
Acquire the skills and methodology for a digital investigation on the Windows operating system
Day 1 morning
❏ Section 1 – State of the art of digital investigation
❏ Course objective
❏ Introduction to digital investigation
❏ Link between different Forensics disciplines
❏ Methodology of forensic investigation (Chain of custody, Chain of evidence)
❏ Presentation of the MITRE ATT&CK framework and entry points of cyber attacks
❏ Attack trees
❏ Signs of compromise (correlation with ATT&CK)
❏ Vocabulary, taxonomy
❏ The different Windows OS
❏ Section 2 – Windows fundamentals
❏ Windows basics
❏ File system / Tree structure
❏ Windows boot sequence
❏ Registry
❏ Logs (evtx, driver logs, etc.)
❏ Environment variables
Day 1 afternoon
❏ Services and the different ways to access them (services.exe, PowerShell)
❏ Fundamentals of FAT32
❏ Fundamentals of NTFS
❏ Tutorials 1 / Analysis of a disk
❏ Practical training 1 / Disk analysis
❏ Practical Work 2 / Knowledge quiz
❏ Section 3 – Collecting data
❏ Market tools (KAPE, Arsenal, FTK Imager, Plaso, Hindsight, etc.)
❏ Physical data collection and virtualisation
❏ Presentation of the Lab
❏ Tutorials / Data collection (Continuous)
Day 2 morning
❏ Section 4 – Artefacts
❏ Various internet artefacts
❏ Attachments
❏ Open/Save MRU
❏ ADS Zone.Identifier stream
❏ Downloads
❏ Skype history
❏ Internet browsers
❏ History
❏ Cache
❏ Restored sessions
❏ Cookies
Day 2 afternoon
❏ Various execution artefacts
❏ UserAssist
❏ Windows 10 Timeline
❏ RecentApps
❏ Shimcache
❏ Jumplist
❏ Amcache.hve
❏ BAM/DAM
❏ Last-Visited MRU
❏ Prefetch
Day 3 morning
❏ Different file/folder artefacts
❏ Shellbags
❏ Recent files
❏ Shortcuts (LNK)
❏ Office documents
❏ IE/Edge Files
Day 3 afternoon
❏ Different network artefacts
❏ Browser search terms
❏ Cookie
❏ History
❏ SRUM (System Resource Usage Monitor)
❏ Wi-Fi logs
Day 4 morning
❏ Various user account artefacts
❏ Last logins
❏ Password change
❏ Authentication failure/success
❏ Service event (startup)
❏ Authentication event
❏ Authentication type
❏ RDP usage
❏ Different USB artefacts
❏ Naming of volumes
❏ PnP (Plug & Play) event
❏ Serial numbers
❏ Different deleted-file artefacts
❏ Tools
❏ Recovering the recycle bin
❏ Thumbcache
❏ Thumbs.db
❏ WordWheelQuery
❏ Active Directory specifics
❏ Practical Work 3 / investigation
Day 4 afternoon
❏ Section 5 – Advanced techniques
❏ VSS
❏ Carving
❏ Anti-forensic and Timestomping
❏ Practical Work 4 / Second investigation
❏ Section 6 – Introduction to Volatility
❏ Volatile data
❏ Analysis of a memory dump
❏ Process extraction and analysis
❏ Practical Work / Malware search using Volatility