PowerShell gives system administrators extensive access to the Windows operating system internals. Digital forensic professionals will find that PowerShell reveals many items of evidentiary value and a wealth of digital artifacts located within an operating system, including how system tools and applications are used as well as user access. Moreover, PowerShell contains a robust scripting component that can be extended to other operating systems, including both client-side and network operating systems. This course provides digital forensic examiners with a forensically sound method for conducting digital forensic investigations for both static and live acquisitions. Journey with the instructor as you test and validate PowerShell, using real-world case examples, as a forensically sound tool that will stand up in a court proceeding, providing and reporting evidence that is admissible and defensible. At the completion of this course you will be able to use PowerShell at an advanced level, both for onsite live data acquisition and for analysis and reporting at a forensic laboratory.
This course is for anyone interested in computer forensics using PowerShell to conduct static and live acquisition and analysis, or computer forensic examiners looking for more detail in using PowerShell at an advanced level including scripting languages applicable across other operating systems, including networking ones. Digital forensic professionals intrigued by using a formal testing and validation process to certify PowerShell as a forensically sound tool are also suitable candidates.
Being an expert on a subject means total mastery over that subject. If you want to be an expert and credible witness in computer forensic acquisition and analysis, using advanced tools for both traditional digital forensics and live data acquisition that ensure effective, admissible, and defensible evidence, then you should take this course now. This course offers a cost-effective way to gain skills and knowledge in using a system administration tool that includes scripting, while at the same time enhancing your credentials. By taking this course you will be able to conduct live forensic investigations in a timely and cost-effective manner, leading to faster case resolution and maximizing how you use your organization’s resources to bring a case to its conclusion from start to finish.
PowerShell has many uses in digital forensic investigations, especially when conducting live forensics. Live forensics is a relatively new field in digital forensic investigations and is important when there is a threat of potential loss of evidence due to imminent system changes such as power loss, passwords or device locks, and remote wipes. This applies equally to dead-box forensics on hard disk drives and to mobile devices. It is also important to use tools in a traditional way, such as with static acquisitions when transporting systems back to the forensic lab. Knowing PowerShell intimately provides a tested and valid tool that addresses both static and live acquisition and analysis. By taking this course you will become an expert in using a system tool, and you will learn scripting that adds to your repertoire of digital forensic tools and to your expertise and credibility as a digital forensic investigator and examiner. You will also gain the knowledge and skills necessary to explain PowerShell as a digital forensic tool to the layperson, to locate relevant evidence using regular expressions in searches with a variety of tools, and to pinpoint relevant evidence in your reports to legal professionals and juries in a court proceeding.
PowerShell is the main tool that you will use in this course. In order to facilitate integration with other tools, and for reporting purposes, you will use various text editors, Visual Studio Code, and other operating systems including networking ones and a Linux shell interface. These tools will give you direct hands-on experience conducting static and live acquisitions, searching for items of evidentiary value, analysis, and reporting.
What skills will you gain?
- Navigate and explore Windows OS system files
- Launch PowerShell as administrator
- Run PowerShell Cmdlets
- Use text editors to create PowerShell Scripts
- Use Visual Studio Code to create and test PowerShell Scripts
- Run PowerShell remotely
- Access the help feature in PowerShell
- Apply the .NET Framework to the PowerShell environment
- Perform administrative tasks
- Complete common forensic tasks with PowerShell
- Execute advanced scripts using programming language concepts
- Define a script policy
- Sign a PowerShell script
- Create a PowerShell advanced function
- Create a PowerShell Desired State Configuration Script
- Use PowerShell in a network environment
- Use PowerShell for extractions and hashing
- Use PowerShell for imaging
- Use PowerShell to extract contents from RAM
- Export PowerShell Cmdlet and Script output to files for presentation in a court proceeding
- Use scripting to locate items of evidentiary value using regular expressions
- Conduct triage using PowerShell
- Test and validate PowerShell as a forensically sound tool
- Apply PowerShell scripts to actual digital forensic case examples
- Integrate PowerShell and scripting languages with other forensically sound tools, such as EnCase and FTK
What will you learn about?
You will examine the forensic process as it applies to advanced scripting tools using PowerShell. In the process, you will gain expertise in using PowerShell and a scripting language. This entails testing and validating PowerShell as a sound digital forensic tool that can be used in any forensic investigation through all of its stages. As an added bonus, you will obtain the knowledge and skills to test and validate any forensic tool, a method you can apply to other open-source tools that you currently use or that come onto the market. Finally, you will work with common and relevant case examples where PowerShell can be used.
Course general information:
DURATION: 18 hours
CPE POINTS: On completion you get a certificate granting you 18 CPE points.
COMPLETE, SELF-PACED, PRERECORDED
- Accessible even after you finish the course
- No preset deadlines
- Materials are video, labs, and text
Windows 10 computer with access to the Internet. The computer should meet the recommended requirements for running Windows 10.
This course is designed for intermediate to advanced users familiar with operating system internal components, system tools and what scripting is. Advanced Scripting will be covered as well as programming language concepts. The student should be able to research and download various scripts and scripting development environments including Visual Studio Code. Basic text editor understanding and familiarization with the digital forensic process will facilitate course comprehension.
