SDF Windows Prefetch Forensics
What you’ll learn
Understand what the Windows Prefetch artifact is
Be able to explain the artifact
Know what types of user behavior affects the artifact
Know how to conduct validation testing
Understand how to properly interpret Prefetch results
Know how to use several freely available Prefetch forensic tools
Requirements
Windows 8 or 10 system (Windows 10 recommended)
All in-class forensic programs are freely available and download links provided
Student testing and validation material provided
Description
Welcome to the Surviving Digital Forensics series. This class is focused on helping you become a better computer forensic examiner by understanding how to use Windows Prefetch data to prove file use and knowledge – all in about one hour.
As with previous SDF classes you will learn by doing. The class begins with Windows prefetch fundamentals and will provide an understanding of how the artifact works. Then students delve into several validation exercises to observe how user driven activity affects Windows prefetch evidence. The last section teaches students how to use several freely available DFIR community built forensic tools to examine prefetch evidence. By the end of the class students will have a solid understanding of how to use the Windows prefetch as evidence, understand the types of user behaviors that affect the prefetch and know how to use Windows prefetch forensic tools.
Expert and novice computer forensic examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply using our method or with any forensic tool you choose. Therefore you are not just going to learn about the Windows prefetch but you will learn a method you can use to answer questions that may come up in the future.
A PC running Windows 8 or Windows 10 is required for this course. The forensic tools we use are all freely available, so beyond your laptop and operating system all you need is the desire to become a better computer forensic examiner.
Overview
Section 1: Introduction
Lecture 1 Welcome to Windows Prefetch Forensics
Lecture 2 Class outline
Lecture 3 Class Tools & Downloads
Lecture 4 Operating system for class
Lecture 5 Tools for the practical exercises
Section 2: Understanding Windows Prefetch
Lecture 6 What is Windows Prefetch?
Lecture 7 Forensic Value
Lecture 8 Forensic Breakdown
Lecture 9 File Headers
Lecture 10 Prefetch Registry Key
Lecture 11 Caveats
Section 3: Validation Exercises
Lecture 12 Overview
Lecture 13 First Run Time
Lecture 14 Last Run Time
Lecture 15 Run from USB
Lecture 16 Deleted Executable
Lecture 17 DLLs & Other Support Files
Lecture 18 Latency Issues
Lecture 19 Validation Wrap-up
Section 4: Forensic Tools
Lecture 20 Overview
Lecture 21 Sample prefetch data
Lecture 22 FTK Imager
Lecture 23 WinPrefetchView
Lecture 24 CDQR
Lecture 25 RegRipper
Lecture 26 Windows Prefetch Parser – Setup on Windows
Lecture 27 Windows Prefetch Parser – Usage
Section 5: Conclusion
Lecture 28 Conclusion
Lecture 29 Thank you!
Computer forensic analysts,Security Analyst,IT Professionals,Students
Course Information:
Udemy | English | 1h 23m | 382.15 MB
Created by: Michael Leclair
You Can See More Courses in the IT & Software >> Greetings from CourseDown.com