SANS Institute
SANS - Computer Forensics and e-Discovery with Rob Lee
Course PDF
Investigations involving Windows-based operating systems occur every day. As a result, it is essential for the investigator to know how to examine the critical files and structures of a Windows operating system. This day will provide an in-depth study and examination of the forensic evidence left on Windows 7, VISTA, Windows XP, and Windows server-based operating systems. This hands-on forensic course will arm you with methods and techniques to investigate critical areas of the Windows operating system for any case.
Beginning with the Windows Registry, the investigator will learn how to discover critical user and system information from the Registry that is pertinent to any investigation. Each examiner will learn how to examine the Registry to obtain user profile data and system data. The course will also teach each investigator how to show that a specific user performed key word searches, ran specific programs, opened and saved files, and list the most recent items in use.
Finally, USB Device investigations are becoming more and more a key part of performing computer forensics. We will show you how to perform in-depth USB device examinations on Win7, Vista, and WinXP machines. We will show you when the device was first plugged in, last plugged in, the vendor/make/model, and even tell you the unique device that was used.
Throughout the day, the investigator will utilize their skills in a real hands-on case, exploring evidence and artifacts discussed throughout the day.
- Day 3 Topics
- Registry Forensics In-Depth
- Registry Basics
- Hives, Keys, and Values
- Registry Last Write Time
- Profile Users and Groups
- Discover Usernames and the SID mapped to them
- Last Login
- Last Failed Login
- Logon Count
- Password Policy
- Core System Information
- Identify Current Control Set
- System Name and Version
- Timezone
- Local IP Address Info
- Wireless/Wired/3G Networks
- Network Shares
- Last Shut Down Time
- User Forensic Data
- XP and Win7 Search History
- Typed URLS
- Recent Documents
- Last Commands Executed
- Open-> Save/Run Dialog Boxes
- Application Execution History (UserAssist)
- USB Device Forensic Examinations
- Vendor/Make/Version
- Unique Serial Number
- Last Drive Letter
- Volume Name
- The username that used the USB Device
- Time of First Use of USB Device
- Time of Last Use of USB Device
- Registry Basics
- Registry Forensics In-Depth
- Day 3 Topics (Continued)
- Registry Forensics In-Depth
- Tools Utilized
- Harlan Carvey's Regripper
- Access Data's Registry Viewer
- Tools Utilized
- E-mail Forensics
- How E-mail Works
- Locations
- Examination of Email
- Types of E-mail Formats
- Microsoft Outlook/Outlook Express/Windows Mail
- Web Based Mail
- Microsoft Exchange
- Lotus Notes
- E-mail Analysis
- E-mail Searching and Examination
- Registry Forensics In-Depth
- Day 3 Exercises
- Profile a computer system using evidence found in the registry.
- Profile a user’s activities using evidence found in the registry.
- Examine USB device residue in the registry and filesystem
- Find e-mail evidence containing a specific set of keywords.
- Find e-mail evidence sent to a specific e-mail address.
| SECURITY 408 Upcoming Events | |||
| Event | Location | Dates | Delivery Method |
| SANS vLive! - Security 408 - Rob Lee | SANS vLive! SEC408-200911, VA | Nov 30, 2009 - Feb 01, 2010 | |
| SANS CDI East 2009 | Washington DC | Dec 11, 2009 - Dec 18, 2009 | Live Event |
| SANS Security East 2010 | New Orleans, LA | Jan 10, 2010 - Jan 18, 2010 | Live Event |
| SANS 2010 | Orlando, FL | Mar 06, 2010 - Mar 15, 2010 | Live Event |
| SANS Security West 2010 | San Diego, CA | May 07, 2010 - May 15, 2010 | Live Event |
| SANS vLive! - SEC 408 - Rob Lee | SANS vLive! SEC408 - 201006, VA | Jun 08, 2010 - Aug 24, 2010 | |
