Difference between pages "Training Courses and Providers" and "Windows"

From ForensicsWiki

== Training Courses and Providers ==

This is the list of Scheduled Training Courses, referred to by [[Upcoming_events]]. Please refer to the instructions on the [[Upcoming_events]] page if you wish to edit this page.

The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv.
<i>(Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title
! Date/Location
! Website
! Limitation
|-
|Computer Network Investigations Training Program (CNITP)
|Jun 02-13, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|ILook&reg; Automated Forensic Application (ILook)
|Jun 02-06, Vassalboro, ME
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|EnCase&reg; v6 Computer Forensics I
|Jun 02-06, Pasig City, Philippines
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|Core Skills for the Investigation of Cellular Telephones
|Jun 02-05, Sacramento, CA
|http://www.search.org/programs/hightech/calendar.asp
|Limited to Law Enforcement
|-
|EnCase&reg; v6 Computer Forensics I
|Jun 03-06, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 NTFS
|Jun 03-06, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics II
|Jun 03-06, Chicago, IL and Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Internet Examinations
|Jun 03-06, United Kingdom
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
|Jun 03-06, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; BootCamp
|Jun 03-05, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Macintosh Forensic Survival Course (MFSC)
|Jun 09-13, San Jose, CA
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|Limited to Law Enforcement
|-
|Core Skills for the Investigation of Cellular Telephones
|Jun 09-12, Sacramento, CA
|http://www.search.org/programs/hightech/calendar.asp
|Limited to Law Enforcement
|-
|X-Ways Forensics
|Jun 09-11, New York City, NY
|http://www.x-ways.net/training/new_york.html
|-
|AccessData&reg; BootCamp
|Jun 10-12, St Paul, MN
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Neutrino - Mobile Phone Forensics
|Jun 10-11, Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics I
|Jun 10-13, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Computer Forensics
|Jun 10-13, United Kingdom
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
|Jun 10-13, Chicago, IL
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics II
|Jun 10-13, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|File Systems Revealed
|Jun 12-13, New York City, NY
|http://www.x-ways.net/training/new_york.html
|-
|Computer Network Investigations Training Program (CNITP)
|Jun 16-27, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|Intermediate Data Recovery and Analysis (IDRA)
|Jun 16-20, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Basic Data Recovery and Acquisition (BDRA)
|Jun 16-19, Hamilton, NJ
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|EnCase&reg; v6 Computer Forensics II
|Jun 16-19, Pasig City, Philippines
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|Computer Forensics Certification Course (including official X-Ways Training)
|Jun 16-27, Hong Kong Police College
|http://www.police.gov.hk/police/policecollege/english/pdl/pold.htm
|Limited to Law Enforcement
|-
|EnCase&reg; v6 Computer Forensics I
|Jun 17-20, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Internet Examinations
|Jun 17-20, Chicago, IL
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
|Jun 17-20, United Kingdom
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|Neutrino - Mobile Phone Forensics
|Jun 17-18, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics II
|Jun 17-20, Los Angeles, CA and Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Computer Forensics
|Jun 17-20, Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|Introduction to Automated Forensic Tools (AFT)
|Jun 23-27, Meriden, CT
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|BlackBag Introductory Macintosh Forensics
|Jun 23-27, San Jose, CA
|http://www.blackbagtech.com/products/training.htm
|-
|Macintosh Forensic Survival Course (MFSC)
|Jun 23-27, Melbourne, Australia
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|Limited to Law Enforcement
|-
|Secure Techniques for Onsite Preview (STOP)
|Jun 23-24, Shawano, WI
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|e-fense - Live Forensics and Incident Response Featuring Helix
|Jun 24-26, Jacksonville, FL
|https://www.e-fense.com/register.php
|-
|WetStone - Hacking BootCamp for Investigators
|Jun 24-27, Toronto, Canada
|https://www.wetstonetech.com/trainings.html
|-
|EnCase&reg; v6 Computer Forensics I
|Jun 24-27, Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
|Jun 24-27, Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Internet Examinations
|Jun 24-27, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; Enterprise v6 - Phase I
|Jun 24-27, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Computer Forensics
|Jun 24-27, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics II
|Jun 24-27, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Windows Forensics
|Jun 24-26, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Advanced Responders - Search and Seizure of SOHO Networks
|Jun 24-26, Sacramento, CA
|http://www.search.org/programs/hightech/calendar.asp
|Limited to Law Enforcement
|-
|Secure Techniques for Onsite Preview (STOP)
|Jun 25-26, Shawano, WI
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Macintosh Forensic Survival Course (MFSC)
|Jun 30-Jul 04, Brisbane, Australia
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|Limited to Law Enforcement
|-
|EnCase&reg; Enterprise v6 - Phase II
|Jun 30-Jul 03, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; BootCamp
|Jul 01-03, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|BlackBag Intermediate Macintosh Forensics
|Jul 07-11, Los Angeles, CA
|http://www.blackbagtech.com/products/training.htm
|Limited to Law Enforcement
|-
|Linux/Unix Security
|Jul 07-10, Reston, VA
|http://www.securityuniversity.net/classes_linux_sec.php
|-
|Certified Ethical Hacker/Qualified Security Hacker/Network Defender
|Jul 07-10, San Francisco, CA
|http://www.securityuniversity.net/classes_QSH.php
|-
|Mobile Device Investigations Program (MDIP)
|Jul 14-18, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|AccessData&reg; Applied Decryption
|Jul 15-17, St Paul, MN
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Windows Forensics
|Jul 15-17, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Steganography Investigator Training
|Jul 16-17, Online Training
|https://www.wetstonetech.com/trainings.html
|-
|Computer Network Investigations Training Program (CNITP)
|Jul 21-Aug 01, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|Internet Investigations Training Program (IITP)
|Jul 21-25, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|BlackBag Intermediate Macintosh Forensics
|Jul 21-25, Santa Clara, CA
|http://www.blackbagtech.com/products/training.htm
|-
|EC-Council Certified Security Analyst/Qualified Security Analyst/Pen Testing Methods
|Jul 21-25, San Francisco, CA
|http://www.securityuniversity.net/classes_anti-hacking_pentest.php
|-
|Licensed Penetration Tester/Qualified Penetration Tester
|Jul 21-25, San Francisco, CA
|http://www.securityuniversity.net/classes_Licensed_Penetration_Tester.php
|-
|WetStone - Live Investigator Training
|Jul 22-23, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|AccessData&reg; Windows Forensics
|Jul 22-24, St Louis, MO
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Computer Hacking Forensic Investigator/Qualified Forensics Expert
|Jul 26-Aug 01, San Francisco, CA
|http://www.securityuniversity.net/classes_CHFI.php
|-
|ILook&reg; Automated Forensic Application (ILook)
|Jul 28-Aug 01, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Certified Wireless Network Administrator
|Jul 28-Aug 01, San Francisco, CA
|http://www.securityuniversity.net/www.classes_wireless_CWNA.php
|-
|Certified Wireless Network Admin/Wireless Security Professional Bootcamp
|Jul 29-Aug 07, San Francisco, CA
|http://www.securityuniversity.net/classes_wireless_bootcamp.php
|-
|WetStone - Steganography Investigator Training
|Aug 02-03, 04-05, Black Hat USA
|https://www.blackhat.com
|-
|WetStone - Live Investigator Training
|Aug 02-03, 04-05, Black Hat USA
|https://www.blackhat.com
|-
|WetStone - Hacking Investigator BootCamp
|Aug 02-05, Black Hat USA
|https://www.blackhat.com
|-
|Certified Wireless Security Professional (CWSP)
|Aug 04-07, San Francisco, CA
|http://www.securityuniversity.net/classes_wireless_CWSP.php
|-
|Linux/Unix Security
|Aug 04-07, Reston, VA
|http://www.securityuniversity.net/classes_linux_sec.php
|-
|Qualified Edge Protection: Firewalls, IPS, Spyware, Trojans and Viruses
|Aug 04-07, Reston, VA
|http://www.securityuniversity.net/classes_QEP.php
|-
|Macintosh Forensic Survival Course (MFSC)
|Aug 04-08, Huntington Beach, CA
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
|Certified Wireless Network Admin/Wireless Security Professional Bootcamp
|Aug 05-14, Reston, VA
|http://www.securityuniversity.net/classes_wireless_bootcamp.php
|-
|Certified Wireless Network Administrator
|Aug 05-08, Reston, VA
|http://www.securityuniversity.net/classes_wireless_CWNA.php
|-
|AccessData&reg; BootCamp
|Aug 05-07, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Windows Forensics
|Aug 05-07, Louisville, KY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|Limited to Law Enforcement
|-
|Certified Wireless Security Professional
|Aug 11-14, Reston, VA
|http://www.securityuniversity.net/classes_wireless_CWSP.php
|-
|AccessData&reg; Windows Forensics
|Aug 12-14, St Paul, MN
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; BootCamp
|Aug 12-14, Albany, NY and New York City, NY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
|Aug 18-29, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|BlackBag Introductory Macintosh Forensics
|Aug 18-22, Santa Clara, CA
|http://www.blackbagtech.com/products/training.htm
|-
|WetStone - Steganography Investigator Training
|Aug 19-20, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|AccessData&reg; BootCamp
|Aug 19-21, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Live Investigator Training
|Aug 26-27, Vancouver BC
|https://www.wetstonetech.com/trainings.html
|-
|AccessData&reg; BootCamp
|Aug 26-28, Ft Lauderdale, FL
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; BootCamp
|Sep 02-04, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Seized Computer Evidence Recovery Specialist (SCERS)
|Sep 08-19, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|BlackBag Introductory Macintosh Forensics
|Sep 08-12, Washington D.C.
|http://www.blackbagtech.com/products/training.htm
|-
|Macintosh Forensic Survival Course (MFSC)
|Sep 08-12, Bellingham, WA
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
|Windows NT File System (NTFS)
|Sep 08-11, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Fundamentals of Computer Forensics Imaging
|Sep 09-12, Falls Church, VA
|http://www.mantech.com/msma/isso.asp
|-
|WetStone - Steganography Investigator Training
|Sep 10-11, Online
|https://www.wetstonetech.com/trainings.html
|-
|ILook&reg; Automated Forensic Application (ILook)
|Sep 15-19, Meriden, CT
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|WetStone - Hacking BootCamp for Investigators
|Sep 16-19, Charleston, SC
|https://www.wetstonetech.com/trainings.html
|-
|EnCase&reg; v6 Computer Forensics II
|Sep 16-19, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Windows Forensics
|Sep 16-18, Columbia, SC
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|EnCase&reg; v6 Advanced Computer Forensics
|Sep 23-26, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Windows Forensics
|Sep 23-25, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; BootCamp
|Sep 23-25, Dallas, TX
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Applied Decryption
|Sep 23-25, Ft Lauderdale, FL
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Live Investigator Training
|Sep 30-Oct 01, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|EnCase&reg; v6 Computer Forensics II
|Sep 30-Oct 03, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Applied Decryption
|Oct 07-09, London, UK
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Windows Forensics
|Oct 07-09, Las Vegas, NV and New York City, NY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Steganography Investigator Training
|Oct 13-14, The Netherlands, ENFSC Conference
|https://www.wetstonetech.com/trainings.html
|-
|AccessData&reg; BootCamp
|Oct 14-16, Louisville, KY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|Limited to Law Enforcement
|-
|WetStone - Live Investigator Training
|Oct 18-19, Atlantic City, NJ, HTCIA Conference
|https://www.wetstonetech.com/trainings.html
|-
|Windows NT Operating System (NTOS)
|Oct 20-23, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|EnCase&reg; v6 Computer Forensics II
|Oct 21-24, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|WetStone - Live Investigator Training
|Oct 24-25, Gaithersburg, MD, Techno Forensics Conference
|https://www.wetstonetech.com/trainings.html
|-
|WetStone - Steganography Investigator Training
|Oct 24-25, Gaithersburg, MD, Techno Forensics Conference
|https://www.wetstonetech.com/trainings.html
|-
|EnCase&reg; v6 EnScript&reg; Programming - Phase I
|Oct 28-31, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Windows Forensics
|Oct 28-30, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Macintosh Forensic Survival Course (MFSC)
|Nov 03-07, Bern, Switzerland
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
|Windows NT File System (NTFS)
|Nov 03-06, Meriden, CT
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|EnCase&reg; v6 Computer Forensics II
|Nov 04-07, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; BootCamp
|Nov 04-06, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Internet Forensics
|Nov 04-06, St Paul, MN
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Windows Forensics
|Nov 04-06, Albany, NY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Steganography Investigator Training
|Nov 11-12, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|BlackBag Intermediate Macintosh Forensics
|Nov 17-21, Washington D.C.
|http://www.blackbagtech.com/products/training.htm
|-
|WetStone - Hacking BootCamp for Investigators
|Nov 18-21, Vancouver BC
|https://www.wetstonetech.com/trainings.html
|-
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
|Nov 18-21, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics II
|Nov 25-28, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Internet Forensics
|Nov 25-27, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Windows Internet Trace Evidence (INET)
|Dec 01-05, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|AccessData&reg; Windows Forensics
|Dec 02-04, Ft Lauderdale, FL; New York City, NY; and London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Fundamentals of Computer Forensics Imaging
|Dec 02-05, Falls Church, VA
|http://www.mantech.com/msma/isso.asp
|-
|Windows NT Operating System (NTOS)
|Dec 08-11, Meriden, CT
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Application Forensics Course
|Dec 08-19, Hong Kong Police College
|http://www.police.gov.hk/police/policecollege/english/pdl/pold.htm
|Limited to Law Enforcement
|-
|EnCase&reg; v6 Computer Forensics II
|Dec 09-12, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Internet Forensics
|Dec 09-11, Dallas, TX and New York City, NY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Windows Forensics
|Dec 09-11, Louisville, KY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|Limited to Law Enforcement

== Windows ==

{{Expand}}

'''Windows''' is a widespread [[operating system]] from [[Microsoft]].

There are two main branches of Windows:
* the DOS branch, i.e. Windows 95, 98, ME
* the NT branch, i.e. Windows NT 4, XP, Vista

== Features ==
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]

=== Introduced in Windows NT ===
* [[NTFS]]

=== Introduced in Windows 2000 ===

=== Introduced in Windows XP ===
* [[Prefetch]]
* System Restore (Restore Points); also present in Windows ME

==== SP2 ====
* Windows Firewall

=== Introduced in Windows Server 2003 ===
* Volume Shadow Copies

=== Introduced in [[Windows Vista]] ===
* [[BitLocker Disk Encryption | BitLocker]]
* [[Windows Desktop Search | Search]] integrated in the operating system
* [[ReadyBoost]]
* [[SuperFetch]]
* [[NTFS|Transactional NTFS (TxF)]]
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
* $Recycle.Bin
* [[Windows XML Event Log (EVTX)]]
* [[User Account Control (UAC)]]

=== Introduced in Windows Server 2008 ===

=== Introduced in [[Windows 7]] ===
* [[BitLocker Disk Encryption | BitLocker To Go]]
* [[Jump Lists]]
* [[Sticky Notes]]

=== Introduced in [[Windows 8]] ===
* [[Windows File History | File History]]
* [[Windows Storage Spaces | Storage Spaces]]
* [[Search Charm History]]
* [[Resilient File System (ReFS)]]; initially available only in the Windows 8 server edition

=== Introduced in Windows Server 2012 ===
* [[Resilient File System (ReFS)]]

== Forensics ==

=== Partition layout ===
In the default partition layout, the first partition starts:
* at sector 63 in Windows 2000, XP, 2003
* at sector 2048 in Windows Vista, 2008, 7

=== Filesystems ===
* [[FAT]], [[FAT|exFAT]]
* [[NTFS]]
* [[Resilient File System (ReFS) | ReFS]]

=== Recycle Bin ===
The Recycle Bin contains "Recycled" files. Moving files and directories to the Recycle Bin is also referred to as soft deletion, since the files are not removed from the file system.

==== RECYCLER ====
The Recycler format is used by Windows 2000 and XP.

Per-user Recycle Bin folder in the form:
<pre>
C:\Recycler\%SID%\
</pre>

Which contains:
* INFO2 file; metadata of the "Recycled" files

==== $RECYCLE.BIN ====
The $Recycle.Bin is used as of Windows Vista.

Per-user Recycle Bin folder in the form:
<pre>
C:\$Recycle.Bin\%SID%\
</pre>

Which contains:
* $I files; metadata of a "Recycled" file
* $R files; the original data

=== Registry ===

The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.

=== Thumbs.db Files ===

[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value to the [[investigator]].

See also: [[Vista thumbcache]].

=== Browser Cache ===

=== Browser History ===

The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]], but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].

=== Search ===
See [[Windows Desktop Search]]

=== Setup API Logs ===
Windows Vista introduced several new [[Setup API Logs|Setup API Log files]].

Also see [http://support.microsoft.com/kb/927521].

=== Sleep/Hibernation ===

After (at least) Windows 7 resumes from sleep/hibernation there is often a system time change event (event ID 1) in the event logs.

=== Users ===
Windows stores the users' security identifiers (SIDs) under the following registry key:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
</pre>

The %SID%\ProfileImagePath value should also contain the username.

=== Windows Error Reporting (WER) ===

As of Vista, for applications elevated through User Account Control (UAC), WER reports can be found in:
<pre>
C:\ProgramData\Microsoft\Windows\WER\
</pre>

As of Vista, for non-elevated (LUA) applications, WER reports can be found in:
<pre>
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
</pre>

Corresponding registry key:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
</pre>

== Advanced Format (4KB Sector) Hard Drives ==
Windows XP does not natively handle drives that use the newer standard of 4KB sectors. For information on this, see [[Advanced Format]].

== %SystemRoot% ==
The actual value of %SystemRoot% is stored in the following registry value:
<pre>
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot
</pre>

== See Also ==
* [[Prefetch]]
* [[Setup API Logs]]
* [[SuperFetch]]
* [[Windows Application Compatibility]]
* [[Windows Desktop Search]]
* [[Windows Event Log (EVT)]]
* [[Windows XML Event Log (EVTX)]]
* [[Windows Vista]]
* [[Windows 7]]
* [[Windows 8]]

== External Links ==

* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
* [http://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html Search history on Windows 8 and 8.1], by [[Yogesh Khatri]], April 1, 2014
* [http://www.swiftforensics.com/2014/04/search-history-on-windows-81-part-2.html Search history on Windows 8.1 - Part 2], by [[Yogesh Khatri]], April 21, 2014

=== Recycle Bin ===
* [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf Lesson 3 – The Recycle Bin], by Steve Hailey
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by Mitchell Machor, January 22, 2008

=== Malware/Rootkits ===
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013

=== Program execution ===
* [http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html HowTo: Determine Program Execution], by [[Harlan Carvey]], July 06, 2013
* [http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html It Is All About Program Execution], by [[Corey Harrell]], January 14, 2014
* [http://sysforensics.org/2014/01/know-your-windows-processes.html Know your Windows Processes or Die Trying], by [[Patrick Olsen]], January 18, 2014

=== Tracking removable media ===
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012

=== Under the hood ===
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
* [http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx Load Library Safely], by Swamy Shivaganga Nagaraju, 13 May 2014

==== MSI ====
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013

==== Side-by-side (WinSxS) ====
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
* [http://www.fireeye.com/resources/pdfs/fireeye-dll-sideloading.pdf DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry], by Amanda Stewart, April 2014

==== System Restore (Restore Points) ====
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]], June 16, 2007
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]

==== Crash dumps ====
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]

==== RPC ====
* [http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx RPC to Go v.1], by Michael Platts, October 24, 2008
* [http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx RPC to Go v.2], by Michael Platts, December 4, 2008

==== User Account Control (UAC) ====
* [http://blog.strategiccyber.com/2014/03/20/user-account-control-what-penetration-testers-should-know/ User Account Control – What Penetration Testers Should Know], by Raphael Mudge, March 20, 2014

==== Windows Event Logs ====
* [http://journeyintoir.blogspot.ch/2014/03/exploring-program-inventory-event-log.html Exploring the Program Inventory Event Log], by [[Corey Harrell]], March 24, 2014

==== Windows Scripting Host ====
* [https://www.mandiant.com/blog/ground-windows-scripting-host-wsh/ Going To Ground with The Windows Scripting Host (WSH)], by Devon Kerr, February 19, 2014

==== USB ====
* [https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf USBKEY Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
* [https://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf USB Drive Enclosure Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009

==== WMI ====
* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010

==== Windows Error Reporting (WER) ====
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
* [http://journeyintoir.blogspot.ch/2014/02/exploring-windows-error-reporting.html Exploring Windows Error Reporting], by [[Corey Harrell]], February 24, 2014

==== Windows Firewall ====
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]

==== Windows 32-bit on Windows 64-bit (WoW64) ====
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]

=== Windows XP ===
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]

[[Category:Operating systems]]
[[Category:Windows]]
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Dec 16-19, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Dec 16-18, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|**__2009 EVENTS__**
+
|_______2009_______
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Jan 12-16, 2009, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Jan 19-23, 2009, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Mar 02-06, 2009, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|}
+

Revision as of 14:40, 13 May 2014


Windows is a widely used operating system from Microsoft.

There are two main branches of Windows:

  • the DOS branch, e.g. Windows 95, 98, ME
  • the NT branch, e.g. Windows NT 4, 2000, XP, Vista

Features

  • Basic and Dynamic Disks, see: [1]

Introduced in Windows NT

Introduced in Windows 2000

Introduced in Windows XP

  • Prefetch
  • System Restore (Restore Points); also present in Windows ME

SP2

  • Windows Firewall

Introduced in Windows Server 2003

  • Volume Shadow Copies

Introduced in Windows Vista

Introduced in Windows Server 2008

Introduced in Windows 7

Introduced in Windows 8

Introduced in Windows Server 2012

Forensics

Partition layout

With the default partition layout created by Windows setup or Disk Management, the first partition starts:

  • at sector 63 (the end of the first CHS track) in Windows 2000, XP and Server 2003
  • at sector 2048 (1 MiB alignment) in Windows Vista, Server 2008 and 7

A disk partitioned with third-party tools can show either layout on any Windows version, so the start sector is a hint about the tooling that partitioned the disk, not proof of the installed Windows version.
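The check an examiner would run on the first sector of an image, as an added example that is not part of the original page: it parses the four MBR partition entries, reports the lowest start sector, and relates it to the two Windows defaults above. The sample MBR is constructed inline (a single NTFS partition) rather than read from a real disk, and the mapping from start sector to Windows generation assumes Windows tooling partitioned the disk, as the text notes.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
# boot flag, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
ENTRY_FORMAT = "<B3xB3xII"
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        offset = PARTITION_TABLE_OFFSET + slot * struct.calcsize(ENTRY_FORMAT)
        boot_flag, part_type, start_lba, sector_count = struct.unpack_from(
            ENTRY_FORMAT, mbr, offset)
        if part_type == 0:
            continue  # unused slot
        entries.append({
            "slot": slot,
            "bootable": boot_flag == 0x80,
            "type": part_type,
            "start_lba": start_lba,
            "sectors": sector_count,
        })
    return entries


def first_partition_start(mbr: bytes) -> int:
    """Start sector of the lowest-addressed partition, or -1 if the table is empty."""
    entries = parse_mbr(mbr)
    return min(e["start_lba"] for e in entries) if entries else -1


def classify_start(start_lba: int) -> str:
    """Relate the first partition's start sector to the Windows default that produces it.

    Assumption: the disk was partitioned by Windows setup or Disk Management;
    third-party tools can produce either layout on any Windows version.
    """
    if start_lba == 63:
        return "windows-2000/xp/2003 default (sector 63, CHS track aligned)"
    if start_lba == 2048:
        return "windows-vista/2008/7 default (sector 2048, 1 MiB aligned)"
    if start_lba > 0 and start_lba % 2048 == 0:
        return "1 MiB aligned, non-default start"
    return "unaligned or non-Windows partitioning"


def build_sample_mbr(start_lba: int, sector_count: int, part_type: int = 0x07) -> bytes:
    """Construct a synthetic MBR with one bootable NTFS (0x07) partition.

    Constructed test data; it is not a sector read from a real disk.
    """
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into(ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET,
                     0x80, part_type, start_lba, sector_count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    for start in (63, 2048):
        image = build_sample_mbr(start, 20_971_520)  # 10 GiB in 512-byte sectors
        print(parse_mbr(image))
        print(classify_start(first_partition_start(image)))
```

On a real image, replace the constructed sector with the first 512 bytes of the raw disk image (not of a partition image, which has no MBR); GPT disks carry a protective MBR with a single type 0xEE entry starting at sector 1, which this classifier reports as unaligned, and that is the cue to parse the GPT header instead.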

Filesystems

Recycle Bin

The Recycle Bin holds "recycled" files. Moving files and directories to the Recycle Bin is also referred to as soft deletion, since the data is not removed from the file system: the file is renamed and moved into the Recycle Bin folder, from which it can be restored.

RECYCLER

The RECYCLER format is used by Windows 2000, XP and Server 2003 on NTFS volumes (on FAT volumes the folder is C:\RECYCLED, without per-user subfolders).

Per user Recycle Bin folder in the form:

C:\Recycler\%SID%\

Which contains:

  • INFO2 file; metadata of the "Recycled" files (original path, deletion time, size)
  • the recycled files themselves, renamed to D<drive letter><index>.<extension>, e.g. Dc1.txt

$RECYCLE.BIN

The $Recycle.Bin format is used as of Windows Vista.

Per user Recycle Bin folder in the form:

C:\$Recycle.Bin\%SID%\

Which contains:

  • $I files; metadata of a "Recycled" file (original path, original size, deletion time)
  • $R files; the original data

Each recycled file yields one pair sharing the same random identifier and extension, e.g. $IABC123.txt and $RABC123.txt.
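A parser for the $I metadata record, as an added example that is not code from the original page: it decodes the version, original size, deletion time (a FILETIME, 100 ns ticks since 1601) and original path of the Vista-era format, and pairs the $I name with its $R partner. It also handles the later version 2 layout used by Windows 10 (a length-prefixed path instead of the fixed 520-byte field), which goes beyond this page and is stated as an assumption in the code. The sample records and the path C:\Users\alice\Documents\notes.txt are constructed for the example, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_FORMAT = "<QQQ"   # version, original file size, deletion time (FILETIME)
V1_PATH_BYTES = 520      # MAX_PATH (260) UTF-16LE code units, null padded


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; `when` must be timezone-aware."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I record from C:\\$Recycle.Bin\\<SID>\\.

    Version 1 (Vista through 8.1, the layout this page covers):
      0x00  8 bytes    version = 1
      0x08  8 bytes    original file size
      0x10  8 bytes    deletion time, FILETIME
      0x18  520 bytes  original path, UTF-16LE, null padded
    Version 2 (Windows 10 and later; assumption, beyond the page's scope):
      0x18  4 bytes    path length in UTF-16 code units, terminator included
      0x1c  variable   original path, UTF-16LE
    """
    if len(data) < 28:
        raise ValueError("too short to be a $I record")
    version, original_size, filetime = struct.unpack_from(HEADER_FORMAT, data, 0)
    if version == 1:
        raw_path = data[24:24 + V1_PATH_BYTES]
    elif version == 2:
        (path_chars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + path_chars * 2]
    else:
        raise ValueError(f"unsupported $I version {version}")
    original_path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": original_size,
        "deleted_at": filetime_to_datetime(filetime),
        "original_path": original_path,
    }


def partner_r_name(i_name: str) -> str:
    """$I<id>.<ext> holds the metadata; the data sits in $R<id>.<ext> next to it."""
    if not i_name.startswith("$I"):
        raise ValueError("expected a $I file name")
    return "$R" + i_name[2:]


def build_sample_dollar_i(version: int, original_path: str,
                          original_size: int, deleted_at: datetime) -> bytes:
    """Construct a synthetic $I record (test data, not from a real system)."""
    header = struct.pack(HEADER_FORMAT, version, original_size,
                         datetime_to_filetime(deleted_at))
    encoded = (original_path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(V1_PATH_BYTES, b"\x00")
    return header + struct.pack("<I", len(original_path) + 1) + encoded


SAMPLE_PATH = r"C:\Users\alice\Documents\notes.txt"   # constructed example path
SAMPLE_TIME = datetime(2014, 5, 13, 14, 40, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for version in (1, 2):
        record = build_sample_dollar_i(version, SAMPLE_PATH, 1234, SAMPLE_TIME)
        print(parse_dollar_i(record))
    print(partner_r_name("$IABC123.txt"))
```

When walking a real C:\$Recycle.Bin\<SID>\ folder, read each $I file whole (a version 1 record is exactly 544 bytes), take the deletion time as UTC, and check that the $R partner exists and that its size matches the recorded original size before treating the pair as intact; an $I without an $R means the data was purged or the bin was emptied while the metadata survived.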

Registry

The Windows Registry is a database of keys and values that provides a wealth of information to forensic investigators.

Thumbs.db Files

Thumbs.db files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the investigator.

See also: Vista thumbcache.

Browser Cache

Browser History

The Web Browser History files can contain significant information. The default web browser that comes with Windows is Microsoft Internet Explorer but other common browsers on Windows are Apple Safari, Google Chrome, Mozilla Firefox and Opera.

Search

See Windows Desktop Search

Setup API Logs

Windows Vista introduced several new Setup API Log files.

Also see [2].

Sleep/Hibernation

After (at least) Windows 7 resumes from sleep or hibernation there is often a system time change event (Microsoft-Windows-Kernel-General event ID 1) in the System event log; these entries are expected and should not by themselves be read as clock tampering.

Users

Windows stores the profile list, keyed by user Security Identifier (SID), under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

The ProfileImagePath value of each %SID% subkey holds the profile directory (e.g. C:\Users\<username>), whose last path component is normally the username. Only accounts that have logged on interactively and created a profile appear here, so the list is not a complete enumeration of local accounts.

Windows Error Reporting (WER)

As of Vista, for User Account Control (UAC) elevated applications WER reports can be found in:

C:\ProgramData\Microsoft\Windows\WER\

As of Vista, for non-elevated (LUA, least-privileged user account) applications WER reports can be found in the user's profile:

C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\

Corresponding registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting

Advanced Format (4KB Sector) Hard Drives

Windows XP does not natively handle drives that use 4 KB physical sectors, and its default partition start at sector 63 is misaligned with 4 KB sectors. For information on this, see Advanced Format.

%SystemRoot%

The actual value of %SystemRoot% is stored in the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot

See Also

  • Recycle Bin
  • Malware/Rootkits
  • Program execution
  • Tracking removable media
  • Under the hood
  • MSI
  • Side-by-side (WinSxS)
  • System Restore (Restore Points)
  • Crash dumps
  • RPC
  • User Account Control (UAC)
  • Windows Event Logs
  • Windows Scripting Host
  • USB
  • WMI
  • Windows Error Reporting (WER)
  • Windows Firewall
  • Windows 32-bit on Windows 64-bit (WoW64)
  • Windows XP