SANS FOR500: Windows Forensic Analysis

تمرکز دوره SANS FOR500: Windows Forensic Analysis بر روی افزایش و بهبود دانش فارنزیک مبتنی بر سیستم‌ عامل ویندوز می باشد. دانش فارنزیک و آرتیفکت‌ها هسته اصلی امنیت اطلاعات هستند. در دوره SANS FOR500به طور کامل خواهید آموخت که چطور اطلاعات فارنزیک را در سیستم‌عامل‌ ویندوز بازیابی، تحلیل و تایید اعتبار کنید. ی‌توانید فعالیت‌های یک کاربر خاص را ردیابی کرده و نتایج را در تیم پاسخگویی به حادثه به کار بگیرید. SANS FOR500 به شما کمک می‌کند تا از مهارت‌های خود برای تایید اعتبار ابزارهای امنیتی، تهدیدات داخلی، ردیابی هکرها و بهبود سیاست‌های امنیتی استفاده کنید. ویندوز میزان غیرقابل باوری از اطلاعات را درباره شما و کاربران شما ذخیره سازی می‌کند. همچنین  افراد قادر خواهند بود که تجزیه و تحلیل عمیق پزشکی قانونی سیستم عامل های ویندوز و بهره برداری رسانه ها از ویندوز 7 ، ویندوز 8 / 8.1 ، ویندوز 10 و ویندوز سرور انجام دهند. تعیین تعداد دفعات باز شدن پرونده ها توسط مظنون از طریق پزشکی قانونی مرورگر ، تجزیه و تحلیل پرونده میانبر (LNK) ، تجزیه و تحلیل ایمیل و تجزیه و تحلیل رجیستری ویندوز از جمله توانایی افراد پس از مطالعه دوره SANS FOR500: Windows Forensic Analysis است.

Date: 2021
Price: $7,640 USD
Format: Video+eBook
Publisher: SANS

FOR500 builds in-depth and comprehensive digital forensics knowledge of Microsoft Windows operating systems by analyzing and authenticating forensic data as well as track detailed user activity and organize findings. It teaches students to apply digital forensic methodologies to a variety of case types and situations, allowing them to apply in the real world the right methodology to achieve the best outcome.

Syllabus

500.1 HANDS ON: Windows Digital Forensics and Advanced Data Triage
500.2 HANDS ON: CORE WINDOWS FORENSICS PART 1 – Windows Registry Forensics and Analysis
500.3 HANDS ON: CORE WINDOWS FORENSICS PART 2 – USB Devices And Shell Items
500.4 HANDS ON: CORE WINDOWS FORENSICS PART 3 – Email, Key Additional Artifacts, and Event Logs
500.5 HANDS ON: CORE WINDOWS FORENSICS PART 4 – Web Browser Forensics: Firefox, Internet Explorer, and Chrome
500.6 HANDS ON: Windows Forensic Challenge

What You Will Learn

Master Windows Forensics – “You Can’t Protect the Unknown.”

All organizations must prepare for cybercrime occurring on computer systems and within corporate networks. Demand has never been greater for analysts who can investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Corporations, governments, and law enforcement agencies increasingly require trained forensics specialists to perform investigations, recover vital intelligence from Windows systems, and ultimiately get to the root cause of the crime. To help solve these cases, SANS is training a new cadre of the world’s best digital forensic professionals, incident responders, and media exploitation experts capable of piecing together what happened on computer systems second by second.

FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of Microsoft Windows operating systems. You can’t protect what you don’t know about, and understanding forensic capabilities and available artifacts is a core component of information security. You will learn how to recover, analyze, and authenticate forensic data on Windows systems, track individual user activity on your network, and organize findings for use in incident response, internal investigations, intellectual property theft inquiries, and civil or criminal litigation. You’ll be able to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unbelievable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data and use it to your advantage.

Proper analysis requires real data for students to examine. This continually updated course trains digital forensic analysts through a series of new hands-on laboratory exercises that incorporate evidence found on the latest technologies, including Microsoft Windows versions 10 and 11, Office and Microsoft 365, Google Workspace (G Suite), cloud storage providers, SharePoint, Exchange, and Outlook. Students will leave the course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out – attendees learn to analyze everything from legacy Windows 7 systems to just-discovered Windows 11 artifacts.

