SANS Institute FOR500 Brochure

FOR500: Windows Forensic Analysis
GCFE: Forensic Examiner – giac.org/gcfe
6 Day Program • 36 CPEs • Laptop Required

MASTER WINDOWS FORENSICS – YOU CAN’T PROTECT THE UNKNOWN

All organizations must prepare for cybercrime occurring on computer systems and within corporate networks. Demand has never been greater for analysts who can investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Corporations, governments, and law enforcement agencies increasingly require trained forensics specialists to perform investigations, recover vital intelligence from Windows systems, and ultimately get to the root cause of the crime. To help solve these cases, SANS is training a new cadre of the world’s best digital forensic professionals, incident responders, and media exploitation experts capable of piecing together what happened on computer systems second by second.

FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of Microsoft Windows operating systems. You can’t protect what you don’t know about, and understanding forensic capabilities and available artifacts is a core component of information security. You will learn how to recover, analyze, and authenticate forensic data on Windows systems, track individual user activity on your network, and organize findings for use in incident response, internal investigations, intellectual property theft inquiries, and civil or criminal litigation. You’ll be able to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unbelievable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data and use it to your advantage.

Proper analysis requires real data for students to examine. This continually updated course trains digital forensic analysts through a series of hands-on laboratory exercises incorporating evidence found on the latest technologies, including Microsoft Windows versions 10 and 11, Office and Microsoft 365, Google Workspace (G Suite), cloud storage providers, Microsoft Teams, SharePoint, Exchange, and Outlook. Students will leave the course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out - attendees learn to analyze everything from legacy Windows 7 systems to just-discovered Windows 11 artifacts.

FOR500 starts with an intellectual property theft and corporate espionage case taking over six months to create. You work in the real world, so your training should include real-world practice data. Our instructor course development team used incidents from their own investigations and experiences to create an incredibly rich and detailed scenario designed to immerse students in an actual investigation. Example cases demonstrate the latest artifacts and technologies an investigator might encounter while analyzing Windows systems in the enterprise. The detailed workbook teaches the tools and techniques that every investigator should employ step by step to solve a forensic case. The tools provided form a complete forensic lab that can be used long after the end of class.

Please note that this is an analysis-focused course; FOR500 does not cover the basics of evidentiary handling, the “chain of custody,” or introductory drive acquisition. The course authors update FOR500 aggressively to stay current with the latest artifacts and techniques discovered. This course is perfect for you if you are interested in in-depth and current Microsoft Windows Operating System forensics and analysis for any incident that occurs. If you have not updated your Windows forensic analysis skills in the past three years or more, this course is essential.

“This is a very high-intensity course with extremely current course material that is not available anywhere else in my experience.”
—Alexander Applegate, Auburn University

You Will Be Able To
• Perform in-depth Windows forensic analysis by applying peer-reviewed techniques focusing on Windows 7, Windows 8/8.1, Windows 10, Windows 11, and Windows Server products
• Use state-of-the-art forensic tools and analysis methods to detail nearly every action a suspect accomplished on a Windows system, including who placed an artifact on the system and how, program execution, file/folder opening, geolocation, browser history, profile USB device usage, cloud storage usage, and more
• Perform “fast forensics” to rapidly assess and triage systems to provide quick answers and facilitate informed business decisions
• Uncover the exact time that a specific user last executed a program through Registry and Windows artifact analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker-breached systems, and traditional crimes
• Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), email analysis, and Windows Registry parsing
• Audit cloud storage usage, including detailed user activity, identifying deleted files, signs of data exfiltration, and even uncovering detailed information and hash values on files available only in the cloud
• Identify items searched by a specific user on a Windows system to pinpoint the data and information that the suspect was interested in finding, and accomplish detailed damage assessments
• Use Windows ShellBag analysis tools to articulate every folder and directory a user or attacker interacted with while accessing local, removable, and network drives
• Determine each time a unique and specific USB device was attached to the Windows system, the files and folders accessed on it, and what user plugged it in by parsing Windows artifacts such as Registry hives and Event Log files
• Learn Event Log analysis techniques and use them to determine when and how users logged into a Windows system, whether via a remote session, at the keyboard, or simply by unlocking a screensaver
• Mine the Windows Search Database to uncover a massive collection of file metadata and even file content from local drives, removable media, and applications like Microsoft Outlook, OneNote, SharePoint, and OneDrive
• Determine where a crime was committed using Registry data and pinpoint the geolocation of a system by examining connected networks and wireless access points
• Use browser forensic tools to perform detailed web browser analysis, parse raw SQLite, LevelDB, and ESE databases, and leverage memory forensics and session recovery artifacts to identify web activity, even if privacy cleaners and in-private browsing software are used
• Parse Electron and WebView2 application LevelDB databases allowing the investigation of hundreds of third-party applications including most chat clients
• Specifically determine how individuals used a system, who they communicated with, and files that were downloaded, modified, and deleted

