Difference between pages "Upcoming events" and "Windows"

From ForensicsWiki
(Difference between pages)
(Calls For Papers)
 
(Windows Firewall)
 
Line 1: Line 1:
Here is a BY DATE listing of '''upcoming conferences and training events''' that pertain to [[digital forensics]]. Some of these duplicate the generic [[conferences]], but have specific dates/locations for the upcoming conference/training event.
+
{{Expand}}
  
<b> The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv</b>
+
'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
<b> Any requests for additions, deletions or corrections to this list should be sent by email to David Baker <i>(bakerd AT mitre.org)</i>. </b>
+
  
== Calls For Papers ==
+
There are 2 main branches of Windows:
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
* the DOS-branch: i.e. Windows 95, 98, ME
|- style="background:#bfbfbf; font-weight: bold"
+
* the NT-branch: i.e. Windows NT 4, XP, Vista
! Title
+
! Due Date
+
! Website
+
|-
+
|PacSec Applied Security Conference
+
|Jul 27, 2007
+
|http://www.pacsec.jp/speakers.html
+
|-
+
|Journal of Digital Forensic Practice
+
|Jul 31, 2007
+
|http://www.tandf.co.uk/journals/titles/15567281.asp
+
|-
+
|American Academy of Forensic Sciences 2008 Annual Meeting
+
|Aug 01, 2007
+
|http://www.aafs.org/abstracts/your_online_presentation_submiss.htm
+
|-
+
|Digital Forensic Forum Prague 2007
+
|Aug 31, 2007
+
|http://www.dff-prague.com/News/article/sid=17.html
+
|-
+
|Internet Investigations Training Program (IITP) Sep 24-28, FLETC
+
|Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/internet-investigations-training-program-iitp/
+
|Limited to Law Enforcement
+
|-
+
|}
+
  
== Conferences ==
+
== Features ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Date/Location
+
! Website
+
|-
+
|SANSFire 2007
+
|Jul 25-Aug 03, Washington, DC
+
|http://www.sans.org/sansfire07/index.php?portal=e1bc55a0898bf3774408826c9368ae40
+
|-
+
|BlackHat Briefings
+
|Jul 28-Aug 02, Las Vegas, NV
+
|http://www.blackhat.com/html/bh-link/briefings.html
+
|-
+
|DefCon
+
|Aug 03-05, Las Vegas, NV
+
|http://www.defcon.org/
+
|-
+
|16th USENIX Security Symposium
+
|Aug 06-10, Boston, MA
+
|http://www.usenix.org/events/
+
|-
+
|GMU 2007 Symposium
+
|Aug 06-10, George Mason University, Fairfax, VA
+
|http://www.rcfg.org
+
|-
+
|[[Digital Forensic Research Workshop|Digital Forensic Research Workshop 2007]]
+
|Aug 13-15, Pittsburgh, PA
+
|http://www.dfrws.org/2007/index.html
+
|-
+
|HTCIA 2007 International Training Conference & Exposition
+
|Aug 27-29, San Diego, CA
+
|http://www.htcia-sd.org/htcia2007.html
+
|-
+
|Recent Advances in Intrusion Detection (RAID) 2007
+
|Sep 05-07, Gold Coast, Queensland, Australia
+
|http://www.isi.qut.edu.au/events/conferences/raid07
+
|-
+
|14th International Conference on Image Analysis and Processing (ICIAP 2007)
+
|Sep 10-14, Modena, Italy
+
|http://www.iciap2007.org
+
|-
+
|3rd International Conference on IT-Incident Management & IT-Forensics
+
|Sep 11-12, Stuttgart, Germany
+
|http://www.imf-conference.org/
+
|-
+
|ForenSec Canada 2007
+
|Sep 17-18, Regina, Saskatchewan, Canada
+
|http://www.csiservices.ca/events.html#ForenSec
+
|-
+
|SANS Network Security
+
|Sep 22-30, Las Vegas, NV
+
|http://www.sans.org/ns2007/?portal=69456f95660ade45be29c00b0c14aea1
+
|-
+
|Black and White Ball
+
|Sep 25-28, London, UK
+
|http://www.theblackandwhiteball.co.uk/
+
|-
+
|Wisconsin Association of Computer Crimes Investigators/Forensic Association of Computer Technologists
+
|Sep 26-28, Milwaukee, WI
+
|http://www.byteoutofcrime.org
+
|-
+
|6th Annual Internet Crimes Against Children National Conference
+
|Oct 15-18, San Jose, CA
+
|http://www.icactraining.org/website/registration.html
+
|-
+
|BlackHat Japan - Briefings
+
|Oct 23-26, Tokyo, Japan
+
|http://www.blackhat.com/html/bh-japan-07/bh-jp-07-main.html
+
|-
+
|Global Conference on Economic and High-Tech Crime (NW3C Membership Required)
+
|Oct 24-26, Crystal City, VA
+
|https://conference.nw3c.org/index.cfm
+
|-
+
|European Network Forensic and Security Conference 2007
+
|Oct 24-26,  Zuyd University, Heerlen, Netherlands
+
|http://www.enfsc2007.com/
+
|-
+
|Techno-Forensics Conference
+
|Oct 29 - 31, Rockville, MD
+
|http://www.techsec.com/html/TechnoForensics2007.html
+
|-
+
|DeepSec IDSC
+
|Nov 22-24, Vienna, Austria
+
|http://deepsec.net/
+
|-
+
|Digital Forensic Forum Prague 2007
+
|Nov 26-27, Prague, Czech Republic
+
|http://www.dff-prague.com/
+
|-
+
|PacSec Applied Security Conference
+
|Nov 29-30, Tokyo, Japan
+
|http://www.pacsec.jp/index.html
+
|-
+
|DoD Cyber Crime Conference 2008
+
|Jan 13-18, St. Louis, MO
+
|http://www.dodcybercrime.com/
+
|-
+
|AAFS Annual Meeting 2008
+
|Feb 18-23, Washington, DC
+
|http://aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|-
+
|CanSecWest Security Conference 2008
+
|Mar 19-21, Vanouver, BC, Canada
+
|http://cansecwest.com/
+
|-
+
|EuSecWest Security Conference 2008
+
|May 21-22, London, England
+
|http://eusecwest.com/
+
|-
+
|}
+
  
== On-going / Continuous Training ==
+
=== Introduced in Windows NT ===  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
* [[NTFS]]
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Date/Location or Venue
+
! Website
+
|-
+
|Basic Computer Examiner Course
+
|Computer Forensic Training Online
+
|http://www.cftco.com
+
|-
+
|MaresWare Suite Training
+
|First full week every month, Atlanta, GA
+
|http://www.maresware.com/maresware/training/maresware.htm
+
|-
+
|Linux Data Forensics Training
+
|Distance Learning Format
+
|http://www.crazytrain.com/training.html
+
|-
+
|Evidence Recovery for Windows Vista&trade;
+
|First full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows Server&reg; 2003 R2
+
|Second full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for the Windows XP&trade; operating system
+
|Third full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|SANS On-Demand Training
+
|Distance Learning Format
+
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
|-
+
|}
+
  
== Scheduled Training Courses ==
+
=== Introduced in Windows 2000 ===  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
 
|- style="background:#bfbfbf; font-weight: bold"
+
=== Introduced in Windows XP ===
! Title
+
* [[Prefetch]]
! Date/Location
+
* System Restore (Restore Points); also present in Windows ME
! Website
+
 
! Limitation
+
==== SP2 ====
|-
+
* Windows Firewall
|Seized Computer Evidence Recovery Specialist (SCERS)
+
 
|Jul 16-27, FLETC, Glynco, GA
+
=== Introduced in Windows 2003 (Server) ===
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
* Volume Shadow Copies
|Limited to Law Enforcement
+
 
|-
+
=== Introduced in Windows Vista ===
|EnCase Enterprise v6 - Phase II
+
* [[BitLocker Disk Encryption | BitLocker]]
|Jul 16-19, Washington DC
+
* [[Windows Desktop Search | Search]] integrated in operating system
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [[SuperFetch]]
|-
+
* [[NTFS|Transactional NTFS (TxF)]]
|SMART Windows Data Forensics
+
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
|Jul 16-18, Austin, TX
+
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
|http://asrdata.com/training/training2.html
+
* $Recycle.Bin
|-
+
* [[Windows XML Event Log (EVTX)]]
|EnCase v6 Computer Forensics I
+
* [[User Account Control (UAC)]]
|Jul 17-20, Los Angeles, CA and Houston, TX
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
=== Introduced in Windows 2008 (Server) ===
|-
+
 
|EnCase v6 Computer Forensics II
+
=== Introduced in Windows 7 ===
|Jul 17-20, Chicago, IL and United Kingdom
+
* [[BitLocker Disk Encryption | BitLocker To Go]]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [[Jump Lists]]
|-
+
* [[Sticky Notes]]
|EnCase v6 Advanced Computer Forensics
+
 
|Jul 17-20, Washington DC
+
=== Introduced in Windows 8 ===
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [[Windows Shadow Volumes | File History]]
|-
+
* [[Windows Storage Spaces | Storage Spaces]]
|EnCase v6 NTFS
+
* [[Resilient File System (ReFS)]]; server edition will likely be available in Windows Server 2012
|Jul 17-20, Perth, Australia
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
== Forensics ==
|-
+
 
|AccessData BootCamp
+
=== Partition layout ===
|Jul 17-19, Boise, ID
+
Default partition layout, first partition starts:
|http://www.accessdata.com/training
+
* at sector 63 in Windows 2000, XP, 2003
|-
+
* at sector 2048 in Windows Vista, 2008, 7
|Paraben Handheld Forensic Course
+
 
|Jul 23-26, Potomac Falls, VA
+
=== Filesystems ===
|http://www.paraben-training.com/
+
* [[FAT]], [[FAT|exFAT]]
|-
+
* [[NTFS]]
|EnCase v6 Advanced Computer Forensics
+
* [[Resilient File System (ReFS) | ReFS]]
|Jul 24-27, Chicago, IL and United Kingdom
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
=== Recycle Bin ===
|-
+
 
|EnCase v6 Computer Forensics I
+
==== RECYCLER ====
|Jul 24-27, United Kingdom
+
Used by Windows 2000, XP.
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
Uses INFO2 file.
|-
+
 
|EnCase v6 Computer Forensics II
+
See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]
|Jul 24-27, Houston, TX and Los Angeles, CA
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
==== $RECYCLE.BIN ====
|-
+
Used by Windows Vista.
|EnCase v6 Network Intrusion Investigations - Phase I
+
Uses $I and $R files.
|Jul 24-27, Washington DC
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]
|-
+
 
|AccessData Windows Forensics
+
=== Registry ===
|Jul 24-26, Albuquerque, NM
+
 
|http://www.accessdata.com/training
+
The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.
|-
+
 
|Network Forensics and Investigations Workshop
+
=== Thumbs.db Files ===
|Jul 25-27, Washington, DC
+
 
|http://www.strozllc.com/trainingcenter/
+
[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].
|-
+
 
|EnCase v6 Network Intrusion Investigations - Phase II
+
See also: [[Vista thumbcache]].
|Jul 30-Aug 02, Washington DC
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
=== Browser Cache ===
|-
+
 
|First Responder to Digital Evidence Program (FRDE)
+
=== Browser History ===
|Jul 31-Aug 02, FLETC, Glynco, GA
+
 
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]] but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].
|Limited to Law Enforcement
+
 
|-
+
=== Search ===
|EnCase v6 Advanced Computer Forensics
+
See [[Windows Desktop Search]]
|Jul 31-Aug 03, Los Angeles, CA
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
=== Setup log files (setupapi.log) ===
|-
+
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].
|EnCase v6 Computer Forensics I - Private Sector
+
 
|Jul 31-Aug 03, Houston, TX
+
=== Sleep/Hibernation ===
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.
|EnCase Enterprise v6 - Phase I
+
 
|Jul 31-Aug 03, United Kingdom
+
=== Users ===
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
Windows stores a users Security identifiers (SIDs) under the following registry key:
|-
+
<pre>
|EnCase v6 Computer Forensics II
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
|Jul 31-Aug 03, Ypsilanti, MI and Orlando, FL
+
</pre>
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
The %SID%\ProfileImagePath value should also contain the username.
|EnCase v6 Advanced Internet Examinations
+
 
|Jul 31-Aug 03, Sydney, Australia
+
=== Windows Error Reporting (WER) ===
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
As of Vista, for User Access Control (UAC) elevated applications WER reports can be found in:
|Paraben Wireless Forensics
+
<pre>
|Aug 01-03, Potomac Falls, VA
+
C:\ProgramData\Microsoft\Windows\WER\
|http://www.paraben-training.com/
+
</pre>
|-
+
 
|SARC Steganography Examiner Training
+
As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:
|Aug 04-05, Fairfax, VA (RCFG/GMU Conference 2007)
+
<pre>
|http://www.sarc-wv.com/training.aspx
+
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
|-
+
</pre>
|SMART for Linux
+
 
|Aug 06-09, Austin, TX
+
Corresponding registry key:
|http://asrdata.com/training/training2.html
+
<pre>
|-
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
|Introduction to Cyber Crime
+
</pre>
|Aug 06-08, Mississippi State University
+
 
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
== Advanced Format (4KB Sector) Hard Drives ==
|Limited to Law Enforcement
+
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].
|-
+
 
|X-Ways Forensics
+
== %SystemRoot% ==
|Aug 06-08, Seattle, WA
+
The actual value of %SystemRoot% is store in the following registry value:
|http://www.x-ways.net/training/seattle.html
+
<pre>
|-
+
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
|EnCase v6 FIM/Mobile Use of EE Live Forensics
+
Value: SystemRoot
|Aug 07-10, Chicago, IL
+
</pre>
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
== See Also ==
|EnCase v6 Advanced Computer Forensics
+
* [[Windows Event Log (EVT)]]
|Aug 07-10, Houston, TX
+
* [[Windows XML Event Log (EVTX)]]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
== External Links ==
|EnCase Enterprise v6 - Phase I
+
 
|Aug 07-10, Los Angeles, CA
+
* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
|-
+
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
|EnCase eDiscovery with v6
+
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
|Aug 07-10, Washington DC
+
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
=== Under the hood ===
|EnCase v6 Network Intrusion Investigations - Phase II
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
|Aug 07-10, United Kingdom
+
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
|-
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
|EnCase v6 Computer Forensics I - Private Sector
+
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
|Aug 07-10, Washington DC
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
=== MSI ===
|-
+
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
|Forensics Tools and Techniques
+
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013
|Aug 08-10, Mississippi State University
+
 
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
=== Side-by-side (WinSxS) ===
|Limited to Law Enforcement
+
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
|-
+
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
|File Systems Revealed
+
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
|Aug 09-10, Seattle, WA
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
|http://www.x-ways.net/training/seattle.html
+
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
|-
+
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
|Search and Seizure of Computers and Electronic Evidence
+
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
|Aug 09-10, Oxford, MS
+
 
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
=== Application Compatibility Database ===
|Limited to Law Enforcement
+
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
|-
+
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
|Macintosh Forensic Survival Course
+
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
|Aug 13-17, Fredricksburg, VA
+
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
|http://www.phoenixdatagroup.com/cart/index.php
+
* [http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
|-
+
 
|EnCase Enterprise v6 - Phase II
+
=== System Restore (Restore Points) ===
|Aug 13-16, Los Angeles, CA
+
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
|-
+
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]],  June 16, 2007
|X-Ways Forensics
+
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
|Aug 13-15, Long Beach, CA
+
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]
|http://www.x-ways.net/training/long_beach.html
+
 
|-
+
=== Tracking removable media ===
|SMART Linux Data Forensics
+
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012
|Aug 13-15, Austin, TX
+
 
|http://asrdata.com/training/training2.html
+
=== Crash dumps ===
|-
+
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
|Network Forensics and Investigations Workshop
+
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]
|Aug 13-15, Los Angeles, CA
+
 
|http://www.strozllc.com/trainingcenter/
+
=== ReadyBoost ===
|-
+
* [http://en.wikipedia.org/wiki/ReadyBoost Wikipedia: ReadyBoost]
|Paraben Cellular/GPS Signal Analysis
+
* [http://windowsir.blogspot.ch/2013/04/plugin-emdmgmt.html Plugin: EMDMgmt], by [[Harlan Carvey]], April 05, 2013
|Aug 13-14, Potomac Falls, VA
+
* [http://hackingexposedcomputerforensicsblog.blogspot.ch/2013/08/daily-blog-65-understanding-artifacts.html Understanding the artifacts EMDMgmt], by [[David Cowen]], August 27, 2013
|http://www.paraben-training.com/
+
 
|-
+
=== Windows Firewall ===
|Computer Network Investigations Training Program (CNITP)
+
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
|Aug 14-24, FLETC, Glynco, GA
+
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
 
|Limited to Law Enforcement
+
=== Windows 32-bit on Windows 64-bit (WoW64) ===
|-
+
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]
|EnCase v6 NTFS
+
 
|Aug 14-17, Chicago, IL
+
=== Windows XP ===
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]
|-
+
 
|EnCase v6 Computer Forensics II – Private Sector
+
=== Windows 8 ===
|Aug 14-17, Washington DC and United Kingdom
+
* [http://en.wikipedia.org/wiki/Features_new_to_Windows_8 Features new to Windows 8], Wikipedia
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [http://computerforensics.champlain.edu/blog/windows-8-forensics Windows 8 Forensics - part 1]
|-
+
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2 Windows 8 Forensics - part 2]
|EnCase v6 Computer Forensics I
+
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3 Windows 8 Forensics - part 3]
|Aug 14-17, Houston, TX
+
* [http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf Windows 8 Forensic Guide], by [[Amanda Thomson|Amanda C. F. Thomson]], 2012
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [http://forensicfocus.com/Forums/viewtopic/t=9604/ Forensic Focus: Windows 8 Forensics - A First Look], [http://www.youtube.com/watch?v=uhCooEz9FQs&feature=youtu.be Presentation], [http://www.forensicfocus.com/downloads/windows-8-forensics-josh-brunty.pdf Slides], by [[Josh Brunty]], August 2012
|-
+
* [http://dfstream.blogspot.ch/2013/03/windows-8-tracking-opened-photos.html Windows 8: Tracking Opened Photos], by [[Jason Hale]], March 8, 2013
|AccessData Internet Forensics
+
 
|Aug 14-16, Austin, TX
+
[[Category:Operating systems]]
|http://www.accessdata.com/training
+
|-
+
|File Systems Revealed
+
|Aug 16-17, Long Beach, CA
+
|http://www.x-ways.net/training/long_beach.html
+
|-
+
|EnCase v6 Computer Forensics II
+
|Aug 21-24, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 FIM/Mobile Use of EE Live Forensics
+
|Aug 21-24, Melbourne, Australia
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 NTFS
+
|Aug 21-24, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Aug 21-24, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Aug 21-24, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase Enterprise v6 - Phase II
+
|Aug 21-24, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|SARC Steganography Examiner Training
+
|Aug 24-25, San Diego, CA (HTCIA Conference 2007)
+
|http://www.sarc-wv.com/training.aspx
+
|-
+
|EnCase v6 Computer Forensics II
+
|Aug 28-31, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Aug 28-31, Singapore
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Aug 28-31, Savannah, Georgia
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Aug 28-31, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I - Private Sector
+
|Aug 28-31, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Helix Live Forensics and Incident Response Course
+
|Aug 28-30, Tennessee Bureau of Investigations - Nashville, TN
+
|https://www.e-fense.com/register.php
+
|-
+
|Paraben Cellular/GPS Signal Analysis
+
|Aug 30-31, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|SMART for Linux
+
|Sep 03-06, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Paraben Handheld Forensic Course
+
|Sep 04-07, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Sep 04-07, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Sep 04-07, Melbourne, Australia and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 FIM/Mobile Use of EE Live Forensics
+
|Sep 04-07, The Netherlands
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II
+
|Sep 04-07, Austin, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData BootCamp
+
|Sep 04-06, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Paraben Advanced Cell Phone Forensics
+
|Sep 10-12, San Diego, CA
+
|http://www.paraben-training.com/
+
|-
+
|Paraben E-Discovery: E-mail & Mobile E-mail Devices
+
|Sep 10-14, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|EnCase v6 Computer Forensics II
+
|Sep 11-14, United Kingdom and Singapore
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Sep 11-14, Houston, TX and Washington, DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase Enterprise v6 - Phase I
+
|Sep 11-14, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I - Private Sector
+
|Sep 11-14, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|First Responder to Digital Evidence Program (FRDE)
+
|Sep 11-13, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|AccessData Applied Decryption
+
|Sep 11-13, Dallas, TX
+
|http://www.accessdata.com/training
+
|-
+
|Paraben Advanced SIM Card Forensics
+
|Sep 13-14, San Diego, CA
+
|http://www.paraben-training.com/
+
|-
+
|Enterprise Data Forensics
+
|Sep 17-19, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Paraben Network Incident Response
+
|Sep 17-21, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Sep 18-21, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II
+
|Sep 18-21, Houston, TX and Leipzig, Germany
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Sep 18-21, Sydney, Australia and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Sep 18-21, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Paraben Cellular/GPS Signal Analysis
+
|Sep 20-21, San Diego, CA
+
|http://www.paraben-training.com/
+
|-
+
|Paraben Advanced Cell Phone Forensics
+
|Sep 24-26, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|Introduction to Cyber Crime
+
|Sep 24-26, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Internet Investigations Training Program (IITP)
+
|Sep 24-28, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Macintosh Forensic Survival Course
+
|Sep 24-28, Santa Ana, CA
+
|http://www.phoenixdatagroup.com/cart/index.php
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|Sep 24-28, Richmond, VA
+
|http://www.blackbagtech.com/products/training.htm
+
|Limited to Law Enforcement
+
|-
+
|EnCase v6 FIM/Mobile Use of EE Live Forensics
+
|Sep 25-28, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I - Private Sector
+
|Sep 25-28, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Sep 25-28, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II
+
|Sep 25-28, Toronto, Ontario, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData Applied Decryption
+
|Sep 25-27, Chicago, IL
+
|http://www.accessdata.com/training
+
|-
+
|AccessData BootCamp
+
|Sep 25-27, Solna, SE
+
|http://www.accessdata.com/training
+
|-
+
|Forensics Tools and Techniques
+
|Sep 26-28, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Paraben Advanced SIM Card Forensics
+
|Sep 27-28, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|Paraben Wireless Forensics
+
|Oct 01-03, San Diego, CA
+
|http://www.paraben-training.com/
+
|-
+
|SMART for Linux
+
|Oct 01-04, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|EnCase v6 Computer Forensics I - Private Sector
+
|Oct 02-05, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 FIM/Mobile Use of EE Live Forensics
+
|Oct 02-05, Los Angeles, CA, Washington, DC and Perth, Australia
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Oct 02-05, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Oct 02-05, The Netherlands
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 EnScript Programming - Phase II
+
|Oct 02-05, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Oct 02-05, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Paraben Cellular/GPS Signal Analysis
+
|Oct 04-05, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|SMART Windows Data Forensics
+
|Oct 08-10, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Paraben Handheld Forensic Course
+
|Oct 8-11, San Diego, CA
+
|http://www.paraben-training.com/
+
|-
+
|Paraben Handheld Forensic Course
+
|Oct 8-11, Potomac Falls, VA
+
|http://www.paraben-training.com/
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase I
+
|Oct 09-12, Los Angeles, CA and The Netherlands
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 FIM/Mobile Use of EE Live Forensics
+
|Oct 09-12, Sydney, Australia
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Oct 09-12, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Oct 09-12, Washington, DC and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Oct 09-12, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Oct 09-12, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
+
|Oct 15-26, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|Oct 15-19, Tacoma, WA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|Paraben E-Discovery: E-mail & Mobile E-mail Devices
+
|Oct 15-19, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase II
+
|Oct 15-18, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Paraben Advanced Cell Phone Forensics
+
|Oct 15-17, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|EnCase v6 Computer Forensics I - Private Sector
+
|Oct 16-19, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase I
+
|Oct 16-19, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II
+
|Oct 16-19, Washington DC and Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Oct 16-19, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase Enterprise v6 - Phase II
+
|Oct 16-19, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase II
+
|Oct 16-19, The Netherlands
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Oct 16-19, Austin, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 EnScript Programming - Phase I
+
|Oct 16-19, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Paraben Advanced SIM Card Forensics
+
|Oct 18-19, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|X-Ways Forensics
+
|Oct 22-24, Hong Kong
+
|http://www.x-ways.net/training/hong_kong.html
+
|-
+
|EnCase v6 Computer Forensics II
+
|Oct 23-26, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Oct 23-26, Canberra, Australia
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I - Private Sector
+
|Oct 23-26, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Oct 23-26, Los Angeles, CA and Singapore
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase eDiscovery with v6
+
|Oct 23-26, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Oct 23-26, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|File Systems Revealed
+
|Oct 25-26, Hong Kong
+
|http://www.x-ways.net/training/hong_kong.html
+
|-
+
|SARC Steganography Examiner Training
+
|Oct 26 - 27, Gaithersburg, MD (Techno Forensics Conference 2007)
+
|http://www.sarc-wv.com/training.aspx
+
|-
+
|Seized Computer Evidence Recovery Specialist (SCERS)
+
|Oct 29-Nov 9, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|Search and Seizure of Computers and Electronic Evidence
+
|Oct 29-30, Oxford, MS
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase v6 Computer Forensics II
+
|Oct 30-Nov 02, Los Angeles, CA and The Netherlands
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Oct 30-Nov 02, Washington DC and Toronto, Ontario, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I - Private Sector
+
|Oct 30-Nov 02, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase I
+
|Oct 30-Nov 02, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase Enterprise v6 - Phase I
+
|Oct 30-Nov 02, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Oct 30-Nov 02, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Paraben Handheld Forensic Course
+
|Nov 05-08, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|SMART for Linux
+
|Nov 05-08, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase II
+
|Nov 05-08, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase Enterprise v6 - Phase II
+
|Nov 05-08, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Introduction to Cyber Crime
+
|Nov 05-07, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Nov 06-09, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Nov 06-09, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 NTFS
+
|Nov 06-09, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II
+
|Nov 06-09, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData BootCamp
+
|Nov 06-08, Austin, TX
+
|http://www.accessdata.com/training
+
|-
+
|AccessData Windows Forensics
+
|Nov 06-08, Solna, Sweden
+
|http://www.accessdata.com/training
+
|-
+
|Forensics Tools and Techniques
+
|Nov 07-09, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|SMART Linux Data Forensics
+
|Nov 12-14, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|EnCase v6 Computer Forensics I - Private Sector
+
|Nov 13-16, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Nov 13-16, The Netherlands and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Nov 13-16, Sydney, Australia and Singapore
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Nov 13-16, Chicago, IL and Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II
+
|Nov 13-16, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData BootCamp
+
|Nov 13-15, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase v6 Computer Forensics II
+
|Nov 20-23, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 FIM/Mobile Use of EE Live Forensics
+
|Nov 20-23, Vancouver, BC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 NTFS
+
|Nov 27-30, Vancouver, BC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase I
+
|Nov 27-30, Sydney, Australia
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Nov 27-30, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics I
+
|Nov 27-30, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase eDiscovery with v6
+
|Nov 27-30, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Internet Investigations Training Program (IITP)
+
|Dec 03-07, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|SMART for Linux
+
|Dec 03-06, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Introduction to Cyber Crime
+
|Dec 03-05, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase v6 Computer Forensics I
+
|Dec 04-07, Chicago, IL; Los Angeles, CA; Houston, TX; and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase I
+
|Dec 04-07, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Computer Forensics II
+
|Dec 04-07, Washington DC, Leipzig, Germany and Toronto, Ontario, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Dec 04-07, Vancouver, BC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData Internet Forensics
+
|Dec 04-06 , Solna, Sweden
+
|http://www.accessdata.com/training
+
|-
+
|Forensics Tools and Techniques
+
|Dec 05-07, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|EnCase v6 Network Intrusion Investigations - Phase II
+
|Dec 10-13, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Enterprise Data Forensics
+
|Dec 10-12, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|EnCase v6 Computer Forensics II
+
|Dec 11-14, Chicago, IL; Houston, TX; Los Angeles, CA; United Kingdom; and Melbourne, Australia
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Dec 11-14, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Computer Forensics
+
|Dec 17-20, Chicago, IL and Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 FIM/Mobile Use of EE Live Forensics
+
|Dec 17-20, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 Advanced Internet Examinations
+
|Dec 17-20, Washington, DC and United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase v6 NTFS
+
|Dec 17-20, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Paraben Advanced Cell Phone Forensics
+
|Dec 17-19, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|EnCase v6 Computer Forensics II – Private Sector
+
|Dec 18-21, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Paraben Advanced SIM Card Forensics
+
|Dec 20-21, Mississauga, Ontario, Canada
+
|http://www.paraben-training.com/
+
|-
+
|}
+

Revision as of 01:32, 3 September 2013


Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Windows is a widely used operating system from Microsoft.

There are 2 main branches of Windows:

  • the DOS-branch: e.g. Windows 95, 98, ME
  • the NT-branch: e.g. Windows NT 4, XP, Vista

Features

  • Basic and Dynamic Disks, see: [1]

Introduced in Windows NT

Introduced in Windows 2000

Introduced in Windows XP

  • Prefetch
  • System Restore (Restore Points); also present in Windows ME

SP2

  • Windows Firewall

Introduced in Windows 2003 (Server)

  • Volume Shadow Copies

Introduced in Windows Vista

Introduced in Windows 2008 (Server)

Introduced in Windows 7

Introduced in Windows 8

Forensics

Partition layout

Default partition layout, first partition starts:

  • at sector 63 in Windows 2000, XP, 2003
  • at sector 2048 in Windows Vista, 2008, 7
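The default start sectors listed above can be checked by reading the MBR partition table from the first sector of a disk image. The following is an added example, not part of the original wiki page; the function names and the sample MBRs are constructed for illustration, and it assumes a classic MBR whose sector 0 has already been read from the image.

```python
import struct

# Default first-partition start sectors, as stated on this page.
DEFAULT_START = {63: "Windows 2000, XP, 2003", 2048: "Windows Vista, 2008, 7"}

def parse_mbr(sector0):
    """Return the non-empty primary partition entries from an MBR sector."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature at offset 510")
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i:462 + 16 * i]
        # Entry layout: boot flag, CHS start (3 bytes), type,
        # CHS end (3 bytes), LBA start, sector count (little-endian).
        boot, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if ptype != 0 and count != 0:
            entries.append({"slot": i, "bootable": boot == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries

def first_partition_hint(sector0):
    """Return (start_sector, hint) for the lowest-starting primary partition."""
    parts = parse_mbr(sector0)
    if not parts:
        return None, "no primary partitions"
    if any(p["type"] == 0xEE for p in parts):
        # Type 0xEE marks a protective MBR; the real layout is in the GPT.
        return None, "GPT protective MBR, read the GPT header instead"
    start = min(p["lba_start"] for p in parts)
    return start, DEFAULT_START.get(start, "non-default layout")

def build_sample_mbr(partitions):
    """Construct a sample MBR from up to four (type, lba_start, sectors) tuples."""
    sector = bytearray(512)
    for i, (ptype, lba_start, count) in enumerate(partitions):
        boot = 0x80 if i == 0 else 0x00
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * i,
                         boot, ptype, lba_start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    # Constructed samples: one NTFS (type 0x07) partition per layout.
    samples = {"xp-style": build_sample_mbr([(0x07, 63, 40000)]),
               "vista-style": build_sample_mbr([(0x07, 2048, 204800)])}
    for name, image in samples.items():
        print(name, first_partition_hint(image))
```

The start sector reflects the tool that partitioned the disk, so a disk partitioned under Windows XP and later upgraded in place will still start at sector 63; treat the result as a hint, not as proof of the installed version.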

Filesystems

Recycle Bin

RECYCLER

Used by Windows 2000, XP. Uses INFO2 file.

See: [2]

$RECYCLE.BIN

Used by Windows Vista. Uses $I and $R files.

See: [3]

Registry

The Windows Registry is a database of keys and values that provides a wealth of information to forensic investigators.

Thumbs.db Files

Thumbs.db files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the investigator.

See also: Vista thumbcache.

Browser Cache

Browser History

The Web Browser History files can contain significant information. The default web browser that comes with Windows is Microsoft Internet Explorer but other common browsers on Windows are Apple Safari, Google Chrome, Mozilla Firefox and Opera.

Search

See Windows Desktop Search

Setup log files (setupapi.log)

Windows Vista introduced several setup log files [4].

Sleep/Hibernation

After a system recovers from sleep/hibernation (at least on Windows 7), there is often a system time change event (event ID 1) in the event logs.

Users

Windows stores users' security identifiers (SIDs) under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

The %SID%\ProfileImagePath value should also contain the username.

Windows Error Reporting (WER)

As of Vista, WER reports for User Account Control (UAC) elevated applications can be found in:

C:\ProgramData\Microsoft\Windows\WER\

As of Vista, WER reports for non-UAC elevated applications (LUA) can be found in:

C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\

Corresponding registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting

Advanced Format (4KB Sector) Hard Drives

Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see Advanced Format.

%SystemRoot%

The actual value of %SystemRoot% is stored in the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot

See Also

External Links

Under the hood

MSI

Side-by-side (WinSxS)

Application Compatibility Database

System Restore (Restore Points)

Tracking removable media

Crash dumps

ReadyBoost

Windows Firewall

Windows 32-bit on Windows 64-bit (WoW64)

Windows XP

Windows 8