دوره FOR500: Windows Forensic Analysis

دوره FOR500: Windows Forensic Analysis

متخصص جرم شناسی ویندوز “شما نمی توانید از آنچه نمی دانید محافظت کنید.”

همه سازمان ها باید برای وقوع جرم سایبری در سیستم های رایانه ای و درون شبکه های خود آماده شوند. تقاضا برای تحلیلگرانی که می توانند
در مورد جرائمی از قبیل کلاهبرداری ، تهدیدهای درون سازمانی ، جاسوسی صنعتی ، سوء استفاده کارمندان و مزاحمت های رایانه ای تحقیق کنند ،
آژانس های دولتی به طور فزاینده ای نیاز به متخصصان آموزش دیده در زمینه سوء استفاده از رسانه برای بازیابی اطلاعات حیاتی از سیستم های ویندوز دارند.
برای کمک به حل این موارد ، SANS در حال آموزش کادر جدیدی از بهترین متخصصان جرم شناسی دیجیتال در جهان برای پاسخ دهندگان در مورد حوادث
و کارشناسان متخصص رسانه ای است که قادر به مرتب کردن اتفاقات رخ داده در هر ثانیه در سیستم های رایانه ای هستند.

پیش نیاز دوره:

• MCSA
• SANS401

مخاطبین دوره FOR500: Windows Forensic Analysis

• تحلیل‌گران Forensics
• هکرهای قانونمند
• کارشناسان امنیت
• مدیران امنیت اطلاعات
• کارشناسان واحد پاسخگویی به حوادث
• کارشناسان واحد مرکز عملیات امنیت
• علاقمندان به حوزه امنیت سیستم عامل ویندوز

مزایای دوره

• ارائه مدرک معتبر
• برگزاری دوره ها بصورت کاملا عملی
• استفاده از لابراتور مجهز
• استفاده از برترین اساتید داخلی و با مدرک بین المللی
• با توجه به حضور گروه دوران در بیش از 1000 پروژه سازمانی، امکان معرفی دانشجویان دوره به بازار کار مرتبط به دوره ها
• تخفیف جهت حضور در دوره های بعدی
• دريافت مدرک بين المللی مرتبط

سرفصل دوره

FOR500.1: Windows Digital Forensics and Advanced Data Triage
• Windows Operating System Components
o Key Differences in Windows Versions
o Windows 7 and Higher
o Microsoft Server Variations
• Core Forensic Principles
o Analysis Focus
o Key Questions
o Determining Your Scope
• Live Response and Triage-Based Acquisition Techniques
o RAM Acquisition
o Registry Extraction
o Triage-Based Forensics – Fast Forensic Acquisition – Key Files
o Following the Order of Volatility
o KAPE Triage Collection
• Windows Image Mounting and Examination
• NTFS File System Overview
• Document and File Metadata
• File Carving
o Principles of Data Carving
o Loss of File System Metadata
o File Carving Tools
o Custom Carving Signatures
• Memory, Pagefile, and Unallocated Space Analysis
o Artifact Recovery and Examination
o Facebook Live, MSN Messenger, Yahoo, AIM, GoogleTalk Chat
o IE8-11, Edge, Firefox, Chrome InPrivate/Recovery URLs
o Yahoo, Hotmail, G-Mail, Webmail, Email

FOR500.2: Core Windows Forensics Part 1: Windows Registry Forensics and Analysis
Registry Forensics In-Depth
• Registry Core
o Hives, Keys, and Values
o Registry Last Write Time
o MRU Lists
o Deleted Registry Key Recovery
o Identify Dirty Registry Hives and Recover Missing Data
o Rapidly Search and Timeline Multiple Hives
• Profile Users and Groups
o Discover Usernames and the SID Mapped to Them
o Last Login
o Last Failed Login
o Login Count
o Password Policy
• Core System Information
o Identify Current Control Set
o System Name and Version
o Timezone
o Local IP Address Information
o Wireless/Wired/3G Networks
o Connected Network Auditing and Device Geolocation
o Network Shares and Offline Caching
o Last Shutdown Time
o Registry-Based Malware Persistence Mechanisms
• User Forensic Data
o Evidence of File Downloads
o Office and Office 365 File History Analysis
o Windows 7, Windows 8/8.1, Windows 10 Search History
o Typed Paths and Directories
o Recent Documents (RecentDocs)
o Open-> Save/Run Dialog Boxes Evidence
o Application Execution History via UserAssist, Shimcache, RecentApps, AmCache, and BAM/DAM
• Cloud Storage Forensics
o Microsoft OneDrive
o OneDrive Files on Demand
o Microsoft OneDrive for Business
o OneDrive Unified Audit Logs
o Google Drive
o G Suite File Stream
o G Suite Logging
o Dropbox
o Dropbox Decryption
o Dropbox Logging
o Box Drive
o Box Backup and Sync
o Synchronization and Timestamps
o Forensic Acquisition Challenges
o User activity enumeration
• Tools Used
o Registry Explorer
o TZWork’s CAFAE
o ShimCacheParser
o Amcacheparser
o SQLite Viewer

