Overview

This advanced 4 day course will provide you with the knowledge and skills to capture and process data from 'live' systems and an awareness of the latest guidelines and artefacts available on current Windows operating systems to enable you to conduct an efficient and comprehensive analysis.

Computer forensics is constantly evolving due to the introduction of new technologies​ and systems now running 24/7/365. Initially focussing on data collection, ​you will learn how to capture volatile and stored data from a system in a 'live' and 'booted' state to acquiring remote and virtualised systems. This is then extended to the capture of mailboxes from a Microsoft Exchange Server and web-mail accounts.

Using captured data the course will then follow a realistic data / IP theft scenario to demonstrate a range of forensic tools, scripts and techniques to build a picture of a chain of events. You will identify data from the Windows domain controller, network files shares and FTP logs before moving to more conventional analysis of a forensic image of a workstation. This, in detailed examination, will show artefacts stored in system files linked with individual user activity and will reveal data from Windows Volume Shadow Copies.

File systems underlie data storage, therefore understanding how they work and the data they store can reveal a whole lot more than many forensic tools show. Delegates will explore several less familiar artefacts including the NTFS journal in order to reveal that potential 'smoking gun'.

Prerequisites

Principles & general guidelines surrounding forensic investigations
Experience of carrying out forensic investigations and incident response plans
A basic computer forensic course e.g. the CFIP course

Who Should Attend?

Primarily aimed at practising forensic investigators and digital security practitioners who have computer forensic experience and wish to dig deeper and broaden their skills.
A natural progression from the supplier's CFIP course.

Outline

  • Incidents & Investigations - What are and why? Incident Response Plans
  • Investigation Process - Best practice, phases of an investigation
  • Data Theft - How can data be stolen and this investigated?
  • Data Acquisition - Environments, methods, types and associated problems
  • File Systems Revisited - Understanding FAT and NTFS data structures
  • Servers and Data Storage - Disk technologies and RAID's
  • Volatile Date - Memory and volatile data collection from 'live' systems
  • Data Collection - Windows Domains - Extracting system and user information from a Windows Domain Controller
  • Data Collection - Other Sources - Mail Servers, web-mail, web-sites, Facebook, Linux & Mac's
  • Tracing System Activity - The Windows Registry, Event Logs and connected Devices
  • Tracing User Activity - Prefetch, Link files, Shellbags and more…
  • Log File Analysis - IIS & FTP logs and filtering using Cygwin
  • Databases - Analysing SQLite and Firefox browser artefacts
  • Volume Shadow Copies - Examination 3 ways
  • NTFS Journals - Understanding their content and forensic value in specific investigations
  • Data Deletion and Wiping - How to remove data from a system
  • Testing Software - A practical approach to investigating artefacts associated with unfamiliar software
  • Malware Investigation - A high level methodology