Course Topics & Program

Day Four Overview

Continuing to process your case, this day starts with a review of the Windows Registry and goes on to expand your knowledge of other key Windows artifacts. You will learn how to perform a detailed investigation of user Internet history, Windows Event Logs, and other artifacts typically overlooked by most forensic examiners who lack the knowledge we will be covering.

You will also be learning how to create a timeline of events that will help you to focus on what took place on the computer system and when, enabling you to quickly locate relevant evidence.

DAY FOUR TOPICS

User Registry Information - NTUSER.DAT

  • Program Execution
  • File and Folder Access
  • File Downloads and Creation
  • Computer Search History
  • URLs Typed By The User
  • Recently Accessed Documents/Files
  • Usernames/Passwords Used For Internet

Memory Artifacts

  • Examining Memory Dumps
  • Converting and Examining Hibernation Files
  • Techniques for Pagefile Analysis

Logfiles and Trace Evidence

  • .EVT and .EVTX
  • Firewall Logs
  • IIS Logs
  • Shortcut Files
  • Jump Lists
  • Thumbs.db
  • $I30 Information
  • Windows Prefetch
  • Printing and Print Spool Artifacts

Internet and Browser Forensics

  • Cookies and Their Value
  • Rebuilding the User's Cache
  • Interpreting History Files
  • Identifying Downloads
  • Firefox Artifacts
  • Private Browsing Modes and Artifacts

Chat and Social Networking

  • MSN Messenger
  • Facebook
  • Yahoo
  • AIM
  • GoogleTalk
  • MySpace

Metadata

  • Office Documents
  • PDFs
  • Exif Data

Evening Session: Optional, Until 21:00
Open Topics Based On Student Requests