sans.org/for500
• Watch a preview of this course
• Discover how to take this course: Online, In-Person
Section Descriptions

SECTION 1: Digital Forensics and Advanced Data Triage
The Windows Forensic Analysis course starts with an examination of digital forensics in today’s interconnected environments and discusses challenges associated with mobile devices, tablets, cloud storage, and modern Windows operating systems. Hard drive and digital media sizes are increasingly difficult and time-consuming to handle appropriately in digital cases. Being able to acquire data in an efficient and forensically sound manner is crucial to every investigator today. In this course section, we review the core techniques while introducing new triage-based acquisition and extraction capabilities that will increase the speed and efficiency of the acquisition process. We demonstrate how to acquire memory, the NTFS MFT, Windows logs, Registry, and critical files in minutes instead of the hours or days currently spent on acquisition. We also begin processing our collected evidence using stream-based and file-carving-based extraction capabilities employing both commercial and open-source tools and techniques. Students come away with the knowledge necessary to target the specific data needed to rapidly answer fundamental questions in their cases.
TOPICS: Windows Operating System Components; Core Forensic Principles; Live Response and Triage-Based Acquisition Techniques; Windows Image Mounting and Examination; NTFS File System Overview; Document and File Metadata; File and Stream Carving; Memory, Pagefile, and Unallocated Space Analysis

SECTION 2: Registry Analysis, Application Execution, and Cloud Storage Forensics
Our journey continues with the Windows Registry, where the digital forensic investigator will learn how to discover critical user and system information pertinent to almost any investigation. You’ll learn how to navigate and analyze the Registry to obtain user profile and system data. During this course section, we will demonstrate investigative methods to prove that a specific user performed keyword searches, executed specific programs, opened and saved files, perused folders, and used removable devices. Throughout this course section, students will use their skills in a real hands-on case, exploring and analyzing a rich set of evidence.
TOPICS: Registry Forensics In-Depth; Registry Core; Profile Users and Groups; Core System Information; User Forensic Data; Cloud Storage Forensics

SECTION 3: Shell Items and Removable Device Profiling
Being able to show the first and last time a file or folder was opened is a critical analysis skill. Shell item analysis, including shortcut (LNK), Jump List, and ShellBag artifacts, allows investigators to quickly pinpoint the times of file and folder usage per user. The knowledge obtained by examining shell items is crucial to perform damage assessments, track user activity in intellectual property theft cases, and track where hackers spent time in the network. Removable storage device investigations are an essential part of performing digital forensics. In this course section, students will learn how to perform in-depth USB device examinations on all modern Windows versions. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, drive capacity, and even the unique serial number of the device used.
TOPICS: Shell Item Forensics; USB and BYOD Forensic Exams

SECTION 4: Email Analysis, Windows Search, SRUM, and Event Logs
Depending on the type of investigation and authorization, a wealth of evidence can be unearthed through the analysis of email files. Recovered email can bring excellent corroborating information to an investigation, and its informality often provides very incriminating evidence. Finding and collecting email is often one of our biggest challenges as it is common for users to have email existing simultaneously on their workstation, on the company email server, on a mobile device, and in multiple cloud or webmail accounts. The Windows Search Index can index up to a million items on the file system, including file content, email, and over 600 kinds of metadata per file. It is an under-utilized resource providing profound forensic capabilities. Similarly, the System Resource Usage Monitor (SRUM), one of our most exciting digital artifacts, can help determine many important user actions, including network usage per application and historical VPN and wireless network usage. Imagine the ability to audit network usage by cloud storage and identify 60 days of remote access tool usage even after execution of counter-forensic programs. Finally, Windows event log analysis has solved more cases than possibly any other type of analysis. Windows 11 now includes over 300 logs, and understanding the locations and content of the available log files is crucial to the success of any investigator. Many researchers overlook these records because they do not have adequate knowledge or tools to get the job done efficiently. This section arms investigators with the core knowledge and capability to maintain and build upon this crucial skill for many years to come.
TOPICS: Email Forensics; Forensicating Additional Windows OS Artifacts; Windows Event Log Analysis

