COURSE IS SELF-PACED, AVAILABLE ON DEMAND

DURATION: 18 hours

CPE POINTS: On completion you get a certificate granting you 18 CPE points.


On completing the training, participants will be able to examine devices running Windows for signs of suspicious activity. The course focuses on Windows 10, but much of the material carries over to the server editions, so Windows Server systems can also serve as evidence sources. The material also applies to Windows 11, since the artifacts examined here are unchanged from a forensics perspective.

Who is this course for? 

  • Forensic Analysts
  • Cyber Incident Responders
  • Cyber Security Analysts
  • Cyber Threat Hunters

Why NOW? 

Windows forensics training is the foundation of a cyber incident response practice. Keeping technical knowledge current is a prerequisite for analyzing new concepts and attack types, so acquiring this base knowledge without delay is the right step.

Who is this course for?

In corporate environments Windows is still the most widely used operating system, which is why attackers target it. The need for analysts with solid analysis skills grows day by day. Attendees who engage fully will come away with practical, readily usable knowledge of Windows forensics topics.

Tools you will work with:

FTK Imager, ANJP, Eric Zimmerman's tools (EZ Tools), SIFT Workstation, RegRipper, Windows Event Log Explorer, Volatility, Plaso, DensityScout, Sigcheck, etc.

What skills will you gain?

Acquiring system images, creating triage collections, analyzing Windows execution artifacts, analyzing Windows Registry records, building and analyzing a SuperTimeline, analyzing memory images, and more.

What will you learn about?

Besides essentials such as the NTFS file system and persistence mechanisms on Windows systems, the course covers the analysis approaches needed during cyber incident response, for example least-frequency-of-occurrence analysis, Occam's razor, Locard's exchange principle, and choosing the right questions to ask about a technical problem.

Course general information:

Course format: 

  • Self-paced
  • Pre-recorded
  • Accessible even after you finish the course
  • No preset deadlines
  • Materials are video, labs, and text
  • All videos captioned

Equipment

  • All tools used are free to download (open source or freeware)
  • Midrange computer with Windows 10 Operating System
  • SIFT Workstation

Experience

  • Able to use the command prompt on Windows 
  • Fundamental knowledge about Windows operating system 
  • General cybersecurity knowledge

YOUR INSTRUCTOR: KAAN KAYA

Kaan Kaya holds a BS in Computer Engineering and has worked in the DFIR field for more than three years.

His main responsibilities are conducting forensics on digital evidence and running enterprise incident response projects.


COURSE SYLLABUS


Module 1: Windows System Processes & Live System Analysis

In this module, attendees learn about the Windows system processes and live system analysis techniques. Knowing what the normal system processes look like (name, image path, parent, number of instances) makes it easier to spot abnormal and malicious ones.

Live analysis of Windows 10 systems with native Windows tools also matters for first contact with the evidence.

  • Windows system processes (Windows 10)
  • Details about system processes: image path, name, number of instances
  • Live system analysis of Windows 10 computers with tools such as Sysinternals, PowerShell and WMI
  • Collecting triage data with KAPE and parsing it

Exercises

  • System Processes Case: attendees try to find malicious processes on a live Windows system
  • Live Analysis Case: attendees try to collect evidence about a compromised host using native commands and KAPE
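The "know normal, find evil" idea behind the system processes case can be reduced to a small rule table. The following added example (not course material) encodes the expected image directory, parent and instance count for the Windows 10 core processes and applies it to a constructed process listing; on a live host the same four fields can be taken from Get-CimInstance Win32_Process or from Sysinternals Process Explorer. The planted processes and PIDs are made up for the example.

```python
import difflib
import ntpath
from collections import Counter
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Baseline for Windows 10 core processes: expected directory, expected parent
# name(s), (min, max) instance count.  parent None = the parent normally has
# exited already (smss.exe / userinit.exe); max None = "many".
BASELINE = {
    "system":       (None,          None,             (1, 1)),
    "smss.exe":     (SYSTEM32,      {"system"},       (1, 1)),
    "csrss.exe":    (SYSTEM32,      None,             (2, None)),
    "wininit.exe":  (SYSTEM32,      None,             (1, 1)),
    "winlogon.exe": (SYSTEM32,      None,             (1, None)),
    "services.exe": (SYSTEM32,      {"wininit.exe"},  (1, 1)),
    "lsass.exe":    (SYSTEM32,      {"wininit.exe"},  (1, 1)),
    "svchost.exe":  (SYSTEM32,      {"services.exe"}, (1, None)),
    "explorer.exe": (r"c:\windows", None,             (1, None)),
}


def find_anomalies(procs):
    """Return (pid, name, reason) tuples for deviations from BASELINE."""
    by_pid = {p.pid: p for p in procs}
    counts = Counter(p.name.lower() for p in procs)
    findings = []
    for p in procs:
        name = p.name.lower()
        rule = BASELINE.get(name)
        if rule is None:
            # Masquerading: a name that is almost, but not quite, a core process name.
            close = difflib.get_close_matches(name, list(BASELINE), n=1, cutoff=0.85)
            if close:
                findings.append((p.pid, name, f"name resembles {close[0]}"))
            continue
        expected_dir, parents, _ = rule
        if expected_dir and ntpath.dirname(p.path.lower()) != expected_dir:
            findings.append((p.pid, name, f"unexpected image path {p.path}"))
        if parents:
            parent = by_pid.get(p.ppid)
            pname = parent.name.lower() if parent else "<exited>"
            if pname not in parents:
                findings.append((p.pid, name, f"unexpected parent {pname}"))
    for name, (_, _, (lo, hi)) in BASELINE.items():
        n = counts.get(name, 0)
        if n < lo or (hi is not None and n > hi):
            findings.append((None, name, f"{n} instance(s), expected {lo}..{hi or 'n'}"))
    return findings


# Constructed listing: a normal Windows 10 boot chain plus two planted processes.
SAMPLE_PROCS = [
    Proc(4, 0, "System", ""),
    Proc(300, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    Proc(400, 380, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    Proc(500, 480, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    Proc(520, 380, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(560, 480, "winlogon.exe", r"C:\Windows\System32\winlogon.exe"),
    Proc(600, 520, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(620, 520, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(700, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(710, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(2000, 1990, "explorer.exe", r"C:\Windows\explorer.exe"),
    # planted: a second "lsass.exe" in a user-writable path, spawned by explorer
    Proc(3000, 2000, "lsass.exe", r"C:\Users\Public\lsass.exe"),
    # planted: look-alike name with a zero instead of an 'o'
    Proc(3100, 2000, "svch0st.exe", r"C:\Users\bob\AppData\Roaming\svch0st.exe"),
]

if __name__ == "__main__":
    for pid, name, reason in find_anomalies(SAMPLE_PROCS):
        print(f"{pid or '-':>5}  {name:<14} {reason}")
```

The planted lsass.exe trips three rules at once (path, parent, instance count), which is the usual pattern: a single deviation such as an svchost.exe with an unexpected parent can have a benign explanation, but several deviations on one process rarely do.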

Module 2: Acquiring Evidence & Memory Analysis

This module covers image acquisition, the foundation of forensic science: the details of the acquisition process that the examination phase depends on to produce correct results, the different acquisition methods, the acquisition applications, and the image formats.

  • Windows NTFS File System Details 
  • Image Types 
  • Image File Formats 
  • Verification of Successful Imaging Process 
  • Physical Imaging with FTK Imager 
  • Logical Imaging with FTK Imager 
  • Memory Imaging with FTK Imager, DumpIt, WinPmem 
  • BitLocker Encryption
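Verifying a successful imaging process comes down to re-hashing the stored image and comparing the result with the size and hashes the acquisition tool recorded. The following added example (not course material) does that for a raw (dd) image split into .001/.002/... segments, which must be hashed as one contiguous stream rather than segment by segment. The image content is constructed in the example itself, so the "recorded" hashes are computed from that content rather than taken from a real FTK Imager summary file.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB read size


def find_segments(first_segment):
    """List image.001, image.002, ... in order, starting from the first segment."""
    first = Path(first_segment)
    return sorted(first.parent.glob(first.stem + ".[0-9][0-9][0-9]"))


def hash_segments(segments, algorithms=("md5", "sha1")):
    """Hash the segments as one contiguous stream; return (byte count, {alg: hexdigest})."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    total = 0
    for seg in segments:
        with open(seg, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                total += len(block)
                for h in hashers.values():
                    h.update(block)
    return total, {a: h.hexdigest() for a, h in hashers.items()}


def verify_image(first_segment, expected_size, expected_hashes):
    """Compare the stored image with the size and hashes noted at acquisition."""
    segments = find_segments(first_segment)
    size, actual = hash_segments(segments, tuple(expected_hashes))
    mismatches = sorted(a for a, v in expected_hashes.items() if actual[a] != v.lower())
    return {"segments": len(segments), "size_ok": size == expected_size,
            "mismatches": mismatches, "hashes": actual}


def build_sample_image(workdir, segment_size=4096):
    """Write a constructed 3-segment raw image; return first segment, size and
    the hashes an imaging tool would have recorded for it."""
    data = bytes(range(256)) * 48  # 12288 bytes of constructed 'disk' content
    expected = {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1")}
    for i in range(0, len(data), segment_size):
        Path(workdir, f"evidence.{i // segment_size + 1:03d}").write_bytes(data[i:i + segment_size])
    return str(Path(workdir, "evidence.001")), len(data), expected


def demo():
    """Verify the constructed image, then corrupt one byte and verify again."""
    workdir = tempfile.mkdtemp()
    first, size, expected = build_sample_image(workdir)
    clean = verify_image(first, size, expected)
    seg2 = Path(workdir, "evidence.002")
    raw = bytearray(seg2.read_bytes())
    raw[10] ^= 0xFF  # simulate a bit flip in the second segment
    seg2.write_bytes(raw)
    return clean, verify_image(first, size, expected)


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, result["segments"], "segments, size ok:", result["size_ok"],
              "mismatches:", result["mismatches"])
```

A size match with a hash mismatch, as in the tampered run, is the case to watch for: the image is "complete" by byte count but no longer the evidence that was acquired, and only the hash comparison reveals it.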

Exercises

  • Acquiring physical image of Windows 10 system 
  • Acquiring logical image of Windows 10 system 
  • Acquiring custom content image of Windows 10 system 
  • Acquiring memory image of Windows 10 system
  • Analyzing acquired memory image sample
  • Analyzing sample compromised memory image
  • Quiz (15 Questions about module) - Correct answers will be given and explained

Module 3: File System Forensics & SuperTimeline

This module covers file system analysis of a Windows 10 computer using an NTFS file system image, including how to obtain and analyze the $MFT, $LogFile and $UsnJrnl files that matter to forensic examiners. After this module, attendees will be able to detect anomalous file operations on NTFS-formatted Windows systems.

The SuperTimeline is the module's second main subject: attendees will be able to create and analyze a SuperTimeline built with Plaso.

  • Windows NTFS timestamps (MACB) 
  • Analyzing a physical image with FTK Imager 
  • Acquisition and analysis of the $MFT, $LogFile and $UsnJrnl files
  • Creating and analyzing a SuperTimeline (log2timeline.py, pinfo.py, psort.py)
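Timestamp anomaly detection on NTFS rests on two facts: every $MFT record carries the MACB times twice, in $STANDARD_INFORMATION ($SI, which SetFileTime can rewrite) and in $FILE_NAME ($FN, which only the kernel updates on create and rename), and NTFS stores them as 64-bit FILETIME values with 100 ns resolution. The following added example (not course material) converts FILETIME values and flags $SI times that precede $FN or that have an exactly zero sub-second part, the trace left by tools that set whole seconds. The two records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME resolution is 100 ns


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)


def filetime(iso_utc, ticks=0):
    """Build a FILETIME from an ISO timestamp plus extra 100 ns ticks (helper for constructed data)."""
    delta = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc) - EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10 + ticks


@dataclass(frozen=True)
class MftRecord:
    path: str
    si: dict  # $STANDARD_INFORMATION: keys M, A, C, B as FILETIME ints
    fn: dict  # $FILE_NAME: same keys


def detect_timestomping(records):
    """Return {path: [reasons]} for records whose $SI times look manipulated."""
    findings = {}
    for r in records:
        reasons = []
        # $FN is set by the kernel on create/rename and is out of reach of
        # SetFileTime, so a $SI creation time older than $FN is a red flag.
        if r.si["B"] < r.fn["B"]:
            reasons.append(f"$SI created {filetime_to_datetime(r.si['B']):%Y-%m-%d %H:%M:%S} "
                           f"precedes $FN created {filetime_to_datetime(r.fn['B']):%Y-%m-%d %H:%M:%S}")
        # Tools that call SetFileTime with whole seconds leave the 100 ns field
        # at zero; NTFS itself records full resolution.
        zeroed = [k for k, v in r.si.items() if v % TICKS_PER_SECOND == 0]
        if zeroed:
            reasons.append(f"$SI {''.join(zeroed)} have zero sub-second component")
        if reasons:
            findings[r.path] = reasons
    return findings


# Constructed records.  The first is an ordinary document; the second was
# created on 2023-05-12 and then back-dated to 2015 with whole-second values.
# $SI C (entry modified) cannot be set from user mode, so it keeps the time
# the stomping happened.
SAMPLE_RECORDS = [
    MftRecord(r"C:\Users\bob\report.docx",
              si={"M": filetime("2023-05-10T14:40:02", 5_512_345),
                  "A": filetime("2023-05-10T14:40:02", 5_512_345),
                  "C": filetime("2023-05-10T14:40:02", 5_512_345),
                  "B": filetime("2023-05-10T14:33:12", 1_234_567)},
              fn={k: filetime("2023-05-10T14:33:12", 1_234_567) for k in "MACB"}),
    MftRecord(r"C:\Windows\Temp\svc.exe",
              si={"M": filetime("2015-01-01T00:00:00"),
                  "A": filetime("2015-01-01T00:00:00"),
                  "C": filetime("2023-05-12T03:16:02", 2_207_710),
                  "B": filetime("2015-01-01T00:00:00")},
              fn={k: filetime("2023-05-12T03:15:44", 8_000_001) for k in "MACB"}),
]

if __name__ == "__main__":
    for path, reasons in detect_timestomping(SAMPLE_RECORDS).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

The zero sub-second rule is a weak signal on its own: files copied from FAT volumes or extracted from ZIP archives legitimately carry second-granularity times. The $SI-before-$FN comparison is the stronger indicator, and the $SI C value (the time the $MFT entry itself was last modified) dates the manipulation.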

Exercises

  • Anomaly detection with Windows timestamp values 
  • Analysis of the $MFT, $LogFile and $UsnJrnl 
  • Forensic case: detection of malicious file creations 
  • Creating a SuperTimeline with Plaso
  • Forensic case: writing a forensic report on the analysis of a Windows system image 
  • Quiz (15 Questions about module) - Correct answers will be given and explained

Module 4: Windows 10 Execution Artifacts & Compromised Host Identification

Because of the way Windows works, the system leaves many residual traces (artifacts) behind. These artifacts are evidence of great importance in forensic work. This module covers the important artifacts to collect during a Windows system analysis and how to analyze them.

Windows 10 - Artifacts:

  • Amcache 
  • Shimcache 
  • Prefetch 
  • Objects.Data (WMI repository) 
  • Jumplist 
  • Shortcuts (LNK Files) 
  • Task Bar 
  • Recycle Bin 
  • Thumbnails 
  • SRUM 
  • Registry 
  • Event Logs
  • Browser Artifacts (Chrome, Firefox)

Exercises 

This module includes case studies for every artifact area that participants must solve. Once all of these cases have been solved, a full image of a host subjected to a simulated attack is analyzed.

  • Lateral movement detection with event logs
  • Anti-forensics detection: event log clearing
  • Windows 10 persistence mechanism detection
  • Compromised host analysis case (covering all topics in the course)
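The lateral movement and event log clearing exercises both reduce to a handful of Event IDs: Security 4624 with logon type 3 (network) or 10 (RDP) from a non-local address marks inbound lateral movement, System 7045 records a new service (PsExec-style remote execution installs one), Security 1102 records the Security log being cleared, and System 104 records another log being cleared. The following added example (not course material) runs those checks over constructed event records whose EventData field names are the ones Windows uses for these IDs; times, hosts and addresses are made up. On a real case the records would come from the exported .evtx files, for example via EvtxECmd CSV output.

```python
from datetime import datetime, timedelta

LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}
REMOTE_LOGON_TYPES = {3: "network", 10: "remote interactive (RDP)"}
EXEC_WINDOW = timedelta(minutes=5)  # service install this soon after a remote logon


def analyze_events(events):
    """Pull lateral-movement and log-clearing indicators out of event records.

    Each record is {"time": ISO-8601, "channel": ..., "id": int, "data": {...}}."""
    remote_logons, service_installs, log_cleared = [], [], []
    for e in sorted(events, key=lambda e: e["time"]):
        t, d = datetime.fromisoformat(e["time"]), e["data"]
        if e["channel"] == "Security" and e["id"] == 4624:
            # 4624: successful logon; type 3/10 from a non-local address = inbound lateral movement
            lt = int(d["LogonType"])
            if lt in REMOTE_LOGON_TYPES and d["IpAddress"] not in LOCAL_SOURCES:
                remote_logons.append({"time": t, "ip": d["IpAddress"],
                                      "user": d["TargetUserName"], "type": REMOTE_LOGON_TYPES[lt]})
        elif e["channel"] == "System" and e["id"] == 7045:
            # 7045: a service was installed (PsExec drops PSEXESVC this way)
            service_installs.append({"time": t, "service": d["ServiceName"], "image": d["ImagePath"]})
        elif e["channel"] == "Security" and e["id"] == 1102:
            # 1102: the Security log was cleared
            log_cleared.append((t, "Security", d["SubjectUserName"]))
        elif e["channel"] == "System" and e["id"] == 104:
            # 104: another log (named in Channel) was cleared
            log_cleared.append((t, d["Channel"], d["SubjectUserName"]))
    # A service install shortly after a remote logon points at remote execution;
    # attribute it to the latest qualifying logon.
    remote_execution = []
    for s in service_installs:
        prior = [l for l in remote_logons if timedelta(0) <= s["time"] - l["time"] <= EXEC_WINDOW]
        if prior:
            remote_execution.append({"service": s["service"], "logon": max(prior, key=lambda l: l["time"])})
    return {"remote_logons": remote_logons, "service_installs": service_installs,
            "remote_execution": remote_execution, "log_cleared": log_cleared}


# Constructed records for host WS-HR-07, deliberately out of order.
SAMPLE_EVENTS = [
    {"time": "2023-05-12T08:00:00", "channel": "Security", "id": 4624,
     "data": {"LogonType": "2", "IpAddress": "-", "TargetUserName": "bob"}},
    {"time": "2023-05-12T03:30:15", "channel": "System", "id": 104,
     "data": {"Channel": "System", "SubjectUserName": "admin"}},
    {"time": "2023-05-12T03:10:01", "channel": "Security", "id": 4624,
     "data": {"LogonType": "3", "IpAddress": "10.0.0.25", "TargetUserName": "admin",
              "WorkstationName": "WS-HR-07"}},
    {"time": "2023-05-12T03:12:05", "channel": "System", "id": 7045,
     "data": {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}},
    {"time": "2023-05-12T03:11:40", "channel": "Security", "id": 4624,
     "data": {"LogonType": "10", "IpAddress": "10.0.0.25", "TargetUserName": "admin"}},
    {"time": "2023-05-12T03:09:50", "channel": "Security", "id": 4624,
     "data": {"LogonType": "3", "IpAddress": "::1", "TargetUserName": "WS-HR-07$"}},
    {"time": "2023-05-12T03:30:12", "channel": "Security", "id": 1102,
     "data": {"SubjectUserName": "admin"}},
]

if __name__ == "__main__":
    result = analyze_events(SAMPLE_EVENTS)
    for l in result["remote_logons"]:
        print(f"{l['time']:%H:%M:%S} {l['type']:<24} {l['user']} from {l['ip']}")
    for x in result["remote_execution"]:
        print(f"service {x['service']} installed after logon of {x['logon']['user']} from {x['logon']['ip']}")
    for t, channel, user in result["log_cleared"]:
        print(f"{t:%H:%M:%S} {channel} log cleared by {user}")
```

Type 3 logons are noisy on their own (SMB shares, DCOM, domain traffic), which is why the example correlates them with the service install rather than reporting them in isolation. The two log-clearing events are the anti-forensics finding: 1102 in Security and 104 in System survive the clearing they describe, so their timestamps bound the period whose evidence is missing and should be checked against other sources such as the $UsnJrnl and the SuperTimeline.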

Final exam:

All the topics will be covered in this exam. The exam will consist of two parts:

  • Hands-on lab questions (practical)
  • Multiple-choice questions (theoretical)

Contact:

If you have any questions, please contact us at [email protected].

Course Reviews

Average rating: 2 out of 5 (1 rating)

  1. Let down by poor support (rated 2 out of 5)

    The content is generally fine; the facilitator brushes over some topics saying "you already know this, yes?". There are some learning curves where you are expected to be able to rattle off command-line scripts for various executables without an understanding of what they mean, but it does say the student should know how to use the command line, so that may just be me.

    One of the first practice scenarios required you to rely on a specific command-line input that was about five lines long and I think may have popped up in the video for a second or two. The facilitator relies on this in his solution to the scenario, but after watching two hours of videos it wasn't very clear that this was the best method. All training up to the scenario also showed a working system without any malicious activity, so the student activity was the very first case of any actual evidence of misuse. This made it difficult, as there weren't any successful examples of finding malicious activity to draw on in the practical scenario.

    There are some questions in quizzes with misspelled and duplicate answers. One of the answers appeared to be incorrect, but I'm unsure if the duplicate answer was the correct one, as it was multiple choice and I didn't want to fail while testing it.

    One of the tests had a blank area that looks like a question was supposed to be there but wasn't entered or was removed. There were only 9 questions when it said there should be 10.

    At least one of the assignment links doesn't work. Judging from other student questions in the FAQ, this has not been rectified in over a year, or it has broken again since. I haven't submitted assignments as:
    1. The material wasn’t there
    2. I couldn’t get the software running
    3. Software I may have relied upon is not available
    4. I believe if I went through the effort of struggling past whatever issues I could, it either won’t be marked correctly or at all.

    ANJP does not appear to be available online. There are apparently similar GUID tools but this is out of date in the course material.

    I was unable to get some of the software running on my laptop. They are command-line scripts, but the help documents could not rectify the issue, and installation and setup weren't covered in the course. I was unable to ask the question in the FAQ, as the body of the area where a question should be submitted was not editable and therefore could not be submitted.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023