Difference between pages "Training Courses and Providers" and "Windows"

From ForensicsWiki
= Windows =

{{Expand}}

'''Windows''' is a widespread [[operating system]] from [[Microsoft]].

There are 2 main branches of Windows:
* the DOS branch, e.g. Windows 95, 98, ME
* the NT branch, e.g. Windows NT 4, XP, Vista

== Features ==
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]

=== Introduced in Windows NT ===
* [[NTFS]]

=== Introduced in Windows 2000 ===

=== Introduced in Windows XP ===
* [[Prefetch]]
* System Restore (Restore Points); also present in Windows ME

==== SP2 ====
* Windows Firewall

=== Introduced in Windows Server 2003 ===
* Volume Shadow Copies

=== Introduced in [[Windows Vista]] ===
* [[BitLocker Disk Encryption | BitLocker]]
* [[Windows Desktop Search | Search]] integrated in the operating system
* [[ReadyBoost]]
* [[SuperFetch]]
* [[NTFS|Transactional NTFS (TxF)]]
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
* $Recycle.Bin
* [[Windows XML Event Log (EVTX)]]
* [[User Account Control (UAC)]]

=== Introduced in Windows Server 2008 ===

=== Introduced in [[Windows 7]] ===
* [[BitLocker Disk Encryption | BitLocker To Go]]
* [[Jump Lists]]
* [[Sticky Notes]]

=== Introduced in [[Windows 8]] ===
* [[Windows File History | File History]]
* [[Windows Storage Spaces | Storage Spaces]]
* [[Search Charm History]]
* [[Resilient File System (ReFS)]]; initially only available in the Windows 8 server edition

=== Introduced in Windows Server 2012 ===
* [[Resilient File System (ReFS)]]

== Forensics ==

=== Partition layout ===
In the default partition layout, the first partition starts:
* at sector 63 in Windows 2000, XP, 2003
* at sector 2048 in Windows Vista, 2008, 7
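As an added example (not code from the wiki or from any tool listed on it), a small Python MBR reader that extracts the starting LBA of the first partition entry and compares it with the two defaults listed above. It assumes the standard MBR layout (partition table at byte 446, four 16-byte entries, 0x55AA signature) and a 512-byte sector; the sample MBR is constructed inside the block, not taken from a real disk.

```python
import struct
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"       # last two bytes of the sector
# boot flag, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
ENTRY_FORMAT = "<B3xB3xII"

# Default first-partition start per Windows generation, as listed on the page.
DEFAULT_START_LBA = {
    63: "Windows 2000 / XP / 2003 default (CHS-aligned, directly after the MBR track)",
    2048: "Windows Vista / 2008 / 7 default (1 MiB aligned)",
}


def parse_mbr_partitions(mbr: bytes) -> List[Dict[str, int]]:
    """Return the in-use primary partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: missing 0x55AA signature")
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        boot_flag, ptype, start_lba, sectors = struct.unpack_from(ENTRY_FORMAT, mbr, offset)
        if ptype == 0:            # empty slot
            continue
        entries.append({"index": index, "bootable": int(boot_flag == 0x80),
                        "type": ptype, "start_lba": start_lba, "sectors": sectors})
    return entries


def classify_first_partition(mbr: bytes) -> Tuple[int, str]:
    """Starting sector of the lowest partition and which default layout it matches."""
    entries = parse_mbr_partitions(mbr)
    if not entries:
        raise ValueError("partition table is empty")
    start = min(e["start_lba"] for e in entries)
    label = DEFAULT_START_LBA.get(start)
    if label is None:
        # Neither default: report whether the start is still 1 MiB aligned,
        # which is what a Vista-or-later installer or a third-party tool produces.
        aligned = "1 MiB aligned" if start % 2048 == 0 else "not 1 MiB aligned"
        label = f"non-default start ({aligned})"
    return start, label


def build_sample_mbr(start_lba: int, sectors: int, ptype: int = 0x07) -> bytes:
    """Constructed sample MBR with one NTFS (0x07) partition; not from a real disk."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into(ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET, 0x80, ptype, start_lba, sectors)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    for start in (63, 2048):
        print(start, classify_first_partition(build_sample_mbr(start, 1_000_000)))
```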

=== Filesystems ===
* [[FAT]], [[FAT|exFAT]]
* [[NTFS]]
* [[Resilient File System (ReFS) | ReFS]]

=== Recycle Bin ===
The Recycle Bin contains "Recycled" files. Moving files and directories to the Recycle Bin is also referred to as soft deletion, since the files are not removed from the file system.

==== RECYCLER ====
The Recycler format is used by Windows 2000 and XP.

The per-user Recycle Bin folder has the form:
<pre>
C:\Recycler\%SID%\
</pre>

which contains:
* INFO2 file; "Recycled" files metadata

==== $RECYCLE.BIN ====
The $Recycle.Bin is used as of Windows Vista.

The per-user Recycle Bin folder has the form:
<pre>
C:\$Recycle.Bin\%SID%\
</pre>

which contains:
* $I files; "Recycled" file metadata
* $R files; the original data
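As an added example (not code from the wiki or from any tool it lists), a Python parser for the $I metadata records described above, plus the matching of each $I file with its $R data file. It assumes the publicly documented $I layout: an 8-byte version (1 on Vista through 8, 2 on later versions), the original file size, a FILETIME deletion timestamp, and the original path in UTF-16LE (a fixed 260-character field in version 1, length-prefixed in version 2); the name pairing ($I and $R share the same six-character suffix and extension) and the version 2 layout go beyond what the page states, and the sample records are constructed in the block.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Iterable, Optional

# Field offsets of a $I record (same for both known versions).
VERSION_OFF, SIZE_OFF, TIME_OFF, PATH_OFF = 0, 8, 16, 24
V1_PATH_BYTES = 260 * 2            # version 1: fixed 260-char UTF-16LE field (544-byte record)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample values (not from any real system), reused by the demo below.
SAMPLE_DELETED_UTC = datetime(2014, 5, 20, 13, 45, 30, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\alice\Documents\report.docx"


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data: bytes) -> Dict[str, Any]:
    """Parse one $I record and return the metadata of the soft-deleted file."""
    if len(data) < PATH_OFF:
        raise ValueError("truncated $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, VERSION_OFF)
    if version == 1:
        raw = data[PATH_OFF:PATH_OFF + V1_PATH_BYTES]
        if len(raw) < V1_PATH_BYTES:
            raise ValueError("version 1 record shorter than 544 bytes")
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, PATH_OFF)   # includes the NUL terminator
        raw = data[PATH_OFF + 4:PATH_OFF + 4 + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("version 2 path field truncated")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]   # stop at the first NUL
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}


def pair_recycle_entries(names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each $I file to its $R file (same suffix); None when the data file is gone."""
    r_files = {n[2:]: n for n in names if n.startswith("$R")}
    return {n: r_files.get(n[2:]) for n in names if n.startswith("$I")}


def build_sample_dollar_i(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Constructed sample record for testing; layout as described in the lead-in."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return header + encoded.ljust(V1_PATH_BYTES, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


if __name__ == "__main__":
    record = build_sample_dollar_i(1, 123456, SAMPLE_DELETED_UTC, SAMPLE_PATH)
    print(parse_dollar_i(record))
    print(pair_recycle_entries(["$IABC123.docx", "$RABC123.docx", "$IZZZ999.jpg"]))
```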

=== Registry ===

The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.

=== Thumbs.db Files ===

[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].

See also: [[Vista thumbcache]].

=== Browser Cache ===

=== Browser History ===

The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]], but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].

=== Search ===
See [[Windows Desktop Search]].

=== Setup API Logs ===
Windows Vista introduced several new [[Setup API Logs|Setup API Log files]].

Also see [http://support.microsoft.com/kb/927521].

=== Sleep/Hibernation ===

After Windows 7 (and possibly other versions) resumes from sleep or hibernation, there is often a system time change event (event ID 1) in the event logs.

=== Users ===
Windows stores users' security identifiers (SIDs) under the following registry key:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
</pre>

The ProfileImagePath value under each %SID% subkey should also contain the username.

=== Windows Error Reporting (WER) ===

As of Vista, WER reports for User Account Control (UAC) elevated applications can be found in:
<pre>
C:\ProgramData\Microsoft\Windows\WER\
</pre>

As of Vista, WER reports for applications that are not elevated through UAC (LUA) can be found in:
<pre>
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
</pre>

Corresponding registry key:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
</pre>

== Advanced Format (4KB Sector) Hard Drives ==
Windows XP does not natively support drives that use the newer 4KB-sector standard. For information on this, see [[Advanced Format]].

== %SystemRoot% ==
The actual value of %SystemRoot% is stored in the following registry value:
<pre>
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot
</pre>

== See Also ==
* [[Prefetch]]
* [[Setup API Logs]]
* [[SuperFetch]]
* [[Windows Application Compatibility]]
* [[Windows Desktop Search]]
* [[Windows Event Log (EVT)]]
* [[Windows XML Event Log (EVTX)]]
* [[Windows Vista]]
* [[Windows 7]]
* [[Windows 8]]

== External Links ==

* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
* [http://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html Search history on Windows 8 and 8.1], by [[Yogesh Khatri]], April 1, 2014
* [http://www.swiftforensics.com/2014/04/search-history-on-windows-81-part-2.html Search history on Windows 8.1 - Part 2], by [[Yogesh Khatri]], April 21, 2014

=== Recycle Bin ===
* [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf Lesson 3 – The Recycle Bin], by Steve Hailey
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by Mitchell Machor, January 22, 2008

=== Malware/Rootkits ===
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013

=== Program execution ===
* [http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html HowTo: Determine Program Execution], by [[Harlan Carvey]], July 06, 2013
* [http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html It Is All About Program Execution], by [[Corey Harrell]], January 14, 2014
* [http://sysforensics.org/2014/01/know-your-windows-processes.html Know your Windows Processes or Die Trying], by [[Patrick Olsen]], January 18, 2014

=== Tracking removable media ===
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012

=== Under the hood ===
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
* [http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx Load Library Safely], by Swamy Shivaganga Nagaraju, 13 May 2014

==== MSI ====
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013

==== Side-by-side (WinSxS) ====
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
* [http://www.fireeye.com/resources/pdfs/fireeye-dll-sideloading.pdf DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry], by Amanda Stewart, April 2014

==== System Restore (Restore Points) ====
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]], June 16, 2007
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]

==== Crash dumps ====
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]

==== RPC ====
* [http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx RPC to Go v.1], by Michael Platts, October 24, 2008
* [http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx RPC to Go v.2], by Michael Platts, December 4, 2008

==== User Account Control (UAC) ====
* [http://blog.strategiccyber.com/2014/03/20/user-account-control-what-penetration-testers-should-know/ User Account Control – What Penetration Testers Should Know], by Raphael Mudge, March 20, 2014

==== Windows Event Logs ====
* [http://journeyintoir.blogspot.ch/2014/03/exploring-program-inventory-event-log.html Exploring the Program Inventory Event Log], by [[Corey Harrell]], March 24, 2014

==== Windows Scripting Host ====
* [https://www.mandiant.com/blog/ground-windows-scripting-host-wsh/ Going To Ground with The Windows Scripting Host (WSH)], by Devon Kerr, February 19, 2014

==== USB ====
* [https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf USBKEY Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
* [https://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf USB Drive Enclosure Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009

==== WMI ====
* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010

==== Windows Error Reporting (WER) ====
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
* [http://journeyintoir.blogspot.ch/2014/02/exploring-windows-error-reporting.html Exploring Windows Error Reporting], by [[Corey Harrell]], February 24, 2014

==== Windows Firewall ====
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]

==== Windows 32-bit on Windows 64-bit (WoW64) ====
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]

=== Windows XP ===
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]

[[Category:Operating systems]]
[[Category:Windows]]

= Training Courses and Providers =

This is the list of Scheduled Training Courses, referred to by [[Upcoming_events]]. Please refer to the instructions on the [[Upcoming_events]] page if you wish to edit this page.

The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv.
<i>(Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title
! Date/Location
! Website
! Limitation
|-
|Computer Network Investigations Training Program (CNITP)
|Jun 02-13, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|ILook® Automated Forensic Application (ILook)
|Jun 02-06, Vassalboro, ME
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|EC-Council Certified Security Analyst/Qualified Security Analyst/Pen Testing Methods
|Jun 02-06, Reston, VA
|http://www.securityuniversity.net/classes_anti-hacking_pentest.php
|-
|Qualified Software Security Expert 5-day Bootcamp
|Jun 02-06, Reston, VA
|http://www.securityuniversity.net/classes_SI_SoftwareSecurity_Bootcamp.php
|-
|Licensed Penetration Tester/Qualified Penetration Tester
|Jun 02-06, Reston, VA
|http://www.securityuniversity.net/classes_Licensed_Penetration_Tester.php
|-
|EnCase® v6 Computer Forensics I
|Jun 02-06, Pasig City, Philippines
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|Core Skills for the Investigation of Cellular Telephones
|Jun 02-05, Sacramento, CA
|http://www.search.org/programs/hightech/calendar.asp
|Limited To Law Enforcement
|-
|EnCase&reg; v6 Computer Forensics I
|Jun 03-06, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 NTFS
|Jun 03-06, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics II
|Jun 03-06, Chicago, IL and Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Internet Examinations
|Jun 03-06, United Kingdom
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
|Jun 03-06, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; BootCamp
|Jun 03-05, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Macintosh Forensic Survival Course (MFSC)
|Jun 09-13, San Jose, CA
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|Limited to Law Enforcement
|-
|Qualified Network Security Policy Admin and Security Oriented Architect
|Jun 09-13, Reston, VA
|http://www.securityuniversity.net/classes_architecture.php
|-
|Core Skills for the Investigation of Cellular Telephones
|Jun 09-12, Sacramento, CA
|http://www.search.org/programs/hightech/calendar.asp
|Limited To Law Enforcement
|-
|X-Ways Forensics
|Jun 09-11, New York City, NY
|http://www.x-ways.net/training/new_york.html
|-
|Certified Wireless Network Administrator
|Jun 10-13, Reston, VA
|http://www.securityuniversity.net/classes_CWNA.php
|-
|Certified Wireless Network Admin/Wireless Security Professional Bootcamp
|Jun 10-19, Reston, VA
|http://www.securityuniversity.net/classes_wireless_bootcamp.php
|-
|AccessData&reg; BootCamp
|Jun 10-12, St Paul, MN
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Neutrino-Mobile Phone Forensics
|Jun 10-11, Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics I
|Jun 10-13, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Computer Forensics
|Jun 10-13, United Kingdom
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
|Jun 10-13, Chicago, IL
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics II
|Jun 10-13, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|File Systems Revealed
|Jun 12-13, New York City, NY
|http://www.x-ways.net/training/new_york.html
|-
|Computer Network Investigations Training Program (CNITP)
|Jun 16-27, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|Intermediate Data Recovery and Analysis (IDRA)
|Jun 16-20, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Certified Wireless Security Professional
|Jun 16-19, Reston, VA
|http://www.securityuniversity.net/classes_CWSP.php
|-
|Certified Ethical Hacker/Qualified Security Hacker Class
|Jun 16-20, Rome, Italy
|http://www.securityuniversity.net/classes_QSH.php
|-
|Systems Security Certified Practitioner and Security Plus
|Jun 16-20, Reston, VA
|http://www.securityuniversity.net/classes_SSCP_Security+_Bootcamp.php
|-
|Basic Data Recovery and Acquisition (BDRA)
|Jun 16-19, Hamilton, NJ
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|EnCase® v6 Computer Forensics II
|Jun 16-19, Pasig City, Philippines
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|Computer Forensics Certification Course (including official X-Ways Training)
|Jun 16-27, Hong Kong Police College
|http://www.police.gov.hk/police/policecollege/english/pdl/pold.htm
|Limited to Law Enforcement
|-
|EnCase&reg; v6 Computer Forensics I
|Jun 17-20, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Internet Examinations
|Jun 17-20, Chicago, IL
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
|Jun 17-20, United Kingdom
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|Neutrino-Mobile Phone Forensics
|Jun 17-18, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics II
|Jun 17-20, Los Angeles, CA and Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Computer Forensics
|Jun 17-20, Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|Introduction to Automated Forensic Tools (AFT)
|Jun 23-27, Meriden, CT
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|BlackBag Introductory MacIntosh Forensics
|Jun 23-27, San Jose, CA
|http://www.blackbagtech.com/products/training.htm
|-
|Macintosh Forensic Survival Course (MFSC)
|Jun 23-27, Melbourne, Australia
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|Limited to Law Enforcement
|-
|Secure Techniques for Onsite Preview (STOP)
|Jun 23-24, Shawano, WI
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|e-fense - Live Forensics and Incident Response Featuring Helix
|Jun 24-26, Jacksonville, FL
|https://www.e-fense.com/register.php
|-
|WetStone - Hacking BootCamp for Investigators
|Jun 24-27, Toronto, Canada
|https://www.wetstonetech.com/trainings.html
|-
|EnCase&reg; v6 Computer Forensics I
|Jun 24-27, Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
|Jun 24-27, Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Internet Examinations
|Jun 24-27, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; Enterprise v6 - Phase I
|Jun 24-27, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Computer Forensics
|Jun 24-27, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics II
|Jun 24-27, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Windows Forensics
|Jun 24-26, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Advanced Responders - Search and Seizure of SOHO Networks
|Jun 24-26, Sacramento, CA
|http://www.search.org/programs/hightech/calendar.asp
|Limited To Law Enforcement
|-
|Secure Techniques for Onsite Preview (STOP)
|Jun 25-26, Shawano, WI
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Macintosh Forensic Survival Course (MFSC)
|Jun 30-Jul 04, Brisbane, Australia
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|Limited to Law Enforcement
|-
|EnCase&reg; Enterprise v6 - Phase II
|Jun 30-Jul 03, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; BootCamp
|Jul 01-03, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|BlackBag Intermediate MacIntosh Forensics
|Jul 07-11, Los Angeles, CA
|http://www.blackbagtech.com/products/training.htm
|Limited to Law Enforcement
|-
|Linux /Unix Security
|Jul 07-10, Reston, VA
|http://www.securityuniversity.net/classes_linux_sec.php
|-
|Certified Ethical Hacker/Qualified Security Hacker/Network Defender
|Jul 07-10, San Francisco, CA
|http://www.securityuniversity.net/classes_QSH.php
|-
|Mobile Device Investigations Program (MDIP)
|Jul 14-18, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|AccessData&reg; Applied Decryption
|Jul 15-17, St Paul, MN
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Windows Forensics
|Jul 15-17, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Steganography Investigator Training
|Jul 16-17, Online Training
|https://www.wetstonetech.com/trainings.html
|-
|Computer Network Investigations Training Program (CNITP)
|Jul 21-Aug 01, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|Internet Investigations Training Program (IITP)
|Jul 21-25, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|BlackBag Intermediate MacIntosh Forensics
|Jul 21-25, Santa Clara, CA
|http://www.blackbagtech.com/products/training.htm
|-
|EC-Council Certified Security Analyst/Qualified Security Analyst/Pen Testing Methods
|Jul 21-25, San Francisco, CA
|http://www.securityuniversity.net/classes_anti-hacking_pentest.php
|-
|Licensed Penetration Tester/Qualified Penetration Tester
|Jul 21-25, San Francisco, CA
|http://www.securityuniversity.net/classes_Licensed_Penetration_Tester.php
|-
|WetStone - Live Investigator Training
|Jul 22-23, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|AccessData&reg; Windows Forensics
|Jul 22-24, St Louis, MO
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Computer Hacking Forensic Investigator/Qualified Forensics Expert
|July 26-Aug 01, San Francisco, CA
|http://www.securityuniversity.net/classes_CHFI.php
|-
|ILook® Automated Forensic Application (ILook)
|Jul 28-Aug 01, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Certified Wireless Network Administrator
|July 28-Aug 01, San Francisco, CA
|http://www.securityuniversity.net/www.classes_wireless_CWNA.php
|-
|Certified Wireless Network Admin/Wireless Security Professional Bootcamp
|July 29-Aug 07, San Francisco, CA
|http://www.securityuniversity.net/classes_wireless_bootcamp.php
|-
|WetStone - Steganography Investigator Training
|Aug 02-03, 04-05, Black Hat USA
|https://www.blackhat.com
|-
|WetStone - Live Investigator Training
|Aug 02-03, 04-05, Black Hat USA
|https://www.blackhat.com
|-
|WetStone - Hacking Investigator BootCamp
|Aug 02-05, Black Hat USA
|https://www.blackhat.com
|-
|Macintosh Forensic Survival Course (MFSC)
|Aug 04-08, Huntington Beach, CA
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
|Certified Wireless Network Admin/Wireless Security Professional Bootcamp
|Aug 05-14, Reston, VA
|http://www.securityuniversity.net/classes_wireless_bootcamp.php
|-
|Certified Wireless Network Administrator
|Aug 05-08, Reston, VA
|http://www.securityuniversity.net/classes_wireless_CWNA.php
|-
|AccessData&reg; BootCamp
|Aug 05-07, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Windows Forensics
|Aug 05-07, Louisville, KY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|Limited to Law Enforcement
|-
|Certified Wireless Security Professional
|Aug 11-14, Reston, VA
|http://www.securityuniversity.net/classes_wireless_CWSP.php
|-
|AccessData&reg; Windows Forensics
|Aug 12-14, St Paul, MN
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; BootCamp
|Aug 12-14, Albany, NY and New York City, NY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
|Aug 18-29, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|BlackBag Introductory MacIntosh Forensics
|Aug 18-22, Santa Clara, CA
|http://www.blackbagtech.com/products/training.htm
|-
|WetStone - Steganography Investigator Training
|Aug 19-20, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|AccessData&reg; BootCamp
|Aug 19-21, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Live Investigator Training
|Aug 26-27, Vancouver BC
|https://www.wetstonetech.com/trainings.html
|-
|AccessData&reg; BootCamp
|Aug 26-28, Ft Lauderdale, FL
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; BootCamp
|Sep 02-04, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Seized Computer Evidence Recovery Specialist (SCERS)
|Sep 08-19, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|BlackBag Introductory MacIntosh Forensics
|Sep 08-12, Washington D.C.
|http://www.blackbagtech.com/products/training.htm
|-
|Macintosh Forensic Survival Course (MFSC)
|Sep 08-12, Bellingham, WA
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
|Windows NT File System (NTFS)
|Sep 08-11, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Fundamentals of Computer Forensics Imaging
|Sep 9-12, Falls Church, VA
|http://www.mantech.com/msma/isso.asp
|-
|WetStone - Steganography Investigator Training
|Sep 10-11, Online
|https://www.wetstonetech.com/trainings.html
|-
|ILook® Automated Forensic Application (ILook)
|Sep 15-19, Meriden, CT
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|WetStone - Hacking BootCamp for Investigators
|Sep 16-19, Charleston, SC
|https://www.wetstonetech.com/trainings.html
|-
|EnCase&reg; v6 Computer Forensics II
|Sep 16-19, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Windows Forensics
|Sep 16-18, Columbia, SC
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|EnCase&reg; v6 Advanced Computer Forensics
|Sep 23-26, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Windows Forensics
|Sep 23-25, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; BootCamp
|Sep 23-25, Dallas, TX
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Applied Decryption
|Sep 23-25, Ft Lauderdale, FL
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Live Investigator Training
|Sep 30-Oct 1, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|EnCase&reg; v6 Computer Forensics II
|Sep 30-Oct 03, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Applied Decryption
|Oct 07-09, London, UK
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Windows Forensics
|Oct 07-09, Las Vegas, NV and New York City, NY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Steganography Investigator Training
|Oct 13-14, The Netherlands ENFSC Conference
|https://www.wetstonetech.com/trainings.html
|-
|AccessData&reg; BootCamp
|Oct 14-16, Louisville, KY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|Limited to Law Enforcement
|-
|WetStone - Live Investigator Training
|Oct 18-19, Atlantic City, NJ HTCIA Conference
|https://www.wetstonetech.com/trainings.html
|-
|Windows NT Operating System (NTOS)
|Oct 20-23, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|EnCase&reg; v6 Computer Forensics II
|Oct 21-24, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|WetStone - Live Investigator Training
|Oct 24-25, Gaithersburg, MD Techno Forensics Conference
|https://www.wetstonetech.com/trainings.html
|-
|WetStone - Steganography Investigator Training
|Oct 24-25, Gaithersburg, MD Techno Forensics Conference
|https://www.wetstonetech.com/trainings.html
|-
|EnCase&reg; v6 EnScript&reg; Programming - Phase I
|Oct 28-31, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Windows Forensics
|Oct 28-30, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Macintosh Forensic Survival Course (MFSC)
|Nov 03-07, Bern, Switzerland
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
|Windows NT File System (NTFS)
|Nov 03-06, Meriden, CT
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|EnCase&reg; v6 Computer Forensics II
|Nov 04-07, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; BootCamp
|Nov 04-06, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Internet Forensics
|Nov 04-06, St Paul, MN
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Windows Forensics
|Nov 04-06, Albany, NY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Steganography Investigator Training
|Nov 11-12, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|BlackBag Intermediate MacIntosh Forensics
|Nov 17-21, Washington D.C.
|http://www.blackbagtech.com/products/training.htm
|-
|WetStone - Hacking BootCamp for Investigators
|Nov 18-21, Vancouver BC
|https://www.wetstonetech.com/trainings.html
|-
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
|Nov 18-21, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics II
|Nov 25-28, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Internet Forensics
|Nov 25-27, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Windows Internet Trace Evidence (INET)
|Dec 01-05, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|AccessData&reg; Windows Forensics
|Dec 02-04, Ft Lauderdale, FL; New York City, NY; and London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Fundamentals of Computer Forensics Imaging
+
|Dec 02-05, Falls Church, VA
+
|http://www.mantech.com/msma/isso.asp
+
|-
+
|Windows NT Operating System(NTOS)
+
|Dec 08-11, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Application Forensics Course
+
|Dec 08-19, Hong Kong Police College
+
|http://www.police.gov.hk/police/policecollege/english/pdl/pold.htm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Dec 09-12, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Internet Forensics
+
|Dec 09-11, Dallas, TX and New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Dec 09-11, Louisville, KY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Dec 16-19, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Dec 16-18, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|**__2009 EVENTS__**
+
|_______2009_______
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Jan 12-16, 2009, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Jan 19-23, 2009, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Mar 02-06, 2009, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|}
+

Revision as of 14:40, 13 May 2014

Windows is a widespread operating system from Microsoft.

There are two main branches of Windows:

  • the DOS branch, e.g. Windows 95, 98, ME
  • the NT branch, e.g. Windows NT 4, XP, Vista

Features

  • Basic and Dynamic Disks, see: [1]

Introduced in Windows NT

Introduced in Windows 2000

Introduced in Windows XP

  • Prefetch
  • System Restore (Restore Points); also present in Windows ME

SP2

  • Windows Firewall

Introduced in Windows Server 2003

  • Volume Shadow Copies

Introduced in Windows Vista

Introduced in Windows Server 2008

Introduced in Windows 7

Introduced in Windows 8

Introduced in Windows Server 2012

Forensics

Partition layout

In the default partition layout, the first partition starts:

  • at sector 63 in Windows 2000, XP and 2003
  • at sector 2048 in Windows Vista, 2008 and 7
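As an added example that is not part of the original page, the following Python reads the MBR partition table from the first sector of a raw disk image and reports whether the lowest partition start matches the XP-era (sector 63) or Vista-era (sector 2048) default described above; a start elsewhere points at a third-party partitioning tool or a moved partition and is worth noting in an examination. The sample MBR it builds is constructed, not taken from a real disk.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"

# First-partition start sectors named on the page, mapped to the Windows era.
DEFAULT_LAYOUTS = {
    63: "Windows 2000 / XP / 2003 default layout",
    2048: "Windows Vista / 2008 / 7 default layout (1 MiB aligned)",
}


def parse_mbr(sector):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: wrong size or missing 0x55AA signature")
    entries = []
    for i in range(4):
        # Entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, start_lba, sectors = struct.unpack_from(
            "<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:
            continue  # unused slot
        entries.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                        "start_lba": start_lba, "sectors": sectors})
    return entries


def classify_layout(sector):
    """Describe where the lowest partition starts, using the page's defaults."""
    entries = parse_mbr(sector)
    if not entries:
        return "no partitions defined"
    if len(entries) == 1 and entries[0]["type"] == 0xEE:
        return "GPT disk (protective MBR); read the GPT header instead"
    first = min(e["start_lba"] for e in entries)
    return DEFAULT_LAYOUTS.get(
        first, f"non-default layout: first partition at sector {first}")


def build_sample_mbr(start_lba, ptype=0x07, sectors=1_000_000):
    """Constructed sample MBR (not real disk data) with one bootable partition."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, ptype, start_lba, sectors)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    for lba in (63, 2048, 16065):
        print(lba, "->", classify_layout(build_sample_mbr(lba)))
```

On a real image, pass the first 512 bytes of the file to classify_layout.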

Filesystems

Recycle Bin

The Recycle Bin contains "Recycled" files. Moving files and directories to the Recycle Bin is also referred to as soft deletion, since the files are not removed from the file system.

RECYCLER

The Recycler format is used by Windows 2000 and XP.

Each user has a Recycle Bin folder of the form:

C:\Recycler\%SID%\

which contains:

  • an INFO2 file: metadata for the recycled files

$RECYCLE.BIN

The $Recycle.Bin format is used as of Windows Vista.

Each user has a Recycle Bin folder of the form:

C:\$Recycle.Bin\%SID%\

which contains:

  • $I files: metadata for each recycled file
  • $R files: the original file data
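As an added example that is not part of the original page, the following Python parses a $I metadata record into the original path, original size and deletion time. The record layout it assumes is not given on the page: a version number, the file size and a FILETIME as three 8-byte little-endian values, followed by the original path in UTF-16LE (a fixed 520-byte field in version 1, or a 4-byte character count plus the path in version 2). The sample record is constructed for the test, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed deletion time used by the sample below (not from a real system).
SAMPLE_DELETED_AT = datetime(2014, 5, 13, 14, 40, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH  # integer arithmetic keeps the round trip exact
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """Parse a $I record (layout assumed as described in the lead-in)."""
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]          # fixed 260-character field
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]   # count includes the terminating NUL
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ticks), "original_path": path}


def build_sample_dollar_i(path, size, deleted_at=SAMPLE_DELETED_AT, version=1):
    """Constructed $I bytes for testing; on disk the matching $R file holds the data."""
    encoded = (path + "\x00").encode("utf-16-le")
    body = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        return body + encoded.ljust(520, b"\x00")
    return body + struct.pack("<I", len(path) + 1) + encoded


if __name__ == "__main__":
    sample = build_sample_dollar_i(r"C:\Users\alice\Documents\notes.txt", 4096)
    print(parse_dollar_i(sample))
```

The deletion time is UTC; convert it to the examined system's time zone before comparing it with other artifacts.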

Registry

The Windows Registry is a database of keys and values that provides a wealth of information to forensic investigators.

Thumbs.db Files

Thumbs.db files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the investigator.

See also: Vista thumbcache.

Browser Cache

Browser History

Web browser history files can contain significant information. The default web browser that comes with Windows is Microsoft Internet Explorer, but other common browsers on Windows are Apple Safari, Google Chrome, Mozilla Firefox and Opera.

Search

See Windows Desktop Search.

Setup API Logs

Windows Vista introduced several new Setup API Log files.

Also see [2].

Sleep/Hibernation

After Windows 7 (at least) resumes from sleep or hibernation, there is often a system time change event (event ID 1) in the event logs.

Users

Windows stores users' security identifiers (SIDs) under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

The ProfileImagePath value under each %SID% subkey should also contain the username.

Windows Error Reporting (WER)

As of Vista, WER reports for applications elevated by User Account Control (UAC) can be found in:

C:\ProgramData\Microsoft\Windows\WER\

As of Vista, WER reports for applications not elevated by UAC (LUA) can be found in:

C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\

Corresponding registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting

Advanced Format (4KB Sector) Hard Drives

Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see Advanced Format.

%SystemRoot%

The actual value of %SystemRoot% is stored in the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot

See Also

External Links

Recycle Bin

Malware/Rootkits

Program execution

Tracking removable media

Under the hood

MSI

Side-by-side (WinSxS)

System Restore (Restore Points)

Crash dumps

RPC

User Account Control (UAC)

Windows Event Logs

Windows Scripting Host

USB

WMI

Windows Error Reporting (WER)

Windows Firewall

Windows 32-bit on Windows 64-bit (WoW64)

Windows XP