Difference between pages "Training Courses and Providers" and "OpenSaveMRU"

From Forensics Wiki
(On-going / Continuous Training)
 
(New page)
 
Line 1: Line 1:
This is the list of Training Providers, who offer training courses of interest to practitioners and researchers in the field of Digital Forensics.   Conferences which may include training are located on the [[Upcoming_events]] page.   
+
The OpenSaveMRU key exists in the [[Windows Registry]] and tracks files that have been opened or saved within a Windows shell dialog box.  It is part of a set of keys recording information from the Windows Common Dialog. The Common Dialog libraries can be used by any Windows application and Microsoft highly recommends that developers use them instead of creating novel user interface elements  [http://msdn.microsoft.com/en-us/library/windows/desktop/aa511274.aspx].  Data is commonly found in this key from web browsers, document viewers, archiving utilities, and image viewers.   
  
<b>PLEASE READ BEFORE YOU EDIT THE LIST BELOW</b><br>
+
== Registry Key Location ==
Some training providers offer on-going training courses that are available in an on-line "any time" format. Others have regularly scheduled training that is the same time each month. Others have recurring training but are scheduled at various times throughout the year. Providers training courses should be listed in alphabetical order, and should be listed in the appropriate section. Non-Commercial training is typically offered by governmental agencies or organizations that directly support law enforcement. Tool Vendor training is training offered directly by a specific tool vendor, which may apply broadly, but generally is oriented to the vendor's specific tool (or tool suite). Commercial Training is training offered by commercial companies which may or may not be oriented to a specific tool/tool suite, but is offered by a company other than a tool vendor.
+
The key is present in each user's NTUSER.DAT hive in the \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDIg32\OpenSaveMRU [[List of Windows MRU Locations | location]]. The values stored in the key itself are items that do not have file extensions associated with them [http://computer-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru]. Since most files in Windows have extensions, what often ends up here is auto-complete information. Consider an OpenSave dialog box that allows you to choose a file type from a list (e.g. .jpg, .png, .bmp). User input into this dialog will typically be the name of the file without the extension, since the dropdown filetype menu takes care of filling in the extension. Thus what will be stored in the OpenSaveMRU value is auto-complete information for that transaction, and the full filename is not stored.
  
<i>Some training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
== Sub-Keys ==
== On-going / Continuous Training ==
+
The possibility for a large number of subkeys exist within the OpenSaveMRU key. All but one of the sub-keys correspond to file extensions and store full path information for files of that extension that have been opened or saved. Each subkey keeps its own Most Recently Used (MRU) list and last write time.  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="20%"|Date/Location
+
! width="40%"|Website
+
|-
+
|- style="background:pink;align:left"
+
! DISTANCE LEARNING
+
|-
+
|Basic Computer Examiner Course - Computer Forensic Training Online
+
|Distance Learning Format
+
|http://www.cftco.com
+
|-
+
|Linux Data Forensics Training
+
|Distance Learning Format
+
|http://www.onlineforensictraining.com/courses.html
+
|-
+
|SANS On-Demand Training
+
|Distance Learning Format
+
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
|-
+
|Champlain College - CCE Course
+
|Online / Distance Learning Format
+
|http://online.champlain.edu/computer-forensics-digital-investigation/CFDI_440
+
|-
+
|National Center for Media Forensics
+
|Distance and Concentrated Audio/Video/Image Forensics
+
|http://cam.ucdenver.edu/ncmf
+
|-
+
|- style="background:pink;align:left"
+
!RECURRING TRAINING
+
|-
+
|Evidence Recovery for Windows 7&reg; operating system;
+
|First full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows 8&reg;
+
|Second full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows Server&reg; 2008 and 2012
+
|Third full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|}
+
  
==Non-Commercial Training==
+
One outlier is the * subkey. This key tracks the last ten files of any extension (including no extension) that have been input into the OpenSave dialog [http://www.forensicfocus.com/index.php?name=Content&pid=73&page=8].
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="40%"|Website
+
! width="20%"|Limitation
+
|-
+
|Defense Cyber Investigations Training Academy (DCITA)
+
|http://www.dc3.mil/dcita/dcitaAbout.php
+
|Limited To Certain Roles within US Government Agencies[http://www.dc3.mil/dcita/dcitaRegistration.php (1)]
+
|-
+
|Federal Law Enforcement Training Center
+
|http://www.fletc.gov/training/programs/technical-operations-division
+
|Limited To Law Enforcement
+
|-
+
|MSU National Forensics Training Center
+
|http://www.security.cse.msstate.edu/ftc
+
|Limited To Law Enforcement
+
|-
+
|IACIS
+
|http://www.iacis.com/training/course_listings
+
|Limited To Law Enforcement and Affiliate Members of IACIS
+
|-
+
|SEARCH
+
|http://www.search.org/programs/hightech/courses/
+
|Limited To Law Enforcement
+
|-
+
|National White Collar Crime Center
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited To Law Enforcement
+
|-
+
|}
+
  
==Tool Vendor Training==
+
== OpenSaveMRU in Windows 7 ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
Starting with Windows Vista, the key has been renamed to [[OpenSavePidlMRU]]
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="40%"|Website
+
! width="20%"|Limitation
+
|-
+
|AccessData (Forensic Tool Kit FTK)
+
|http://accessdata.com/training
+
|-
+
|ASR Data (SMART)
+
|http://www.asrdata.com/forensic-training/overview/
+
|-
+
|ATC-NY (P2P Marshal, Mac Marshal)
+
|http://p2pmarshal.atc-nycorp.com/index.php/training http://macmarshal.atc-nycorp.com/index.php/training
+
|-
+
|BlackBag Technologies (Mac Forensic Tools- BlackLight and SoftBlock)
+
|https://www.blackbagtech.com/training.html
+
|-
+
|Cellebrite (UFED)
+
|http://cellebrite.com/mobile-forensics-products/ufed-training.html
+
|-
+
|CPR Tools (Data Recovery)
+
|http://www.cprtools.net/training.php
+
|-
+
|Digital Intelligence (FRED Forensics Platform)
+
|http://www.digitalintelligence.com/forensictraining.php
+
|-
+
|e-fense, Inc. (Helix3 Pro)
+
|http://www.e-fense.com/training/index.php
+
|-
+
|Guidance Software (EnCase)
+
|http://www.guidancesoftware.com/computer-forensics-training-courses.htm
+
|-
+
|Micro Systemation (XRY)
+
|http://www.msab.com/training/schedule
+
|-
+
|Nuix (eDiscovery)
+
|http://www.nuix.com.au/eDiscovery.asp?active_page_id=147
+
|-
+
|Paraben (Paraben Suite)
+
|http://www.paraben-training.com/schedule.html
+
|-
+
|Software Analysis & Forensic Engineering (CodeSuite)
+
|http://www.safe-corp.biz/training.htm
+
|-
+
|Technology Pathways(ProDiscover)
+
|http://www.techpathways.com/DesktopDefault.aspx?tabindex=6&tabid=9
+
|-
+
|SubRosaSoft (MacForensicsLab)
+
|http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=index&cPath=2
+
|-
+
|Volatility Labs (Volatility Framework)
+
|http://volatility-labs.blogspot.com/search/label/training
+
|-
+
|WetStone Technologies (Gargoyle, Stego Suite, LiveWire Investigator)
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|X-Ways Forensics (X-Ways Forensics)
+
|http://www.x-ways.net/training/
+
|-
+
|}
+
  
==Commercial Training (Non-Tool Vendor)==
+
== External Links ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
 
|- style="background:#bfbfbf; font-weight: bold"
+
Harlan Carvey, Windows Forensic Analysis DVD Toolkit, 2009
! width="40%"|Title
+
! width="40%"|Website
+
! width="20%"|Limitation
+
|-
+
|Applied Security (Digital Forensics Training)
+
|http://www.appliedsec.com/forensics/training.html
+
|-
+
|BerlaCorp iOS and GPS Forensics Training
+
|http://www.berlacorp.com/training.html
+
|-
+
|Computer Forensic Training Center Online (CFTCO)
+
|http://www.cftco.com/
+
|-
+
|CCE Bootcamp
+
|http://www.cce-bootcamp.com/
+
|-
+
|Cyber Security Academy
+
|http://www.cybersecurityacademy.com/
+
|-
+
|Dera Forensics Group
+
|http://www.deraforensicgroup.com/courses.htm
+
|-
+
|e-fense Training
+
|http://www.e-fense.com/training/index.php
+
|-
+
|Forward Discovery, Inc.
+
|http://www.forwarddiscovery.com
+
|-
+
|H-11 Digital Forensics
+
|http://www.h11-digital-forensics.com/training/viewclasses.php
+
|-
+
|High Tech Crime Institute
+
|http://www.gohtci.com
+
|-
+
|Infosec Institute
+
|http://www.infosecinstitute.com/courses/security_training_courses.html
+
|-
+
|Intense School (a subsidiary of Infosec Institute)
+
|http://www.intenseschool.com/schedules
+
|-
+
|MD5 Group (Computer Forensics and E-Discovery courses)(Dallas, TX)
+
|http://www.md5group.com
+
|-
+
|Mile 2 (Security and Forensics Certification Training)
+
|https://www.mile2.com/mile2-online-estore/classess.html
+
|-
+
|Mobile Forensics, Inc
+
|http://mobileforensicsinc.com/
+
|-
+
|NetSecurity
+
|http://www.netsecurity.com/training/registration_schedule.html
+
|-
+
|NID Forensics Academy (Certified Digital Forensic Investigator - CDFI Program)
+
|http://www.nidforensics.com.br/
+
|-
+
|NTI (an Armor Forensics Company) APPEARS DEFUNCT
+
|http://www.forensics-intl.com/training.html
+
|-
+
|Security University
+
|http://www.securityuniversity.net/classes.php
+
|-
+
|Steganography Analysis and Research Center (SARC)
+
|http://www.sarc-wv.com/training
+
|-
+
|Sumuri, LLC - Mac, Mobile, iLook Training
+
|http://www.sumuri.com/index.php/features/training-and-events-calendar
+
|-
+
|SysAdmin, Audit, Network, Security Institute (SANS)
+
|http://computer-forensics.sans.org/courses/
+
|-
+
|Teel Technologies Mobile Device Forensics Training
+
|http://www.teeltech.com/tt3/training.asp
+
|-
+
|viaForensics Advanced Mobile Forensics Training
+
|http://viaforensics.com/education/calendar/
+
|-
+
|Zeidman Consulting (MCLE)
+
|http://www.zeidmanconsulting.com/speaking.htm
+
|-
+
|}
+
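Review bot: In the added Registry Key Location paragraph the path reads \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDIg32\OpenSaveMRU, with a capital I where the common dialog component name has a lowercase l (ComDlg32). As written, the path will not match when copied into a registry viewer or a search, so the spelling should be corrected. The added "OpenSaveMRU in Windows 7" section also opens with "Starting with Windows Vista", so the heading and the sentence should be aligned, and that sentence is missing its closing period.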

Latest revision as of 19:18, 7 June 2013

The OpenSaveMRU key exists in the Windows Registry and tracks files that have been opened or saved within a Windows shell dialog box. It is part of a set of keys recording information from the Windows Common Dialog. The Common Dialog libraries can be used by any Windows application and Microsoft highly recommends that developers use them instead of creating novel user interface elements [1]. Data is commonly found in this key from web browsers, document viewers, archiving utilities, and image viewers.


Registry Key Location

The key is present in each user's NTUSER.DAT hive in the \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU location. The values stored in the key itself are items that do not have file extensions associated with them [2]. Since most files in Windows have extensions, what often ends up here is auto-complete information. Consider an OpenSave dialog box that allows you to choose a file type from a list (e.g. .jpg, .png, .bmp). User input into this dialog will typically be the name of the file without the extension, since the dropdown filetype menu takes care of filling in the extension. Thus what will be stored in the OpenSaveMRU value is auto-complete information for that transaction, and the full filename is not stored.

Sub-Keys

A large number of subkeys can exist within the OpenSaveMRU key. All but one of the sub-keys correspond to file extensions and store full path information for files of that extension that have been opened or saved. Each subkey keeps its own Most Recently Used (MRU) list and last write time.

One outlier is the * subkey. This key tracks the last ten files of any extension (including no extension) that have been input into the OpenSave dialog [3].
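The following is an added example, not part of the original wiki page, showing how the per-subkey MRU lists and last write times can be turned into an ordered listing. It assumes the pre-Vista value layout (letter-named string values plus an `MRUList` value giving their order, which this page does not spell out); the sample data, paths, timestamps and function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample of one user's OpenSaveMRU key (pre-Vista layout assumed:
# letter-named string values plus an "MRUList" value giving their order).
# All paths and timestamps below are made up for illustration.
SAMPLE_KEY = {
    "*": {
        "last_write": datetime(2013, 6, 7, 19, 18, tzinfo=timezone.utc),
        "values": {
            "MRUList": "cab",
            "a": r"C:\Docs\report.doc",
            "b": r"C:\Pics\cat.jpg",
            "c": r"C:\Temp\notes",
        },
    },
    "jpg": {
        "last_write": datetime(2013, 6, 5, 8, 30, tzinfo=timezone.utc),
        # "d" is listed but has no data; "z" has data but is not listed.
        "values": {"MRUList": "bd", "b": r"C:\Pics\cat.jpg", "z": r"C:\Pics\old.jpg"},
    },
}


def order_mru(values):
    """Return (entries newest-first, value names MRUList does not account for)."""
    listed, ordered = [], []
    for name in values.get("MRUList", ""):
        if name in listed:
            continue  # a repeated letter must not produce a duplicate entry
        listed.append(name)
        if name in values:
            ordered.append(values[name])
    orphans = sorted(n for n in values if n != "MRUList" and n not in listed)
    return ordered, orphans


def build_rows(key):
    """Flatten every subkey into (subkey, rank, path, timestamp) rows."""
    rows = []
    for subkey, data in key.items():
        ordered, _ = order_mru(data["values"])
        for rank, path in enumerate(ordered):
            # A subkey's last write time can be tied to at most its newest
            # entry (rank 0); older entries have an order but no timestamp.
            rows.append((subkey, rank, path, data["last_write"] if rank == 0 else None))
    return rows


if __name__ == "__main__":
    for row in build_rows(SAMPLE_KEY):
        print(row)
```

Values reported as orphans by `order_mru` are worth a manual look, since they hold data that the subkey's own ordering no longer references.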

OpenSaveMRU in Windows 7

Starting with Windows Vista, the key has been renamed to OpenSavePidlMRU.

External Links

Harlan Carvey, Windows Forensic Analysis DVD Toolkit, 2009