Module 1: Course scenario and Windows overview
• Build upon knowledge of the Windows registry by learning how to track down operating system installation upgrade history.
• Learn more about Windows recovery and how to leverage it in forensic analysis.
• Expand knowledge of local and internet accounts, combined with Windows user authentication.
• Learn more in-depth Windows topics, including Taskbar pinned apps, WER, and wireless artefacts.
Module 2: Tracking down volume serial numbers
• Interpret volume serial numbers and their importance to an investigation.
• Use volume serial numbers to track down volumes using LNK files and Windows Event Logs.
• Using volume serial numbers as search filters, learn how to track down additional volumes, including virtual machines.
Module 3: Missing files and folders
• Track down information concerning items that are not present among the available evidence sources.
• Understand Microsoft’s Program Compatibility Assistant and how to leverage the Application Compatibility Cache.
• Investigate AmCache and Shellbags.
Module 4: Investigating prefetched data
• Find out more about what Windows Prefetch is and what it does.
• Understand the forensic implications and advantages of using Prefetch information in your investigations.
• Further learn how to correlate the information using other artefacts and verify those artefacts using external tools.
Module 5: Investigating suspicious documents
• Identify and examine suspicious documents.
• Learn how to correctly interpret MRU artefacts and verify their interpretations using the registry.
• Further learn about Microsoft 365 including its unique MRU artefacts and registry locations that are better investigated manually.
• Find out how to recover previous versions of PDF documents from embedded file data and how to compare those versions to detect malicious or historical activity.
Module 6: Memory investigations
• Capture and process active memory from a running Windows computer using Magnet Forensics Comae Toolkit.
• Add new RAM evidence to an existing Axiom case and process it with Axiom Process.
• Gain further experience using Axiom Examine to apply analysis techniques to identify information of interest and artefacts pertinent to your investigation.
Module 7: Tracking down shared files
• Learn how comprehensive cross-device sharing via Microsoft Cloud services can be.
• Dive deeper into OneDrive in particular, including source evidence information locations, tracing file and folder sharing, recovering deleted OneDrive files, analysing OneDrive URLs, and determining sync status.
• Gain further insight into cloud data syncing as it pertains to Microsoft Edge, Wi-Fi profiles, and other general items.
Module 8: iOS backups in Windows
• Reinforce prior learning concerning mobile backups found on Windows systems with the focus being Apple devices.
• Learn about iOS encryption and how to use an index attack to gain access to encrypted iOS backups.
• Explore artefact results in Axiom with particular attention paid to Microsoft 365 document and Apple keychain artefacts.
Module 9: Windows encryption and passwords
• Learn more about Windows credential security and storage, focusing on user account passwords.
• Understand how to recover Windows user and BitLocker passwords and do this in practical exercises.
• Bypass application encryption for the Signal Messenger desktop app within a practical exercise.
Module 10: Investigating Google Drive
• Explore advanced knowledge and concepts pertaining to Google Drive for desktop, building on your prior learning from basic Windows forensic courses.
• Understand the difference between metadata and mirror-tracking databases and the purposes of each.
• Learn about some highly valuable forensic data, and its implications for forensic investigation, that you can look out for in future cases.
• Get opportunities for hands-on practice deriving the secrets Google Drive may hold.
Module 11: Investigating Windows backups
• Learn about Microsoft backup features for Windows with specific attention paid to File History.
• Explore user settings, access to backups, and restoration.
• Go deeper into File History internals, learning how it works and how to understand it forensically.
• Find out about additional investigative techniques and the use of Event Logs to further the investigation.
Module 12: Windows apps overview
• Get introduced to Windows apps and the Microsoft Store.
• Explore important considerations for investigating Windows apps usage and focus on three example apps—iTunes, Windows Subsystem for Linux, and Photos.
Module 13: File system logging
• Learn more about Microsoft’s New Technology File System (NTFS) logging and how to take advantage of it in your investigations.
• Understand the $ObjId/$40 attribute to identify MAC addresses and other information.
• Explore the $Secure, $UsnJrnl, and $LogFile metafiles to gather even more information about New Technology File System object owners and actions, including information from removable devices.
We are committed to staying at the forefront of innovation by continuously researching new techniques and solutions. If there's something specific you need that isn't listed on our website, please don’t hesitate to reach out—we’re here to help. We understand that important tasks often arise unexpectedly, and whenever possible, we’ll make every effort to accommodate urgent requests promptly and efficiently.
