Windows Forensics

These seminars bring our extensive knowledge of Windows internals and security to the cyber-forensics field.

ID Title Level, etc Summary
FOR111 Data Storage and Recovery Methods Basic
2 days with labs
Cyber Forensics

This seminar covers how data is physically stored in a computer system, and provides detailed information on RAM, ROM, Flash, CD, DVD, Hybrid Hard Disks, and Blu-Ray.  Learn about the recovery potential from a variety of storage devices.

FOR130 Survey of Malware Types Basic
1 day lecture onlyCyber Forensics

Most recent malware is used for financial or political gain, and although often referred to as "viruses," the attack and propagation methods are very different from true viruses. This course is an overview of the types of malware, how malware is categorized, and how each type of malware attacks a Windows system. This allows the forensic investigator to identify malware used in criminal attacks.

FOR202 Malware Internals Intermediate
2 days with labs
Cyber Forensics

How does malware work? How do you trace where malware came from? In order to defeat your enemy, you must understand your enemy. This course covers the various types of malware and how it typically operates in a Windows system. 

FOR205 Windows Internals for Forensics Intermediate
5 days with labs
Cyber Forensics

All modern malware works within the operating system, not only by exploiting weaknesses but also by using features that are there for everyday use. It is therefore impossible to understand how malware works without a deep understanding of the operating system it targets. This seminar provides detailed information on how Windows works internally, with special focus on common malware attack methods. It includes coverage of Windows’ most recent security features, most of them specifically added to combat malware.  

FOR206 Windows Cryptography Intermediate
2 days with labs
Cyber Forensics

Encryption is being used more and more in legitimate business, as well as within criminal enterprises. Learn about the types of encryption available in Windows, the weaknesses, and what it takes to either decrypt files that have been encrypted or to defeat the encryption by other means. Includes the detection of hidden volumes as implemented by, for example, TrueCrypt. 

FOR207 BitLocker Operation and Internals Intermediate
1 day with labs
Cyber Forensics

BitLocker is being used more and more to protect the contents of disks from loss and theft. Unfortunately, it is also being used by cybercriminals to hide their activities from law enforcement. This course describes the internal operation of BitLocker, and how  law enforcement can defeat it in some cases. 

FOR209 Virtual Machines Intermediate
1 day with labs
Cyber Forensics

Virtual machines are useful for many purposes in computing, but they can also be used to hide evidence of user activity on a computer system. Cybercriminals are using virtual machines because it is apparently easy to remove all trace of their activities just by deleting a single file. This seminar describes virtual machines, their methods of operation, how they are used to hide user activity, and how to detect their use. It also describes how to use virtual machines for malware analysis and other aspects of cyber forensics. 

FOR220 Windows Storage Architecture Overview Intermediate
1 day with labs
Cyber Forensics

Understanding how files are stored (and may be hidden) on a disk or other storage media (solid-state disk, USB "key", SD card, etc.), is essential to performing a thorough forensic investigation. Learn the essentials of the on-disk formats of NTFS, EFS, FAT 12/16/32, exFAT, CDFS, and UDFS. This seminar also covers details of partitioning methods (MBR vs. GPT), the various types of Windows "volumes," basic vs. dynamic disks, and the new Storage Spaces. 

FOR223 Windows Log Files and Other History Intermediate
1 day with labs
Cyber Forensics

Windows miaintains a significant amount of data on its past activity as part of its normal operation. This is used for self-diagnosis, performance monitoring, and error reporting, as well as for common functions such as user login/logiout tracking and file access auditing. Using this information, a forensic investigator can create a detailed timeline of a user’s activities, going back months or in some cases years. Learn what information Windows maintains and where to find it. 

FOR231 Internet Design and Protocols Intermediate
5 days with labs
Cyber Forensics

How is data transmitted from one machine to another over the Internet? What network protocols are used by the Internet? How do you capture network traffic? What information is recorded by a user’s Internet Service Provider? How do you trace the origin of a Distributed Denial of Service Attack? This course will answer these questions and more, and provide the forensic investigator with the knowledge necessary to gather information about a suspect’s use of the internet. The student will learn how to capture network traces and trace the route through the Internet that packets followed.