FOR500: Windows Forensic Analysis has been updated
The new update increases the capabilities of investigators across a wide range of forensic artifacts. Nearly every hands-on lab was improved. Many lab updates were required to take advantage of the latest tool updates, and a new course virtual machine has been updated to include the latest versions of the best tools available for the job. A new email lab was included to put into practice the upgraded course material and more. Learn about the update here
Master Windows Forensics - "You Can't Protect the Unknown."
All organizations must prepare for cybercrime occurring on computer systems and within corporate networks. Demand has never been greater for analysts who can investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Corporations, governments, and law enforcement agencies increasingly require trained forensics specialists to perform investigations, recover vital intelligence from Windows systems, and ultimately get to the root cause of the crime. To help solve these cases, SANS is training a new cadre of the world's best digital forensic professionals, incident responders, and media exploitation experts capable of piecing together what happened on computer systems second by second.
FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of Microsoft Windows operating systems. You can't protect what you don't know about, and understanding forensic capabilities and available artifacts is a core component of information security. You will learn how to recover, analyze, and authenticate forensic data on Windows systems, track individual user activity on your network, and organize findings for use in incident response, internal investigations, intellectual property theft inquiries, and civil or criminal litigation. You'll be able to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unbelievable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data and use it to your advantage.
Proper analysis requires real data for students to examine. This continually updated course trains digital forensic analysts through a series of hands-on laboratory exercises incorporating evidence found on the latest technologies, including Microsoft Windows versions 10 and 11, Office and Microsoft 365, Google Workspace (G Suite), cloud storage providers, Microsoft Teams, SharePoint, Exchange, and Outlook. Students will leave the course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out - attendees learn to analyze everything from legacy Windows 7 systems to just-discovered Windows 11 artifacts.
FOR500 starts with an intellectual property theft and corporate espionage case taking over six months to create. You work in the real world, so your training should include real-world practice data. Our instructor course development team used incidents from their own investigations and experiences to create an incredibly rich and detailed scenario designed to immerse students in an actual investigation. Example cases demonstrate the latest artifacts and technologies an investigator might encounter while analyzing Windows systems in the enterprise. The detailed workbook teaches the tools and techniques that every investigator should employ step by step to solve a forensic case. The tools provided form a complete forensic lab that can be used long after the end of class.
Please note that this is an analysis-focused course; FOR500 does not cover the basics of evidentiary handling, the "chain of custody," or introductory drive acquisition. The course authors update FOR500 aggressively to stay current with the latest artifacts and techniques discovered. This course is perfect for you if you are interested in in-depth and current Microsoft Windows Operating System forensics and analysis for any incident that occurs. If you have not updated your Windows forensic analysis skills in the past three years or more, this course is essential.
Through practical exercises and real-life case studies, students in FOR500: Windows Forensic Analysis will gain hands-on experience and develop the skills to:
- Perform in-depth Windows forensic analysis by applying peer-reviewed techniques focusing on Windows 7, Windows 8/8.1, Windows 10, Windows 11, and Windows Server products
- Use state-of-the-art forensic tools and analysis methods to detail nearly every action a suspect accomplished on a Windows system, including who placed an artifact on the system and how, program execution, file/folder opening, geolocation, browser history, profile USB device usage, cloud storage usage, and more
- Perform "fast forensics" to rapidly assess and triage systems to provide quick answers and facilitate informed business decisions
- Uncover the exact time that a specific user last executed a program through Registry and Windows artifact analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker-breached systems, and traditional crimes
- Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), email analysis, and Windows Registry parsing
- Audit cloud storage usage, including detailed user activity, identifying deleted files, signs of data exfiltration, and even uncovering detailed information and hash values on files available only in the cloud
- Identify items searched by a specific user on a Windows system to pinpoint the data and information that the suspect was interested in finding, and accomplish detailed damage assessments
- Use Windows ShellBag analysis tools to articulate every folder and directory a user or attacker interacted with while accessing local, removable, and network drives
- Determine each time a unique and specific USB device was attached to the Windows system, the files and folders accessed on it, and what user plugged it in by parsing Windows artifacts such as Registry hives and Event Log files
- Learn Event Log analysis techniques and use them to determine when and how users logged into a Windows system, whether via a remote session, at the keyboard, or simply by unlocking a screensaver
- Mine the Windows Search Database to uncover a massive collection of file metadata and even file content from local drives, removable media, and applications like Microsoft Outlook, OneNote, SharePoint, and OneDrive
- Determine where a crime was committed using Registry data and pinpoint the geolocation of a system by examining connected networks and wireless access points
- Use browser forensic tools to perform detailed web browser analysis, parse raw SQLite, LevelDB, and ESE databases, and leverage memory forensics and session recovery artifacts to identify web activity, even if privacy cleaners and in-private browsing software are used
- Parse Electron and WebView2 application LevelDB databases allowing the investigation of hundreds of third-party applications including most chat clients
- Specifically determine how individuals used a system, who they communicated with, and files that were downloaded, modified, and deleted
FOR500 Windows Forensic Analysis Course Topics
- The Course Is Fully Updated to Include the Latest Microsoft Windows Artifacts, Tools, and Techniques
- Windows Operating Systems Focus: Windows 7, Windows 8/8.1, Windows 10, Windows 11, and Server 2008/2012/2016/2019/2022
- Windows File Systems (NTFS, FAT, exFAT)
- Advanced Evidence Acquisition Tools and Techniques
- Registry Forensics
- Shell Item Forensics
- Shortcut Files (LNK) - Evidence of File Opening
- ShellBags - Evidence of Folder Opening
- Jump Lists - Evidence of File Opening and Program Execution
- Windows Artifact Analysis
- Browser and Webmail Analysis
- Microsoft Office Document Analysis
- System Resource Usage Database
- Windows Search Index Forensics
- Windows Recycle Bin Analysis
- File and Picture Metadata Tracking and Examination
- Myriad Application Execution Artifacts, including Several New to Windows 10 and 11
- Universal Windows Platform and Electron/WebView2 applications
- Cloud Storage File and Metadata Examinations
- OneDrive and OneDrive for Business, Dropbox, Google Drive, and Box
- Email Forensics (Host, Server, Web), including Microsoft 365 and Google Workspace (G Suite)
- Microsoft Unified Audit Logging
- Event Log Analysis
- Chrome, Edge, Internet Explorer, and Firefox Browser Forensics
- Chat Clients, including Microsoft Teams and Skype, Based on the Electron Framework
- Microsoft 365 SharePoint, OneDrive, Teams, and Email
- Google Workspace (G Suite) Applications and Logging
- Deleted Registry Key and File Recovery
- Recovering Missing Data from Registry and ESE Database .log Files
- Data Recovery, String Searching and File Carving
- Examination of Cases Involving Windows 7 through Windows 11
- Media Analysis and Exploitation to:
- Track User Communications Using a Windows Device (Email, Chat, Webmail)
- Identify Files Transferred To or Present on a Removable Device
- Determine the Exact Time and Number of Times a Suspect Executed a Program
- Show When Any File Was First and Last Opened by a Suspect
- Prove How Long an Application was Running and How Much Network Data was Sent and Received
- Determine If a Suspect Had Knowledge of a Specific File
- Show the Exact Physical Location of the System
- Track and Analyze Removable Media and USB Mass Storage Class Devices
- Show How the Suspect Logged on to the Machine via the Console, RDP, or Network
- Recover and Examine Browser Artifacts, including Those from Private Browsing Mode
- Extract Chat Messages from A Variety of Chat Clients
- Recover Email from Servers, Cloud Instances, and Endpoint Residue Like Local Archives and the Windows Search Database
- Discover the Use of Anti-Forensics, including File Wiping, Time Manipulation, and Application Removal
What is Windows Forensics?
