Tuesday, January 08, 2013


For those readers who may not be aware, I teach a couple of training courses through my employer, at our facility in Reston, VA.  We're also available to deliver those courses at your location, if requested.  As such, I thought it might be helpful to provide some information about the courses, so in this post, I'll talk about the courses we offer, some we're looking to offer, and what you can expect to get out of the courses.

Windows Forensic Analysis
Day 1 starts with a course introduction, and then we get right into discussing some core analysis concepts, which will be addressed again and again throughout the training.  From there, we begin exploring and discussing some of the various data sources and artifacts available on Windows 7 systems.  Knowing that XP is still out there, we don't ignore that version of Windows; we simply focus primarily on Windows 7.  Artifacts specific to other systems are discussed as they come up.

Throughout the course, we also discuss the various artifact categories, and how to create and use an analysis matrix to focus and document your analysis. We discuss what data is available, how to get it, how to correlate that data with other available data, and how to get previous versions of that data by accessing Volume Shadow Copies.  All of this is accompanied by hands-on demonstrations of tools and techniques; many of the tools used are only available to those attending the training.

Day 2 starts with a quick review of the previous day's materials and answering any questions attendees may have; if there's any material that needs to be completed from the first day, we finish up with that, and then move into the hands-on exercises.  Depending upon the attendees' familiarity with the tools and techniques used, these exercises may be guided, or they will be completed by attendees, in teams or individually.

Do you want to know what secrets lie hidden within Windows shortcut files and Jump Lists?  Want to know more about "shellbags"?  How about other artifacts?  This course will tell...no, show...you.  Not only that, we'll show you how to use this information to greater effect, in a more timely and efficient manner, in order to extend your analysis.

Each attendee receives a copy of Windows Forensic Analysis Toolkit 3/e.

Timeline Analysis 
Day 1 - Much like the Windows Forensic Analysis course, we start the first day with some core analysis concepts specific to timeline analysis, and then we jump right into exploring and discussing various data sources and artifacts as they relate to creating and analyzing timelines.  We discuss the various artifact and event categories, and how this information can be used to get more out of your timeline analysis.

Day 2 starts off with completing any material from the first day, answering any questions the attendees may have, and then kicking off into a series of scenarios where questions are answered based on findings from a timeline; we not only go over how to create a timeline, but also how to go about analyzing that timeline and finding the answers to the questions.

If you can't remember all of the commands that we go over in the course, don't worry...you can write down notes on the provided copies of the slides, or you can turn to the provided cheat sheet for hints and reminders.  Many of the tools used in this course are only available to those attending the course.

Each attendee receives a copy of Windows Forensic Analysis Toolkit 3/e.

Registry Analysis
This 1-day course is based on the material in my book, Windows Registry Forensics. As such, we spend some time in this course discussing not only the structure of the Registry, but also the value of performing Registry analysis.  There is a good deal of information in the Registry that can significantly impact your analysis, and the goal of this course is to allow you to go beyond assumption to determining explicitly why you're seeing what you're seeing. 

As you would guess, we spend some time discussing various tools, and some attention is given to RegRipper.  For those interested, attendees will receive plugins that are not available through the public distribution.  We also spend some time discussing the RegRipper components and structure, how it's used, and how to get the most out of it.

One of the take-aways we provide with this course is a graphic illustrating various components of USB device analysis, showing artifacts that aren't addressed anywhere else.

Each attendee receives a copy of Windows Registry Forensics.

Why Should I Attend?
That's always a great question; it's one I ask myself, as well, whenever I have an option to attend training.

Each attendee is provided the tools for the course, which include tools that are only available to you if you attend the course.  These include tools for parsing various data structures, as well as RegRipper plugins that you can't get anywhere else.  Several publicly available tools are discussed in the courses, but due to licenses, they are not provided with the course materials.  In such cases, the materials provide links to the tools.

I continually update the course materials.  I sit down with the materials immediately following a course and look at my notes, any questions asked by attendees, and I pay particular attention to the course evaluation forms.  When something new pops up in the media, I like to be sure to include it in the course for discussion.  Updates come from other areas, as well...most notably, from the analysis I perform and what I learn from it.  New techniques and findings are continually incorporated directly into the training materials.

As the Windows operating systems have gotten more complex, it's proven to be difficult for a lot of analysts to maintain current knowledge of the various artifacts, as well as analysis tools and techniques.  These courses will not only provide you with the information, but also provide you with an opportunity to use those tools and employ those techniques, developing an understanding of each so that you can incorporate them into your analysis processes.

What Do I Need To Know Before Attending?
For the currently available courses, we ask that you arrive with a laptop with Windows 7 installed (can be a VM), a familiarity with operating at the command prompt, and a desire to learn.  Bring your questions.  While sample data is provided with the course materials, feel free to bring your own data, if you like.

The courses are developed so that you do NOT want to book all of these courses in a single 5-day training course.  The reason is that a great deal of information is provided in the Windows Forensic Analysis course, and if you've never done timeline analysis before (and in some cases, even if you have), you do not want to immediately step off into the Timeline Analysis course. It is best to take the Windows Forensic Analysis (and perhaps the Registry Analysis) course(s), return to your shop, and develop your familiarity with the data sources before taking the Timeline Analysis course.

If you've ever seen or heard me present, you know that I am less about lecturing and more about interacting.  If you're interested in engaging and interacting with others to better understand data sources and artifacts, as well as how they can be used to further your analysis, then sign up for one of our courses.

Upcoming Course(s)
Malware Detection - By request, I'm working on a course that addresses malware detection within an acquired image.  I've taught courses similar to this before, and I think that in a lot of ways, it's an eye-opener for a lot of folks, even those who deal with malware regularly.  This is NOT a malware analysis course...the purpose of this course is to help analysts understand how to locate malware within an acquired image.  This is one of those analysis skills that traverses a number of cases, from breaches to data theft, even to claims of the "Trojan Defense".

Others - TBD.

Our website includes information regarding the schedule of courses, as well as the cost for each course.  Check back regularly, as the schedule may change.  Also, if you're interested in having us come to you to provide the training, let us know.
