Windows Forensics
These seminars bring our extensive knowledge of Windows internals and security to the cyber-forensics field.
ID | Title | Level, etc | Summary |
---|---|---|---|
FOR111 | Data Storage and Recovery Methods |
Basic 2 days with labs | This seminar covers how data is physically stored in a computer system, and provides detailed information on RAM, ROM, Flash, CD, DVD, Hybrid Hard Disks, and Blu-Ray. Learn about the recovery potential from a variety of storage devices. |
FOR130 | Survey of Malware Types |
Basic 1 day lecture only | Most recent malware is used for financial or political gain, and although often referred to as "viruses," the attack and propagation methods are very different from true viruses. This course is an overview of the types of malware, how malware is categorized, and how each type of malware attacks a Windows system. This allows the forensic investigator to identify malware used in criminal attacks. |
FOR202 | Malware Internals |
Intermediate 2 days with labs | How does malware work? How do you trace where malware came from? In order to defeat your enemy, you must understand your enemy. This course covers the various types of malware and how it typically operates in a Windows system. |
FOR205 | Windows Internals for Forensics |
Intermediate 5 days with labs | All modern malware works within the operating system, not only by exploiting weaknesses but also by using features that are there for everyday use. It is therefore impossible to understand how malware works without a deep understanding of the operating system it targets. This seminar provides detailed information on how Windows works internally, with special focus on common malware attack methods. It includes coverage of Windows’ most recent security features, most of them specifically added to combat malware. |
FOR206 | Windows Cryptography |
Intermediate 2 days with labs | Encryption is being used more and more in legitimate business, as well as within criminal enterprises. Learn about the types of encryption available in Windows, the weaknesses, and what it takes to either decrypt files that have been encrypted or to defeat the encryption by other means. Includes the detection of hidden volumes as implemented by, for example, TrueCrypt. |
FOR207 | BitLocker Operation and Internals |
Intermediate 1 day with labs | BitLocker is being used more and more to protect the contents of disks from loss and theft. Unfortunately, it is also being used by cybercriminals to hide their activities from law enforcement. This course describes the internal operation of BitLocker, and how law enforcement can defeat it in some cases. |
FOR209 | Virtual Machines |
Intermediate 1 day with labs | Virtual machines are useful for many purposes in computing, but they can also be used to hide evidence of user activity on a computer system. Cybercriminals are using virtual machines because it is apparently easy to remove all trace of their activities just by deleting a single file. This seminar describes virtual machines, their methods of operation, how they are used to hide user activity, and how to detect their use. It also describes how to use virtual machines for malware analysis and other aspects of cyber forensics. |
FOR220 | Windows Storage Architecture Overview |
Intermediate 1 day with labs | Understanding how files are stored (and may be hidden) on a disk or other storage media (solid-state disk, USB "key", SD card, etc.), is essential to performing a thorough forensic investigation. Learn the essentials of the on-disk formats of NTFS, EFS, FAT 12/16/32, exFAT, CDFS, and UDFS. This seminar also covers details of partitioning methods (MBR vs. GPT), the various types of Windows "volumes," basic vs. dynamic disks, and the new Storage Spaces. |
FOR223 | Windows Log Files and Other History |
Intermediate 1 day with labs | Windows miaintains a significant amount of data on its past activity as part of its normal operation. This is used for self-diagnosis, performance monitoring, and error reporting, as well as for common functions such as user login/logiout tracking and file access auditing. Using this information, a forensic investigator can create a detailed timeline of a user’s activities, going back months or in some cases years. Learn what information Windows maintains and where to find it. |
FOR231 | Internet Design and Protocols |
Intermediate 5 days with labs | How is data transmitted from one machine to another over the Internet? What network protocols are used by the Internet? How do you capture network traffic? What information is recorded by a user’s Internet Service Provider? How do you trace the origin of a Distributed Denial of Service Attack? This course will answer these questions and more, and provide the forensic investigator with the knowledge necessary to gather information about a suspect’s use of the internet. The student will learn how to capture network traces and trace the route through the Internet that packets followed. |