From this eBook you will learn how to recover, analyze and validate forensic data on Windows systems. You will also learn how to track detailed user activity on your network and how to organize the findings for use in incident management, internal investigations and civil/criminal litigation. You will have a chance to use your new knowledge to validate security tools, improve vulnerability assessments, identify threats, trace hackers, and improve security policies.
Windows forensic analysis focuses on building deep digital forensics expertise in Microsoft windows operating systems. You can’t protect what you don’t understand. Understanding of forensic capacity and artifacts is crucial part of information security. In this online course you learn how to recover, analyze and validate forensic data on Windows systems. You will also learn how to track detailed user activity on your network and how to organize the findings for use in incident management, internal investigations and civil/criminal litigation. You will have a chance to use your new knowledge to validate security tools, improve vulnerability assessments, identify threats, trace hackers, and improve security policies.
Proper analysis requires accurate information for students to explore. Students will finish this course armed with the latest tools and techniques and ready to explore even the most complex systems that they may encounter.
You will learn:
- How to perform Windows forensics by using core techniques focused on Windows environment;
- How to use forensic tools to analyze and investigate every action the suspect had done;
- Uncover the exact time a specific user last executed a program through registry and Windows artifact analysis and understand how such information was used for an illegal act;
- Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), e-mail analysis, and Windows Registry parsing;
- Identify keywords searched by a specific user on a Windows system in order to pinpoint the files and information that the suspect was interested in finding and accomplish detailed damage assessments;
- Determine each time a unique and specific USB device was attached to the Windows system, the files and folders that were accessed on it, and who plugged it in by parsing Windows artifacts such as the Registry and log files;
- Learn event log analysis techniques and use them to determine when and how users logged into a Windows system;
- Use browser forensic tools to perform detailed Web browser analysis;
- Windows password analysis from digital forensics point of view;
You should know:
Basics of MS Windows Operating System.
Basics of digital forensics.
Basics of IT and Information Security terms and technologies.
TABLE OF CONTENTS:
Module 1: Collecting volatile and non-volatile information
Tutorial 1: Volatile information, system time, logged-on users, opened files, network information, network connections.
Tutorial 2: Processes information, process-to-port mapping, process memory, network status, other important volatile information.
Tutorial 3: Non-volatile information, examination of file system, registry setting, Microsoft Secure ID, event logs, index.dat, file, devices and other information, slack space, virtual memory, swap file, Windows search index.
Exercise 1: Collecting hidden partition information, hidden ADS stream and other non-volatile information.
Exercise 2: Case study: Terrorist Attack.
Module 2: Windows memory analysis and Windows Registry analysis
Tutorial 1: memory dump, eProcess structure, process creation mechanism, parsing memory contents. parsing process memory.
Tutorial 2: Extracting the process image, collecting process memory, registry inside, registry structure, registry as a log file, registry analysis, system information, time zone information, shares, audit policy, wireless SSID’s, auto-start locations, system boot.
Tutorial 3: User login, user activity, enumerating auto-start registry locations, USB removable storage devices, mounted devices, finding users, tracking user activity, UserAssist keys, MRU lists, search assistant, connecting to other systems.
Exercise 1: Extracting information about loaded processes using Process Explorer.
Exercise 2: Analyzing restore point registry settings and determining the startup locations.
Module 3: Cache, cookie, history analysis and MD5 calculation
- Tutorial 1: Cache, cookie and history analysis in Internet Explorer, Firefox and Chrome.
Tutorial 2: Analysis using: IECookiesView, IECacheView, IEHistoryView, MozillaCookiesView, MozillaCacheView, MozillaHistoryView, ChromeCookiesView, ChromeCacheView and the ChromeHistoryView.
Tutorial 3: Message digest function, importance of MD5 calculation, MD5 hash calculators, MD5 check sum verifiers, MD5 generators.
- Exercise 1: Forensic Challenge: Banking Trouble-I.
- Exercise 2: Forensic Challenge: Banking Trouble-II.
Module 4: Windows file analysis and metadata investigation
Tutorial 1: Recycle Bin, System Restore Points, pre-fetch files, shortcut files, word documents, PDF documents, image files, file signature analysis, NTFS alternate data streams, executable file analysis, documentation before analysis.
Tutorial 2: Static analysis process, search strings, PE Header analysis, Import Table analysis, Export Table analysis, dynamic analysis process, test environment creation, information collection and testing.
Tutorial 3: Metadata, metadata types, metadata in different file systems, metadata in pdf and word files.
- Exercise 1: Forensic Challenge.
- Exercise 2: Investigating Metadata using Metadata Analyzer.
Module 5: Text based logs, audit events and forensics of event logs
Tutorial 1: Understanding events, event logon types, event record structure, Windows event logs, IIS logs, parsing IIS logs, parsing FTP logs, FTP sc-status, Parsing, DHCP server logs.
Tutorial 2: Parsing Windows firewall logs, Microsoft log parser, evaluating account management events, audit policy change events, system log entries and application log entries.
Tutorial 3: Searching with event viewer, examination of Windows event log files and Window log file internals.
- Exercise 1: Viewing, monitoring and analyzing event using the Event Log Explorer Tool.
- Exercise 2: Case Study: Brutal Murder.
Module 6: Windows password issues and forensic tools
Tutorial 1: Windows password storage, cracking Windows passwords, exploring Windows authentication mechanisms, sniffing and cracking Windows authentication exchanges, cracking offline passwords.
Tutorial 2: X-Ways forensics, X-Ways Trace, Windows Forensics Toolchest, Sigverif, COFEE, System Explorer, System Scanner, SecretExplorer, Registry Viewer, Regscanner, Alien Registry Viewer, MultiMon, CurrProcess, Process Explorer.
Tutorial 3: Security Task Manager, PrcView, ProcHeap Viewer, Memory Viewer, PMDump, Word Extractor, Belkasoft Evidence Center, Belkasoft Browser Analyzer, Metadata Assistant, HstEx , Xpolog Center Suit, LogViewer Pro, Event log Explorer, Log Meister, Prodiscover Forensics, PyFlag, Live Wire Investigator, Tumbs Display, DriveLook.
- Exercise 1: Discovering and Extracting hidden forensic material on computer using OSForensics Tool.
- Exercise 2: Perform computer forensics investigation using Helix Tool.