SECTION 5: Web Browser Forensics
With the increasing use of the web and the shift toward web-based applications and cloud computing, browser forensic analysis is a critical skill. During this section, students will comprehensively explore web browser evidence created during the use of Google Chrome, Microsoft Edge, Internet Explorer, and Firefox. The hands-on skills taught here, such as SQLite, LevelDB, and ESE database parsing, allow investigators to extend these methods to nearly any browser they encounter. Students will learn how to examine every significant artifact stored by the browser, including web storage, cookies, visit and download history, Internet cache files, browser extensions, and form data. We will show you how to find these records and identify the common mistakes investigators make when interpreting browser artifacts. You will also learn how to analyze some of the more obscure (and powerful) browser artifacts, such as session restore, HTML5 web storage, zoom levels, predictive site prefetching, and private browsing remnants. Browser synchronization is explained, providing investigative artifacts derived from other devices in use by the subject of the investigation. Finally, skills to investigate Chromium-based Electron/WebView2 applications are introduced, opening capabilities to investigate hundreds of third-party Windows applications using this framework, including chat clients like Discord, Signal, Skype, Microsoft Teams, Slack, WhatsApp, Yammer, Asana, and more. Throughout the section, students will use their skills in real hands-on cases, exploring evidence created by Chrome, Firefox, Microsoft Edge, and Internet Explorer correlated with other Windows operating system artifacts.
TOPICS: Browser Forensics; Chrome; Edge; Internet Explorer; Electron and WebView2 Applications and Chat Client Forensics; Firefox; Private Browsing and Browser Artifact Recovery; SQLite and ESE Database Carving and Examination of Additional Browser Artifacts

SECTION 6: Windows Forensics Challenge
Nothing will prepare you more as an investigator than a complete hands-on challenge requiring you to use all the skills and knowledge presented throughout the course. With the option to work individually or in teams, students are provided new case evidence to analyze. The exercise steps through the entire case flow, including proper acquisition, analysis, and reporting of investigative findings. Fast forensics techniques will be used to rapidly profile computer usage and discover the most critical pieces of evidence to answer investigative questions. This complex case involves an investigation into one of the most recent versions of the Windows operating system. The evidence is from real devices and provides the most realistic training opportunity currently available. Solving the case requires students to use all the skills gained from each of the previous course sections. The section concludes with a mock trial involving presentations of the evidence collected. The team with the best in-class presentation and documentation wins the challenge—and solves the case!
TOPICS: Digital Forensics Capstone; Reporting

Who Should Attend
• Information security professionals
• Incident response team members
• Law enforcement officers, federal agents, and detectives
• Media exploitation analysts
• Anyone interested in a deep understanding of Windows forensics who has a background in information systems, information security, and computers

NICE Framework Work Roles
• Cyber Crime Investigator (OPM 221)
• Cyber Defense Forensics Analyst (OPM 212)
• Law Enforcement/Counter Intelligence Forensics Analyst (OPM 211)

GCFE: Forensic Examiner – giac.org/gcfe
GIAC Certified Forensic Examiner
The GIAC Certified Forensic Examiner (GCFE) certification validates a practitioner’s knowledge of computer forensic analysis, with an emphasis on core skills required to collect and analyze data from Windows computer systems. GCFE certification holders have the knowledge, skills, and ability to conduct typical incident investigations including e-Discovery, forensic analysis and reporting, evidence acquisition, browser forensics and tracing user and application activities on Windows systems.
• Windows Forensics and Data Triage
• Windows Registry Forensics, USB Devices, Shell Items, Email Forensics and Log Analysis
• Advanced Web Browser Forensics (Chrome, Edge, Firefox, Internet Explorer)
