you how to perform in-depth USB device examinations on Windows 7, 8/8.1, and 10. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, and even the unique serial number of the device used.

Exercises

  • Track USB and BYOD devices that were connected to the system via the Registry and file system
  • Determine first and last connected times of USB devices that are plugged into your system
  • Determine last removal time of USB devices that are plugged into your system
  • Use Shortcut (LNK) file analysis to determine first/last times a file was opened
  • Use Shellbag Registry Key Analysis to determine when a folder was accessed
  • Use a jump list examination to determine when files were accessed by specific programs
  • Unlock BitLocker To Go encrypted USB devices

CPE/CMU Credits: 6

Topics

  • Shell Item Forensics
    • Link/Shortcut Files (.lnk) - Evidence of File Opening
    • Windows 7/Windows 10 Jump Lists - Evidence of File Opening and Program Execution
    • Shellbag Analysis - Evidence of Folder Access
  • USB and Bring Your Own Device (BYOD) Forensic Examinations
    • Vendor/Make/Version
    • Unique Serial Number
    • Last Drive Letter
    • MountPoints2 - Last Drive Mapping Per User (Including Mapped Shares)
    • Volume Name and Serial Number
    • Username that Used the USB Device
    • Time of First USB Device Connection
    • Time of Last USB Device Connection
    • Time of Last USB Device Removal
    • Auditing BYOD Devices at Scale
    • BitLocker To Go Encrypted USB Devices
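An added example (not SANS course material) of one way to establish the "Time of First USB Device Connection" listed above: parsing the `>>>  [Device Install ...]` / `>>>  Section start` line pairs in setupapi.dev.log, which on Windows 7 and later records the first driver installation of each device instance. The log line format, the USB\VID_xxxx&PID_xxxx\serial and USBSTOR instance-ID layouts, and the rule that a Windows-generated instance ID has `&` as its second character are well-known facts; the log excerpt and the function names (`usb_first_seen`, `describe_device`) are this example's own. Caveat built into the output field name: setupapi.dev.log timestamps are written in local system time, so correlate them with the Registry time zone data before comparing against UTC artifacts.

```python
import re
from datetime import datetime

# A hardware-initiated install section in setupapi.dev.log opens with the
# device instance ID and is followed by the section start timestamp.
DEVICE_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<devid>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")

# USB\VID_xxxx&PID_xxxx\<serial or generated instance id>
USB_RE = re.compile(r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})\\(?P<inst>[^\\]+)$", re.I)
# USBSTOR\Disk&Ven_x&Prod_y&Rev_z\<serial>&<lun>
USBSTOR_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^\\]*)\\(?P<inst>[^\\]+)$", re.I)


def serial_is_generated(serial):
    """Windows synthesises an instance ID (e.g. '6&2a3b4c5d&0') when a device
    reports no serial number; the tell-tale is an '&' as the second character."""
    return len(serial) > 1 and serial[1] == "&"


def describe_device(device_id):
    """Split a USB or USBSTOR instance ID into vendor/product/serial fields."""
    m = USB_RE.match(device_id)
    if m:
        serial = m.group("inst")
        return {"bus": "USB", "vid": m.group("vid").upper(), "pid": m.group("pid").upper(),
                "serial": serial, "serial_is_generated": serial_is_generated(serial)}
    m = USBSTOR_RE.match(device_id)
    if m:
        serial = m.group("inst").rsplit("&", 1)[0]      # drop the trailing "&<LUN>"
        return {"bus": "USBSTOR", "vendor": m.group("ven"), "product": m.group("prod"),
                "revision": m.group("rev"), "serial": serial,
                "serial_is_generated": serial_is_generated(serial)}
    return None                                          # PCI, HID, etc.: not a USB device


def first_install_times(log_text):
    """Map each device instance ID to the first 'Section start' time seen."""
    first = {}
    pending = None
    for line in log_text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            pending = m.group("devid")
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            first.setdefault(pending, ts)       # log is chronological: keep the earliest
            pending = None
    return first


def usb_first_seen(log_text):
    """Combine first-install times with the decoded device identity."""
    report = {}
    for devid, ts in first_install_times(log_text).items():
        info = describe_device(devid)
        if info is None:
            continue
        info["first_seen_local"] = ts.isoformat()   # local system time, not UTC
        report[devid] = info
    return report


# Constructed excerpt in the setupapi.dev.log format (not a real log).
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001234567890123]
>>>  Section start 2019/03/12 14:22:31.456
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2019/03/12 14:22:33.010
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2019/03/12 14:22:33.120
<<<  Section end 2019/03/12 14:22:35.123
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_046D&PID_C52B\\6&2a3b4c5d&0&2]
>>>  Section start 2019/03/14 09:01:02.000
<<<  Section end 2019/03/14 09:01:03.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001234567890123]
>>>  Section start 2019/04/01 08:00:00.000
<<<  Section end 2019/04/01 08:00:01.000
<<<  [Exit status: SUCCESS]
"""

if __name__ == "__main__":
    for devid, info in usb_first_seen(SAMPLE_LOG).items():
        print(info["first_seen_local"], devid, "generated-serial" if info["serial_is_generated"] else "")
```

The USB\VID entry and the USBSTOR entry for the same stick share the serial 4C530001234567890123, which is the value to pivot on when matching the Registry's USBSTOR, MountedDevices and MountPoints2 keys; the device with a generated ID (second character `&`) cannot be uniquely tied to a physical unit by serial alone.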

FOR500.4: Core Windows Forensics - Part III: Email, Key Additional Artifacts, and Event Logs

Overview

Depending on the type of investigation and authorization, a wealth of evidence can be unearthed through the analysis of email files. Recovered email can bring excellent corroborating information to an investigation, and its informality often provides very incriminating evidence. It is common for users to have an email that exists locally on their workstation, on their company email server, in a private cloud, and in multiple webmail accounts.

Additional artifacts such as Windows Prefetch and AppCompatCache data are paramount to proving evidence of execution. The Windows 10 Timeline database shows great promise in recording detailed user activity. Similarly, the System Resource Usage Monitor (SRUM), one of the newest digital artifacts, can help determine several important user actions, including network usage by cloud storage and backdoors, even after execution of counter-forensic programs.

Finally, Windows event log analysis has solved more cases than possibly any other type of analysis. Understanding the locations and content of these files is crucial to the success of any investigator. Many researchers overlook these records because they do not have adequate knowledge or tools to get the job done efficiently. This section arms each investigator with the core knowledge and capability to maintain this crucial skill for many years to come.

Exercises

  • Employ best-of-breed forensic tools to search for relevant email and file attachments in large data sets
  • Analyze message headers and gauge email authenticity using SPF and DKIM
  • Understand how Extended MAPI Headers can be used in an investigation
  • Effectively collect evidence from Exchange and Office365
  • Learn the latest on Unified Audit Logs in Office365
  • Search for Webmail and Mobile Email remnants
  • Understand key concepts like email object filtering, de-duplication, and message similarity
  • Use forensic software to recover deleted objects from email archives
  • Gain experience with a commercial email forensics and e-discovery tool
  • Perform data visualization and timeline analysis
  • Analyze document metadata present in email archives
  • Analyze the various versions of the Windows Recycle Bin
  • Analyze Windows Prefetch files to determine thousands of application execution times
  • Use the System Resource Usage Monitor (SRUM) to answer questions never before available in Windows forensics
  • Merge event logs and perform advanced filtering
  • Profile account usage and determine logon session length
  • Audit file and folder access
  • Identify evidence of time manipulation on a system
  • Supplement registry analysis with BYOD device auditing, including new Windows 10 events
  • Analyze historical records of wireless network associations and geolocate a device

CPE/CMU Credits: 6

Topics

  • Email Forensics
    • Evidence of User Communication
    • How Email Works
    • Email Header Examination
    • Email Authenticity
    • Determining a Sender's Geographic Location
    • Extended MAPI Headers
    • Host-Based Email Forensics
    • Exchange Recoverable Items
    • Exchange Evidence Acquisition and Mail Export
    • Exchange Compliance Search and eDiscovery
    • Unified Audit Logs in Office 365
    • Recovering Deleted Emails
    • Web and Cloud-Based Email
    • Email Searching and Examination
    • Mobile Email Remnants
  • Forensicating Additional Windows OS Artifacts
    • Windows Search Index Forensics
    • Extensible Storage Engine (ESE) Database Recovery and Repair
    • Thumbs.db and Thumbscache Files
    • Windows Prefetch Analysis (XP, Windows 7-Windows 10)
    • Windows Recycle Bin Analysis (XP, Windows 7- Windows 10)
    • Windows 10 Timeline Database
    • System Resource Usage Monitor (SRUM)
      • Connected Networks, Duration, and Bandwidth Usage
      • Applications Run and Bytes Sent/Received Per Application
      • Application Push Notifications
      • Energy Usage
  • Windows Event Log Analysis
    • Events Logs that Matter to a Digital Forensic Investigator
    • EVTX and EVT Log Files
      • Track Account Usage including RDP, Brute Force Password Attacks, and Rogue Local Account Usage
      • Audit and Analyze File and Folder Access
      • Prove System Time Manipulation
      • Track Bring Your Own Device (BYOD) and External Devices
      • Geo-locate a Device via Event Logs
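As an added illustration of the "Track Account Usage including RDP, Brute Force Password Attacks" topic and the logon-session-length exercise above (example code, not from the course): pairing Security log 4624 logon events with the matching 4634/4647 logoff events by Logon ID gives session length, the Logon Type distinguishes console, screen unlock and RDP, and a burst of 4625 failures from one source address is a password-guessing indicator. The event IDs and Logon Type values are Microsoft-documented; the events are constructed JSON lines in the shape a log exporter might emit, not a real EVTX export, and the function names are this example's own. Two caveats the code accounts for: Logon IDs are unique only within one boot, and a 4634 is never written for a session that ends in a crash or reboot, so such sessions report no end time.

```python
import json
from collections import defaultdict
from datetime import datetime

# Security log 4624 Logon Type values (documented by Microsoft).
LOGON_TYPES = {
    2: "Interactive (keyboard)", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive (RDP)", 11: "CachedInteractive",
}

# Constructed sample: one JSON object per event, fields named as in the
# Security log (4624 logon, 4634/4647 logoff, 4625 failed logon).
SAMPLE_EVENTS = """
{"EventID": 4624, "TimeCreated": "2019-03-12T08:01:10Z", "TargetUserName": "jsmith", "TargetLogonId": "0x3e7a1", "LogonType": 2, "IpAddress": "-"}
{"EventID": 4625, "TimeCreated": "2019-03-12T09:00:00Z", "TargetUserName": "jsmith", "TargetLogonId": "0x0", "LogonType": 3, "IpAddress": "10.0.0.9"}
{"EventID": 4624, "TimeCreated": "2019-03-12T13:05:00Z", "TargetUserName": "jsmith", "TargetLogonId": "0x4a000", "LogonType": 7, "IpAddress": "-"}
{"EventID": 4634, "TimeCreated": "2019-03-12T13:05:01Z", "TargetUserName": "jsmith", "TargetLogonId": "0x4a000", "LogonType": 7}
{"EventID": 4634, "TimeCreated": "2019-03-12T17:30:00Z", "TargetUserName": "jsmith", "TargetLogonId": "0x3e7a1", "LogonType": 2}
{"EventID": 4625, "TimeCreated": "2019-03-12T22:13:01Z", "TargetUserName": "Administrator", "TargetLogonId": "0x0", "LogonType": 10, "IpAddress": "203.0.113.7"}
{"EventID": 4625, "TimeCreated": "2019-03-12T22:13:07Z", "TargetUserName": "Administrator", "TargetLogonId": "0x0", "LogonType": 10, "IpAddress": "203.0.113.7"}
{"EventID": 4625, "TimeCreated": "2019-03-12T22:13:13Z", "TargetUserName": "Administrator", "TargetLogonId": "0x0", "LogonType": 10, "IpAddress": "203.0.113.7"}
{"EventID": 4625, "TimeCreated": "2019-03-12T22:13:19Z", "TargetUserName": "Administrator", "TargetLogonId": "0x0", "LogonType": 10, "IpAddress": "203.0.113.7"}
{"EventID": 4625, "TimeCreated": "2019-03-12T22:13:25Z", "TargetUserName": "Administrator", "TargetLogonId": "0x0", "LogonType": 10, "IpAddress": "203.0.113.7"}
{"EventID": 4625, "TimeCreated": "2019-03-12T22:13:31Z", "TargetUserName": "Administrator", "TargetLogonId": "0x0", "LogonType": 10, "IpAddress": "203.0.113.7"}
{"EventID": 4624, "TimeCreated": "2019-03-12T22:14:00Z", "TargetUserName": "Administrator", "TargetLogonId": "0x9c1b0", "LogonType": 10, "IpAddress": "203.0.113.7"}
{"EventID": 4647, "TimeCreated": "2019-03-12T22:40:00Z", "TargetUserName": "Administrator", "TargetLogonId": "0x9c1b0"}
{"EventID": 4624, "TimeCreated": "2019-03-13T07:55:00Z", "TargetUserName": "svc_backup", "TargetLogonId": "0x5d200", "LogonType": 5, "IpAddress": "-"}
"""


def parse_events(text):
    """Parse JSON-lines events and attach a datetime under 'time'."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["time"] = datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def logon_sessions(events):
    """Pair each 4624 with its 4634/4647 by Logon ID; unmatched sessions keep end=None."""
    sessions = {}
    for e in events:
        if e["EventID"] == 4624:
            sessions[e["TargetLogonId"]] = {
                "user": e["TargetUserName"], "logon_id": e["TargetLogonId"],
                "logon_type": LOGON_TYPES.get(e["LogonType"], "Unknown(%s)" % e["LogonType"]),
                "source_ip": e.get("IpAddress", "-"),
                "start": e["time"], "end": None, "duration_s": None,
            }
    for e in events:
        if e["EventID"] in (4634, 4647):
            s = sessions.get(e["TargetLogonId"])
            if s is not None and s["end"] is None:
                s["end"] = e["time"]
                s["duration_s"] = int((e["time"] - s["start"]).total_seconds())
    return sorted(sessions.values(), key=lambda s: s["start"])


def failed_logon_bursts(events, threshold=5, window_seconds=60):
    """Source IPs with at least `threshold` 4625 events inside any sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_ip[e.get("IpAddress", "-")].append(e["time"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for s in logon_sessions(evs):
        print(s["start"], s["user"], s["logon_type"], s["source_ip"], s["duration_s"])
    print("bursts:", failed_logon_bursts(evs))
```

In the constructed data the six failures from 203.0.113.7 are followed within a minute by a successful type 10 logon from the same address, which is the pattern to look for when a brute-force attempt succeeds; the type 7 session lasting one second is a screen unlock, not a new interactive logon.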

FOR500.5: Core Windows Forensics - Part IV: Web Browser Forensics for Firefox, Internet Explorer, and Chrome

Overview

With the increasing use of the web and the shift toward web-based applications and cloud computing, browser forensic analysis is a critical skill. During this section, the investigator will comprehensively explore web browser evidence created during the use of Internet Explorer, Edge, Firefox, and Google Chrome. The hands-on skills taught here, such as SQLite and ESE database parsing, allow investigators to extend these methods to nearly any browser they encounter. The analyst will learn how to examine every significant artifact stored by the browser, including cookies, visit and download history, Internet cache files, browser extensions, and form data. We will show you how to find these records and identify the common mistakes investigators make when interpreting browser artifacts. You will also learn how to analyze some of the more obscure (and powerful) browser artifacts, such as session restore, tracking cookies, zoom levels, predictive site prefetching, and private browsing remnants.

Throughout the section, investigators will use their skills in real hands-on cases, exploring evidence created by Chrome, Firefox, Edge, Internet Explorer, and Tor correlated with other Windows operating system artifacts.

Exercises

  • Track a suspect's activity in browser history and cache files and identify local file access
  • Analyze artifacts found within the Extensible Storage Engine (ESE) database format
  • Examine which files a suspect downloaded
  • Determine URLs that suspects typed, clicked on, bookmarked, or merely popped up while they were browsing
  • Parse automatic crash recovery files to reconstruct previous browser sessions
  • Leverage Google Analytics cookies to profile user behaviors
  • Learn to manually parse SQLite databases from Firefox and Chrome
  • Identify anti-forensics activity and re-construct private browsing sessions
  • Investigate browser auto-complete data

CPE/CMU Credits: 6

Topics

  • Browser Forensics
    • History
    • Cache
    • Searches
    • Downloads
    • Understanding Browser Timestamps
    • Internet Explorer
      • IE Forensic File Locations
      • History files: Index.dat and WebCacheV01.dat
      • Cache Recovery and Timestamps
      • Microsoft Universal Application Artifact
      • Download History
      • Credentials Stored in the Windows Vault
      • Internet Explorer Tab Recovery Analysis
      • Cross-Device Synchronization, Including Tabs, History, Favorites, and Passwords
    • Edge
      • History, Cache, Cookies, Download History, and Session Recovery
      • Spartan.edb
      • Reading List, WebNotes, Top Sites, and SweptTabs
    • Firefox
      • Firefox Artifact Locations
      • Mork Format and SQLite Files
      • Firefox Quantum Updates
      • Download History
      • Firefox Cache2 Examinations
      • Detailed Visit Type Data
      • Form History
      • Session Recovery
      • Firefox Extensions
    • Chrome
      • Chrome File Locations
      • Correlating URLs and Visits Tables for Historical Context
      • History and Page Transition Types
      • Chrome Preferences File
      • Web Data, Shortcuts, and Network Action Predictor Databases
      • Chrome Timestamps
      • Cache Examinations
      • Download History
      • Chrome Session Recovery
      • Chrome Profiles Feature
      • Identifying Cross-Device Chrome Synchronization
    • Private Browsing and Browser Artifact Recovery
      • IE and Edge InPrivate Browsing
      • Chrome and Firefox Private Browsing
      • Investigating the Tor Browser
      • Identifying Selective Database Deletion
    • SQLite and ESE Database Carving
    • Examination of Browser Artifacts
      • Super Cookies
      • DOM and Web Storage Objects
      • Google Analytics and Universal Cookies
      • Rebuilding Cached Web Pages
      • Browser Ancestry
    • Tools Used
      • Nirsoft Tools
      • SQLite Parsers
      • ESE DatabaseView
      • Hindsight
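An added example (not the course's own code, and not one of the tools listed above) of the "Correlating URLs and Visits Tables", "Page Transition Types" and "Chrome Timestamps" topics. It builds an in-memory subset of Chrome's History SQLite schema with constructed rows, converts WebKit timestamps (microseconds since 1601-01-01 UTC), joins each visit to its URL and to the referring visit through from_visit, and decodes the transition column into its core type and qualifier flags. The transition constants are the documented Chromium values; the rows, URLs and function names are this example's own.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Documented Chromium page-transition encoding: core type in the low 8 bits,
# qualifier flags in the high bits.
CORE_TRANSITIONS = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
                    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
                    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
QUALIFIERS = {0x01000000: "FORWARD_BACK", 0x02000000: "FROM_ADDRESS_BAR",
              0x04000000: "HOME_PAGE", 0x08000000: "FROM_API", 0x10000000: "CHAIN_START",
              0x20000000: "CHAIN_END", 0x40000000: "CLIENT_REDIRECT", 0x80000000: "SERVER_REDIRECT"}


def webkit_to_datetime(us):
    """WebKit/Chrome microsecond timestamp to aware UTC datetime (None if zero)."""
    return None if not us else WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    """Inverse conversion; used here to construct sample rows."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def decode_transition(value):
    """Split visits.transition into (core type, [qualifier names])."""
    value &= 0xFFFFFFFF     # stored as signed 32-bit, so SERVER_REDIRECT rows read negative
    core = CORE_TRANSITIONS.get(value & 0xFF, "UNKNOWN")
    quals = [name for bit, name in sorted(QUALIFIERS.items()) if value & bit]
    return core, quals


def build_sample_history():
    """In-memory subset of Chrome's History schema with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER, visit_duration INTEGER);
    """)
    t0 = datetime(2019, 3, 12, 14, 20, 0, tzinfo=timezone.utc)
    t1 = t0 + timedelta(seconds=45)
    t2 = t0 + timedelta(minutes=5)
    typed = 1 | 0x02000000 | 0x10000000 | 0x20000000   # TYPED from the address bar
    link = 0 | 0x10000000 | 0x20000000                 # LINK click, single-hop chain
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.com/", "Example Domain", 1, 1, datetime_to_webkit(t0), 0),
        (2, "https://example.com/downloads/tool.zip", "tool.zip", 1, 0, datetime_to_webkit(t1), 0),
        (3, "file:///C:/Users/jsmith/Downloads/report.pdf", "report.pdf", 1, 1, datetime_to_webkit(t2), 0),
    ])
    db.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?)", [
        (1, 1, datetime_to_webkit(t0), 0, typed, 45_000_000),
        (2, 2, datetime_to_webkit(t1), 1, link, 0),
        (3, 3, datetime_to_webkit(t2), 0, typed, 120_000_000),
    ])
    db.commit()
    return db


def visit_history(db):
    """Every visit with its URL, decoded transition, and the referring visit's URL."""
    sql = """
        SELECT v.id, u.url, u.title, v.visit_time, v.transition, v.visit_duration,
               ref_u.url AS from_url
        FROM visits v
        JOIN urls u ON u.id = v.url
        LEFT JOIN visits ref_v ON ref_v.id = v.from_visit
        LEFT JOIN urls ref_u ON ref_u.id = ref_v.url
        ORDER BY v.visit_time
    """
    rows = []
    for r in db.execute(sql):
        core, quals = decode_transition(r["transition"])
        rows.append({
            "visit_id": r["id"], "url": r["url"], "title": r["title"],
            "visited": webkit_to_datetime(r["visit_time"]).isoformat(),
            "duration_s": r["visit_duration"] / 1_000_000,
            "transition": core, "qualifiers": quals, "from_url": r["from_url"],
        })
    return rows


def local_file_visits(rows):
    """file:// entries in History show local files opened in the browser."""
    return [r for r in rows if r["url"].lower().startswith("file:")]


if __name__ == "__main__":
    for r in visit_history(build_sample_history()):
        print(r["visited"], r["transition"], r["qualifiers"], r["url"], "<-", r["from_url"])
```

Joining visits to urls is what separates "what the user typed" from "what the browser loaded": the urls table keeps one row per URL with an aggregate last_visit_time, while visits carries every individual load, its referrer chain and the transition that explains why it happened. The same conversion and join apply unchanged to a History file copied from a live profile.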

FOR500.6: Windows Forensic Challenge

Overview

Nothing will prepare you more as an investigator than a full hands-on challenge that requires you to use the skills and knowledge presented throughout the week. In the morning, you will have the option to work in teams on a real forensic case. Students will be provided new evidence to analyze, and the exercise will step you through the entire case flow, including proper acquisition, analysis, and reporting in preparation for a possible trial. Teams will work on the case with the objective of profiling computer usage and discovering the most critical pieces of evidence to present.

This complex case will involve an investigation into one of the most recent versions of the Windows Operating System. The evidence is real and provides the most realistic training opportunity currently available. Solving the case will require that students use all of the skills gained from each of the previous sections.

The section will conclude with a mock trial involving presentations of the evidence collected. The team with the best in-class presentation and short write-up wins the challenge...and the case!

Exercises

  • Windows 10 Forensic Challenge
  • Two Additional Take Home Exercises to Hone Your Skills!

CPE/CMU Credits: 6

Topics

  • Digital Forensic Case
    • Analysis
      • Begin with a New Set of Evidence
      • Follow the Evidence Analysis Methods Discussed Throughout the Week to Find Critical Evidence
      • Examine Memory, Registry, Chat, Browser, Recovered Files, and More
    • Reporting
      • Focus and Submit the Top Three Pieces of Evidence Discovered and Discuss What They Prove Factually
      • Document One of the Submitted Pieces of Evidence for Potential Examination During the Mock Trial
  • Presentation
    • Each Team Will Be Asked to Prepare the following:
      • Executive Summary
      • Short Presentation
      • Conclusion
    • The Team Voted to Have the Best Argument and Presentation Proving Its Case Wins the Challenge

Who Should Attend

  • Information security professionals who want to learn the in-depth concepts of Windows digital forensics investigations
  • Incident response team members who need to use deep-dive digital forensics to help solve their Windows data breach and intrusion cases and perform damage assessments
  • Law enforcement officers, federal agents, and detectives who want to become deep subject-matter experts on digital forensics for Windows-based operating systems
  • Media exploitation analysts who need to master tactical exploitation and Document and Media Exploitation (DOMEX)
  • Anyone interested in a deep understanding of Windows forensics who has a background in information systems, information security, and computers

Prerequisites

FOR500: Windows Forensic Analysis focuses on in-depth analysis of the Microsoft Windows Operating System and artifacts. There are no prerequisite courses required to take this course. The artifacts and tool-agnostic techniques you will learn will lead to the successful analysis of any cyber incident and crime involving a Windows Operating System. Please note that this is an analysis-focused course; FOR500 does not cover the basics of evidentiary handling, the "chain of custody," or introductory drive acquisition. Our authors update FOR500 aggressively to stay current with the latest artifacts and techniques discovered. This course is perfect for you if you are interested in in-depth and current Microsoft Windows Operating System forensics and analysis for any incident that occurs. If you have not updated your Windows forensic analysis skills in the past three years or more, this course is essential.

You Will Be Able To

  • Perform proper Windows forensic analysis by applying key techniques focusing on Windows 7, Windows 8/8.1, and Windows 10
  • Use full-scale forensic tools and analysis methods to detail nearly every action a suspect accomplished on a Windows system, including who placed an artifact on the system and how, program execution, file/folder opening, geolocation, browser history, USB device usage, and more
  • Uncover the exact time that a specific user last executed a program through Registry and Windows artifact analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker-breached systems, and traditional crimes
  • Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), email analysis, and Windows Registry parsing
  • Identify keywords searched by a specific user on a Windows system to pinpoint the data and information that the suspect was interested in finding and accomplish detailed damage assessments
  • Use Windows Shellbag analysis tools to articulate every folder and directory that a user or attacker opened up while browsing local, removable, and network drives
  • Determine each time a unique and specific USB device was attached to the Windows system, the files and folders that were accessed on it, and who plugged it in by parsing Windows artifacts such as the Registry and Event Log files
  • Learn Event Log analysis techniques and use them to determine when and how users logged into a Windows system, whether via a remote session, at the keyboard, or simply by unlocking a screensaver
  • Determine where a crime was committed using Registry data to pinpoint the geo-location of a system by examining connected networks and wireless access points
  • Use browser forensic tools to perform detailed web browser analysis, parse raw SQLite and ESE databases, and leverage session recovery artifacts and database carving to identify the web activity of suspects, even if privacy cleaners and in-private browsing are used
  • Specifically determine how individuals used a system, who they communicated with, and files that were downloaded, modified, and deleted
