Dec 06, 2024
CVF 1081 - Advanced Windows Forensics
Credits: 3
Hours/Week: Lecture 2, Lab 2
Course Description: This course provides an in-depth examination of the forensic evidence left on Windows-based file systems, using a variety of methods and tools to investigate any event for the workplace. It covers Windows methods that ensure maximum evidence capture without poisoning key evidence residing in disk space and memory. This course aligns with the objectives of the EnCase Certified Examiner (EnCE) certification.
MnTC Goals: None
Prerequisite(s): CVF 1065 with a grade of C or higher, or instructor consent.
Corequisite(s): None
Recommendation: None
Major Content
- Guidance Software EnCase
  - EnCase Overview
  - EnCase Interface
  - Basic Data Analysis
  - Creating a Case
  - Narrowing/Filtering data
  - Reporting
  - Keyword/Pattern Searching
- Cryptography
  - Understand the fundamentals of encryption
  - Understand decryption technologies
  - Identify and recover encrypted data
  - Perform decryption on various files
- Email Analysis
  - Microsoft Outlook
  - Microsoft Mail
  - Web-based email
  - Email headers
- Examining Windows Artifacts (XP, Vista, 7)
  - Directory Structure
  - Recycle Bin
  - Thumbs.db
  - Shortcut/Link (LNK) Files
  - Prefetch
  - Restore Points
  - File metadata
  - Volume Shadow Copy
  - Log files
- Live Analysis & Incident Response
  - Understand requirements for live response
  - Perform analysis on a live system
  - Employ automated toolkits to collect information from Windows-based systems
  - Understand and implement Incident Response technologies
  - Perform imaging and analysis of Windows-based systems
- Memory Analysis
  - Issues in collecting Windows memory
  - Image and analyze Windows memory
  - Identify registry data in memory
  - Identify process information in memory
  - Identify passwords in memory
- Web Browser Analysis (Internet Explorer, Firefox, Chrome)
  - Internet history
  - Cookies
  - Cached files
  - Recovering deleted history
  - Private browsing
- Windows Registry Analysis
  - Identify the structure of the Windows registry
  - Identify and understand Windows registry artifacts
  - Locate and examine deleted Windows registry data
  - Perform testing of applications in the Windows registry
  - Perform analysis of the Windows registry
Learning Outcomes
At the end of this course, students will be able to:
- employ automated toolkits to collect information from Windows-based systems
- perform analysis of the Windows registry
- identify and recover encrypted and hidden data
- implement Incident Response Technologies
- perform imaging and analysis of Windows-based systems
- perform analysis on a live system
Competency 1 (1-6): None
Competency 2 (7-10): None