Windows Computer Forensics
About the course
Windows Forensics is a practical, hands-on training course designed to let you gain first-hand competence in responding to security breaches and conducting a computer forensics investigation. Using a variety of computer forensics tools and a portable forensics laboratory, you will work through a number of practical exercises and challenges and learn how best to react to incidents while collecting volatile and non-volatile evidence. You will learn how to investigate security breaches and how to analyse digital evidence that could be used internally or in a court of law. During the course you will play the role of a computer forensics professional in charge of a real-case investigation and apply the methods, techniques and tools required for a computer forensics investigation.
Who Should Attend
This course is ideally suited for:
- security auditors
- network and system administrators
- technical managers
- law enforcement personnel
- security professionals wanting to learn the core concepts of computer forensic investigations in Windows based operating systems
Prerequisites
The course is hands-on and technically focused, and is aimed at individuals who have a good knowledge of standard ethical hacking techniques and common networking protocols, and practical familiarity with the Linux and Microsoft Windows operating systems.
Duration: 3 days
Course Structure
Windows Forensics is a fully hands-on course developed around a set of real-case intrusion scenarios. The structure of the course follows the same sequence of steps that a computer forensic investigator typically carries out in a real-life investigation, from the very first response to the report-writing phase, or even presenting electronic evidence as an expert witness. Topics for this training include:
- Setting up a forensic laboratory
- Performing initial forensic response
- Acquiring system memory and other volatile evidence
- File slack, RAM slack, drive slack and unallocated space
- Hard drive imaging
- Analysing FAT12/16/32 and NTFS file systems
- Creating event timelines
- Recovering data from unallocated space
- Extracting evidence from the Windows Registry
- Parsing Windows Event Logs
- Conducting keyword searches
- Interpreting Internet History and HTTP concepts
- Writing forensic reports
- Providing expert opinion in a court of law
The hacking scenarios are the thread around which each of the above phases is addressed, as opposed to the commonly followed approach of teaching each phase and its related tools in isolation.
Laptop Requirements
A laptop is required to work through all the practical hands-on workshops. Failure to meet the requirements below may result in the participant being unable to carry out one or more of the practical workshops and thus not gaining the full benefit of the Windows Forensics course. The minimum laptop requirements are:
- x86-compatible CPU, 1.5 GHz or faster
- DVD Drive
- 1 GB RAM or more
- Ethernet adapter
- 10 GB of available hard drive space
- The system must be capable of booting from a CD
- PCMCIA, ExpressCard or USB interface (required for the external wireless card included in the Ethical Ninja hacking kit)
- VMware Player or VMware Workstation
Portable Forensic Laboratory
Each participant on the course will receive a Portable Forensic Laboratory consisting of:
- A DVD containing a Virtual Forensic Workstation (a Linux VMware appliance) preconfigured with all the tools needed to perform a forensic investigation
- A CD with a set of ready-to-use incident response tools for Windows-based operating systems
Course Outline
Intrusion Scenario
The system administrator knew something was wrong when he saw an additional account on the Windows Server he administered. As the computer forensic investigator, your task is to find out whether there was any unauthorised access, how it happened and what the extent of the damage was.
Day 1
After an introduction to the core concepts of the computer forensic methodology, you will learn how to perform live forensic response, acquiring volatile and non-volatile evidence for later analysis without damaging or altering the original data. Day 1 finishes with a fascinating section on physical memory analysis.
Day 2
Following the computer forensics methodology discussed on Day 1, you will use your forensics toolkit to analyse and investigate the evidence acquired from the compromised system. You will learn, among other things, how to use The Sleuth Kit (TSK) tools and Autopsy to create and analyse a timeline, how to parse and correlate Windows Event Logs, and how to extract valuable evidence from the Windows Registry.
Day 3
You will complete your work with the analysis of file metadata and use tools such as Wireshark and NetworkMiner to analyse network traffic captures and add valuable information to your investigation. Finally, you will use all the information gathered through your analysis to solve the case and present your findings in a forensically sound manner.
Course Breakdown
Day 1
1. Computer Forensics
1.1. Computer crime and common forensic scenarios
1.2. The investigator mindset
1.3. Dealing with digital evidence
1.4. Forensics methodology in a nutshell
1.5. Chain of custody
1.6. Legal topics for forensics analysts
1.7. Report writing
1.8. Setting up a forensic laboratory
2. Incident Response: collecting volatile and non-volatile data
2.1 Dead or alive
2.2 Live Response
2.3 Locard’s exchange principle
2.4 Collecting volatile data
2.5 System Memory Acquisition
2.6 Hard drive and media imaging
2.7 Logical vs physical disk acquisition
3. Live Data Analysis
3.1 Incident Verification
3.2 Volatile data analysis
3.3 Physical Memory Analysis
Day 2
4. Windows File System
4.1. General File System Concepts
4.2. FAT Concepts and Analysis
4.3. NTFS Concepts and Analysis
5. Disk Investigation and Analysis
5.1 Forensics Investigation Methodology
5.2 Initial Reconnaissance
5.3 Timeline Creation and Analysis
5.4 File and Directory Analysis
5.5 Parsing Windows Event Logs
5.6 Data Recovery
5.7 String Search
5.8 Advanced Registry Analysis with RegRipper
5.9 USB Devices
5.10 Email and Internet Browser Forensics
Day 3
6. File Metadata
6.1. Word, PDF and Image Files
6.2. NTFS Alternate Data Streams
7. Network Forensics
7.1 Wiretap strategies
7.2 Network capture with tcpdump
7.3 Deciphering an attack with Wireshark and NetworkMiner
8. Final Challenge
Why us?
"Our trainers are security consultants with many years of experience, highly dedicated to teaching and sharing their knowledge."
"Windows Forensics is about acquiring practical skills and competence - not just theory."
"We focus on the tools and techniques which are used in real life by computer forensics investigators."
Ismael Valenzuela
About the Author
Since founding one of the first IT security consultancies in Spain, Ismael Valenzuela has participated as a security professional in international projects across the UK, Europe, India and Australia. Ismael holds a Bachelor's degree in Computer Science and is certified in Business Administration. He also holds a number of professional certifications, including GIAC Certified Forensic Analyst, GIAC Certified Intrusion Analyst, GIAC Penetration Tester, ITIL, CISM, CISSP and IRCA ISO 27001 Lead Auditor (Bureau Veritas UK). He is also a member of the SANS GIAC Advisory Board and an international BSi instructor for ISO 27001, ISO 20000 and BS 25999 courses.
He currently works as Global IT Security Manager for a large multinational software provider and has authored a number of articles on information security, including the two-part article “My ERP got hacked, An Introduction to Computer Forensics”, recently published in Hakin9 magazine.