CFI1081 — Advanced Windows Forensics
Hours/Week: Lecture 2, Lab 2

Course Description:
This course provides an in-depth examination of the forensic evidence left on Windows-based file systems, using a variety of methods and tools to investigate workplace incidents. It covers Windows techniques that maximize evidence capture without contaminating key evidence residing on disk and in memory.

MnTC Goals: None

db
Shortcut/Link (LNK) Files
Prefetch
Restore Points
File metadata
Volume Shadow Copy
Log files

Live Analysis & Incident Response
  Understand requirements for live response
  Perform analysis on a live system
  Employ automated toolkits to collect information from Windows-based systems
  Understand and implement incident response technologies
  Perform imaging and analysis of Windows-based systems

Memory Analysis
  Issues in collecting Windows memory
  Image and analyze Windows memory
  Identify registry data in memory
  Identify process information in memory
  Identify passwords in memory

Web Browser Analysis (Internet Explorer, Firefox, Chrome)
  Internet history
  Cookies
  Cached files
  Recovering deleted history
  Private browsing

Windows Registry Analysis
  Identify the structure of the Windows registry
  Identify and understand Windows registry artifacts
  Locate and examine deleted Windows registry data
  Perform testing of applications in the Windows registry
  Perform analysis of the Windows registry

Learning
Prerequisites: CFI1065