Difference between pages "Training Courses and Providers" and "Windows"

From ForensicsWiki

= Training Courses and Providers =

This is the list of Scheduled Training Courses, referred to by [[Upcoming_events]]. Please refer to the instructions on the [[Upcoming_events]] page if you wish to edit this page.

The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv.
<i>(Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title !! Date/Location !! Website !! Limitation
|-
| Computer Network Investigations Training Program (CNITP) || Jun 16-27, Glynco, GA || http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation || Limited to Law Enforcement
|-
| Intermediate Data Recovery and Analysis (IDRA) || Jun 16-20, St. Louis, MO || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| Basic Data Recovery and Acquisition (BDRA) || Jun 16-19, Hamilton, NJ || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| EnCase&reg; v6 Computer Forensics II || Jun 16-19, Pasig City, Philippines || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| Computer Forensics Certification Course (including official X-Ways Training) || Jun 16-27, Hong Kong Police College || http://www.police.gov.hk/police/policecollege/english/pdl/pold.htm || Limited to Law Enforcement
|-
| EnCase&reg; v6 Computer Forensics I || Jun 17-20, Houston, TX || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| EnCase&reg; v6 Advanced Internet Examinations || Jun 17-20, Chicago, IL || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| EnCase&reg; v6 Network Intrusion Investigations - Phase I || Jun 17-20, United Kingdom || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| Neutrino - Mobile Phone Forensics || Jun 17-18, Los Angeles, CA || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| EnCase&reg; v6 Computer Forensics II || Jun 17-20, Los Angeles, CA and Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| EnCase&reg; v6 Advanced Computer Forensics || Jun 17-20, Washington DC || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| Introduction to Automated Forensic Tools (AFT) || Jun 23-27, Meriden, CT || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| BlackBag Introductory Macintosh Forensics || Jun 23-27, San Jose, CA || http://www.blackbagtech.com/products/training.htm
|-
| Macintosh Forensic Survival Course (MFSC) || Jun 23-27, Melbourne, Australia || http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3 || Limited to Law Enforcement
|-
| Secure Techniques for Onsite Preview (STOP) || Jun 23-24, Shawano, WI || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| e-fense - Live Forensics and Incident Response Featuring Helix || Jun 24-26, Jacksonville, FL || https://www.e-fense.com/register.php
|-
| WetStone - Hacking BootCamp for Investigators || Jun 24-27, Toronto, Canada || https://www.wetstonetech.com/trainings.html
|-
| EnCase&reg; v6 Computer Forensics I || Jun 24-27, Washington DC || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| EnCase&reg; v6 Network Intrusion Investigations - Phase I || Jun 24-27, Washington DC || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| EnCase&reg; v6 Advanced Internet Examinations || Jun 24-27, Los Angeles, CA || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| EnCase&reg; Enterprise v6 - Phase I || Jun 24-27, Los Angeles, CA || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| EnCase&reg; v6 Advanced Computer Forensics || Jun 24-27, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| EnCase&reg; v6 Computer Forensics II || Jun 24-27, Houston, TX || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; Windows Forensics || Jun 24-26, Manchester, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| Advanced Responders - Search and Seizure of SOHO Networks || Jun 24-26, Sacramento, CA || http://www.search.org/programs/hightech/calendar.asp || Limited to Law Enforcement
|-
| Secure Techniques for Onsite Preview (STOP) || Jun 25-26, Shawano, WI || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| Macintosh Forensic Survival Course (MFSC) || Jun 30-Jul 04, Brisbane, Australia || http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3 || Limited to Law Enforcement
|-
| EnCase&reg; Enterprise v6 - Phase II || Jun 30-Jul 03, Los Angeles, CA || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; BootCamp || Jul 01-03, Manchester, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| BlackBag Intermediate Macintosh Forensics || Jul 07-11, Los Angeles, CA || http://www.blackbagtech.com/products/training.htm || Limited to Law Enforcement
|-
| Linux/Unix Security || Jul 07-10, Reston, VA || http://www.securityuniversity.net/classes_linux_sec.php
|-
| Certified Ethical Hacker/Qualified Security Hacker/Network Defender || Jul 07-10, San Francisco, CA || http://www.securityuniversity.net/classes_QSH.php
|-
| Computer Hacking Forensic Investigator CHFI Prep/QFE Qualified Forensics Expert || Jul 12-16, Reston, VA || http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
| Mobile Device Investigations Program (MDIP) || Jul 14-18, Glynco, GA || http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation || Limited to Law Enforcement
|-
| AccessData&reg; Applied Decryption || Jul 15-17, St Paul, MN || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; Windows Forensics || Jul 15-17, London, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| WetStone - Steganography Investigator Training || Jul 16-17, Online Training || https://www.wetstonetech.com/trainings.html
|-
| Computer Network Investigations Training Program (CNITP) || Jul 21-Aug 01, Glynco, GA || http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation || Limited to Law Enforcement
|-
| Internet Investigations Training Program (IITP) || Jul 21-25, Glynco, GA || http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation || Limited to Law Enforcement
|-
| BlackBag Intermediate Macintosh Forensics || Jul 21-25, Santa Clara, CA || http://www.blackbagtech.com/products/training.htm
|-
| EC-Council Certified Security Analyst/Qualified Security Analyst/Pen Testing Methods || Jul 21-25, San Francisco, CA || http://www.securityuniversity.net/classes_anti-hacking_pentest.php
|-
| Licensed Penetration Tester/Qualified Penetration Tester || Jul 21-25, San Francisco, CA || http://www.securityuniversity.net/classes_Licensed_Penetration_Tester.php
|-
| WetStone - Live Investigator Training || Jul 22-23, Fairfax, VA || https://www.wetstonetech.com/trainings.html
|-
| AccessData&reg; Windows Forensics || Jul 22-24, St Louis, MO || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| Computer Hacking Forensic Investigator CHFI Prep/Qualified Forensics Expert || Jul 28-Aug 01, San Francisco, CA || http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
| ILook&reg; Automated Forensic Application (ILook) || Jul 28-Aug 01, St. Louis, MO || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| Certified Wireless Network Administrator || Jul 28-Aug 01, San Francisco, CA || http://www.securityuniversity.net/www.classes_wireless_CWNA.php
|-
| Certified Wireless Network Admin/Wireless Security Professional Bootcamp || Jul 29-Aug 07, San Francisco, CA || http://www.securityuniversity.net/classes_wireless_bootcamp.php
|-
| WetStone - Steganography Investigator Training || Aug 02-03, 04-05, Black Hat USA || https://www.blackhat.com
|-
| WetStone - Live Investigator Training || Aug 02-03, 04-05, Black Hat USA || https://www.blackhat.com
|-
| WetStone - Hacking Investigator BootCamp || Aug 02-05, Black Hat USA || https://www.blackhat.com
|-
| Certified Wireless Security Professional (CWSP) || Aug 04-07, San Francisco, CA || http://www.securityuniversity.net/classes_wireless_CWSP.php
|-
| Linux/Unix Security || Aug 04-07, Reston, VA || http://www.securityuniversity.net/classes_linux_sec.php
|-
| Qualified Edge Protection: Firewalls, IPS, Spyware, Trojans and Viruses || Aug 04-07, Reston, VA || http://www.securityuniversity.net/classes_QEP.php
|-
| Macintosh Forensic Survival Course (MFSC) || Aug 04-08, Huntington Beach, CA || http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
| Certified Wireless Network Admin/Wireless Security Professional Bootcamp || Aug 05-14, Reston, VA || http://www.securityuniversity.net/classes_wireless_bootcamp.php
|-
| Certified Wireless Network Administrator || Aug 05-08, Reston, VA || http://www.securityuniversity.net/classes_wireless_CWNA.php
|-
| AccessData&reg; BootCamp || Aug 05-07, London, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; Windows Forensics || Aug 05-07, Louisville, KY || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train || Limited to Law Enforcement
|-
| Certified Wireless Security Professional || Aug 11-14, Reston, VA || http://www.securityuniversity.net/classes_wireless_CWSP.php
|-
| AccessData&reg; Windows Forensics || Aug 12-14, St Paul, MN || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; BootCamp || Aug 12-14, Albany, NY and New York City, NY || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| Digital Evidence Acquisition Specialist Training Program (DEASTP) || Aug 18-29, Glynco, GA || http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation || Limited to Law Enforcement
|-
| BlackBag Introductory Macintosh Forensics || Aug 18-22, Santa Clara, CA || http://www.blackbagtech.com/products/training.htm
|-
| WetStone - Steganography Investigator Training || Aug 19-20, Fairfax, VA || https://www.wetstonetech.com/trainings.html
|-
| AccessData&reg; BootCamp || Aug 19-21, Manchester, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| WetStone - Live Investigator Training || Aug 26-27, Vancouver, BC || https://www.wetstonetech.com/trainings.html
|-
| AccessData&reg; BootCamp || Aug 26-28, Ft Lauderdale, FL || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; BootCamp || Sep 02-04, London, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| Seized Computer Evidence Recovery Specialist (SCERS) || Sep 08-19, Glynco, GA || http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation || Limited to Law Enforcement
|-
| Computer Hacking Forensic Investigator CHFI Prep/QFE Qualified Forensics Expert || Sep 08-12, Reston, VA || http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
| BlackBag Introductory Macintosh Forensics || Sep 08-12, Washington D.C. || http://www.blackbagtech.com/products/training.htm
|-
| Macintosh Forensic Survival Course (MFSC) || Sep 08-12, Bellingham, WA || http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
| Windows NT File System (NTFS) || Sep 08-11, St. Louis, MO || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| Fundamentals of Computer Forensics Imaging || Sep 09-12, Falls Church, VA || http://www.mantech.com/msma/isso.asp
|-
| WetStone - Steganography Investigator Training || Sep 10-11, Online || https://www.wetstonetech.com/trainings.html
|-
| ILook&reg; Automated Forensic Application (ILook) || Sep 15-19, Meriden, CT || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| WetStone - Hacking BootCamp for Investigators || Sep 16-19, Charleston, SC || https://www.wetstonetech.com/trainings.html
|-
| EnCase&reg; v6 Computer Forensics II || Sep 16-19, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; Windows Forensics || Sep 16-18, Columbia, SC || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| EnCase&reg; v6 Advanced Computer Forensics || Sep 23-26, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; Windows Forensics || Sep 23-25, London, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; BootCamp || Sep 23-25, Dallas, TX || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; Applied Decryption || Sep 23-25, Ft Lauderdale, FL || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| WetStone - Live Investigator Training || Sep 30-Oct 01, Fairfax, VA || https://www.wetstonetech.com/trainings.html
|-
| EnCase&reg; v6 Computer Forensics II || Sep 30-Oct 03, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; Applied Decryption || Oct 07-09, London, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; Windows Forensics || Oct 07-09, Las Vegas, NV and New York City, NY || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| WetStone - Steganography Investigator Training || Oct 13-14, The Netherlands, ENFSC Conference || https://www.wetstonetech.com/trainings.html
|-
| AccessData&reg; BootCamp || Oct 14-16, Louisville, KY || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train || Limited to Law Enforcement
|-
| WetStone - Live Investigator Training || Oct 18-19, Atlantic City, NJ, HTCIA Conference || https://www.wetstonetech.com/trainings.html
|-
| Computer Hacking Forensic Investigator CHFI Prep/QFE Qualified Forensics Expert || Oct 20-24, Reston, VA || http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
| Windows NT Operating System (NTOS) || Oct 20-23, St. Louis, MO || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| EnCase&reg; v6 Computer Forensics II || Oct 21-24, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| WetStone - Live Investigator Training || Oct 24-25, Gaithersburg, MD, Techno Forensics Conference || https://www.wetstonetech.com/trainings.html
|-
| WetStone - Steganography Investigator Training || Oct 24-25, Gaithersburg, MD, Techno Forensics Conference || https://www.wetstonetech.com/trainings.html
|-
| EnCase&reg; v6 EnScript&reg; Programming - Phase I || Oct 28-31, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; Windows Forensics || Oct 28-30, Manchester, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| Macintosh Forensic Survival Course (MFSC) || Nov 03-07, Bern, Switzerland || http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
| Windows NT File System (NTFS) || Nov 03-06, Meriden, CT || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| EnCase&reg; v6 Computer Forensics II || Nov 04-07, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; BootCamp || Nov 04-06, London, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; Internet Forensics || Nov 04-06, St Paul, MN || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; Windows Forensics || Nov 04-06, Albany, NY || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| WetStone - Steganography Investigator Training || Nov 11-12, Fairfax, VA || https://www.wetstonetech.com/trainings.html
|-
| BlackBag Intermediate Macintosh Forensics || Nov 17-21, Washington D.C. || http://www.blackbagtech.com/products/training.htm
|-
| WetStone - Hacking BootCamp for Investigators || Nov 18-21, Vancouver, BC || https://www.wetstonetech.com/trainings.html
|-
| EnCase&reg; v6 Network Intrusion Investigations - Phase I || Nov 18-21, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| EnCase&reg; v6 Computer Forensics II || Nov 25-28, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; Internet Forensics || Nov 25-27, Manchester, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| Windows Internet Trace Evidence (INET) || Dec 01-05, St. Louis, MO || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| AccessData&reg; Windows Forensics || Dec 02-04, Ft Lauderdale, FL; New York City, NY; and London, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| Fundamentals of Computer Forensics Imaging || Dec 02-05, Falls Church, VA || http://www.mantech.com/msma/isso.asp
|-
| Computer Hacking Forensic Investigator CHFI Prep/QFE Qualified Forensics Expert || Dec 08-12, Reston, VA || http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
| Windows NT Operating System (NTOS) || Dec 08-11, Meriden, CT || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| Application Forensics Course || Dec 08-19, Hong Kong Police College || http://www.police.gov.hk/police/policecollege/english/pdl/pold.htm || Limited to Law Enforcement
|-
| EnCase&reg; v6 Computer Forensics II || Dec 09-12, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; Internet Forensics || Dec 09-11, Dallas, TX and New York City, NY || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; Windows Forensics || Dec 09-11, Louisville, KY || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train || Limited to Law Enforcement
|-
| EnCase&reg; v6 Advanced Computer Forensics || Dec 16-19, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; BootCamp || Dec 16-18, Manchester, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|- style="background:#bfbfbf; font-weight: bold"
! colspan="4" | 2009 Events
|-
| Linux File System for Computer Forensic Examiners (Linux) || Jan 12-16, 2009, St. Louis, MO || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| Windows Internet Trace Evidence (INET) || Jan 19-23, 2009, Meriden, CT || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| Linux File System for Computer Forensic Examiners (Linux) || Mar 02-06, 2009, Meriden, CT || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|}

= Windows =

Edit summary of this revision: (Under the hood)

{{Expand}}

'''Windows''' is a widespread [[operating system]] from [[Microsoft]].

There are two main branches of Windows:
* the DOS branch, e.g. Windows 95, 98, ME
* the NT branch, e.g. Windows NT 4, XP, Vista

== Features ==
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]

=== Introduced in Windows NT ===
* [[NTFS]]

=== Introduced in Windows 2000 ===

=== Introduced in Windows XP ===
* [[Prefetch]]
* System Restore (Restore Points); also present in Windows ME

==== SP2 ====
* Windows Firewall

=== Introduced in Windows Server 2003 ===
* Volume Shadow Copies

=== Introduced in [[Windows Vista]] ===
* [[BitLocker Disk Encryption | BitLocker]]
* [[Windows Desktop Search | Search]] integrated in the operating system
* [[ReadyBoost]]
* [[SuperFetch]]
* [[NTFS|Transactional NTFS (TxF)]]
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
* $Recycle.Bin
* [[Windows XML Event Log (EVTX)]]
* [[User Account Control (UAC)]]

=== Introduced in Windows Server 2008 ===

=== Introduced in [[Windows 7]] ===
* [[BitLocker Disk Encryption | BitLocker To Go]]
* [[Jump Lists]]
* [[Sticky Notes]]

=== Introduced in [[Windows 8]] ===
* [[Windows File History | File History]]
* [[Windows Storage Spaces | Storage Spaces]]
* [[Search Charm History]]
* [[Resilient File System (ReFS)]]; initially available only in the Windows 8 server edition

=== Introduced in Windows Server 2012 ===
* [[Resilient File System (ReFS)]]

== Forensics ==

=== Partition layout ===
By default the first partition starts:
* at sector 63 in Windows 2000, XP and 2003
* at sector 2048 in Windows Vista, 2008 and 7

=== Filesystems ===
* [[FAT]], [[FAT|exFAT]]
* [[NTFS]]
* [[Resilient File System (ReFS) | ReFS]]

=== Recycle Bin ===
The Recycle Bin contains "Recycled" files. Moving files and directories to the Recycle Bin is also referred to as soft deletion, since the files are not removed from the file system.

==== RECYCLER ====
The RECYCLER format is used by Windows 2000 and XP.

Each user has a Recycle Bin folder of the form:
<pre>
C:\Recycler\%SID%\
</pre>

which contains:
* the INFO2 file; the metadata of the "Recycled" files

==== $RECYCLE.BIN ====
The $Recycle.Bin format is used as of Windows Vista.

Each user has a Recycle Bin folder of the form:
<pre>
C:\$Recycle.Bin\%SID%\
</pre>

which contains:
* $I files; the metadata of a "Recycled" file
* $R files; the original file data

=== Registry ===

The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.

=== Thumbs.db Files ===

[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value to the [[investigator]].

See also: [[Vista thumbcache]].

=== Browser Cache ===

=== Browser History ===

The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]], but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].

=== Search ===
See [[Windows Desktop Search]].

=== Setup API Logs ===
Windows Vista introduced several new [[Setup API Logs|Setup API Log files]].

Also see [http://support.microsoft.com/kb/927521].

=== Sleep/Hibernation ===

After Windows 7 (at least) resumes from sleep or hibernation, there is often a system time change event (event ID 1) in the event logs.

=== Users ===
Windows stores the security identifiers (SIDs) of its users under the following registry key:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
</pre>

The ProfileImagePath value under each %SID% subkey holds the profile path, which also contains the username.

=== Windows Error Reporting (WER) ===

As of Vista, WER reports for applications elevated through User Account Control (UAC) can be found in:
<pre>
C:\ProgramData\Microsoft\Windows\WER\
</pre>

As of Vista, WER reports for non-elevated (LUA) applications can be found in:
<pre>
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
</pre>

Corresponding registry key:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
</pre>

== Advanced Format (4KB Sector) Hard Drives ==
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].

== %SystemRoot% ==
The actual value of %SystemRoot% is stored in the following registry value:
<pre>
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot
</pre>

== See Also ==
* [[Prefetch]]
* [[Setup API Logs]]
* [[SuperFetch]]
* [[Windows Application Compatibility]]
* [[Windows Desktop Search]]
* [[Windows Event Log (EVT)]]
* [[Windows XML Event Log (EVTX)]]
* [[Windows Vista]]
* [[Windows 7]]
* [[Windows 8]]

== External Links ==

* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
* [http://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html Search history on Windows 8 and 8.1], by [[Yogesh Khatri]], April 1, 2014
* [http://www.swiftforensics.com/2014/04/search-history-on-windows-81-part-2.html Search history on Windows 8.1 - Part 2], by [[Yogesh Khatri]], April 21, 2014

=== Recycle Bin ===
* [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf Lesson 3 – The Recycle Bin], by Steve Hailey
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by Mitchell Machor, January 22, 2008

=== Malware/Rootkits ===
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013

=== Program execution ===
* [http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html HowTo: Determine Program Execution], by [[Harlan Carvey]], July 06, 2013
* [http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html It Is All About Program Execution], by [[Corey Harrell]], January 14, 2014
* [http://sysforensics.org/2014/01/know-your-windows-processes.html Know your Windows Processes or Die Trying], by [[Patrick Olsen]], January 18, 2014

=== Tracking removable media ===
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012

=== Under the hood ===
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
* [http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx Load Library Safely], by Swamy Shivaganga Nagaraju, 13 May 2014

==== MSI ====
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013

==== Side-by-side (WinSxS) ====
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
* [http://www.fireeye.com/resources/pdfs/fireeye-dll-sideloading.pdf DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry], by Amanda Stewart, April 2014

==== System Restore (Restore Points) ====
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]], June 16, 2007
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]

==== Crash dumps ====
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]

==== RPC ====
* [http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx RPC to Go v.1], by Michael Platts, October 24, 2008
* [http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx RPC to Go v.2], by Michael Platts, December 4, 2008

==== User Account Control (UAC) ====
* [http://blog.strategiccyber.com/2014/03/20/user-account-control-what-penetration-testers-should-know/ User Account Control – What Penetration Testers Should Know], by Raphael Mudge, March 20, 2014

==== Windows Event Logs ====
* [http://journeyintoir.blogspot.ch/2014/03/exploring-program-inventory-event-log.html Exploring the Program Inventory Event Log], by [[Corey Harrell]], March 24, 2014

==== Windows Scripting Host ====
* [https://www.mandiant.com/blog/ground-windows-scripting-host-wsh/ Going To Ground with The Windows Scripting Host (WSH)], by Devon Kerr, February 19, 2014

==== USB ====
* [https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf USBKEY Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
* [https://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf USB Drive Enclosure Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009

==== WMI ====
* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010

==== Windows Error Reporting (WER) ====
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
* [http://journeyintoir.blogspot.ch/2014/02/exploring-windows-error-reporting.html Exploring Windows Error Reporting], by [[Corey Harrell]], February 24, 2014

==== Windows Firewall ====
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]

==== Windows 32-bit on Windows 64-bit (WoW64) ====
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]

=== Windows XP ===
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]

[[Category:Operating systems]]
[[Category:Windows]]

Revision as of 15:40, 13 May 2014

Windows is a widespread operating system from Microsoft.

There are two main branches of Windows:

  • the DOS branch, e.g. Windows 95, 98, ME
  • the NT branch, e.g. Windows NT 4, XP, Vista

Features

  • Basic and Dynamic Disks, see: [1]

Introduced in Windows NT

Introduced in Windows 2000

Introduced in Windows XP

  • Prefetch
  • System Restore (Restore Points); also present in Windows ME

SP2

  • Windows Firewall

Introduced in Windows Server 2003

  • Volume Shadow Copies

Introduced in Windows Vista

Introduced in Windows Server 2008

Introduced in Windows 7

Introduced in Windows 8

Introduced in Windows Server 2012

Forensics

Partition layout

In the default partition layout, the first partition starts:

  • at sector 63 in Windows 2000, XP, 2003
  • at sector 2048 in Windows Vista, 2008, 7
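To check which of the two default layouts a disk image follows, the first partition's start sector can be read straight from the MBR partition table. The following is an added example, not code from ForensicsWiki; it assumes a classic MBR (four 16-byte entries at offset 446, 0x55AA signature) and uses a constructed sample sector rather than a real image.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries, then the 0x55AA signature
ENTRY_FORMAT = "<B3xB3xII"     # status, CHS start, type, CHS end, start LBA, sector count

# First-partition start sectors listed on the page, by Windows generation
DEFAULT_START = {63: "Windows 2000, XP, 2003", 2048: "Windows Vista, 2008, 7"}


def parse_mbr_partitions(mbr: bytes) -> list:
    """Return the populated primary partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    entries = []
    for i in range(4):
        status, ptype, start_lba, sectors = struct.unpack_from(
            ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        entries.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                        "start_lba": start_lba, "sectors": sectors})
    return entries


def classify_layout(mbr: bytes) -> str:
    """Describe which default Windows layout the first partition matches."""
    parts = parse_mbr_partitions(mbr)
    if not parts:
        return "no partitions defined"
    first = min(parts, key=lambda p: p["start_lba"])
    gen = DEFAULT_START.get(first["start_lba"])
    if gen is None:
        return f"first partition at sector {first['start_lba']}: non-default layout"
    return f"first partition at sector {first['start_lba']}: default for {gen}"


def build_sample_mbr(start_lba: int, sectors: int, ptype: int = 0x07) -> bytes:
    """Constructed MBR (not imaged from a real disk): one bootable partition."""
    entry = struct.pack(ENTRY_FORMAT, 0x80, ptype, start_lba, sectors)
    return b"\x00" * PARTITION_TABLE_OFFSET + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    # A disk image can be fed in with open(path, "rb").read(512)
    for start in (63, 2048, 4096):
        print(classify_layout(build_sample_mbr(start, 20_000_000)))
```

A start sector other than 63 or 2048 does not identify a Windows version on its own; it usually points to a third-party partitioning tool or a manually created layout.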

Filesystems

Recycle Bin

The Recycle Bin contains "Recycled" files. Moving files and directories to the Recycle Bin is also referred to as soft deletion, since the files are not removed from the file system.

RECYCLER

The RECYCLER format is used by Windows 2000 and XP.

The per-user Recycle Bin folder has the form:

C:\Recycler\%SID%\

It contains:

  • INFO2 file; metadata of the "Recycled" files

$RECYCLE.BIN

$Recycle.Bin is used as of Windows Vista.

The per-user Recycle Bin folder has the form:

C:\$Recycle.Bin\%SID%\

It contains:

  • $I files; "Recycled" file metadata
  • $R files; the original data
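The $I record is what ties a $R file back to its original name, size and deletion time. The parser below is an added example, not code from ForensicsWiki; the record layout (version 1 for Vista through 8.1, version 2 for Windows 10 and later) is assumed from the documented $I format rather than stated on the page, and the sample record is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond intervals since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I record from C:\\$Recycle.Bin\\%SID%\\ into its fields.

    Record layout (assumed from the documented format, not stated on the page):
      0x00  uint64 LE  version: 1 (Vista to 8.1) or 2 (Windows 10 and later)
      0x08  uint64 LE  original file size in bytes
      0x10  uint64 LE  deletion time as FILETIME
      0x18  v1: 520-byte UTF-16LE original path, NUL padded
            v2: uint32 LE path length in UTF-16 code units, then the path
    """
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "original_path": path}


def build_sample_dollar_i(version: int, path: str, size: int, ft: int) -> bytes:
    """Build a constructed $I record for testing (not captured from a real host)."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    header = struct.pack("<QQQ", version, size, ft)
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(encoded) // 2) + encoded


# Constructed example values: 2014-05-13 15:40:00 UTC as FILETIME
SAMPLE_FILETIME = 130444692000000000
SAMPLE_PATH = r"C:\Users\alice\Documents\notes.txt"
```

Running parse_dollar_i over every $I* file in a user's $Recycle.Bin\%SID%\ folder gives a deletion timeline; the matching $R* file with the same random suffix holds the content.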

Registry

The Windows Registry is a database of keys and values that provides a wealth of information to forensic investigators.

Thumbs.db Files

Thumbs.db files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the investigator.

See also: Vista thumbcache.

Browser Cache

Browser History

The Web Browser History files can contain significant information. The default web browser that comes with Windows is Microsoft Internet Explorer but other common browsers on Windows are Apple Safari, Google Chrome, Mozilla Firefox and Opera.

Search

See Windows Desktop Search

Setup API Logs

Windows Vista introduced several new Setup API Log files.

Also see [2].

Sleep/Hibernation

After (at least) Windows 7 resumes from sleep or hibernation, there is often a system time change event (event ID 1) in the event logs.

Users

Windows stores users' security identifiers (SIDs) under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

The ProfileImagePath value under each %SID% subkey should also contain the username.

Windows Error Reporting (WER)

As of Vista, for User Account Control (UAC) elevated applications, WER reports can be found in:

C:\ProgramData\Microsoft\Windows\WER\

As of Vista, for non-UAC-elevated (LUA) applications, WER reports can be found in:

C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\

Corresponding registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting

Advanced Format (4KB Sector) Hard Drives

Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see Advanced Format.

%SystemRoot%

The actual value of %SystemRoot% is stored in the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot

See Also

External Links

Recycle Bin

Malware/Rootkits

Program execution

Tracking removable media

Under the hood

MSI

Side-by-side (WinSxS)

System Restore (Restore Points)

Crash dumps

RPC

User Account Control (UAC)

Windows Event Logs

Windows Scripting Host

USB

WMI

Windows Error Reporting (WER)

Windows Firewall

Windows 32-bit on Windows 64-bit (WoW64)

Windows XP