Difference between pages "Training Courses and Providers" and "Windows"

From ForensicsWiki
 
(Under the hood)
 
Line 1: Line 1:
This is the list of Scheduled Training Courses, referred to by [[Upcoming_events]].  Please refer to the instructions on the [[Upcoming_events]] page if you wish to edit this page.
+
{{Expand}}
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv. 
+
'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
There are 2 main branches of Windows:
|- style="background:#bfbfbf; font-weight: bold"
+
* the DOS-branch: i.e. Windows 95, 98, ME
! Title
+
* the NT-branch: i.e. Windows NT 4, XP, Vista
! Date/Location
+
 
! Website
+
== Features ==
! Limitation
+
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]
|-
+
 
|Seized Computer Evidence Recovery Specialist (SCERS)
+
=== Introduced in Windows NT ===
|May 12-23, Glynco, GA
+
* [[NTFS]]
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
 
|Limited to Law Enforcement
+
=== Introduced in Windows 2000 ===
|-
+
 
|Internet Investigations Training Program (IITP)
+
=== Introduced in Windows XP ===
|May 12-16, Glynco, GA
+
* [[Prefetch]]
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
* System Restore (Restore Points); also present in Windows ME
|Limited to Law Enforcement
+
 
|-
+
==== SP2 ====
|Qualified Software Security Expert Bootcamp
+
* Windows Firewall
|May 12-16, San Francisco, CA
+
 
|http://www.securityuniversity.net/classes_SI_SoftwareSecurity_Bootcamp.php
+
=== Introduced in Windows Server 2003 ===
|-
+
* Volume Shadow Copies
|Systems Security Certified Practitioner and Security Plus 
+
 
|May 12-16, Reston, VA
+
=== Introduced in [[Windows Vista]] ===
|http://www.securityuniversity.net/classes_SSCP.php
+
* [[BitLocker Disk Encryption | BitLocker]]
|-
+
* [[Windows Desktop Search | Search]] integrated in operating system
|Fast CyberForensic Triage(FCT)
+
* [[ReadyBoost]]
|May 12-15, Meriden, CT
+
* [[SuperFetch]]
|http://www.nw3c.org/ocr/courses_desc.cfm
+
* [[NTFS|Transactional NTFS (TxF)]]
|Limited to Law Enforcement
+
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
|-
+
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
|EnCase&reg; Enterprise v6 - Phase II
+
* $Recycle.Bin
|May 12-15, Toronto, Canada
+
* [[Windows XML Event Log (EVTX)]]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [[User Account Control (UAC)]]
|-
+
 
|Secure Techniques for Onsite Preview(STOP)
+
=== Introduced in Windows Server 2008 ===
|May 12-13, Pullman, WA
+
 
|http://www.nw3c.org/ocr/courses_desc.cfm
+
=== Introduced in [[Windows 7]] ===
|Limited to Law Enforcement
+
* [[BitLocker Disk Encryption | BitLocker To Go]]
|-
+
* [[Jump Lists]]
|Boot Camp Certified Wireless Network Administrator
+
* [[Sticky Notes]]
|May 13-16, San Francisco, CA
+
 
|http://www.securityuniversity.net/classes_wireless_CWNA.php
+
=== Introduced in [[Windows 8]] ===
|-
+
* [[Windows File History | File History]]
|Boot Camp Certified Wireless Network Admin/Wireless Security Professional
+
* [[Windows Storage Spaces | Storage Spaces]]
|May 13-22, San Francisco, CA
+
* [[Search Charm History]]
|http://www.securityuniversity.net/www.classes_wireless_bootcamp.php
+
* [[Resilient File System (ReFS)]]; Was initially available in the Windows 8 server edition.
|-
+
 
|EnCase&reg; v6 Computer Forensics I
+
=== Introduced in Windows Server 2012 ===
|May 13-16, Chicago, IL
+
* [[Resilient File System (ReFS)]]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
== Forensics ==
|EnCase&reg; v6 Computer Forensics II
+
 
|May 13-16, Houston, TX
+
=== Partition layout ===
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
Default partition layout, first partition starts:
|-
+
* at sector 63 in Windows 2000, XP, 2003
|EnCase&reg; v6 Advanced Computer Forensics
+
* at sector 2048 in Windows Vista, 2008, 7
|May 13-16, Los Angeles, CA
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
=== Filesystems ===
|-
+
* [[FAT]], [[FAT|exFAT]]
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
* [[NTFS]]
|May 13-16, Washington DC
+
* [[Resilient File System (ReFS) | ReFS]]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
=== Recycle Bin ===
|AccessData&reg; Windows Forensics
+
The Recycle Bin contains "Recycled" files. Moving files and directories to the Recycle Bin is also referred to as soft deletion, since the files are not removed from the file system.
|May 13-15, Sydney, NSW, Australia
+
 
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
==== RECYCLER ====
|-
+
The Recycler format is used by Windows 2000, XP.
|AccessData&reg; Internet Forensics
+
 
|May 13-15, Ft Lauderdale, FL
+
Per user Recycle Bin folder in the form:
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
<pre>
|-
+
C:\Recycler\%SID%\
|Advanced Responders - Search and Seizure of SOHO Networks
+
</pre>
|May 13-15, Sacramento, CA
+
 
|http://www.search.org/programs/hightech/calendar.asp
+
Which contains:
|Limited To Law Enforcement
+
* INFO2 file; "Recycled" files metadata
|-
+
 
|Secure Techniques for Onsite Preview(STOP)
+
==== $RECYCLE.BIN ====
|May 14-15, Pullman, WA
+
The $Recycle.Bin is used as of Windows Vista.
|http://www.nw3c.org/ocr/courses_desc.cfm
+
 
|Limited to Law Enforcement
+
Per user Recycle Bin folder in the form:
|-
+
<pre>
|Qualified Edge Protection: Firewalls, IPS, Spyware, Trojans and Viruses
+
C:\$Recycle.Bin\%SID%\
|May 19-22, Reston, VA
+
</pre>
|http://www.securityuniversity.net/classes_QEP.php
+
 
|-
+
Which contains:
|Certified Wireless Security Professional
+
* $I files; "Recycled" file metadata
|May 19-22, San Francisco, CA
+
* $R files; the original data
|http://www.securityuniversity.net/www.classes_wireless_CWSP.php
+
 
|-
+
=== Registry ===
|Computer Hacking Forensic Investigator/Qualified Forensic Expert
+
 
|May 19-23, San Francisco, CA
+
The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.
|http://www.securityuniversity.net/classes_CHFI_QFE.php
+
 
|-
+
=== Thumbs.db Files ===
|Macintosh Forensic Survival Course (MFSC)  
+
 
|May 19-23, Grand Rapids, MI
+
[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
+
 
|-
+
See also: [[Vista thumbcache]].
|Core Skills for the Investigation of Computer Crime
+
 
|May 19-23, Sacramento, CA
+
=== Browser Cache ===
|http://www.search.org/programs/hightech/calendar.asp
+
 
|Limited To Law Enforcement
+
=== Browser History ===
|-
+
 
|MacForensicsLab Examiner Certification Training
+
The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]] but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].
|May 19-22, Newark, CA
+
 
|http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=index&cPath=2
+
=== Search ===
|-
+
See [[Windows Desktop Search]]
|Basic On-Line Technical Skills(BOTS)
+
 
|May 19, Lynchburg, VA
+
=== Setup API Logs ===
|http://www.nw3c.org/ocr/courses_desc.cfm
+
Windows Vista introduced several new [[Setup API Logs|Setup API Log files]].
|Limited to Law Enforcement
+
 
|-
+
Also see [http://support.microsoft.com/kb/927521].
|Fundamentals of Computer Forensics Imaging
+
 
|May 20-23, Falls Church, VA
+
=== Sleep/Hibernation ===
|http://www.mantech.com/msma/isso.asp
+
 
|-
+
After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.
|Boot Camp Certified Wireless Network Admin/Wireless Security Professional
+
 
|May 20-29, San Francisco, CA
+
=== Users ===
|http://www.securityuniversity.net/www.classes_wireless_bootcamp.php
+
Windows stores a users Security identifiers (SIDs) under the following registry key:
|-
+
<pre>
|EnCase&reg; v6 Computer Forensics II
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
|May 20-23, United Kingdom
+
</pre>
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
The %SID%\ProfileImagePath value should also contain the username.
|EnCase&reg; v6 Computer Forensics I
+
 
|May 20-23, Houston, TX and Washington DC
+
=== Windows Error Reporting (WER) ===
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
As of Vista, for User Access Control (UAC) elevated applications WER reports can be found in:
|EnCase&reg; v6 Advanced Computer Forensics
+
<pre>
|May 20-23, Chicago, IL
+
C:\ProgramData\Microsoft\Windows\WER\
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
</pre>
|-
+
 
|AccessData&reg; Windows Forensics
+
As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:
|May 20-22, London, United Kingdom
+
<pre>
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
|-
+
</pre>
|Certified Wireless Network Administrator
+
 
|May 26-30, Rome Italy
+
Corresponding registry key:
|http://www.securityuniversity.net/www.classes_wireless_CWNA.php 
+
<pre>
|-
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
|Certified Ethical Hacker/Qualified Security Hacker/Network Defender
+
</pre>
|May 26-30, Reston, VA
+
 
|http://www.securityuniversity.net/classes_CEH_QEH.php
+
== Advanced Format (4KB Sector) Hard Drives ==
|-
+
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].
|Catching the Hackers Intro to IDS
+
 
|May 27-30, Reston, VA
+
== %SystemRoot% ==
|http://www.securityuniversity.net/classes_introIDS.php
+
The actual value of %SystemRoot% is store in the following registry value:
|-
+
<pre>
|Catching the Hackers II: Systems to Monitor Your Network
+
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
|May 27-30, Reston, VA
+
Value: SystemRoot
|http://www.securityuniversity.net/classes_IDSII.php
+
</pre>
|-
+
 
|EnCase&reg; v6 Computer Forensics II
+
== See Also ==
|May 27-30, Toronto, Canada
+
* [[Prefetch]]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [[Setup API Logs]]
|-
+
* [[SuperFetch]]
|AccessData&reg; BootCamp
+
* [[Windows Application Compatibility]]
|May 27-29, San Jose, CA
+
* [[Windows Desktop Search]]
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
* [[Windows Event Log (EVT)]]
|-
+
* [[Windows XML Event Log (EVTX)]]
|WetStone- Steganography Investigator Training
+
* [[Windows Vista]]
|May 30-31, 2008 Techno Security
+
* [[Windows 7]]
|https://www.wetstonetech.com/trainings.html
+
* [[Windows 8]]
|-
+
 
|WetStone- Live Investigator Training
+
== External Links ==
|May 30-31, 2008 Techno Security
+
 
|https://www.wetstonetech.com/trainings.html
+
* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
|-
+
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
|Computer Network Investigations Training Program (CNITP)
+
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
|Jun 02-13, Glynco, GA
+
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
|Limited to Law Enforcement
+
* [http://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html Search history on Windows 8 and 8.1], by [[Yogesh Khatri's]], April 1, 2014
|-
+
* [http://www.swiftforensics.com/2014/04/search-history-on-windows-81-part-2.html Search history on windows 8.1 - Part 2], by [[Yogesh Khatri's]], April 21, 2014
|ILook® Automated Forensic Application(ILook)
+
 
|Jun 02-06, Vassalboro, ME
+
=== Recycle Bin ===
|http://www.nw3c.org/ocr/courses_desc.cfm
+
* [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf Lesson 3 – The Recycle Bin], by Steve Hailey
|Limited to Law Enforcement
+
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by Mitchell Machor, January 22, 2008
|-
+
 
|EC-Council Certified Security Analyst/Qualified Security Analyst/Pen Testing Methods
+
=== Malware/Rootkits ===
|Jun 02-06, Reston, VA
+
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013
|http://www.securityuniversity.net/classes_anti-hacking_pentest.php
+
 
|-
+
=== Program execution ===
|Qualified Software Security Expert 5-day Bootcamp
+
* [http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html HowTo: Determine Program Execution], by [[Harlan Carvey]], July 06, 2013
|Jun 02-06, Reston, VA
+
* [http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html It Is All About Program Execution], by [[Corey Harrell]], January 14, 2014
|http://www.securityuniversity.net/classes_SI_SoftwareSecurity_Bootcamp.php
+
* [http://sysforensics.org/2014/01/know-your-windows-processes.html Know your Windows Processes or Die Trying], by [[Patrick Olsen]], January 18, 2014
|-
+
 
|Licensed Penetration Tester/Qualified Penetration Tester
+
=== Tracking removable media ===
|Jun 02-06, Reston, VA
+
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012
|http://www.securityuniversity.net/classes_Licensed_Penetration_Tester.php
+
 
|-
+
=== Under the hood ===
|EnCase® v6 Computer Forensics I
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
|Jun 02-06, Pasig City, Phillipines
+
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
|-
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
|Core Skills for the Investigation of Cellular Telephones
+
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
|Jun 02-05, Sacramento, CA
+
* [http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx Load Library Safely], by Swamy Shivaganga Nagaraju, 13 May 2014
|http://www.search.org/programs/hightech/calendar.asp
+
 
|Limited To Law Enforcement
+
==== MSI ====
|-
+
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
|EnCase&reg; v6 Computer Forensics I
+
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013
|Jun 03-06, Houston, TX
+
 
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
==== Side-by-side (WinSxS) ====
|-
+
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
|EnCase&reg; v6 NTFS
+
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
|Jun 03-06, Houston, TX
+
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
|-
+
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
|EnCase&reg; v6 Computer Forensics II
+
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
|Jun 03-06, Chicago, IL and Washington DC
+
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [http://www.fireeye.com/resources/pdfs/fireeye-dll-sideloading.pdf DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry], by Amanda Stewart, April 2014
|-
+
 
|EnCase&reg; v6 Advanced Internet Examinations
+
==== System Restore (Restore Points) ====
|Jun 03-06, United Kingdom
+
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
|-
+
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]], June 16, 2007
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
|Jun 03-06, Los Angeles, CA
+
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
==== Crash dumps ====
|AccessData&reg; BootCamp
+
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
|Jun 03-05, London, United Kingdom
+
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
 
|-
+
==== RPC ====
|Macintosh Forensic Survival Course (MFSC)  
+
* [http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx RPC to Go v.1], by Michael Platts, October 24, 2008
|Jun 09-13, San Jose, CA
+
* [http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx RPC to Go v.2], by Michael Platts, December 4, 2008
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
+
 
|Limited to Law Enforcement
+
==== User Account Control (UAC) ====
|-
+
* [http://blog.strategiccyber.com/2014/03/20/user-account-control-what-penetration-testers-should-know/ User Account Control – What Penetration Testers Should Know], by Raphael Mudge, March 20, 2014
|Qualified Network Security Policy Admin and Security Oriented Architect
+
 
|Jun 09-13, Reston, VA
+
==== Windows Event Logs ====
|http://www.securityuniversity.net/classes_architecture.php
+
* [http://journeyintoir.blogspot.ch/2014/03/exploring-program-inventory-event-log.html Exploring the Program Inventory Event Log], by [[Corey Harrell]], March 24, 2014
|-
+
 
|Core Skills for the Investigation of Cellular Telephones
+
==== Windows Scripting Host ====
|Jun 09-12, Sacramento, CA
+
* [https://www.mandiant.com/blog/ground-windows-scripting-host-wsh/ Going To Ground with The Windows Scripting Host (WSH)], by Devon Kerr, February 19, 2014
|http://www.search.org/programs/hightech/calendar.asp
+
 
|Limited To Law Enforcement
+
==== USB ====
|-
+
* [https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf USBKEY Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
|X-Ways Forensics
+
* [https://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf USB Drive Enclosure Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
|Jun 09-11, New York City, NY
+
 
|http://www.x-ways.net/training/new_york.html
+
==== WMI ====
|-
+
* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010
|Certified Wireless Network Administrator
+
 
|Jun 10-13, Reston, VA
+
==== Windows Error Reporting (WER) ====
|http://www.securityuniversity.net/classes_CWNA.php
+
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
|-
+
* [http://journeyintoir.blogspot.ch/2014/02/exploring-windows-error-reporting.html Exploring Windows Error Reporting], by [[Corey Harrell]], February 24, 2014
|Certified Wireless Network Admin/Wireless Security Professional Bootcamp
+
 
|Jun 10-19, Reston, VA
+
==== Windows Firewall ====
|http://www.securityuniversity.net/classes_wireless_bootcamp.php
+
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
|-
+
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]
|AccessData&reg; BootCamp
+
 
|Jun 10-12, St Paul, MN
+
==== Windows 32-bit on Windows 64-bit (WoW64) ====
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]
|-
+
 
|Neutrino-Mobile Phone Forensics
+
=== Windows XP ===
|Jun 10-11, Washington DC
+
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
 
|-
+
[[Category:Operating systems]]
|EnCase&reg; v6 Computer Forensics I
+
[[Category:Windows]]
|Jun 10-13, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jun 10-13, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
+
|Jun 10-13, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jun 10-13, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|File Systems Revealed
+
|Jun 12-13, New York City, NY
+
|http://www.x-ways.net/training/new_york.html
+
|-
+
|Computer Network Investigations Training Program (CNITP)
+
|Jun 16-27, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Intermediate Data Recovery and Analysis(IDRA)
+
|Jun 16-20, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Certified Wireless Security Professional
+
|Jun 16-19, Reston, VA
+
|http://www.securityuniversity.net/classes_CWSP.php
+
|-
+
|Certified Ethical Hacker/Qualified Security Hacker Class
+
|Jun 16-20, Rome Italy
+
|http://www.securityuniversity.net/classes_QSH.php 
+
|-
+
|Systems Security Certified Practitioner and Security Plus
+
|Jun 16-20, Reston, VA
+
|http://www.securityuniversity.net/classes_SSCP_Security+_Bootcamp.php
+
|-
+
|Basic Data Recovery and Acquisition(BDRA)
+
|Jun 16-19, Hamilton, NJ
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase® v6 Computer Forensics II
+
|Jun 16-19, Pasig City, Phillipines
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Computer Forensics Certification Course (including official X-Ways Training)
+
|Jun 16-27, Hong Kong Police College
+
|http://www.police.gov.hk/police/policecollege/english/pdl/pold.htm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jun 17-20, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Jun 17-20, Chicago, IL
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Jun 17-20, United Kingdom
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Neutrino-Mobile Phone Forensics
+
|Jun 17-18, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jun 17-20, Los Angeles, CA and Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jun 17-20, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Introduction to Automated Forensic Tools(AFT)
+
|Jun 23-27, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|Jun 23-27, San Jose, CA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|Macintosh Forensic Survival Course (MFSC)
+
|Jun 23-27, Melbourne, Australia
+
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
+
|Limited to Law Enforcement
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jun 23-24, Shawano, WI
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|e-fense - Live Forensics and Incident Response Featuring Helix
+
|Jun 24-26, Jacksonville, FL
+
|https://www.e-fense.com/register.php
+
|-
+
|WetStone- Hacking BootCamp for Investigators
+
|Jun 24-27, Toronto, Canada
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|EnCase&reg; v6 Computer Forensics I
+
|Jun 24-27, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Jun 24-27, Washington DC
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Internet Examinations
+
|Jun 24-27, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; Enterprise v6 - Phase I
+
|Jun 24-27, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Jun 24-27, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Jun 24-27, Houston, TX
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Jun 24-26, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Advanced Responders - Search and Seizure of SOHO Networks
+
|Jun 24-26, Sacramento, CA
+
|http://www.search.org/programs/hightech/calendar.asp
+
|Limited To Law Enforcement
+
|-
+
|Secure Techniques for Onsite Preview(STOP)
+
|Jun 25-26, Shawano, WI
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Macintosh Forensic Survival Course (MFSC)
+
|Jun 30-Jul 04, Brisbane, Australia
+
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; Enterprise v6 - Phase II
+
|Jun 30-Jul 03, Los Angeles, CA
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Jul 01-03, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|BlackBag Intermediate MacIntosh Forensics
+
|Jul 07-11, Los Angeles, CA
+
|http://www.blackbagtech.com/products/training.htm
+
|Limited to Law Enforcement
+
|-
+
|Linux /Unix Security
+
|Jul 07-10, Reston, VA
+
|http://www.securityuniversity.net/classes_linux_sec.php
+
|-
+
|Certified Ethical Hacker/Qualified Security Hacker/Network Defender
+
|Jul 07-10, San Francisco, CA
+
|http://www.securityuniversity.net/classes_QSH.php
+
|-
+
|Mobile Device Investigations Program (MDIP)
+
|Jul 14-18, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; Applied Decryption
+
|Jul 15-17, St Paul, MN
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Jul 15-17, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|WetStone- Steganography Investigator Training
+
|Jul 16-17, Online Training
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|Computer Network Investigations Training Program (CNITP)
+
|Jul 21-Aug 01, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|Internet Investigations Training Program (IITP
+
|Jul 21-25, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|BlackBag Intermediate MacIntosh Forensics
+
|Jul 21-25, Santa Clara, CA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|EC-Council Certified Security Analyst/Qualified Security Analyst/Pen Testing Methods
+
|Jul 21-25, San Francisco, CA
+
|http://www.securityuniversity.net/classes_anti-hacking_pentest.php
+
|-
+
|Licensed Penetration Tester/Qualified Penetration Tester
+
|Jul 21-25, San Francisco, CA
+
|http://www.securityuniversity.net/classes_Licensed_Penetration_Tester.php
+
|-
+
|WetStone- Live Investigator Training
+
|Jul 22-23, Fairfax, VA
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|AccessData&reg; Windows Forensics
+
|Jul 22-24, St Louis, MO
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Computer Hacking Forensic Investigator/Qualified Forensics Expert
+
|July 26-Aug 01, San Francisco, CA
+
|http://www.securityuniversity.net/classes_CHFI.php
+
|-
+
|ILook® Automated Forensic Application(ILook)
+
|Jul 28-Aug 01, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Certified Wireless Network Administrator
+
|July 28-Aug 01, San Francisco, CA
+
|http://www.securityuniversity.net/www.classes_wireless_CWNA.php
+
|-
+
|Certified Wireless Network Admin/Wireless Security Professional Bootcamp
+
|July 29-Aug 07, San Francisco, CA
+
|http://www.securityuniversity.net/classes_wireless_bootcamp.php
+
|-
+
|WetStone- Steganography Investigator Training
+
|Aug 02-03, 04-05, Black Hat USA
+
|https://www.blackhat.com
+
|-
+
|WetStone- Live Investigator Training
+
|Aug 02-03, 04-05, Black Hat USA
+
|https://www.blackhat.com
+
|-
+
|WetStone- Hacking Investigator BootCamp
+
|Aug 02-05, Black Hat USA
+
|https://www.blackhat.com
+
|-
+
|Macintosh Forensic Survival Course (MFSC)
+
|Aug 04-08, Huntington Beach, CA
+
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
+
|-
+
|Certified Wireless Network Admin/Wireless Security Professional Bootcamp
+
|Aug 05-14, Reston, VA
+
|http://www.securityuniversity.net/classes_wireless_bootcamp.php
+
|-
+
|Certified Wireless Network Administrator
+
|Aug 05-08, Reston, VA
+
|http://www.securityuniversity.net/classes_wireless_CWNA.php
+
|-
+
|AccessData&reg; BootCamp
+
|Aug 05-07, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Aug 05-07, Louisville, KY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Limited to Law Enforcement
+
|-
+
|Certified Wireless Security Professional
+
|Aug 11-14, Reston, VA
+
|http://www.securityuniversity.net/classes_wireless_CWSP.php
+
|-
+
|AccessData&reg; Windows Forensics
+
|Aug 12-14, St Paul, MN
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Aug 12-14, Albany, NY and New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
+
|Aug 18-29, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|Aug 18-22, Santa Clara, CA
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|WetStone- Steganography Investigator Training
+
|Aug 19-20, Fairfax, VA
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|AccessData&reg; BootCamp
+
|Aug 19-21, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|WetStone- Live Investigator Training
+
|Aug 26-27, Vancouver BC
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|AccessData&reg; BootCamp
+
|Aug 26-28, Ft Lauderdale, FL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Sep 02-04, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Seized Computer Evidence Recovery Specialist (SCERS)
+
|Sep 08-19, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
+
|Limited to Law Enforcement
+
|-
+
|BlackBag Introductory MacIntosh Forensics
+
|Sep 08-12, Washington D.C.
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|Macintosh Forensic Survival Course (MFSC)  
+
|Sep 08-12, Bellingham, WA
+
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
+
|-
+
|Windows NT File System(NTFS)
+
|Sep 08-11, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Fundamentals of Computer Forensics Imaging
+
|Sep 9-12, Falls Church, VA
+
|http://www.mantech.com/msma/isso.asp
+
|-
+
|WetStone- Steganography Investigator Training
+
|Sep 10-11, Online
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|ILook® Automated Forensic Application(ILook)
+
|Sep 15-19, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|WetStone- Hacking BootCamp for Investigators
+
|Sep 16-19, Charleston, SC
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Sep 16-19, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Sep 16-18, Columbia, SC
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Sep 23-26, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Sep 23-25, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; BootCamp
+
|Sep 23-25, Dallas, TX
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Applied Decryption
+
|Sep 23-25, Ft Lauderdale, FL
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|WetStone- Live Investigator Training
+
|Sep 30- Oct 1, Fairfax, VA
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Sep 30-Oct 03, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Applied Decryption
+
|Oct 07-09, London, UK
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Oct 07-09, Las Vegas, NV and New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|WetStone- Steganography Investigator Training
+
|Oct 13-14, The Netherlands ENFSC Conference
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|AccessData&reg; BootCamp
+
|Oct 14-16, Louisville, KY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Limited to Law Enforcement
+
|-
+
|WetStone- Live Investigator Training
+
|Oct 18-19, Atlantic City, NJ HTCIA Conference
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|Windows NT Operating System(NTOS)
+
|Oct 20-23, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Oct 21-24, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|WetStone- Live Investigator Training
+
|Oct 24-25, Gaithersburg, MD Techno Forensics Conference
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|WetStone- Steganography Investigator Training
+
|Oct 24-25, Gaithersburg, MD Techno Forensics Conference
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|EnCase&reg; v6 EnScript&reg;  Programming - Phase I
+
|Oct 28-31, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Oct 28-30, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Macintosh Forensic Survival Course (MFSC)  
+
|Nov 03-07, Bern, Switzerland
+
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
+
|-
+
|Windows NT File System(NTFS)
+
|Nov 03-06, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Nov 04-07, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Nov 04-06, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Internet Forensics
+
|Nov 04-06, St Paul, MN
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Nov 04-06, Albany, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|WetStone- Steganography Investigator Training
+
|Nov 11-12, Fairfax, VA
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|BlackBag Intermediate MacIntosh Forensics
+
|Nov 17-21, Washington D.C.
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|WetStone- Hacking BootCamp for Investigators
+
|Nov 18-21, Vancouver BC
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Nov 18-21, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Nov 25-28, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Internet Forensics
+
|Nov 25-27, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Dec 01-05, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; Windows Forensics
+
|Dec 02-04, Ft Lauderdale, FL; New York City, NY; and London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Fundamentals of Computer Forensics Imaging
+
|Dec 02-05, Falls Church, VA
+
|http://www.mantech.com/msma/isso.asp
+
|-
+
|Windows NT Operating System(NTOS)
+
|Dec 08-11, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Application Forensics Course
+
|Dec 08-19, Hong Kong Police College
+
|http://www.police.gov.hk/police/policecollege/english/pdl/pold.htm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Dec 09-12, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Internet Forensics
+
|Dec 09-11, Dallas, TX and New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Dec 09-11, Louisville, KY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Dec 16-19, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Dec 16-18, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|**__2009 EVENTS__**
+
|_______2009_______
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Jan 12-16, 2009, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Jan 19-23, 2009, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Mar 02-06, 2009, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|}
+

Revision as of 14:40, 13 May 2014


Windows is a widely used operating system from Microsoft.

There are 2 main branches of Windows:

  • the DOS-branch: e.g. Windows 95, 98, ME
  • the NT-branch: e.g. Windows NT 4, XP, Vista

Features

  • Basic and Dynamic Disks, see: [1]

Introduced in Windows NT

Introduced in Windows 2000

Introduced in Windows XP

  • Prefetch
  • System Restore (Restore Points); also present in Windows ME

SP2

  • Windows Firewall

Introduced in Windows Server 2003

  • Volume Shadow Copies

Introduced in Windows Vista

Introduced in Windows Server 2008

Introduced in Windows 7

Introduced in Windows 8

Introduced in Windows Server 2012

Forensics

Partition layout

Default partition layout, first partition starts:

  • at sector 63 in Windows 2000, XP, 2003
  • at sector 2048 in Windows Vista, 2008, 7
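
The default start sectors listed above can be checked against the partition table in sector 0 of a disk image. The following is an added example, not part of the original article: it reads the four MBR partition entries and compares the lowest start sector with the two defaults. The function names and the sample sector are constructed for illustration.

```python
import struct

# Default first-partition start sectors as listed in this article
DEFAULT_START = {63: "Windows 2000, XP, 2003", 2048: "Windows Vista, 2008, 7"}

def parse_mbr(sector0):
    """Return (type, start_lba, sector_count) for each used MBR partition entry."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature, not an MBR")
    entries = []
    for i in range(4):
        off = 446 + 16 * i  # partition table starts at byte 446, 16 bytes per entry
        # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, count
        _boot, ptype, start, count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype != 0x00:  # type 0 marks an unused entry
            entries.append((ptype, start, count))
    return entries

def first_partition_hint(sector0):
    """Return (start_lba, description) for the first partition on the disk."""
    entries = parse_mbr(sector0)
    if not entries:
        return None, "no partitions defined"
    if any(ptype == 0xEE for ptype, _, _ in entries):
        return None, "protective MBR (GPT disk), read the GPT instead"
    start = min(s for _, s, _ in entries)
    return start, DEFAULT_START.get(start, "non-default start sector")

def build_sample_mbr(start, count=204800, ptype=0x07):
    """Constructed 512-byte sector with one partition entry (not real evidence)."""
    entry = struct.pack("<B3xB3xII", 0x80, ptype, start, count)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    for lba in (63, 2048, 4096):
        print(lba, first_partition_hint(build_sample_mbr(lba)))
```

A matching start sector is only an indication of which installer partitioned the disk; third-party partitioning tools and later repartitioning can produce either value.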

Filesystems

Recycle Bin

The Recycle Bin contains "Recycled" files. Moving files and directories to the Recycle Bin is also referred to as soft deletion, since the files are not removed from the file system.

RECYCLER

The Recycler format is used by Windows 2000 and XP.

Per-user Recycle Bin folder in the form:

C:\Recycler\%SID%\

Which contains:

  • INFO2 file; "Recycled" files metadata

$RECYCLE.BIN

The $Recycle.Bin format is used as of Windows Vista.

Per-user Recycle Bin folder in the form:

C:\$Recycle.Bin\%SID%\

Which contains:

  • $I files; "Recycled" file metadata
  • $R files; the original data

Registry

The Windows Registry is a database of keys and values that provides a wealth of information to forensic investigators.

Thumbs.db Files

Thumbs.db files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the investigator.

See also: Vista thumbcache.

Browser Cache

Browser History

The Web Browser History files can contain significant information. The default web browser that comes with Windows is Microsoft Internet Explorer but other common browsers on Windows are Apple Safari, Google Chrome, Mozilla Firefox and Opera.

Search

See Windows Desktop Search

Setup API Logs

Windows Vista introduced several new Setup API Log files.

Also see [2].

Sleep/Hibernation

After Windows (at least Windows 7) resumes from sleep or hibernation, the event logs often contain a system time change event (event ID 1).

Users

Windows stores users' Security Identifiers (SIDs) under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

The %SID%\ProfileImagePath value should also contain the username.

Windows Error Reporting (WER)

As of Vista, WER reports for User Account Control (UAC) elevated applications can be found in:

C:\ProgramData\Microsoft\Windows\WER\

As of Vista, WER reports for non-UAC elevated applications (LUA) can be found in:

C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\

Corresponding registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting

Advanced Format (4KB Sector) Hard Drives

Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see Advanced Format.

%SystemRoot%

The actual value of %SystemRoot% is stored in the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot

See Also

External Links

Recycle Bin

Malware/Rootkits

Program execution

Tracking removable media

Under the hood

MSI

Side-by-side (WinSxS)

System Restore (Restore Points)

Crash dumps

RPC

User Account Control (UAC)

Windows Event Logs

Windows Scripting Host

USB

WMI

Windows Error Reporting (WER)

Windows Firewall

Windows 32-bit on Windows 64-bit (WoW64)

Windows XP