Training - AccessData


Windows Forensics Vista

This 3-day advanced AccessData workshop provides the knowledge and skills necessary to analyse Microsoft's Windows Vista operating system artifacts and file system mechanics using Forensic Toolkit (FTK), FTK Imager, Password Recovery Toolkit (PRTK), and Registry Viewer.

During this 3-day workshop, participants will review the following:

  • GUID Partition Tables (GPT): Students will use FTK Imager to navigate the new GPT-formatted drive partitioning scheme.

  • File Structure Changes: Students will learn the mechanics of reparse and mount points in the Windows Vista file structure.

  • BitLocker Full Volume Encryption (FVE): Students will use FTK Imager and Windows Vista technology to decrypt and acquire a sector-by-sector image of an FVE drive.

  • Windows Vista Artifacts such as:
    • Vista EFS - Updated EFS Algorithms
    • Recycle Bin - Updated File Recovery Mechanics
    • Thumbcache - Enhanced Thumbs.db Functionality
    • Activity History - Local Machine and Browser Indices
    • Link and Spool Files - Structure and Content Changes
    • Windows Event Logs - Enhanced XML Output and Viewing
    • Volume Shadow Copy - Previous File Version Recovery (SVI)
    • Windows Vista Registry:
      • NTUser.DAT Changes - MRU and UserAssist Changes
      • SAM Hive User Changes - Domain and User Value Additions
      • System USBStor Information - Device Identification and Protection
      • Auto Complete & Search Terms - Updated for Vista & Internet Explorer 7

The workshop includes multiple hands-on labs that allow students to apply what they have learned in the workshop.

Prerequisites: To obtain the maximum benefit from this workshop, attendees should be familiar with:

  • Windows XP forensic analysis
  • Windows NT file system (NTFS) mechanics
  • FTK, FTK Imager and Registry Viewer

Course Materials and Software:

  • Attendees will receive reference documentation and workshop files.