Windows forensics is the recovery, analysis and authentication of electronically stored information on systems running the Microsoft Windows operating system.
Business Takeaways
- Build an in-house digital forensic capability that can rapidly answer important business questions and investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions.
- Enable more capable analysts, threat hunters, and incident response team members who can use deep-dive digital forensics to help solve Windows data breach cases, perform damage assessments, and develop indicators of compromise.
- Understand the wealth of telemetry available in the Windows Enterprise, at the endpoint and in cloud resources like Microsoft 365, Exchange, Unified Audit Logs, cloud storage, and chat clients
- Identify forensic artifact and evidence locations to answer crucial questions, including application execution, file access, data theft, external device usage, cloud services, device geolocation, file transfers, anti-forensics, and detailed system and user activity.
- Receive a pre-built forensic lab setup via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation
- Build tool-agnostic investigative capabilities by focusing on analysis techniques instead of how to use a particular tool. Deeper understanding of concepts, core forensic artifacts, and stronger analysis skills make any available tool more effective for attendees.
Skills Learned
FOR500 Windows Forensic Analysis Training Will Prepare Your Team To:
- Conduct in-depth forensic analysis of Windows operating systems and media exploitation on Windows 7, Windows 8/8.1, Windows 10, Windows 11 and Windows Server products.
- Identify artifact and evidence locations to answer crucial questions, including application execution, file access, data theft, external device usage, cloud services, device geolocation, file transfers, anti-forensics, and detailed system and user activity.
- Become tool-agnostic by focusing your capabilities on analysis instead of how to use a particular tool.
- Extract critical findings and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation.
- Establish structured analytical techniques to be successful in any security role.
Hands-On Windows Forensic Analysis
SANS labs provide hands-on experience that reinforces course concepts and learning objectives. This course includes lab instructions with a step-by-step electronic workbook that's directly tied to the material to develop skills in a hands-on environment.
- Lab 1.1 - Mounting Disk Images
- Lab 1.2 - Triage Imaging with KAPE
- Lab 1.3 - Mounting Triage VHDX Evidence
- Lab 1.4 - Memory Carving and MFT Parsing
- Lab 2.1 - User Account Profiling
- Lab 2.2 - System Profiling
- Lab 2.3 - NTUSER.DAT Analysis
- Lab 2.4 - Application Execution Analysis
- Lab 2.5 - Cloud Storage Forensics - OneDrive
- Lab 2.6 - Cloud Storage Forensics - Google Drive
- Lab 3.2 - LNK Shell Item Analysis
- Lab 3.3 - Jump List and ShellBags Shell Item Analysis
- Lab 3.4 - USB and Removable Device Profiling and Analysis
- Lab 4.1 - Email and Unified Audit Log Forensics
- Lab 4.2 - Windows Search Database and Recycle Bin Analysis
- Lab 4.3 - System Resource Usage Database (SRUM) Analysis
- Lab 4.4 - Event Log Analysis
- Lab 5.1 - Automating Artifact Processing with KAPE
- Lab 5.2 - Chrome Browser Forensics
- Lab 5.3 - Edge and Internet Explorer Analysis
- Lab 5.4 - Firefox and Electron Application Forensics
- Lab 6.1 - FOR500 Forensic Challenge
What You Will Receive
- Windows 10 Enterprise version of the SIFT Workstation Virtual Machine with over 200 commercial, open-source, and freeware Digital Forensics and Incident Response (DFIR) tools prebuilt into the environment
- Trial licenses for the following commercial tool suites:
- ISO images filled with real-world cases and artifacts to examine during and after the course
- FOR500 exercise workbook with 590+ pages of detailed step-by-step instructions
- MP3 audio files of the complete course lecture
Important! Bring your own system configured according to these instructions.
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all the specified requirements.
Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.
