Topic outline

  • Advanced Windows® 10 Forensic Analysis

    The Advanced Windows® 10 Forensic Analysis class is an expert-level training course designed for examiners who are already familiar with the principles of digital forensics.

    Course Details

    Synopsis

    The Spyder Forensic Advanced Windows® 10 Forensic Analysis course gives participants the unbiased knowledge and skills needed to analyze the artifacts left behind by system and user interaction with the host system. Using industry-standard tools and open-source applications, students explore the data in greater depth by learning how applications function and how they store data in the file system. Students will learn to use various applications and utilities to identify, process, understand and document the many Windows® artifacts that are vital to forensic investigations. Participants will also learn how to process Edge browser history, cookies and temp files, the challenges and analysis of InPrivate browsing, BitLocker encryption, the Windows® Action Center (Notifications SQLite database) and other Windows® 10 specific artifacts. The course covers Jump Lists, Registry analysis, prefetch files and Timeline in depth, and how each relates to a forensic investigation, and concludes with an in-depth look at OneDrive and the synchronization processes between trusted devices.

    Prerequisites

    To get the most out of this class, you should:

    • Have 6 months' experience of forensic examinations.

    • Be familiar with Windows operating systems.

    Course Modules

    • Windows 10 Overview

      During this module we will be reviewing the latest artifact updates to Windows 10 (1803):

      • Overview of Windows 10
      • Examine the version characteristics between Windows® 10 operating systems
      • Explore the challenges the recent update has presented to the forensic examiner
      • Learn of the new Recycle Bin structure
      • Discuss Windows logon options
    • BitLocker Encryption

      In This Module You Will:

      • Learn how BitLocker encryption functions
      • Explore the system volume BitLocker implementation and its metadata artifacts
      • Discuss BitLocker To Go on data volumes and USB devices
      • Learn examination techniques for a BitLocker-protected volume
    • Windows Registry

      In This Module You Will:

      • Define the Windows Registry
      • Discuss the forensic benefits of the Registry
      • Correlate files on disk to registry data
      • Navigate the Registry
      • Review registry key structure
      • Review registry block structure
      • Locate and identify deleted registry data
    • User Account Examination

      In This Module You Will:

      • Define the Security Accounts Manager (SAM)
      • Review operating system access management
      • Describe a Security Identifier (SID)
      • Describe a Relative Identifier (RID)
      • Identify OneDrive accounts
      • Review user profile data in the NTUSER.DAT file
      • Review user profile data in the SOFTWARE file
    • Hardware Device Tracking

      In This Module You Will:

      • Identify the purpose of the SYSTEM registry file
      • Review core items of forensic interest
      • Learn how Windows tracks:
        • HDDs
        • USB devices
      • Track a USB device through the system
    • Software Usage Analysis

      In This Module You Will:

      • Locate items of interest within the NTUSER.DAT and SYSTEM registry files
      • Perform UserAssist analysis
      • Review the purpose of BAM (Background Activity Moderator)
      • Identify the forensic implications of these registry artifacts
    • Windows® Shortcuts

      In This Module You Will:

      • Get an overview of Windows® shortcuts
      • Deep dive into Jump List analysis
      • Learn of the correlation between the Distributed Link Tracking Service and Windows® link files, and of their intricate link with the NT File System
      • Explore the structure of Jump List data files
      • Examine the effects of destructive processes on Jump Lists
      • Learn of the file system artifacts associated with user activity on host files and link file creation
    • Windows® Timeline

      In This Module You Will:

      • Learn of the new Timeline feature introduced with Windows® 10 (1803)
      • Review the backend storage locations of application data
      • Gain knowledge of how SQLite databases function
      • Explore the artifacts stored in the backend SQLite database
      • Compare local account storage configurations vs. OneDrive and SharePoint accounts
      • Examine the SQL database tables to identify file usage across multiple devices
    • Windows Immersive Applications Review

      In This Module You Will:

      • Describe the purpose of Live Tiles
      • Examine the backend structures of Immersive apps
      • Describe the function of each folder location storing user cached data
    • Windows® 10 Notifications

      In This Module You Will:

      • Learn of the Action Center functionality
      • Review the backend storage locations of the Notifications database
      • Explore the artifacts stored in the backend SQLite database
      • Write SQL queries to present the data in a clearer format
      • Describe the correlation between the images displayed on Live Tiles and backend storage
    • Photos Application Artifacts

      In This Module You Will:

      • Review the Photos application from a user perspective
      • Identify the storage locations of cached data
      • Identify recently viewed files
      • Examine the Timeline cache data file and its implications
      • Learn of the key artifacts identified within the SQL database:
        • Geolocation
        • Folder identification
        • Dates and times of interactions
        • Camera metadata
    • Cortana Integration

      In This Module You Will:

      • Learn about Microsoft's digital assistant
      • Identify the storage location of hosted data
      • Identify key folder locations of collected data
      • Review data stored in txt, cfg, ttl and JSON structured files pertaining to Cortana's collection phases
      • Discuss cloud integration and synchronization processes
    • Edge Browser Forensics

      In This Module You Will:

      • Review the Edge browser application
      • Locate key folders of interest within the user profile
      • Identify cached data from untrusted and trusted sites
      • Learn of Edge recovery stores and processing techniques
      • Explore InPrivate browsing and learn of recoverable artifacts
      • Learn of the new data storage files and their interpretation
      • Practice extensive hands-on processing techniques
    • OneDrive - Cloud Synchronization

      In This Module You Will:

      • Review the function of the OneDrive processes
      • Locate key folders of interest
      • Identify the locations of user files
      • Explore the many artifacts located in the synchronization logs
      • Learn how to interpret user settings
      • Learn how to interpret stored settings files
      • Discover Office 365 cloud integration
      • Use the registry to locate recent file interaction
      • Interpret the data stored in the subkeys
      • Introduction to Office 365 synchronized data
    • Windows® 10 Mail

      In This Module You Will:

      • Learn of the function of the default Mail client
      • Explore the locations of trusted and untrusted data
      • Review the "Comms" folder and its ESE structured database
      • Extract key data from the Store.vol ESE database
      • Review the storage of email data within the sub-folders of the Comms and S0 folders
      • Learn techniques for correlating data in the ESE database with files in the sub-folders