Nuix Workstation Forensic Practitioner Windows

Duration: 2 days.

Objective

The Nuix Workstation Forensic Practitioner Windows certification class is designed to teach investigators advance techniques for a Windows investigations using Nuix Workstation and third party utilities in the following ways:

• Identify, analyze and report on common artifacts of user activity on Microsoft Windows systems
• Examine how Windows stores information in the Windows Registry, the recycle bin, recent items, user directories and system folders in all versions of Windows
• Include a detailed look at email including how to identify, sort, search and deduplicate.
• Learn how browsers store history, cookies, cache files
• Understand how the operating system uses link files, prefetch files, and metadata that can be forensically useful

Students will be enrolled in the Nuix Workstation Forensic Practitioner Windows exam. The Nuix Workstation Forensic Practitioner Windows is a requisite class for the Nuix Workstation Forensic Practitioner Windows Certified Master pathway.

MODULE 1: Introduction & Class Overview

• Class introductions
• Class objectives
• Nuix history
• Overview of Nuix technology
• Nuix support

MODULE 2: Metadata

• Overview of Metadata
• Metadata types in Nuix Workstation
• Filter and Search Metadata
• Date and Time Metadata
  • Communication date
  • Source Timezone
• Image Metadata
• MS and Open Office Document Metadata
• Derived Metadata fields
• Custom Metadata fields

MODULE 3: File & Security Systems

• Disks, partitions & File systems
• The baseline PC boot process
• Reparse points & Symbolic links
• Windows File system & partition structure
• Windows Security & identify foundations

MODULE 4: Recovering Data

• Understanding data deletion
• The Recycle Bin
• Unallocated space
• Slack space
• Windows 10 Recycle Bin
  • Processing
• Understanding data deletion
• The Recycle Bin
• Unallocated space
• Slack space
• Windows 10 Recycle Bin
  • Processing
  • Tagging
  • $I File
• Windows XP Recycle Bin
  • Recycler
  • INFO2 File
• Recovering Unallocated and Slack space
  • Carve
  • Work with results
  • Exclusions

MODULE 5: Event Logs

• What are Windows Event Logs and how they are Formatted?
  • Where are they stored and backed up?
  • Windows Event Viewer
• Windows 10 Event Logs
  • Log types
  • Log views
  • Using the Event Viewer
  • Using Nuix Workstation
  • Create Metadata Profiles for review
  • Search and Filter
• Windows XP Event Logs
  • Processing in Nuix Workstation
  • Create Metadata Profiles for review
  • Search and Filter

MODULE 6: Registry Basics

• Registry overview
• Understanding the NT registry files
• Understanding forensic usefulness of browser data
• Processing the registry
  • Smart processing
• Reviewing comply useful SAM, system & software registry artifacts

MODULE 7: Link & Jump Files

• Overview of Windows shortcuts
• Link files & jump lists
• Distributed link tracking service
• File system artifacts
• Processing Link files in Nuix
• Windows 8 immersive app link files

MODULE 8: Emails

• Why is email important?
• Email transport and structure standards
• Email transport protocol
• Email store processing
• Exchange server databases
• Online web mail
• Processing settings
• Filtering emails
• Metadata Profiles for emails
• Search and review emails
• Email deduplication
• Cluster Runs
• Export emails

MODULE 9: Browsers

• The Main Browsers
  • IE, Firefox & Chrome
• Examining cached data, User Settings & History
• Processing browser data in Nuix
• Searching & filtering browser data

MODULE 10: Prefetch & Superfetch

• Overview of PreFetch and SuperFetch
• Settings & Configuration
• Prefetch files
• Layout.INI files
• Examining specific event types