SANS Institute
SANS - Computer Forensics and e-Discovery with Rob Lee
GIAC Certification Available
Course PDF
Investigations involving Windows-based operating systems occur frequently. As a result, it is essential to make an in-depth study and examination of the forensic evidence left on Windows-based operating systems. This hands-on forensic course will arm you with methods and techniques to respond and investigate complex events for your organization. It covers Windows methods that will ensure maximum evidence capture without poisoning key evidence that might reside on the system and in memory.
You will learn how to use freely available Windows tools and methods to secure a system without disturbing it, discover hidden malware, and find hidden clues that may still reside on the system. Each student will also learn how to examine restore point snapshots in Windows XP and examine Shadow Copy volumes on Windows Vista and Windows 7.
This course covers Microsoft Windows 2000, Windows XP, Windows 2003, Windows Vista, and Windows 7. Even though they all use NTFS or FAT for the file system, each one is different and there are some variations on the type of forensic data that might be found on each operating system.
- Key Windows File System Analysis Concepts
- How to Mount/Examine Windows Forensic Images
- Difference in Vista/XP Forensics
- Detecting Malware Easily
- Restore Points, Shadow Copy, and Registry Data
- Recovering Deleted Windows Key Files
- Windows Incident Response Methodology
- Collecting Volatile Data Automatically
- Recovering Passwords
- Getting Around Locked Computer (Screensaver)
- Proper Way to Execute Command Prompts
- Windows Registry Analysis for Forensic Analysts
- Registry Hive Basics
- Timeline of Registry Last Write Times
- Registry Slack
- Deleted Registry Artifacts
- Restore Point and Shadow Copy Forensics
- Acquiring Shadow Copy Volume Image
- Shadow Copy Data Analysis
- XP Restore Point Data Analysis
- Looking at Registry Files in XP Restore Point
- Day 4 Exercises
- Examine System Registry For User and Application Forensic Data
- Using Automated Toolkits to Collect Information from Windows-Based Systems
- Using Autopsy, Foremost, and The Sleuth Kit to Examine NTFS/FAT Image
- Recover Files from a USB Key Used in a Crime
- Utilize Prefetch, Registry Forensics, Restore Points, and More in a Real Case
| SECURITY 508 Upcoming Events | |||
| Event | Location | Dates | Delivery Method |
| SANS SelfStudy | Books & MP3s Only | Anytime | Self Paced |
| SANS OnDemand | Online | Anytime | Self Paced |
| SANS London 2009 | London, United Kingdom | Nov 28, 2009 - Dec 06, 2009 | Live Event |
| Community SANS Tucson 2009 | Tucson, AZ | Nov 30, 2009 - Dec 05, 2009 | Community SANS |
| Community SANS Colorado Springs 2009 | Colorado Springs, CO | Nov 30, 2009 - Dec 05, 2009 | Community SANS |
| Mentor Session - SEC508 | Atlanta, GA | Dec 02, 2009 - Feb 17, 2010 | Mentor |
| Mentor Session - SEC508 | Medellín, Colombia | Dec 02, 2009 - Dec 04, 2009 | Mentor |
| SANS CDI East 2009 | Washington DC | Dec 11, 2009 - Dec 18, 2009 | Live Event |
| Mentor Session - Security 508 | Charlotte, NC | Jan 14, 2010 - Mar 18, 2010 | Mentor |
| Mentor Session - Security 508 | Denver, CO | Jan 19, 2010 - Mar 23, 2010 | Mentor |
| Community SANS Lake Tahoe 2010 | Lake Tahoe, CA | Jan 25, 2010 - Jan 30, 2010 | Community SANS |
| SANS Phoenix 2010 | Phoenix, AZ | Feb 14, 2010 - Feb 20, 2010 | Live Event |
| SANS India 2010 | Bangalore, India | Feb 22, 2010 - Feb 27, 2010 | Live Event |
| SANS 2010 | Orlando, FL | Mar 06, 2010 - Mar 15, 2010 | Live Event |
| Mentor Session - SEC508 | Greeley, CO | Mar 11, 2010 - May 13, 2010 | Mentor |
| Community SANS Boston 2010 | Boston, MA | Mar 15, 2010 - Mar 20, 2010 | Community SANS |
| SANS vLive! - SEC 508 - Rob Lee | SANS vLive! SEC508 - 201003, VA | Mar 23, 2010 - Apr 29, 2010 | |
| SANS Northern Virginia Bootcamp 2010 | Reston, VA | Apr 06, 2010 - Apr 13, 2010 | Live Event |
| Mentor Session - SEC508 | Boise, ID | Sep 28, 2010 - Nov 30, 2010 | Mentor |
