DIGITAL FORENSIC FOUNDATIONS & INTERMEDIATE WINDOWS ANALYSIS – December 16 – 19, 2019
Course Overview
This four-day course is designed for the junior-level investigator/examiner or as a refresher for seasoned examiners. It provides the fundamental knowledge needed to comprehend and investigate incidents and covers in depth the architecture and functionality of the most common file systems, including NTFS, FAT16, FAT32 and exFAT. The course dives deep into the metadata associated with objects stored on any physical storage media device. Attendees will gain insight into partitioning structures and disk layouts, and into the effects that formatting and data alterations can have on volumes that contain existing data. File management and directory structure characteristics will be examined in detail, as well as techniques for recovering data and discovering potential evidence that may be pivotal to a successful examination. This will be followed by topical areas of interest including file headers, file hashing and recovery of deleted files. Finally, we will cover how to perform basic analysis of a Windows-based (Windows 8/10) operating system. This course incorporates an investigative scenario, providing hands-on experience with examination of collected evidence.
What You Will Learn:
Discuss Digital Forensic Foundations & Types of Forensic Analysis
- Outline the different types of analysis the examiner will encounter
- Discuss the challenges of each and questions that need to be asked before an examination begins
- Describe the forensic and incident response process and outline the workflow
- Discuss the role of the incident first responder
- Review best practices in evidence handling & collection (seizure)
- Discuss how to address encryption (e.g. BitLocker and FileVault systems)
- Review triage, network and live RAM capture considerations
- Review the concept of the digital fingerprint, hashing (MD5, SHA1/SHA256), and protecting the integrity of digital evidence
- Discuss workflow options, various approaches to road-blocks, and available resources for becoming a more successful digital forensic examiner
Disk Structures, Partitioning, Formatting and
- Learn data storage concepts (bits & bytes) and where data is stored (sectors and clusters)
- Describe the differences between MBR and GPT partitioned disks
- Perform hands-on exercises breaking down VBR, MBR and GPT information
- Learn how to locate and recover deleted partitions and use what you have learned to validate forensic tool disk information parsing
File Systems Deep Dive
- Break down and get an in-depth look at the functionality and structure of the FAT/FAT32/exFAT and NTFS file systems
- Dive deep into the functions of the File Allocation Table, Master File Table, Volume Boot Record, NTFS Bitmap and more
- Examine various file allocation attributes, and learn how to identify resident and non-resident files and contiguous and fragmented files
- Learn what occurs in the file systems when data is created, modified and deleted, and how to locate and carve deleted files using various allocation attributes
- Perform a number of hands-on forensic analyses of these file systems to process and recover deleted files and partitions using various forensic tools
Windows Triage & Intermediate Forensic Analysis
- A review of the forensic examination steps on current Windows-based operating systems (Windows 10 covered; 7/8 discussed)
- Learn about the key areas pertaining to user and system activity, such as the Windows registry, system events, Recycle Bin, shellbags, jump lists, and various program execution log files
- Learn how to examine these user and system areas to find more evidence and answer more questions in your examinations
- Perform hands-on exercises analyzing collected evidence (Windows-based operating system) using industry-standard tools
PRESENTED BY: SPYDER FORENSICS