FOR500.1: Digital Forensics and Advanced Data Triage

• Windows Operating System Components
  • Key Differences in Modern Windows Operating Systems
• Core Forensic Principles
  • Analysis Focus
  • Determining Your Scope
  • Creating and Investigative Plan
• Live Response and Triage-Based Acquisition Techniques
  • RAM Acquisition and Following the Order of Volatility
  • Triage-Based Forensics and Fast Forensic Acquisition
  • Encryption Detection
  • Registry and Locked File Extraction
  • Leveraging the Volume Shadow Service
  • KAPE Triage Collection
• Windows Image Mounting and Examination
• NTFS File System Overview
• Document and File Metadata
• Volume Shadow Copies
• File and Stream Carving
  • Principles of Data Carving
  • Recovering File System Metadata
  • File and Stream Carving Tools
  • Custom Carving Signatures
• Memory, Pagefile, and Unallocated Space Analysis
  • Artifact Recovery and Examination
  • Chat Application Analysis
  • Internet Explorer, Edge, Firefox, Chrome, and InPrivate Browser Recovery
  • Email and Webmail, including Yahoo, Outlook.com, and Gmail

FOR500.2: Registry Analysis, Application Execution, and Cloud Storage Forensics

• Registry Forensics In-Depth
• Registry Core
  • Hives, Keys, and Values
  • Registry Last Write Time
  • MRU Lists
  • Deleted Registry Key Recovery
  • Identify Dirty Registry Hives and Recover Missing Data
  • Rapidly Search and Timeline Multiple Registry Hives
• Profile Users and Groups
  • Discover Usernames and Relevant Security Identifiers
  • Last Login
  • Last Failed Login
  • Login Count
  • Password Policy
  • Local versus Domain Account Profiling
• Core System Information
  • Identify the Current Control Set
  • System Name and Version
  • Document the System Time Zone
  • Audit Installed Applications
  • Wireless, Wired, VPN, and Broadband Network Auditing
  • Perform Device Geolocation via Network Profiling
  • Identify System Updates and Last Shutdown Time
  • Registry-Based Malware Persistence Mechanisms
  • Identify Webcam and Microphone Usage by Illicit Applications
• User Forensic Data
  • Evidence of File Downloads
  • Office and Microsoft 365 File History Analysis
  • Windows 7, Windows 8/8.1, Windows 10/11 Search History
  • Typed Paths and Directories
  • Recent Documents
  • Search for Documents with Malicious Macros Enabled
  • Open Save/Run Dialog Evidence
  • Application Execution History via UserAssist, Prefetch, System Resource Usage Monitor (SRUM), FeatureUsage, and BAM/DAM
• Cloud Storage Forensics
  • Microsoft OneDrive
  • OneDrive Files on Demand
  • Microsoft OneDrive for Business
  • OneDrive Unified Audit Logs
  • Google Drive for Desktop
  • Google Workspace (G Suite) Logging
  • Google Protobuf Data Format
  • Dropbox
  • Dropbox Decryption
  • Dropbox Logging
  • Box Drive
  • Synchronization and Timestamps
  • Forensic Acquisition Challenges
  • User Activity Enumeration
  • Automating SQLite Database Parsing

FOR500.3: Shell Items and Removable Device Profiling

• Shell Item Forensics
  • Shortcut Files (LNK) - Evidence of File Opening
  • Windows 7-10 Jump Lists - Evidence of File Opening and Program Execution
  • ShellBag Analysis - Evidence of Folder Access
• USB and BYOD Forensic Examinations
  • Vendor/Make/Version
  • Unique Serial Number
  • Last Drive Letter
  • MountPoints2 and Drive Mapping Per User (Including Mapped Shares)
  • Volume Name and Serial Number
  • Username that Used the USB Device
  • Time of First USB Device Connection
  • Time of Last USB Device Connection
  • Time of Last USB Device Removal
  • Drive Capacity
  • Auditing BYOD Devices at Scale
  • Identify Malicious HID USB Devices