MANDATORY FOR500 SYSTEM HARDWARE REQUIREMENTS
- CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. An x64, 2.0+ GHz or newer processor is mandatory for this class.
- CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
- BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
- 16GB of RAM or more is required.
- 300GB of free storage space or more is required.
- At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
- Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
Additional optional components for this course:
- A USB storage device is necessary to complete one optional lab step in the course. The storage size of the USB media should be larger than the amount of RAM in the laptop.
MANDATORY FOR500 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
- Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
- Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
- Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
- Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
- You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
- Any filtering of egress traffic may prevent you from accomplishing the labs in your course. Firewalls should be disabled, or you must have the administrative privileges to disable them.
- Microsoft Office (any version) or OpenOffice installed on your host. Note that you can download Office Trial Software online (free for 30 days).
- Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMware Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to the start of class. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
- On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
- Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.
Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.
Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.
Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.
If you have additional questions about the laptop specifications, please contact support.
"After 30 years in law enforcement, three capabilities immediately rise to the top of my list when I think of what makes a great digital forensic analyst: superior technical skill, sound investigative methodology, and the ability to overcome obstacles. This course was designed to impart these critical skills to students. Unlike many other training courses that focus on teaching a single tool, FOR500 provides training on many tools. While there are some exceptional tools available, forensic analysts need a variety of tools in their arsenal to be able to pick and choose the best one for each task. However, forensic analysts are not great because of the tools they use, but because they artfully apply the right investigative methodology to each analysis. A carpenter can be a master with all his tools and still not know how to build a house. FOR500 teaches analysts to apply digital forensic methodologies to a variety of case types and situations, enabling them to apply the right methodology to achieve the best outcome in the real world. Finally, the course presents the problem-solving skills necessary to be a truly successful forensic analyst. Almost immediately after starting your forensic career, you will learn that each forensic analysis presents its own unique challenges. A technique that worked flawlessly for previous examinations may not work for the next one. A good forensic analyst must be able to overcome obstacles through advanced troubleshooting and problem-solving. FOR500 gives students the foundation to solve future problems, overcome obstacles, and become great forensic analysts. No matter if you are new to the forensic community or have been doing forensics for years, FOR500 is a must-have course." - Ovie Carroll
"Former students have contacted me regularly about how they were able to use their digital forensic skills in very real situations that were part of the nightly news cycle. The skills you learn in this class are used directly to stop evil. Graduates of FOR500 are the front-line troops deployed when you need accurate digital forensic, incident response, and media exploitation analysis. From analyzing terrorist laptops and data breaches to investigating insider intellectual property theft and fraud, SANS digital forensic graduates are battling and winning the war on crime and terror. Graduates have directly contributed to solving some of the toughest cases out there because they have learned how to properly conduct analyses and run investigations. It brings me great comfort knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign attacks. Graduates are doing just that on a daily basis. I am proud that FOR500 helped prepare them to solve cases and fight crime." - Rob Lee
"Digital forensics has never been more in demand than it is today. Zettabytes of data are created yearly, and forensic examiners will increasingly be called in to separate the wheat from the chaff. For better or worse, digital artifacts are recorded for almost every action, and the bar has been raised for investigators working to repel computer intrusions, stop intellectual property theft, and put bad actors in jail. We wrote this course as the forensics training we wish would have been available early in our careers. Keeping up with the cutting edge of forensics is daunting, but with frequent updates I am confident this course provides the most up-to-date training available, whether you are just starting out or are looking to add new skills to your forensic arsenal." - Chad Tilbury
"Ovie has been great as an instructor for this course. His knowledge and passion to share his insight with us has excited me in learning and reviewing the case materials again even after lessons. I stayed back to spend extra time to read and learn so that I could prepare in anticipation of what he is offering us the next morning. He conducts start-of-the-day recaps and end-of-the-day pop quizzes to tie in knowledge that would have otherwise been just 'another artifact' that was taught. He showed us how to think critically, to tell the story, and to always ask questions." - Yao Guang Tan