FOR500: Windows Forensic Analysis will teach you to:

• Conduct in-depth forensic analysis of Windows operating systems and media exploitation on Windows XP, Windows 7, Windows 8/8.1, Windows 10, Windows 11 and Windows Server products.
• Identify artifact and evidence locations to answer crucial questions, including application execution, file access, data theft, external device usage, cloud services, device geolocation, file download, anti-forensics, and detailed system and user activity.
• Become tool-agnostic by focusing your capabilities on analysis instead of how to use a particular tool.
• Extract critical findigs and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation.

FOR500 starts with an intellectual property theft and corporate espionage case that took over six months to create. You work in the real world, so your training should include real-world practice data. Our instructor course development team used incidents from their own investigations and experiences to create an incredibly rich and detailed scenario designed to immerse students in an actual investigation. The case demonstrates the latest artifacts and technologies an investigator might encounter while analyzing Windows systems. The detailed workbook teaches the tools and techniques that every investigator should employ step by step to solve a forensic case. The tools provided can be used long after the end of class.

Please note that this is an analysis-focused course; FOR500 does not cover the basics of evidentiary handling, the “chain of custody,” or introductory drive acquisition. The course authors update FOR500 aggressively to stay current with the latest artifacts and techniques discovered. This course is perfect for you if you are interested in in-depth and current Microsoft Windows Operating System forensics and analysis for any incident that occurs. If you have not updated your Windows forensic analysis skills in the past three years or more, this course is essential.

You Will Be Able To

• Perform proper Windows forensic analysis by applying peer-reviewed techniques focusing on Windows 7, Windows 8/8.1, Windows 10, Windows 11, and Windows Server products
• Use state-of-the-art forensic tools and analysis methods to detail nearly every action a suspect accomplished on a Windows system, including who placed an artifact on the system and how, program execution, file/folder opening, geolocation, browser history, profile USB device usage, cloud storage usage, and more
• Uncover the exact time that a specific user last executed a program through Registry and Windows artifact analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker-breached systems, and traditional crimes
• Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), email analysis, and Windows Registry parsing
• Audit cloud storage usage, including detailed user activity, identifying deleted files, signs of data exfiltration, and even documenting files available only in the cloud
• Identify items searched by a specific user on a Windows system to pinpoint the data and information that the suspect was interested in finding, and accomplish detailed damage assessments
• Use Windows Shell Bag analysis tools to articulate every folder and directory a user or attacker interacted with while accessing local, removable, and network drives
• Determine each time a unique and specific USB device was attached to the Windows system, the files and folders accessed on it, and what user plugged it in by parsing Windows artifacts such as Registry hives and Event Log files
• Learn Event Log analysis techniques and use them to determine when and how users logged into a Windows system, whether via a remote session, at the keyboard, or simply by unlocking a screensaver
• Determine where a crime was committed using Registry data and pinpoint the geolocation of a system by examining connected networks and wireless access points
• Use browser forensic tools to perform detailed web browser analysis, parse raw SQLite and ESE databases, and leverage session recovery artifacts to identify web activity, even if privacy cleaners and in-private browsing software are used
• Specifically determine how individuals used a system, who they communicated with, and files that were downloaded, modified, and deleted

Hands-on Labs

SANS labs provide hands-on experience that reinforces course concepts and learning objectives. This course includes lab instructions with a step-by-step electronic workbook that’s directly tied to the material to develop skills in an hands-on environment.

• lab 1.1 – Mounting Disk Images
• lab 1.2 – Triage Imaging with KAPE
• lab 1.3 – Mounting Triage VHDX Evidence
• lab 1.4 – Memory Carving with AXIOM
• lab 2.1 – User Account Profiling
• lab 2.2 – System Profiling
• lab 2.3 – NTUSER.DAT Analysis
• lab 2.4 – Application Execution Analysis
• lab 2.5 – Cloud Storage Forensics – Onedrive
• lab 3.1 – Cloud Storage Forensics – Google
• lab 3.2 – LNK Shell Item Analysis
• lab 3.3 – Jumplist and Shellbags Shell Item Analysis
• lab 3.4 – USB Analysis
• lab 4.1 – Email Forensics
• lab 4.2 – Windows Timeline and Recycle Bin Analysis
• lab 4.3 – SRUM Analysis
• lab 4.4 – Event Log Analysis
• lab 5.1 – Automating Artifact Processing with KAPE
• lab 5.2 – Chrome Browser Forensics
• lab 5.3 – Edge and Internet Explorer Analysis
• lab 5.4 – Firefox Forensics
• lab 5.5 – Cloud Storage Forensics – Google
• lab 6.1 – FOR500 Forensic Challenge