Dec 06, 2024  
2021-2022 Course Catalog [ARCHIVED CATALOG]


CVF 1081 - Advanced Windows Forensics

Credits: 3
Hours/Week: Lecture 2 Lab 2
Course Description: This course provides an in-depth examination of the forensic evidence left on Windows file systems, using a variety of methods and tools to investigate workplace incidents. It covers Windows acquisition and analysis methods that maximize evidence capture without contaminating key evidence residing on disk and in memory. This course aligns with the objectives of the EnCase Certified Examiner (EnCE) certification.
MnTC Goals
None

Prerequisite(s): CVF 1065 with a grade of C or higher or instructor consent.
Corequisite(s): None
Recommendation: None

Major Content
  1. Guidance Software EnCase
    1. EnCase Overview
    2. EnCase Interface
    3. Basic Data Analysis
    4. Creating a Case
    5. Narrowing/Filtering data
    6. Reporting
    7. Keyword/Pattern Searching
  2. Cryptography
    1. Understand the fundamentals of encryption
    2. Understand decryption technologies
    3. Identify and recover encrypted data
    4. Perform decryption on various files
  3. Email Analysis
    1. Microsoft Outlook
    2. Microsoft Mail
    3. Web-based email
    4. Email headers
  4. Examining Windows Artifacts (XP, Vista, 7)
    1. Directory Structure
    2. Recycle Bin
    3. Thumbs.db
    4. Shortcut/Link (LNK) Files
    5. Prefetch
    6. Restore Points
    7. File metadata
    8. Volume Shadow Copy
    9. Log files
  5. Live Analysis & Incident Response
    1. Understand requirements for live response
    2. Perform analysis on a live system
    3. Employ automated toolkits to collect information from Windows-based systems
    4. Understand and implement Incident Response technologies
    5. Perform imaging and analysis of Windows-based systems
  6. Memory Analysis
    1. Issues in collecting Windows memory
    2. Image and analyze Windows memory
    3. Identify registry data in memory
    4. Identify process information in memory
    5. Identify passwords in memory
  7. Web Browser Analysis (Internet Explorer, Firefox, Chrome)
    1. Internet history
    2. Cookies
    3. Cached files
    4. Recovering deleted history
    5. Private browsing
  8. Windows Registry Analysis
    1. Identify the structure of the Windows registry
    2. Identify and understand Windows registry artifacts
    3. Locate and examine deleted Windows registry data
    4. Perform testing of applications in the Windows registry
    5. Perform analysis of the Windows registry
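As an added illustration of the Prefetch artifact listed under "Examining Windows Artifacts (XP, Vista, 7)", the following Python parser is not part of the course materials or of any vendor tool. It reads the uncompressed .pf header layouts used by Windows XP (format version 17) and Vista/7 (format version 23), pulls out the executable name, the prefetch hash, the last-run FILETIME and the run counter, and refuses Windows 8/10 files (different offsets, and Windows 10 files are MAM-compressed). The sample file is constructed in the block; the hash value and timestamp are illustrative, not a real capture.

```python
"""Minimal parser for uncompressed Windows Prefetch (.pf) headers,
format versions 17 (XP) and 23 (Vista/7). Added example, not course material."""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# (last-run FILETIME offset, run-count offset) per format version.
# Windows 8+ (versions 26/30) move these fields again and are not handled here.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - EPOCH_1601) / timedelta(microseconds=1)) * 10


@dataclass
class PrefetchInfo:
    version: int
    executable: str
    prefetch_hash: int
    last_run: datetime
    run_count: int


def parse_prefetch(data: bytes) -> PrefetchInfo:
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed (Windows 8.1/10) prefetch file; decompress first")
    if data[4:8] != SIGNATURE:
        raise ValueError("not a prefetch file: bad SCCA signature")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    # Executable name: 60 bytes of NUL-terminated UTF-16LE at offset 0x10.
    raw_name = data[0x10:0x10 + 60]
    executable = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    # The hash at 0x4C is the value that appears in the .pf file name (NAME-HASH.pf).
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]
    time_off, count_off = LAYOUT[version]
    last_run = filetime_to_datetime(struct.unpack_from("<Q", data, time_off)[0])
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return PrefetchInfo(version, executable, prefetch_hash, last_run, run_count)


def build_sample_prefetch(version: int, executable: str, prefetch_hash: int,
                          last_run: datetime, run_count: int) -> bytes:
    """Construct a synthetic header-only .pf image for testing (not a real capture)."""
    size = 0xA0 if version == 23 else 0x98   # header + file-information block
    buf = bytearray(size)
    struct.pack_into("<I4s", buf, 0, version, SIGNATURE)
    struct.pack_into("<I", buf, 0x0C, size)
    name = executable.encode("utf-16-le")[:58]  # leave room for the terminator
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, prefetch_hash)
    time_off, count_off = LAYOUT[version]
    struct.pack_into("<Q", buf, time_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


# Constructed sample: a Windows 7 style entry for CMD.EXE (values are illustrative).
SAMPLE_LAST_RUN = datetime(2012, 3, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_PF = build_sample_prefetch(23, "CMD.EXE", 0x4A81B364, SAMPLE_LAST_RUN, 42)

if __name__ == "__main__":
    info = parse_prefetch(SAMPLE_PF)
    print(f"{info.executable} (format v{info.version}) hash={info.prefetch_hash:08X} "
          f"runs={info.run_count} last_run={info.last_run.isoformat()}")
```

The run counter and last-run time are what make Prefetch useful as execution evidence; on Windows 8+ the header keeps the last eight run times, so a parser for those versions needs the extended layout rather than the two offsets used here.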

Learning Outcomes
At the end of this course students will be able to:

  1. employ automated toolkits to collect information from Windows-based systems
  2. perform analysis of the Windows registry
  3. identify and recover encrypted and hidden data
  4. implement incident response technologies
  5. perform imaging and analysis of Windows-based systems
  6. perform analysis on a live system

Competency 1 (1-6)
None
Competency 2 (7-10)
None

