Windows miaintains a significant amount of data on its past activity as part of its normal operation. This is used for self-diagnosis, performance monitoring, and error reporting, as well as for common functions such as user login/logiout tracking and file access auditing. Using this information, a forensic investigator can create a detailed timeline of a user’s activities, going back months or in some cases years. Learn what information Windows maintains and where to find it.
Cyber forensics investigators
Attendees should be familiar with Windows at the “power user” or system administrator level.
Much of the information in the log files is related to internal mechanisms described in FOR205, Windows Internals for Forensics; so that is strongly recommended.
|Operating systems supported:||All Windows versions|
|Durations and formats:||1 day with labs|