FOR500.3: Core Windows Forensics Part II: USB Devices and Shell Items
• Shell Item Forensics
o Link/Shortcut Files (.lnk) – Evidence of File Opening
o Windows7/Windows10 Jump Lists – Evidence of File Opening and Program Execution
o Shellbag Analysis – Evidence of Folder Access
• USB and Bring Your Own Device (BYOD) Forensic Examinations
o Vendor/Make/Version
o Unique Serial Number
o Last Drive Letter
o MountPoints2 – Last Drive Mapping Per User (Including Mapped Shares)
o Volume Name and Serial Number
o Username that Used the USB Device
o Time of First USB Device Connection
o Time of Last USB Device Connection
o Time of Last USB Device Removal
o Auditing BYOD Devices at Scale
o Bitlocker-To-Go Encrypted USB Devices

FOR500.4: Core Windows Forensics Part III: Email, Key Additional Artifacts, and Event Logs
• Email Forensics
o Evidence of User Communication
o How Email Works
o Email Header Examination
o Email Authenticity
o Determining a Sender’s Geographic Location
o Extended MAPI Headers
o Host-Based Email Forensics
o Exchange Recoverable Items
o Exchange Evidence Acquisition and Mail Export
o Exchange Compliance Search and eDiscovery
o Unified Audit Logs in Office 365
o Google G Suite Logging
o G Suite VaultRecovering Deleted Emails
o Web and Cloud-Based Email
o Webmail Acquisition
o Email Searching and Examination
o Mobile Email Remnants
o Business Email Compromise
• Forensicating Additional Windows OS Artifacts
o Windows Search Index Forensics
o Extensible Storage Engine (ESE) Database Recovery and Repair
o Thumbs.db and Thumbscache Files
o Windows Prefetch Analysis (XP, Windows 7 – Windows 10)
o Windows Recycle Bin Analysis (XP, Windows 7 – Windows 10)
o Windows 10 Timeline Database
o System Resource Usage Monitor (SRUM)
 Connected Networks, Duration, and Bandwidth Usage
 Applications Run and Bytes Sent/Received Per Application
 Application Push Notifications
 Energy Usage
• Windows Event Log Analysis
o Events Logs that Matter to a Digital Forensic Investigator
o EVTX and EVT Log Files
 Track Account Usage including RDP, Brute Force Password Attacks, and Rogue Local Account Usage
 Audit and Analyze File and Folder Access
 Prove System Time Manipulation
 Track Bring Your Own Device (BYOD) and External Devices
 Microsoft Office Alert Logging
 Geo-locate a Device via Event Logs

FOR500.5: Core Windows Forensics Part IV: Web Browser Forensics for Firefox, Internet Explorer and Chrome
• Browser Forensics
o History
o Cache
o Searches
o Downloads
o Understanding Browser Timestamps
o Internet Explorer
 IE Forensic File Locations
 History files: Index.dat and WebCache.dat
 Cache Recovery and Timestamps
 Microsoft Universal Application Artifact
 Download History
 Credentials Stored in the Windows Vault
 Internet Explorer Tab Recovery Analysis
 Cross-Device Synchronization, Including Tabs, History, Favorites, and Passwords
o Edge
 History, Cache, Cookies, Download History, and Session Recovery
 Spartan.edb
 Reading List, WebNotes, Top Sites, and SweptTabs
o Firefox
 Firefox Artifact Locations
 Mork Format and SQLite FilesFirefox Quantum Updates
 Download History
 Firefox Cache2 Examinations
 Detailed Visit Type Data
 Form History
 Session Recovery
 Firefox Extensions
 Firefox Cross-Device Synchronization
o Chrome
 Chrome File Locations
 Correlating URLs and Visits Tables for Historical Context
 History and Page Transition Types
 Chrome Preferences File
 Web Data, Shortcuts, and Network Action Predictor Databases
 Chrome Timestamps
 Cache Examinations
 Download History
 Chrome Session Recovery
 Chrome Profiles Feature
 Identifying Cross-Device Chrome Synchronization
o Private Browsing and Browser Artifact Recovery
 IE and Edge InPrivate Browsing
 Chrome and Firefox Private Browsing
 Investigating the Tor Browser
 Identifying Selective Database Deletion
o SQLite and ESE Database CarvingExamination of Browser Artifacts
 DOM and Web Storage Objects
 Google Analytics and Universal Cookies
 Rebuilding Cached Web Pages
 Browser Ancestry
o Tools Used
 Nirsoft Tools
 SQLite Parsers
 ESE DatabaseView
 Hindsight
FOR500.6: Windows Forensics Challenge
• Digital Forensic Case
o Analysis
 Begin with a New Set of Evidence
 Following Evidence Analysis Methods Discussed Throughout the Week and Find Critical Evidence
 Examine Memory, Registry, Chat, Browser, Recovered Files, and More
o Reporting
 Focus and Submit the Top Three Pieces of Evidence Discovered and Discuss What They Prove Factually
 Document One of the Submitted Pieces of Evidence for Potential Examination During the Mock Trial
• Presentation
o Each Team Will Be Asked to Prepare the following:
 Executive Summary
 Short Presentation
 Conclusion
o The Team Voted to Have the Best Argument and Presentation Proving Its Case is Awarded the Forensic Challenge Coin

دوران آکادمی زیر مجموعه گروه دوران، مجری برگزاری دوره FOR500: Windows Forensic Analysis در قالب آموزش امنیت به صورت آموزش آنلاین و حضوری با بهره گیری از لابراتور آنلاین اختصاصی بهمراه گواهی معتبرارائه می‌شود.