FOR205 - Windows Internals for Forensics

All modern malware works within the operating system, not only by exploiting weaknesses but also by using features that are there for everyday use. It is therefore impossible to understand how malware works without a deep understanding of the operating system it targets. This seminar provides detailed information on how Windows works internally, with special focus on common malware attack methods. It includes coverage of Windows’ most recent security features, most of them added specifically to combat malware.

Level: Intermediate
Audience: Cyber forensics investigators
Topics:
  • Introduction and orientation
  • Windows versions and editions
    • Windows 8/Server 2012 overview
    • Windows RT
    • Tools preview
  • Program execution environment
    • Processes and threads
    • Sessions and jobs
    • Kernel vs. user mode
    • Address spaces
    • User mode memory management
    • Service processes
    • Monitoring processes, threads, and CPU usage
  • Environment subsystems
    • API sets
    • Calling OS functions from user mode
    • Kernel, user, and GDI APIs
  • Kernel mode components and mechanisms
    • User to kernel mode calls (executive services)
    • Executive, kernel, and HAL
    • Checked build
    • Objects, handles, and security (access controls)
    • Registry
    • Kernel mode execution environment
    • Interrupt handling
    • Kernel mode stack
    • Kernel memory pools
    • Serialization mechanisms
    • System (kernel) threads
    • Monitoring kernel activity
  • Thread scheduling
    • Thread priorities and priority policies
    • Thread scheduling states and transitions
    • Preemption, time slicing, and waiting
    • CPU time accounting
    • Priority adjustments
    • Multiprocessor issues
    • Monitoring process and thread activity
  • Memory management
    • Virtual memory concepts
    • Virtual address translation
    • Memory size limits
    • Page faults, page files, and memory mapped files
    • Per-process physical memory management (working set management)
    • System-wide physical memory management
    • Interpreting memory-related performance counters and displays
  • I/O subsystem and device driver architecture
    • Input/output APIs
    • Overview of driver models
    • I/O subsystem and device driver control flow
    • File system drivers
    • File system cache
  • System startup and shutdown
    • Booting with PC BIOS firmware
    • Booting with UEFI firmware
    • Booting with a Trusted Platform Module
    • BitLocker and Secure Boot
    • Key system processes
    • Shutdown
Prerequisites: Experience using Windows as a basic to intermediate-level user
Operating systems supported: All versions of Windows
Durations and formats: 5 days with labs
Additional information: If you have a Windows Source license, this seminar can include examination of the relevant Windows source code.