YOUR INSTRUCTOR: David J Tatum
David has taught computer network systems for over twenty years and digital forensics for the last ten years. Prior to teaching, David worked as a senior technical support engineer supporting a wide variety of hardware and software platforms. David recently started his own business that includes teaching computer networking and specializing in computer forensic imaging and data recovery. His interests include 3D printing and video game design. In his spare time, David enjoys reading, hiking, and trips to the beach.
Before the course
Evidence preservation and maintaining a chain of custody are important factors in the forensic process. The Forensics Process is listed below. Students interested in advancing their skills using PowerShell and scripting should be familiar with the forensic process as well as the types of evidence found in computer-related crimes. Knowledge of system administrative tools will facilitate integrating PowerShell with the operating system. In module 0, some background reading materials will be provided.
PowerShell in Digital Forensics
- The .NET Framework (Knowledge)
- Working with Scripts and Cmdlets (Knowledge and Skill)
- Forensic cases suited for using PowerShell (Knowledge)
- Creating your own scripts (Knowledge and Skill)
- Advanced functions (Knowledge and Skill)
- PowerShell Desired State Configuration (Knowledge and Skill)
- Integrating PowerShell with other tools (Knowledge and Skill)
- The .NET Framework – This exercise presents information on the .NET Framework and how it fits into PowerShell and forensic investigations.
- Scripts and Cmdlets – This exercise begins intermediate applications on using scripts and Cmdlets. Students complete a simulation using Cmdlets in scripts.
- Digital Forensic Cases – This exercise identifies several digital forensic cases that are suited for using PowerShell and Scripting.
- Creating Scripts – This exercise explores real world digital forensic cases suited for using PowerShell and Scripting. Students complete a simulation on using corresponding scripts to match relevant digital forensic cases.
- Advanced Functions – This exercise presents knowledge and skills regarding PowerShell advanced functions. Students complete a simulation on using a PowerShell advanced function.
- Desired State Configuration – This exercise presents information on desired state configuration and its relationship to PowerShell, scripting, and the digital forensic process.
- Integrating with other Tools – This exercise presents several applications where PowerShell can be integrated. Students complete a simulation on integrating PowerShell with other tools.
- Module Knowledge Check
- Installed software (Knowledge and Skill)
- Applications running in memory (Knowledge and Skill)
- Services (Knowledge and Skill)
- Logged on User (Knowledge and Skill)
- Network Activity (Knowledge and Skill)
- Running Processes (Knowledge and Skill)
- File Hashing (Knowledge and Skill)
- Imaging (Knowledge and Skill)
- Extending Scripting to Network Operating Systems (Knowledge and Skill)
- Installed Software – This exercise explores installed applications on a suspect computer. Students complete a simulation on writing and running a PowerShell script to view installed software.
- Running Applications – This exercise explores running applications on a suspect computer. Students complete a simulation on writing and running a PowerShell script to view running applications in memory.
- Services – This exercise explores services on a suspect computer. Students complete a simulation on writing and running a PowerShell script to view services running in memory.
- User Accounts – This exercise explores the last logged-on user on a suspect computer. Students complete a simulation on writing and running a PowerShell script to view logged-on users.
- Network Activity – This exercise explores network activity on a suspect computer. Students complete a simulation on writing and running a PowerShell script to view network activity.
- Running Processes – This exercise explores running processes on a suspect computer. Students complete a simulation on writing and running a PowerShell script to view running processes.
- Hashing – This exercise presents information on file hashing. Students complete a simulation on performing a file hash.
- Imaging – This exercise presents information on digital forensic imaging. Students complete a simulation on conducting a forensic image using PowerShell.
- Scripting in Networks – This exercise explains scripting in a network operating system.
- Module Knowledge Check
Using PowerShell for Live Analysis
- Benefits and Considerations (Knowledge)
- Case Studies (Knowledge)
- Live Analysis (Skill)
- Legal Ramifications (Knowledge)
- Benefits and Considerations – This exercise presents the benefits and other issues that will affect a digital forensic investigation using PowerShell in a live analysis.
- Case Studies – This exercise presents several case studies on using PowerShell for Live Analysis.
- Live Analysis – This exercise presents a simulation on conducting a real-world live analysis using PowerShell.
- Legal Ramifications – This exercise presents legal issues and ramifications on using PowerShell for Live Analysis.
- Module Knowledge Check
Testing and Validation
- Testing and Validation Methods (Knowledge)
- Keeping Data Unaltered (Knowledge and Skill Using)
- Imaging and Hashing Confirmation (Knowledge and Skill Using)
- Certifying PowerShell and Scripting (Knowledge and Skill Using)
- Real World Relevant Case Example (Knowledge)
- Methods – This exercise identifies sound forensic methods and tools that have been tested and validated. Students apply proven testing and validation methods to the forensic process.
- Data Integrity – This exercise tests and validates PowerShell’s ability to maintain data integrity.
- Preservation – This exercise tests and validates PowerShell’s ability to preserve evidence with hashing and imaging functions.
- Certifying – This exercise presents an argument that will certify that PowerShell has been tested and validated as a sound forensic tool.
- Real World Case – This exercise presents a real-world case in which PowerShell was used in the forensic investigation and that will hold up in a court proceeding.
- Module Knowledge Check
Multiple choice and short answer. Between 70 and 90 questions.
Suggested Final Exam Time: 90 minutes
If you have any questions, please contact us at [email protected].