Topic outline

  • Digital Forensics – Windows Artifacts Foundations

    Windows® Artifacts Foundations will introduce the participant to the many forensically relevant items stored on a Windows based system through user interaction and host operating system functionality.

    Course Details

    Synopsis

    Students will use various applications and utilities to successfully identify, process, understand and document numerous Windows® artifacts that are vitally important to perform a successful forensic investigation of the seized system. Students will gain knowledge to identify where and why Windows stores information in the Registry files, Recycle Bin, Recent folder, User directory and system folders. The participant will also learn how to process Internet Explorer history, cookies, temp files and user settings and compare them with the Edge browser released with Windows® 10.

    Prerequisites

    To get the most out of this class, you should:

    •Have 6 months experience of forensic examinations

    •Be familiar with Windows Operating systems.

    Course Modules

    • 1
      2
      3
      4
      5
      6
      7
    • MODULE 1

      OPERATING SYSTEMS OVERVIEW

      In This Module You Will:

      •Learn to identify the core features of each NT Operating System
      •List the key artifacts contained on modern systems
      •Identify and review common folders on a NT Operating System.
      • MODULE 2

        WINDOWS SYSTEM ARTIFACTS

        In This Module You Will:

        •Describe the purpose of User Account Control
        •Discuss the forensic importance of Windows Prefetch and Superfetch
        •Learn how to examine ShadowCopies
        •Examine the function and forensic importance of the Recycle Bin.
        • MODULE 3

          INTRODUCTION TO THE WINDOWS REGISTRY

          In This Module You Will:

          •Define the Windows Registry
          •Discuss Forensic benefits of examining the Registry
          •Recovering evidentially relevant data from the following registry files:
          SAM
          SYSTEM
          SOFTWARE
          NTUSER.DAT
          • MODULE 4

            WINDOWS SHORTCUTS

            In This Module You Will:

            •Introduction to Windows Shortcuts
            •Examine Link File Anatomy
            •Introduction to Jump Lists and analysis.
            • MODULE 5

              THUMBNAIL CACHING

              In This Module You Will:

              •Learn of the functions Windows uses to cache thumbnail images
              •Discuss user interaction characteristics
              •Examine the internal structure of each cached database.
              • MODULE 6

                WINDOWS START SCREEN EXAMINATION

                In This Module You Will:

                •Describe the purpose of Windows Immersive Applications
                •Examine how the Live Tiles database functions
                •Explore the storage areas for Immersive Applications.
                • MODULE 7

                  BROWSER EXAMINATION

                  In This Module You Will:

                  •Gain an overview of Internet Explorer
                  Discuss Legacy Features
                  •Examination of data storage locations and artifacts of forensic interest
                  •Introduction to Microsoft Edge
                  Examine storage locations
                  Learn of travel logs and their examination
                  Discuss implications of InPrivate browsing
                  •Introduction to ESE Database analysis
                  •Overview of Cortana digital assistant
                  Examine cached data from user interaction.