Advanced • One-Day Instructor-Led Course
For more information contact: [email protected]
This one-day AccessData® course follows up on the AccessData Windows® Forensic Training by covering the Microsoft® Windows Vista operating system. It provides the knowledge and skills necessary to use AccessData tools to conduct forensic investigations on Vista systems. Participants learn where and how to locate Vista system artifacts using AccessData Forensic Toolkit® (FTK®), FTK Imager, Registry Viewer®, and Password Recovery Toolkit® (PRTK®).
Prerequisites:
This hands-on course is intended for forensic investigators with a basic working knowledge of the following AccessData tools:
• Forensic Toolkit / FTK Imager / Registry Viewer / Password Recovery Toolkit
Participants should also meet the following requirements:
• Able to understand course curriculum presented in English
• Able to perform basic operations on a personal computer
• Attend AccessData BootCamp and Windows Forensic training, or have equivalent experience with FTK, FTK Imager, Registry Viewer, and PRTK
• Have previous investigative experience in computer forensic case work
Class Materials and Software:
You will receive the associated materials prior to the course.
During this one-day course, participants will perform the following tasks:
• GUID Partition Tables (GPT): Students will use FTK Imager to navigate the new GPT drive partitioning scheme.
• File Structure Changes: Students will learn the mechanics of reparse points and mount points in the Windows Vista file structure.
• BitLocker Full Volume Encryption (FVE): Students will use FTK Imager and Windows Vista technology to decrypt and acquire a sector-by-sector image of an FVE drive.
• Windows Vista feature changes such as:
o Recycle Bin
o Thumbcache
o Link and Spool Files
o Windows Event Logs
o Updated SuperFetch Structure
o Enhanced thumbs.db Functionality
o Vista security model
o Structure and Content Changes
o Reparse Points
o Vista File Structure
o Vista Registry Entries, PSSP, and IntelliForms data
o New Locations for Old Windows Artifacts
o Device Identification and Protection
Students will have hands-on labs that allow them to apply what they have learned to a mock case.
Some topics and items in this class syllabus are subject to change. This document is for information purposes only. Syntricate makes no warranties, express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK, LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData, Inc. in the United States and/or other countries. Other trademarks referenced are property of their respective owners.
Windows Forensics - Vista
Module 1: Introduction
Topics:
• Prepare system and install AccessData software
• Course information and outline
• How to receive upgrades and support for AccessData tools
Lab:
• Install AccessData software
Module 2: BitLocker
Objectives:
• Describe the BitLocker full-volume encryption system
• Determine which versions of Vista support BitLocker
• Describe how BitLocker works, specifically:
o How BitLocker encrypts and decrypts the drive
o How BitLocker interacts with the system when it boots
o When encryption and decryption occur
o What to do when BitLocker locks the volume and enters Recovery Mode
• Identify the requirements necessary to enable BitLocker
• Describe how a Trusted Platform Module (TPM) chip functions in the BitLocker process
• Identify which portions of the drive are encrypted
• List the user options available to protect a BitLocker drive
• Describe the Recovery Mode and what causes BitLocker to invoke it
• Identify a BitLocker drive and its accompanying recovery key sets
• Name the items to look for during search and seizure to unlock a BitLocker drive
• Identify the different imaging methods for BitLocker and when and how to apply them
• Prepare the investigative machine to image a BitLocker drive
• Successfully unlock and image a BitLocker encrypted drive
Lab:
• The objective of this lab is to identify a BitLocker encrypted drive and create an image of the drive.
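Three checks from the objectives above (identify a BitLocker drive, know what a recovery key looks like during search and seizure, decide whether data is actually encrypted) can be scripted. The block below is an added example written for this page, not AccessData code and not part of the course material. It relies on two facts: a BitLocker volume replaces the NTFS OEM ID at offset 3 of the boot sector with "-FVE-FS-", and a 48-digit recovery password is eight groups of six digits, each group a 16-bit value multiplied by 11. The sample sectors and the recovery password are constructed here for illustration.

```python
"""Three pre-imaging checks: is this volume BitLocker (FVE) or plain NTFS, does a
chunk of data look encrypted, and is a string of digits a well-formed BitLocker
recovery password?"""
import math
import random
from collections import Counter

NTFS_OEM = b"NTFS    "      # OEM ID at offset 3 of a plain NTFS boot sector
FVE_OEM = b"-FVE-FS-"       # OEM ID BitLocker writes in its place on an encrypted volume


def classify_boot_sector(sector: bytes) -> str:
    """Return 'bitlocker', 'ntfs' or 'unknown' for the first sector of a volume."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    if sector[510:512] != b"\x55\xAA":
        return "unknown"            # no boot-sector signature at all
    oem = sector[3:11]
    if oem == FVE_OEM:
        return "bitlocker"
    if oem == NTFS_OEM:
        return "ntfs"
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(chunk: bytes, threshold: float = 7.5) -> bool:
    """Heuristic only: compressed data and media files also score high, while the
    boot sector and FVE metadata regions of an encrypted volume score low."""
    return shannon_entropy(chunk) >= threshold


def is_recovery_password(text: str) -> bool:
    """48 digits in 8 groups of 6; every group is a 16-bit value times 11, so it
    must be divisible by 11 and no larger than 65535 * 11 = 720885."""
    groups = text.strip().replace(" ", "").split("-")
    if len(groups) != 8:
        return False
    for g in groups:
        if len(g) != 6 or not g.isdigit():
            return False
        value = int(g)
        if value % 11 != 0 or value > 65535 * 11:
            return False
    return True


# --- constructed sample data (not from any real system) ---------------------
def sample_boot_sector(oem: bytes) -> bytes:
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x52\x90"           # x86 jump + NOP, as on NTFS boot sectors
    sec[3:11] = oem
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


SAMPLE_NTFS = sample_boot_sector(NTFS_OEM)
SAMPLE_FVE = sample_boot_sector(FVE_OEM)
SAMPLE_PLAINTEXT = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
_rng = random.Random(2008)               # seeded so the stand-in "ciphertext" is reproducible
SAMPLE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_PASSWORD = "135795-000000-720885-550000-000011-109989-366663-047531"
```

Run `classify_boot_sector` on the first sector of each volume in the image before deciding on an imaging method: a "bitlocker" result means a plain sector-by-sector image will contain ciphertext unless the volume is unlocked first. The entropy check is a triage aid, not proof; a high score on one chunk says only that the bytes are not obviously structured. The recovery-password check rejects typos quickly, but a password that passes still has to be tried against the volume.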
Module 3: GUID Partition Table (GPT)
Objectives:
• Discuss the Vista changes to NTFS 3.1
• Describe the format and structure of the GUID Partition Table (GPT) disk partitioning scheme
• Read GPT partition entries and their notation
• List the rules and limitations of a GPT
Lab:
• The objective of this lab is to identify a GPT formatted drive.
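The structure the module describes (a 92-byte header at LBA 1, an array of 128-byte partition entries, a backup copy of both at the end of the disk, and CRC32 fields over each) can be read without a commercial tool. The parser below is an added example written for this page, not AccessData or FTK Imager code. It builds a small constructed 128-sector disk image so it runs offline; the partition type GUID lookup is a short table, not a complete list. It parses either the primary or the backup header, which is how an examiner recovers a table whose primary copy has been damaged.

```python
"""Parse a GUID Partition Table: header at LBA 1, entry array, and the backup
copy at the last LBA, verifying both CRC32 fields before trusting the table."""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
HEADER_FMT = "<8sIIIIQQQQ16sQIII"    # the 92-byte header
ENTRY_FMT = "<16s16sQQQ72s"          # one 128-byte partition entry

# A few well-known partition type GUIDs (lookup table, not exhaustive).
PARTITION_TYPES = {
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "e3c9e316-0b5c-4db8-817d-f92df00215ae": "Microsoft Reserved",
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Microsoft Basic Data",
}


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def guid_str(raw: bytes) -> str:
    # GPT stores GUIDs mixed-endian: the first three fields little-endian.
    return str(uuid.UUID(bytes_le=raw))


def parse_gpt(image: bytes, header_lba: int = 1, sector_size: int = SECTOR) -> dict:
    """Parse the GPT whose header sits at header_lba (1 = primary, last LBA = backup)."""
    base = header_lba * sector_size
    (sig, revision, header_size, header_crc, _res, current_lba, backup_lba,
     first_usable, last_usable, disk_guid, entries_lba, num_entries,
     entry_size, entries_crc) = struct.unpack_from(HEADER_FMT, image, base)
    if sig != GPT_SIGNATURE:
        raise ValueError(f"no GPT signature at LBA {header_lba}")
    if current_lba != header_lba:
        raise ValueError("header's MyLBA does not match where it was read from")
    # The header CRC covers header_size bytes with the CRC field itself zeroed.
    hdr = bytearray(image[base:base + header_size])
    hdr[16:20] = b"\0\0\0\0"
    if crc32(bytes(hdr)) != header_crc:
        raise ValueError("GPT header CRC32 mismatch (corrupt or tampered header)")
    start = entries_lba * sector_size
    table = image[start:start + num_entries * entry_size]
    if crc32(table) != entries_crc:
        raise ValueError("partition entry array CRC32 mismatch")
    partitions = []
    for i in range(num_entries):
        entry = table[i * entry_size:(i + 1) * entry_size]
        type_raw, uniq_raw, first, last, attrs, name_raw = struct.unpack_from(ENTRY_FMT, entry, 0)
        if type_raw == bytes(16):
            continue                       # unused slot
        type_guid = guid_str(type_raw)
        partitions.append({
            "slot": i + 1,
            "type": PARTITION_TYPES.get(type_guid, type_guid),
            "guid": guid_str(uniq_raw),
            "first_lba": first,
            "last_lba": last,
            "sectors": last - first + 1,
            "attributes": attrs,
            "name": name_raw.decode("utf-16-le", errors="replace").split("\0", 1)[0],
        })
    return {
        "revision": f"{revision >> 16}.{revision & 0xFFFF}",
        "disk_guid": guid_str(disk_guid),
        "backup_lba": backup_lba,
        "usable_lbas": (first_usable, last_usable),
        "partitions": partitions,
    }


# --- constructed sample disk (128 sectors, two partitions), not a real image --
def _make_header(current, backup, entries_lba, entries, first_usable, last_usable, disk_guid):
    hdr = bytearray(struct.pack(HEADER_FMT, GPT_SIGNATURE, 0x00010000, 92, 0, 0,
                                current, backup, first_usable, last_usable,
                                disk_guid.bytes_le, entries_lba, 128, 128, crc32(entries)))
    struct.pack_into("<I", hdr, 16, crc32(bytes(hdr)))
    return bytes(hdr).ljust(SECTOR, b"\0")


def build_sample_disk(total: int = 128) -> bytes:
    table = bytearray(128 * 128)           # 128 slots of 128 bytes = 32 sectors

    def put(slot, type_guid, uniq, first, last, name):
        struct.pack_into(ENTRY_FMT, table, slot * 128,
                         uuid.UUID(type_guid).bytes_le, uuid.UUID(uniq).bytes_le,
                         first, last, 0, name.encode("utf-16-le").ljust(72, b"\0"))

    put(0, "c12a7328-f81f-11d2-ba4b-00a0c93ec93b",
        "11111111-2222-3333-4444-555555555555", 34, 40, "EFI system partition")
    put(1, "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7",
        "66666666-7777-8888-9999-aaaaaaaaaaaa", 41, total - 34, "Basic data partition")
    entries = bytes(table)
    disk_guid = uuid.UUID("0f0f0f0f-1e1e-2d2d-3c3c-4b4b4b4b4b4b")
    image = bytearray(SECTOR * total)
    image[446 + 4] = 0xEE                  # protective MBR: one type-0xEE partition
    image[510:512] = b"\x55\xAA"
    backup_entries_lba = total - 1 - 32
    image[SECTOR:2 * SECTOR] = _make_header(1, total - 1, 2, entries, 34, total - 34, disk_guid)
    image[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    image[backup_entries_lba * SECTOR:backup_entries_lba * SECTOR + len(entries)] = entries
    image[(total - 1) * SECTOR:] = _make_header(total - 1, 1, backup_entries_lba, entries,
                                                34, total - 34, disk_guid)
    return bytes(image)
```

Two of the "rules" worth remembering fall out of the code: the header CRC is computed with its own field zeroed, and both headers carry the LBA they were written at, so a header copied elsewhere (or a backup header read from the wrong sector) fails the MyLBA check before its CRC is even considered. On a real image, pass the last LBA of the device as `header_lba` to read the backup table.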
Module 4: Security – File Structure
Objectives:
• Describe the three tiers of the new Vista security model
• Describe and identify a reparse point in Vista
• Effectively navigate the Vista file structure
• Identify new locations for old Windows artifacts
Lab:
• The objective of this lab is to familiarize the student with the locations of possible evidence files in the Windows Vista operating system.
Module 5: Windows Vista DPAPI
Objectives:
• Compare and contrast the Protected Storage System Provider (PSSP) in Windows 2000/XP systems with Windows Vista DPAPI
• List the steps required to decrypt the protected information located in the IntelliForms subkey
• List the steps required to break the user’s logon password
Lab:
• The objective of this lab is to identify Vista registry entries for IntelliForms and review the steps necessary to decrypt IntelliForms data.
Module 6: Vista Event Logs
Objectives:
• Describe the difference between Windows XP and Windows Vista event logs
• Identify where event logs are stored on Windows Vista systems
• Navigate the Windows Vista Event Viewer
• Using the Windows Vista Event Viewer, view and correlate the following types of events:
o Shutdown
o USB installation
o Time change events
o Wireless connections
Lab:
• The objective of this lab is to identify event logs in Vista, export a log from a case, and open the log in the Vista Event Viewer. You will also use Registry Viewer to identify a USB device inserted in a computer.
Module 7: Recycle Bin
Objectives:
• Compare and contrast the Windows XP Recycler with the Vista $Recycle.Bin
• Describe the structure of the Vista $Recycle.Bin
• Describe the differences between deleted files and orphaned files
• Describe how NTFS uses the $MFT to track individual files
• List the values used to designate file status in the $Recycle.Bin
• Recover deleted file information
Lab:
• The objective of this lab is to familiarize the student with the Vista $Recycle.Bin. The student will also create a regular expression that locates deleted entry records.
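The lab's regular expression and the $Recycle.Bin structure it targets can be shown together. In Vista each deleted file becomes a pair of files under $Recycle.Bin\<user SID>\: a 544-byte $I index record (8-byte version of 1, 8-byte original size, 8-byte FILETIME of deletion, then 520 bytes of UTF-16LE original path) and a $R file holding the content under the same random id and extension. The block below is an added example written for this page, not code from AccessData or the course; it carves version-1 records out of an arbitrary buffer with a regex, decodes them, and goes one step beyond the page by also decoding the length-prefixed version-2 layout later Windows releases use. The buffer it searches is constructed here, with the $I records surrounded by filler bytes.

```python
"""Carve and decode Windows Vista $Recycle.Bin index ($I) records."""
import re
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
I_RECORD_SIZE = 544     # 8 version + 8 size + 8 FILETIME + 520 bytes of UTF-16LE path (260 chars)

# Vista/7 $I records: version 1, two 8-byte integers, then a UTF-16LE path
# that starts with a drive letter, a colon and a backslash.
I_RECORD_RE = re.compile(rb"\x01\x00{7}.{16}[A-Z]\x00:\x00\\\x00", re.DOTALL)


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_i_record(blob: bytes) -> dict:
    """Decode one $I record (version 1 = Vista/7 fixed layout; version 2 = later
    Windows, 4-byte character count followed by the path)."""
    version, size, ft = struct.unpack_from("<QQQ", blob, 0)
    if version == 1:
        if len(blob) < I_RECORD_SIZE:
            raise ValueError("truncated version-1 $I record")
        raw_path = blob[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", blob, 24)
        raw_path = blob[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw_path.decode("utf-16-le", errors="replace").split("\0", 1)[0]
    return {"original_path": path, "original_size": size, "deleted_at": filetime_to_datetime(ft)}


def carve_i_records(data: bytes) -> list:
    """Locate every version-1 $I record in a raw buffer (a $Recycle.Bin dump,
    file slack or unallocated space) and decode it."""
    found = []
    for m in I_RECORD_RE.finditer(data):
        try:
            rec = parse_i_record(data[m.start():m.start() + I_RECORD_SIZE])
        except (ValueError, struct.error):
            continue
        rec["offset"] = m.start()
        found.append(rec)
    return found


def r_file_for(i_name: str) -> str:
    """The matching $R file carries the same random id and extension as the $I file."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


# --- constructed sample data (not from a real $Recycle.Bin) ------------------
def make_i_record(path: str, size: int, deleted_at: datetime) -> bytes:
    return (struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_at))
            + path.encode("utf-16-le").ljust(520, b"\0"))


SAMPLE_BUFFER = (
    b"\xCC" * 300
    + make_i_record(r"C:\Users\alice\Documents\plan.docx", 24576,
                    datetime(2008, 3, 14, 9, 26, 53, tzinfo=timezone.utc))
    + b"\x00" * 100
    + make_i_record(r"D:\photos\IMG_0042.jpg", 3145728,
                    datetime(2008, 3, 15, 18, 0, 0, tzinfo=timezone.utc))
    + b"\xFF" * 50
)
```

The regex anchors on the version field and the drive-letter prefix of the path rather than on the file name, so it also finds $I records whose directory entries are gone, which is what separates a deleted file from an orphaned one in practice. An $I record without a matching $R file tells you what was deleted and when but not what it contained; the reverse case leaves content with no original path.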
Module 8: Thumbcache
Objectives:
• Compare and contrast thumbs.db files on Windows XP and 2000 systems with thumbcache files in Windows Vista
• Identify where all thumbnail images are stored in Windows Vista
• Review thumbcache files in FTK
• Identify the values stored in every thumbcache record
Lab:
• The objective of this lab is to familiarize the student with the Vista thumbcache file location and structure.
Module 9: Windows Vista Superfetch (Prefetch)
Objectives:
• Accurately define Prefetch, Superfetch and their related functions
• Define the forensic importance of Prefetch Registry entries and Prefetch files
• View and analyze pertinent Prefetch artifacts as they relate to case analysis and user behavior
Lab:
• The objective of this lab is to locate and identify Superfetch files in the Windows Vista operating system. The student will identify the last time and the number of times a program or file was accessed or executed.
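The last run time and run count the lab recovers live at fixed offsets in the header of each .pf file under \Windows\Prefetch, and the offsets moved between the XP format (version 17) and the Vista/7 format (version 23). The decoder below is an added example written for this page, not AccessData code; the header layout it uses is the documented one for versions 17, 23 and 26, and it refuses Windows 10 files (version 30), which are compressed and need decompressing first. The sample .pf headers are constructed in the block itself and carry no section data beyond the header.

```python
"""Decode the header of a Windows prefetch (.pf) file: executable name, the
path hash that forms the file name, last run time(s) and run count."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Per format version: (offset of last-run FILETIME(s), how many are kept, offset of run count).
LAYOUT = {
    17: (0x78, 1, 0x90),   # Windows XP / Server 2003
    23: (0x80, 1, 0x98),   # Windows Vista / 7
    26: (0x80, 8, 0xD0),   # Windows 8.x keeps the last eight run times
}


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_prefetch(data: bytes) -> dict:
    version, sig, _unknown, declared_size = struct.unpack_from("<I4sII", data, 0)
    if sig != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version not in LAYOUT:
        # Windows 10 (version 30) files are MAM-compressed; decompress before parsing.
        raise ValueError(f"unsupported prefetch format version {version}")
    name = data[0x10:0x10 + 60].decode("utf-16-le", errors="replace").split("\0", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)
    times_off, n_times, count_off = LAYOUT[version]
    raw_times = struct.unpack_from(f"<{n_times}Q", data, times_off)
    run_times = [filetime_to_datetime(t) for t in raw_times if t]
    (run_count,) = struct.unpack_from("<I", data, count_off)
    return {
        "version": version,
        "executable": name,
        # The file on disk should be named <EXECUTABLE>-<HASH>.pf; a mismatch
        # means the file was renamed or copied from elsewhere.
        "expected_filename": f"{name}-{path_hash:08X}.pf",
        "last_run": run_times[0] if run_times else None,
        "run_times": run_times,
        "run_count": run_count,
        "declared_size": declared_size,
        "truncated": len(data) < declared_size,
    }


# --- constructed sample files (header only), not from a real host -----------
def build_sample_prefetch(version: int, name: str, path_hash: int,
                          last_run: datetime, run_count: int) -> bytes:
    times_off, n_times, count_off = LAYOUT[version]
    buf = bytearray(0x100)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, len(buf))
    buf[0x10:0x10 + 60] = name.encode("utf-16-le").ljust(60, b"\0")
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<Q", buf, times_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


SAMPLE_VISTA_PF = build_sample_prefetch(
    23, "NOTEPAD.EXE", 0xD8414F97,
    datetime(2008, 3, 14, 9, 26, 53, tzinfo=timezone.utc), 7)
SAMPLE_XP_PF = build_sample_prefetch(
    17, "CMD.EXE", 0x087B4001,
    datetime(2007, 1, 2, 3, 4, 5, tzinfo=timezone.utc), 12)
```

Two caveats belong with the numbers this returns. The run count is the prefetcher's count, so it only reflects launches while prefetching was enabled; the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters (0 disabled, 1 application launch, 2 boot, 3 both) says whether that was the case, which is why the module pairs the Registry entries with the files. And the last run time is written roughly ten seconds after the process starts, so it sits slightly after the launch it records.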