Windows Forensics
BT210
Description
Windows forensics is an essential skill in the cybersecurity world. This course covers a broad spectrum of aspects of the forensic investigation process performed on Windows OS. Participants will learn how different computer components work and how to investigate after a cyber-incident. The training will focus on developing hands-on capabilities of forensics teams or individual practitioners in these areas:
- Searching the hard drive for evidence
- Processing hidden, invisible or inaccessible files that contain past-usage information
- Performing a forensic analysis on a computer to reveal usage details, recover data, and accomplish a full inspection after the machine has been defragged or formatted
How to make the most of this course?
In order to succeed in the course, the following requirements must be met:
- Participation in all practical laboratories
- Self-work at home between lessons
- Repetition of materials, self-learning, performing tasks, etc…
In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field. Participants also need:
- A personal computer suitable for running virtual machines, with an Internet connection
- Completion of the scenarios in the Cyberium Arena
Target audience
This course targets participants with basic knowledge in IT or networking who wish to have a deeper understanding of cyber investigations and the forensic process:
- Law enforcement officers & intelligence corps
- Incident responders
- Computer investigators
- IT/network administrators
Objectives
- Accessing concealed files on the system and extracting relevant information
- Mastering the steps of incident response
- Analyzing relevant case studies
Pre-requisites
Syllabus
Description
The first module will cover the different components of computer hardware. Participants will learn the main components of storage disks and the structure of the Windows OS, and finally they will install their first virtual forensics workstation.
Technical content
- Drives and Disks
o The Anatomy of a Drive
o Data Sizes
▪ Data Representation
▪ Hexadecimal
▪ ASCII
▪ Binary
o Volumes & Partitions
o Disk Partitioning and the Disk Management Tool
▪ MBR vs. GPT
▪ Understanding UEFI
▪ The HPA
o Solid State Drive (SSD) Features
- Understanding Windows OS Structure
o The Filesystem
o FAT
▪ FAT Structure
▪ File Allocation and Deletion
o NTFS
▪ NTFS Structure
▪ Volume Boot Record
▪ Master File Table
o EFS Encryption
o Windows Directory Structure
- Virtualizing a Forensics Workstation
o Setting up a Virtual Machine
o Installing and Configuring the VM
o Preparing the Environment
Description
This module will expose participants to the internal components of the Windows OS. Participants will learn about tools that will help them in the forensic investigation process.
Technical content
- Understanding Hashes and Encodings
o Hash as a Digital Signature
o The Use of Hash for Forensics
o Base Encodings
- Windows Artifacts
o Startup Files
o Jump List
o Thumbnail Cache
o Shadow Copy
o Prefetch and Temp Directories
o RecentApps
o Registry Hives
- Windows Passwords: Bypassing Windows Protection
o Encryption in the Windows OS
▪ BitLocker
▪ NTLM
▪ Kerberos
o Cracking Windows Passwords
o Cracking RAR/ZIP Passwords
- Data and File Structure
o Hexadecimal Editing Tools
▪ WinHex
▪ HxD
o File Structure
▪ Headers and Trailers
▪ Magic Numbers
o Embedded Metadata
o Working with Clusters
▪ Slack Space
▪ Unallocated and Allocated Space
Description
During this module, participants will master techniques for collecting evidence and for accessing and retrieving volatile and non-volatile information.
Technical content
- Forensic Data Carving
o Using HxD for Forensic Carving
▪ Carving Files from an Existing File
o Automatic File Carving Tools
▪ Foremost
▪ Scalpel
▪ Bulk Extractor
- Collecting Information
o Identifying Evidence of Program Execution
▪ Extracting Registry Artifacts
▪ Event Viewer
▪ The Audit Policy
▪ Windows System Metadata
o Detecting Hidden Files Using ADS
o Self-Extracting Archives (SFX)
o Collecting Network Information
▪ Network Information
▪ Network Connections
o Sysinternals Suite Forensic Tools
o Extracting Credentials Using NirSoft
- Drive Data Acquisition
o Introduction to FTK Imager
▪ Exploring System Files
▪ Creating an Image
▪ dd as an Alternative Image Capture Tool
o Capturing Volatile Memory
▪ Capturing a Memory File
▪ Capture Methods and Techniques
▪ Pagefile
▪ Hiberfil.sys
Description
In this module, participants will learn how to uncover hidden information, detect tampered files, work with memory, and analyze RAM.
Technical content
- Analyzing captured images
o Features of FTK
▪ Extracting Protected Files
▪ Mounting an Image as a Drive
▪ Volatile Memory Capturing
o MFT Dump
▪ Identifying Potential Threats
▪ Visualizing an MFT Reconstruction Using DMDE
o Analyzing Prefetch Files
o Reconstructing Explorer with ShellBags
- Working with Volatile Memory
o Extracting Data from RAM
o Identifying Network Connections
o Dumping Processes from Memory
- Registry Analysis
o Using AccessData Registry Viewer to Analyze Registry Dumps
o Finding User Information Using NTUSER.DAT and UsrClass.dat
o Using the CLI to Access the Registry
o Extracting Data from the Registry
o Forensic Findings in the Registry
- Anti-Forensics Techniques
o Wiping Drives
o Advanced Steganographic Methods
o File Obfuscation Techniques
o Data Forgery
o Drive and File Encryption
o Artifact Removal
Description
Participants will study different forensic reports prepared by investigators following past incidents and learn how to write a professional report, including which points to consider when documenting the findings of an event.
Technical content
- Introduction to report writing
o Device Identification
o Preservation of Data
o Collecting Evidence
o Examination and Analysis
o Documentation
o Evidence Presentation
o Final Guidelines
Labs
- Lab 1 Virtualizing a Forensics Workstation
- Lab 2 Understanding Hashes and Encryption
- Lab 3 Using Artifacts
- Lab 4 Understanding Windows Authentications
- Lab 5 Data and Files Structure
- Lab 6 Forensic Data Carving
- Lab 7 Collecting Windows Information
- Lab 8 Drive Data Acquisition
- Lab 9 Analyzing Captured Images
- Lab 10 Working with Volatile-Memory
- Lab 11 Registry Analysis
- Lab 12 Forensics Report
Real Case Studies
Course type
This course is delivered in the following ways:
- Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
- On-site classroom with proctored labs and scenarios executed in our Cyberium Arena
All sessions are recorded and attendees can replay them for 30 days. All course material is made available electronically to the participant.
Course Group:
Defense
Hands-on / Theory Mix
This course incorporates a high proportion of hands-on lab exercises, as well as real-life case studies.
Certification
This course prepares the participant for the following certifications:
- GCIH (SANS)
- CHFI (EC-Council)
Required Equipment
Network connection
As this course extensively uses a cloud-based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.
BYOD – Bring Your Own Device
As this is a very practical course, and in order for participants to make the most of it, they need a laptop with the following capabilities:
- Audio and Video
- 8 GB RAM
- 200 GB Disk Space
- Virtualization capabilities (supporting the latest version of VirtualBox or a similar virtual machine application)
- A good headset with microphone