Windows forensic analysis focuses on building deep digital forensics expertise in Microsoft Windows operating systems. You can’t protect what you don’t understand, and understanding forensic capability and Windows artifacts is a crucial part of information security. In this online course you will learn how to recover, analyze and validate forensic data on Windows systems. You will also learn how to track detailed user activity on your network and how to organize the findings for use in incident management, internal investigations and civil/criminal litigation. You will have a chance to use your new knowledge to validate security tools, improve vulnerability assessments, identify threats, trace attackers, and improve security policies.
Proper analysis requires accurate information for students to explore. Students will finish this course armed with the latest tools and techniques and ready to examine even the most complex systems they may encounter.
You will learn:
How to perform Windows forensics using core techniques focused on the Windows environment;
How to use forensic tools to analyze and investigate every action a suspect performed;
How to uncover the exact time a specific user last executed a program through Registry and Windows artifact analysis, and understand how such information can be used as evidence of an illegal act;
How to determine the number of times files have been opened by a suspect through browser forensics, shortcut file (LNK) analysis, e-mail analysis, and Windows Registry parsing;
How to identify keywords searched by a specific user on a Windows system in order to pinpoint the files and information the suspect was interested in finding, and to produce detailed damage assessments;
How to determine each time a unique, specific USB device was attached to the Windows system, the files and folders that were accessed on it, and who plugged it in, by parsing Windows artifacts such as the Registry and log files;
Event log analysis techniques, and how to use them to determine when and how users logged into a Windows system;
How to use browser forensic tools to perform detailed web browser analysis;
Windows password analysis from a digital forensics point of view.
You should know:
Basics of MS Windows Operating System.
Basics of digital forensics.
Basics of IT and Information Security terms and technologies.
Who should join:
This course offers the skill set for performing in-depth Windows digital forensic investigations. It helps to solve Windows data breach and intrusion cases and provides the knowledge you need to become a subject matter expert in performing digital forensics on Windows-based operating systems. It helps in investigating how a suspect used the system, who they communicated with, and the files they downloaded, modified or deleted. It will be very helpful to anyone with a background in information technology, information systems, information security or computers.
Specifically, people in the following industries will benefit greatly:
IT and Information Security Professionals.
Incident Response Team Members.
Information Security Analysts.
Students with an IT or Information Security background.
Anyone who wants to understand Windows forensics.
Muhammad Irfan is a forensic professional with working experience in several domains of IT and Information Security, including Digital Forensics, Penetration Testing and Vulnerability Assessment, IT and Information System Auditing, SIEM Deployment, Network Administration, Windows/Linux System Administration, Virtual Infrastructure Administration and Data Center Operations.
He holds a Master’s Degree in Information Security and has passed several certifications: CISA, CHFI, CEH, VCP, MCSE, RHCE, CCNA and CCNA Security. He has a can-do attitude towards work, a high technical aptitude, a commitment to his work and the ability to thrive in a challenging environment. He can effectively contribute to the successful and profitable operation of an organization.
Module 1: Collecting volatile and non-volatile information
Tutorial 1: Volatile information, system time, logged-on users, open files, network information, network connections.
Tutorial 2: Process information, process-to-port mapping, process memory, network status, other important volatile information.
Tutorial 3: Non-volatile information, examination of the file system, Registry settings, Microsoft Security ID (SID), event logs, the index.dat file, devices and other information, slack space, virtual memory, swap file, Windows search index.
Exercise 1: Collecting hidden partition information, hidden ADS (alternate data stream) data and other non-volatile information.
Exercise 2: Case study: Terrorist Attack.
Module 2: Windows memory analysis and Windows Registry analysis
Tutorial 1: Memory dumps, the EPROCESS structure, the process creation mechanism, parsing memory contents, parsing process memory.
Tutorial 2: Extracting the process image, collecting process memory, inside the Registry, Registry structure, the Registry as a log file, Registry analysis, system information, time zone information, shares, audit policy, wireless SSIDs, auto-start locations, system boot.
Tutorial 3: User login, user activity, enumerating auto-start Registry locations, USB removable storage devices, mounted devices, finding users, tracking user activity, UserAssist keys, MRU lists, search assistant, connecting to other systems.
Exercise 1: Extracting information about loaded processes using Process Explorer.
Exercise 2: Analyzing restore point registry settings and determining the startup locations.
Module 3: Cache, cookie, history analysis and MD5 calculation
Tutorial 1: Cache, cookie and history analysis in Internet Explorer, Firefox and Chrome.
Tutorial 2: Analysis using IECookiesView, IECacheView, IEHistoryView, MozillaCookiesView, MozillaCacheView, MozillaHistoryView, ChromeCookiesView, ChromeCacheView and ChromeHistoryView.
Tutorial 3: Message digest functions, the importance of MD5 calculation, MD5 hash calculators, MD5 checksum verifiers, MD5 generators.