Course Modules
Module 1: Course scenario and Windows overview
- Build upon knowledge of the Windows registry by learning how to track down operating system installation upgrade history.
- Learn more about Windows recovery and how to leverage it in forensic analysis.
- Expand knowledge of local and internet accounts, combined with Windows user authentication.
- Learn more in-depth Windows topics, including Taskbar pinned apps, WER, and wireless artifacts.
Module 2: Tracking down volume serial numbers
- Interpret volume serial numbers and their importance to an investigation.
- Use volume serial numbers to track down volumes using LNK files and Windows Event Logs.
- Using volume serial numbers as filter searches, learn how to track down additional volumes including virtual machines.
Module 3: Missing files and folders
- Track down information concerning items that are not present among the available evidence sources.
- Understand Microsoft’s Program Compatibility Assistant and how to leverage the Application Compatibility Cache.
- Investigate AmCache and Shellbags.
Module 4: Investigating prefetched data
- Find out more about what Windows Prefetch is and what it does.
- Understand the forensic implications and advantages of using Prefetch information in your investigations.
- Further learn how to correlate the information using other artifacts and verify those artifacts using external tools.
Module 5: Investigating suspicious documents
- Identify and examine suspicious documents.
- Learn how to correctly interpret MRU artifacts and verify their interpretations using the registry.
- Further learn about Microsoft 365 including its unique MRU artifacts and registry locations that are better investigated manually.
- Find out how to recover previous versions of PDF documents from embedded file data and how to compare those versions to detect malicious or historical activity.
Module 6: Memory investigations
- Capture and process active memory from a running Windows computer using Magnet Forensics Comae Toolkit.
- Add new RAM evidence to an existing Axiom case and process it with Axiom Process.
- Gain further experience using Axiom Examine to apply analysis techniques to identify information of interest and artifacts pertinent to your investigation.
Module 7: Tracking down shared files
- Learn how comprehensive cross-device sharing via Microsoft Cloud services can be.
- Dive deeper into OneDrive in particular, including source evidence information locations, tracing file and folder sharing, recovering deleted OneDrive files, analyzing OneDrive URLs, and determining sync status.
- Gain further insight into cloud data syncing as it pertains to Microsoft Edge, Wi-Fi profiles, and other general items.
Module 8: iOS backups in Windows
- Reinforce prior learning concerning mobile backups found on Windows systems with the focus being Apple devices.
- Learn about iOS encryption and how to use an index attack to gain access to encrypted iOS backups.
- Explore artifact results in Axiom with particular attention paid to Microsoft 365 document and Apple keychain artifacts.
Module 9: Windows encryption and passwords
- Learn more about Windows credential security and storage, focusing on user account passwords.
- Understand how to recover Windows user and BitLocker passwords and do this in practical exercises.
- Bypass application encryption for the Signal Messenger desktop app within a practical exercise.
Module 10: Investigating Google Drive
- Explore advanced knowledge and concepts pertaining to Google Drive for desktop, building on your prior learning from basic Windows forensic courses.
- Understand the difference between metadata and mirror-tracking databases and the purposes of each.
- Learn about some highly valuable forensic data sources, their implications for forensic investigation, and how to look out for them in future cases.
- Get opportunities for hands-on practice deriving the secrets Google Drive may hold.
Module 11: Investigating Windows backups
- Learn about Microsoft backup features for Windows with specific attention paid to File History.
- Explore user settings, access to backups, and restoration.
- Go deeper into File History internals, learning how it works and how to understand it forensically.
- Find out about additional investigative techniques and the use of Event Logs to further the investigation.
Module 12: Windows apps overview
- Get introduced to Windows apps and the Microsoft Store.
- Explore important considerations for investigating Windows apps usage and focus on three example apps—iTunes, Windows Subsystem for Linux, and Photos.
Module 13: File system logging
- Learn more about Microsoft’s New Technology File System logging and how to take advantage of it in your investigations.
- Understand the $ObjId/$40 attribute to identify MAC addresses and other information.
- Explore the $Secure, $UsnJrnl, and $LogFile metafiles to gather even more information about New Technology File System object owners and actions, including information from removable devices.