Advanced Analysis of Windows Artifacts with EnCase®
CPE: 32 créditos. Nivel: avanzado.
Método de enseñanza: grupo.
Nivel NASBA definido: avanzado.
Código: DF320.
Duración: 4 días.
Para más información, descargue el programa completo de los cuatro días en PDF:
Temario
About the course
This hands-on course is designed for examiners with solid computer skills, seeking to learn advanced concepts in analyzing Windows artifacts. The participants will be provided instruction that includes parsing and analysis techniques on registry data, volume shadow service, random access memory, zip file structures, prefetch, and SQLite content.
Audience
This course is intended for law enforcement officers, computer forensic examiners, corporate and private investigators, and network security personnel. A basic understanding of the concepts of computer forensics is required. The class curriculum builds upon the foundation of the DF320-Building an Investigation course, continuing with a focus on file and operating system examinations.
Prerequisites
DF210 - Building an Investigation with EnCase or EnCE Certification.
Summary
This course provides in-depth coverage on topics, including:
- Examination of the Microsoft Windows Registry
- The use of block-based file hash analysis for file recovery
- Examination of Volume Shadow Copy (VSC) data maintained by the Windows Volume Shadow Service (VSS)
- Examination and recovery of Windows event logs
- Hardware and software RAID technology, acquisition, and examination
- Understanding SQLite databases and querying their data
- Recovering deleted SQLite data
- The purpose and function of prefetch files and how to analyze them
- Principles of encrypted data recovery
- Various techniques on the examination RAM
- Low-level data recovery from Zip files and the latest version of Microsoft Word documents