FOR500.4: Email Analysis, Windows Search, SRUM, and Event Logs

• Email Forensics
  • Evidence of User Communication
  • How Email Works
  • Email Header Examination
  • Email Authenticity
  • Determining a Sender's Geographic Location
  • Extended MAPI Headers
  • Host-Based Email Forensics
  • Exchange Recoverable Items
  • Exchange and M365 Evidence Acquisition and Mail Export
  • Exchange and M365 Compliance Search and eDiscovery
  • Unified Audit Logs in Microsoft 365
  • Google Workspace (G Suite) Logging
  • Recovering Data from Google Workspace Users
  • Web and Cloud-Based Email
  • Webmail Acquisition
  • Email Searching and Examination
  • Mobile Email Remnants
  • Business Email Compromise Investigations
• Forensicating Additional Windows OS Artifacts
  • Windows Search Index Database Forensics
  • Extensible Storage Engine (ESE) Database Recovery and Repair
  • Windows Thumbcache Analysis
  • Windows Recycle Bin Analysis (XP, Windows 7-10)
  • System Resource Usage Monitor (SRUM)
    • Connected Networks, Duration, and Bandwidth Usage
    • Applications Run and Bytes Sent/Received Per Application
    • Application Push Notifications
    • Energy Usage
• Windows Event Log Analysis
  • Event Logs that Matter to a Digital Forensic Investigator
  • EVTX and EVT Log Files
    • Track Account Usage, including RDP, Brute Force Password Attacks, and Rogue Local Account Usage
    • Prove System Time Manipulation
    • Track BYOD and External Devices
    • Microsoft Office Alert Logging
    • Geo-locate a Device via Event Logs

FOR500.5: Web Browser Forensics

• Browser Forensics
  • History
  • Cache
  • Searches
  • Downloads
  • Understanding Browser Timestamps
  • Chrome
    • Chrome File Locations
    • Correlating URLs and Visits Tables for Historical Context
    • History and Page Transition Types
    • Chrome Preferences File
    • Web Data, Shortcuts, and Network Action Predictor Databases
    • Chrome Timestamps
    • Cache Examinations
    • Download History
    • Media History
    • Web Storage, IndexDB, and the HTML5 File System
    • Chrome Session Recovery
    • Chrome Profiles Feature
    • Chromium Snapshots folder
    • Identifying Cross-Device Chrome Synchronization
  • Edge
    • Chromium Edge vs. Google Chrome
    • History, Cache, Cookies, Download History, and Session Recovery
    • Microsoft Edge Collections
    • Edge Internet Explorer Mode
    • Chrome and Edge Extensions
    • Edge Artifact Synchronization and Tracking Multiple Profiles
    • Edge HTML and the Spartan.edb Database
    • Reading List, WebNotes, Top Sites, and SweptTabs
  • Internet Explorer
    • Internet Explorer Essentials and the Browser That Will Not Die
    • WebCache.dat Database Examination
    • Internet Explorer and Local File Access
  • Electron Applications and Chat Client Forensics
    • Electron Application Structure
    • Electron Chromium Cache
    • LevelDB Structure and Tools
    • Manual Parsing of LevelDB
    • Specialized LevelDB parsers
  • Firefox
    • Firefox Artifact Locations
      • SQLite Files and Firefox Quantum Updates
  • Download History
    • Firefox Cache2 Examinations
    • Detailed Visit Type Data
    • Form History
      • Session Recovery
    • Firefox Extensions
    • Firefox Cross-Device Synchronization
  • Private Browsing and Browser Artifact Recovery
    • Chrome, Edge, and Firefox Private Browsing
    • Investigating the Tor Browser
    • Identifying Selective Database Deletion
  • SQLite and ESE Database Carving and Examination of Additional Browser Artifacts
    • DOM and Web Storage Objects
    • Rebuilding Cached Web Pages
    • Browser Ancestry
    • Capturing Stored Browser Credentials

FOR500.6: Windows Forensics Challenge

• Digital Forensics Capstone
  • Analysis
    • Process and Triage a New Full Set of Evidence
    • Find Critical Evidence Following the Evidence Analysis Methods Discussed Throughout the Week
    • Examine Memory, Registry, Chat, Browser, Recovered Files, Synchronized Artifacts, Installed Malware, and More
  • Reporting
    • Build an Investigative Timeline
    • Answer Critical Investigative Questions with Factual Evidence
    • Practice Executive Summary and Report Generation
    • Present Technical Case Findings

 

 

• آشنایی با سیستم عامل ویندوز • آشنایی با شبکه های کامپیوتری • آشنایی با اصول اولیه و پایه امنیت