Advanced Computer Forensics (AX250) is an expert-level course, designed for participants who are familiar with the principles of digital forensics and who are seeking to leverage Magnet AXIOM to increase their ability to investigate complex crimes utilizing AXIOM and complementary third-party tools. At the conclusion of this 4-day training course, participants will have the knowledge and skills they need to track computer access and file usage, utilizing Magnet AXIOM to explore the evidence in greater depth by learning about the newest sign-on technologies such as pin password, Windows Hello, picture password, fingerprint recognition, and Facial recognition. In this course a deeper understanding of investigating Windows computers will be provided by searching through artifacts like Windows Notification, Windows System Resource Utilization, Windows Error Reporting (WER) Logs, Event Logs (EVT), Event Tracing Logs (ETL), as well as a breakdown of the taskbar and whether an artifact was system pinned or user pinned to it. Also investigating EMDMgmt, to dig deep into tracking drives attached to the windows OS that may leave traces nowhere else. Investigating AppCompatFlags and AMCACHE, to determine executable files which were previously executed on the system but no longer exist. Tracking file and folder location on profiles based on information recovered from Shellbags. Maximizing the data from Prefetch files, Jumplists, and Recent Docs to correlate the data recovered from the previously artifacts. This course also takes a look at collecting RAM images and parsing those images for actionable intelligence in support of the investigation. Using Passware and the AXIOM Wordlist Generator to crack iTunes backups and Windows passwords from information in the Image of the suspect Hard Disk Drive including the most up to date versions of that software. Finally, participants of this course will investigate Google Drive, Modern Apps (Windows Store Apps), UsnJrnl and an in-depth look at File history and the extensible Database files tracking it.
Because AX250 is an expert-level course, it is recommended that students first complete Magnet AXIOM Examinations (AX200). AX200 will provide a thorough understanding of AXIOM that will help students focus on the mobile part of investigations in AX250. Click here to find out more about AX200.
OBJECTIVES OF MAGNET ADVANCED COMPUTER FORENSICS
- Course Scenario and overview of Windows 10 artifacts of sign in technologies, such as pin password, Windows hello, picture password, fingerprint recognition, and facial recognition and how those technologies affect the forensic community
- Focus on utilizing not so well know registry locations to track volume serial numbers of volumes being accessed by the Windows Operating System and what files on those volumes were accessed
- Investigate the Program Compatibility Assistant of the Windows Operating System to track software and the usage of executables on the suspect system regardless if it has since been removed
- Interrogate Shelbags to give participants an understanding of what Shellbags are and how they can be used in an investigation to determine the if a file or path was accessed by a specific user
- Examine prefetch files to track the use of encrypted containers as well as a wiping utility, you may or may not know is built into Windows in a much more in-depth view. Determine the secrets prefetch files may hold as well as how Windows stores and deletes them to ensure when they testify they are doing so with knowledge and confidence
- Understanding Jumplists is just the beginning, being able to utilize the data provided to correlate information about previously existing drives and the files located on them which are no longer part of the system
- Using Recent Docs to correlate data with the data from the previous lessons to continuously track key pieces of information across the system and see how and possibly when and where that data was accessed
- Discuss the collection of RAM and where and why it is important. Besides collecting this lesson also goes into the basics of RAM examination using volatility and AXIOM for carving Artifacts
- Determining when the first and last time data was shared with other devices via Sync technology as well as how settings of one Windows system can be shared with other Windows systems including live Wi-Fi profiles and deleted profiles
- Refresher on IOS backups and use of the AXIOM Wordlist generator (AWG) and Passware to gain entry to the IOS backup and obtain the password. The password will then be used to gain access to the keychain data containing additional passwords
- Utilization of AXIOM, the AXIOM Wordlist Generator, and a combination of software to extract the Windows 10 password from the Sam hive using the algorithm stored in the System hive and the possible uses of those passwords
- Interrogation of Backup and Sync artifacts which will be used to investigate uploading and downloading of files to a specific computer system
- Investigate File History, which is a Windows 10 program which regularly backs up versions of files in the Documents, Music, Pictures, Videos, and Desktop folders and the OneDrive files available offline on a PC
- Investigating Modern Apps, participants will gain an understanding that internet history and cache for Modern Apps are not stored in the usual locations where an examiner would expect and the recovery of those artifacts
- Examine USN journal, which is a log of changes to files on an NTFS volume. Such changes can for instance be the creation, deletion or modification of files or directories. Participants will learn how to investigate the USNJrnl to retrieve forensic Artifacts in support of their Examination
- A final scenario-based practical exercise which represents a cumulative review of the exercises conducted in each of the individual modules of this course
Prerequisites: AX200 strongly recommended
Who Should Attend: Participants who are unfamiliar with the principles of digital forensics
Advanced Preparation: None
Program Level: Advanced-level
Delivery Method: Virtual Instructor Led (Group Live)
Refunds and Cancellations: Training Course(s) can be rescheduled to a later date or canceled by either Magnet Forensics or your without charge or penalty if written notice is received twenty-one (21) days or more prior to the date of the Training Course. No rescheduling shall be permitted on less than twenty-one (21) days written notice, which shall constitute a cancellation without a refund. Your written rescheduling or cancellation notice must be emailed to firstname.lastname@example.org. If Magnet Forensics cancels a training course due to insufficient attendance, you will have the option to register in a different scheduled training course or receive a full refund. Please do not book travel until you have confirmed that the training course will be running.
For more information and registration on Magnet Forensics Training and Certification programs, visit magnetforensics.com/digital-forensics-training/. In order to be awarded the full credit hours, you must attend all 4 days of training.
Participants will earn 32.0 CPE credits
Field of Study: Specialized Knowledge
Magnet Forensics is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website:www.nasbaregistry.org.
Select from the sessions below to register.