This class will take students through multiple labs designed to teach key Windows forensics skills. Unlike other courses, students will start with the labs and learn by doing. Participants will work through several exercises in which they analyze various aspects of Microsoft Windows using computer forensics on one or more compromised systems. Each lab will start with a brief introduction followed by the lab itself. After the allotted time has passed, the techniques used to analyze the system and answer the questions will be discussed.
Sample skills used in the labs include analyzing logs, the file system, the registry, and memory. In addition to the class labs, students will be given additional labs to perform independently and at their own pace. This course is designed for participants with different Windows forensics skill levels, from beginners to experts, so there will be challenges for everyone. However, the labs chosen will be tailored to the overall skill level of the class.
IR Concepts Introduction
Process and Lifecycle
Master File Table (MFT)
Metafiles, Data Streams, and Attributes
Logging Best Practices
Useful Event IDs
Hives, Keys, Sub-Keys, and Values
System and User Hives
Acquisition and Analysis (Volatility)