DF – WAA : Windows® 10 Advanced Analysis

Course Information

The Advanced Windows Forensics training is a four-day course that will introduce the participant to the many forensically relevant artifacts on a Microsoft 10 Windows system.

Students will learn to use various applications and utilities to successfully identify, process, understand and document numerous Windows artifacts that are vitally important to forensic investigations. The participant will also gain knowledge on how to process Edge browser history, cookies, temp files InPrivate browsing challenges and analysis, BitLocker encryption and other Windows 10 specific artifacts. The course includes gaining an in depth look into jump Lists, and prefetch files and how they relate to forensic investigations.

Students will use a variety of open source and leading forensic applications to examine key artifacts through multiple hands on labs and student practical’s.

Course Outline

Windows 10® Artifact Overview

• Examine the version characteristics between Windows 10 Operating systems
• Explore the challenges the recent update has presented to the forensic examiner

BitLocker Encryption

• Learn how BitLocker encryption functions
• Explore System Volume BitLocker implementation and metadata artifacts
• Discuss BitLocker To Go on data volumes and USB devices
• Learn of examination techniques of a BitLocked volume.

Exercises in Examination Workflows

• Define the forensic importance of Windows® Registry artifacts
• Examine a Registry block structure
• Workflow Exercises

o User Account Examination
o Hardware tracking
o User Activity analysis
o Application Usage

Windows® Shortcuts

• Overview of Windows® Shortcuts
• Deep dive into Jump List Analysis
• Learn of the correction between the Distributed Link Tracking Service and Windows® link files

o Learn of the intricate link with the NT File System.

• Explore the structure of Jump List data files
• Examine effects of destructive processes on jump lists
• Learn of File System artifacts associated with user activity on host files and link file creation.

Windows® Timeline

• Learn of the new Timeline feature introduced with Windows® 10 – 1803
• Review the backend storage locations of application data
• Gain knowledge on how SQLite databases function
• Explore artifacts stored in the backend SQLite database
• Compare local account storage configurations Vs. OneDrive and SharePoint accounts
• Examine the SQL database tables to identify file usage across multiple devices

Windows® 10 Notifications

• Learn of the Action Centre functionality
• Review the backend storage locations the Notifications database
• Explore artifacts stored in the backend SQLite database
• Write SQL queries to present data in a clearer forma
• Describe the correlation between displayed images on live tiles and backend storage

Photo’s Application Artifacts

• Review the Photo’s application from a user perspective
• Identify storage locations of cached data
• Identify recently viewed files
• Examine the TimeLine Cache data file and its implications
• Learn of key artifacts identified within the SQL database.

o Geo Location
o Folder identification
o Date and Times of interactions
o Camera metadata

Cortana Integration

• Learn of Microsoft digital assistant
• Identify storage location of hosted data
• Identify key folder locations of collected data
• Review data stored in txt, cfg, ttl and JSON structured files pertaining to Cortana’s collection phases
• Discuss cloud integration and synchronization processes.

Edge Browser Forensics

• Review the Edge Browser application
• Locate key folders of interested within the user profile
• Identify cached data from untrusted and trusted sites
• Learn of Edge Recovery stores and processing techniques
• Explore InPrivate browsing and learn of recoverable artifacts
• Learn of the new data storage files and their interpretation
• Extensive hands on processing techniques.

OneDrive – Cloud Synchronization

• Review the function of the OneDrive processes
• Locate key folders of interest
• Identify the locations of user files
• Explore the many artifacts located in the Synchronization logs
• Learn how to interoperate user settings
• Learn interpretation of stored settings files
• Discover Office 365 cloud integration
• Use the registry to locate recent file interaction
• Interpret stored data in the subkeys
• Introduction to Office 365 synchronized data.

Who Should Attend

Course Type: Advanced

Course Pre-Requisites

To get the most out of this class, you should:

• Have 6 months experience of forensic examinations
• Be familiar with Windows Operating systems.

Instructors

TBC

Course Duration / Dates

Duration (Days): 4


Please register your interest for the courses & we will inform you of the next intake.



We will update as soon as the course schedule is confirmed.

Meanwhile, please Register your interest to receive the most updated news:

Course Fees

Tuition Fees: USD2995.00 or SGD4345.00