
Windows Forensics—Vista Forensic Toolkit, FTK Imager and Registry Viewer Advanced • One-day Instructor-led Workshop

This one-day AccessData® workshop follows up on the AccessData Windows® Forensic Training by covering the Windows Vista® operating system. It provides the knowledge and skills necessary to use AccessData tools to conduct forensic investigations on Vista systems. Participants learn where and how to locate Vista system artifacts using AccessData Forensic Toolkit® (FTK®), FTK Imager, Registry Viewer®, and Password Recovery Toolkit® (PRTK®).

During this one-day workshop, participants will review the following:
- GUID Partition Tables (GPT): Students will use FTK Imager to navigate the new GPT formatted drive partitioning scheme.
- File Structure Changes: Students will learn the mechanics of reparse and mount points in the Windows Vista file structure.
- BitLocker Full Volume Encryption (FVE): Students will use FTK Imager and Windows Vista technology to decrypt and acquire a sector-by-sector image of an FVE drive.
- Windows Vista feature changes such as:
  - Recycle Bin
  - Structure and Content Changes
  - Thumbcache
  - Reparse Points
  - Link and Spool Files
  - Vista File Structure
  - Windows Event Logs
  - Vista Registry Entries, PSSP, and IntelliForms data
  - Updated SuperFetch Structure
  - New Locations for Old Windows Artifacts
  - Enhanced Thumbs.db Functionality
  - Device Identification and Protection
  - Vista security model
The class includes multiple hands-on labs that allow students to apply what they have learned in each module.

Prerequisites
This course is intended for forensic investigators with a basic working knowledge of the following AccessData tools:
- Forensic Toolkit
- FTK Imager
- Registry Viewer
- Password Recovery Toolkit
Participants should also meet the following requirements:
- AccessData BootCamp and Windows Forensic training, or equivalent experience with FTK, Imager, Registry Viewer, and PRTK
- Previous investigative experience in computer forensic case work

Class Materials and Software
You will receive the student training manual containing the training material, lab exercises and class-related information.

AccessData Group, LLC. 384 South 400 West, Suite 200, Lindon, UT 84042 • www.accesdata.com


Module 1: Introduction
Topics
- Prepare system and install AccessData software
- Course information and outline
- How to receive upgrades and support for AccessData tools
Lab
- Install AccessData software.

Module 2: BitLocker
Objectives
- Describe the BitLocker full-volume encryption system
- Determine which versions of Vista support BitLocker
- Describe how BitLocker works, specifically:
  - How BitLocker encrypts and decrypts the drive
  - How BitLocker interacts with the system when it boots
  - When encryption and decryption occur
  - What to do when BitLocker locks out to the Recovery Mode
- Identify the requirements necessary to enable BitLocker
- Describe how a Trusted Platform Module (TPM) chip functions in the BitLocker process
- Identify which portions of the drive are encrypted
- List the user options available to protect a BitLocker drive
- Describe the Recovery Mode and what causes BitLocker to invoke it
- Identify a BitLocker drive and its accompanying recovery key sets
- Name the items to look for during search and seizure to unlock a BitLocker drive
- Identify the different imaging methods for BitLocker and when and how to apply them
- Prepare the investigative machine to image a BitLocker drive
- Successfully unlock and image a BitLocker encrypted drive
Lab
The objective of this lab is to identify a BitLocker encrypted drive and create an image of the drive.

Module 3: GUID Partition Table (GPT)
Objectives
- Discuss the Vista upgrades to NTFS 3.1
- Describe the structure of the GUID Partition Table HDD format
- Effectively read a new GPT notation
- List the rules and limitations of a GPT
Lab
The objective of this lab is to identify a GPT formatted drive.

Module 4: Security—File Structure
Objectives
- Describe the three-tiered layer of the new Vista security model
- Describe and identify a reparse point in Vista
- Effectively navigate the Vista file structure
- Identify new locations for old Windows artifacts
Lab
The objective of this lab is to familiarize the student with the locations of possible evidence files in the Windows Vista operating system.

Module 5: Windows Vista DPAPI
Objectives
- Compare and contrast the Protected Storage System Provider (PSSP) in Windows 2000/XP systems with Windows Vista DPAPI
- List the steps required to decrypt the protected information located in the IntelliForms subkey
- List the steps required to break the user's logon password
Lab
The objective of this lab is to identify Vista registry entries for IntelliForms and review the steps necessary to decrypt IntelliForms data.

Module 6: Vista Event Logs
Objectives
- Describe the difference between Windows XP and Windows Vista event logs
- Identify where event logs are stored on Windows Vista systems
- Navigate the Windows Vista Event Viewer
- Using the Windows Vista Event Viewer, view and correlate the following types of events:
  - USB installation
  - Time change events
  - Wireless connections
Lab
The objective of this lab is to identify event logs in Vista, export a log from a case, and open the log in the Vista Event Viewer. You will also use Registry Viewer to identify a USB device inserted in a computer.
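The Module 3 lab asks students to identify a GPT formatted drive and read its notation. The script below is an added worked example (not AccessData's code and not part of the course material) that does the same thing programmatically against a raw sector-by-sector image: it checks the protective MBR in LBA 0, verifies the GPT header signature and CRC32 in LBA 1, and decodes the partition entry array, including the mixed-endian on-disk GUIDs. It assumes 512-byte sectors (4Kn disks use 4096), and the image bytes it parses are constructed inline rather than taken from a real drive. A real examination would also compare the primary header against the backup copy in the last sectors, which this example does not do.

```python
"""Identify a GPT disk in a raw image and decode its partition table.

Added example for the Module 3 lab; not AccessData code. Assumes 512-byte
sectors. The sample image is constructed inline and is not real evidence.
"""
import struct
import uuid
import zlib

SECTOR = 512  # assumed sector size; 4Kn disks use 4096

# Well-known partition type GUIDs (UEFI spec / Microsoft documentation)
PART_TYPES = {
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Microsoft basic data",
    "e3c9e316-0b5c-4db8-817d-f92df00215ae": "Microsoft Reserved",
}
HDR_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte GPT header at LBA 1
ENTRY_FMT = "<16s16sQQQ72s"     # 128-byte partition entry


def is_protective_mbr(lba0: bytes) -> bool:
    """A GPT disk keeps a legacy MBR whose first entry has type 0xEE (GPT protective)."""
    return lba0[510:512] == b"\x55\xaa" and lba0[0x1C2] == 0xEE


def parse_gpt_header(lba1: bytes) -> dict:
    """Decode the GPT header and verify its CRC32 (computed with the CRC field zeroed)."""
    f = struct.unpack_from(HDR_FMT, lba1, 0)
    if f[0] != b"EFI PART":
        raise ValueError("no 'EFI PART' signature: not a GPT disk")
    hdr_size, hdr_crc = f[2], f[3]
    zeroed = lba1[:16] + b"\0\0\0\0" + lba1[20:hdr_size]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hdr_crc:
        raise ValueError("GPT header CRC32 mismatch (corrupt or tampered header)")
    return {
        "revision": f[1], "current_lba": f[5], "backup_lba": f[6],
        "first_usable_lba": f[7], "last_usable_lba": f[8],
        "disk_guid": str(uuid.UUID(bytes_le=f[9])),  # on-disk GUIDs are mixed-endian
        "entries_lba": f[10], "num_entries": f[11], "entry_size": f[12],
        "entries_crc": f[13],
    }


def parse_gpt_entries(image: bytes, hdr: dict) -> list:
    """Decode every used slot of the partition entry array, after checking its CRC32."""
    start = hdr["entries_lba"] * SECTOR
    table = image[start:start + hdr["num_entries"] * hdr["entry_size"]]
    if zlib.crc32(table) & 0xFFFFFFFF != hdr["entries_crc"]:
        raise ValueError("partition entry array CRC32 mismatch")
    parts = []
    for i in range(hdr["num_entries"]):
        type_raw, uniq_raw, first, last, attrs, name = struct.unpack_from(
            ENTRY_FMT, table, i * hdr["entry_size"])
        if type_raw == b"\0" * 16:  # all-zero type GUID marks an unused slot
            continue
        type_guid = str(uuid.UUID(bytes_le=type_raw))
        parts.append({
            "index": i, "type": PART_TYPES.get(type_guid, type_guid),
            "unique_guid": str(uuid.UUID(bytes_le=uniq_raw)),
            "first_lba": first, "last_lba": last,
            "size_bytes": (last - first + 1) * SECTOR, "attributes": attrs,
            "name": name.decode("utf-16-le").rstrip("\0"),
        })
    return parts


def build_sample_image() -> bytes:
    """Constructed 2 MiB image (hypothetical, not real evidence): protective MBR,
    GPT header, and a 128-slot entry array with two partitions filled in."""
    total = 4096
    img = bytearray(total * SECTOR)
    img[0x1C2] = 0xEE                                   # protective MBR entry
    struct.pack_into("<II", img, 0x1C6, 1, total - 1)   # start LBA 1, spans the disk
    img[510:512] = b"\x55\xaa"

    def entry(type_guid, name, first, last, n):
        return struct.pack(ENTRY_FMT, uuid.UUID(type_guid).bytes_le, uuid.UUID(int=n).bytes_le,
                           first, last, 0, name.encode("utf-16-le").ljust(72, b"\0"))

    table = (entry("c12a7328-f81f-11d2-ba4b-00a0c93ec93b", "EFI system partition", 34, 2081, 1)
             + entry("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7", "Basic data partition", 2082, 4061, 2)
             ).ljust(128 * 128, b"\0")
    img[2 * SECTOR:2 * SECTOR + len(table)] = table      # entry array occupies LBA 2-33
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, total - 1, 34, total - 34,
              uuid.UUID(int=9).bytes_le, 2, 128, 128, zlib.crc32(table) & 0xFFFFFFFF]
    fields[3] = zlib.crc32(struct.pack(HDR_FMT, *fields)) & 0xFFFFFFFF
    img[SECTOR:SECTOR + 92] = struct.pack(HDR_FMT, *fields)
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    print("protective MBR present:", is_protective_mbr(img[:SECTOR]))
    hdr = parse_gpt_header(img[SECTOR:2 * SECTOR])
    print("disk GUID:", hdr["disk_guid"], "usable LBAs:", hdr["first_usable_lba"], "-", hdr["last_usable_lba"])
    for p in parse_gpt_entries(img, hdr):
        print(f"#{p['index']} {p['type']:<22} LBA {p['first_lba']}-{p['last_lba']} {p['name']!r}")
```

Run against a real image by reading the first two sectors and the entry array with `open(path, "rb")` instead of `build_sample_image()`; a CRC failure on the primary header is the cue to fall back to the backup header at the LBA recorded in `backup_lba`.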



Module 7: Recycle Bin
Objectives
- Compare and contrast the Windows XP Recycler with the Vista $Recycle.Bin
- Describe the structure of the Vista $Recycle.Bin
- Describe the differences between deleted files and orphaned files
- Describe how NTFS uses the $MFT to track individual files
- List the values used to designate file status in the $Recycle.Bin
- Deleted file information
Lab
The objective of this lab is to familiarize the student with the Vista $Recycle.bin. The student will also create a regular expression that locates deleted entry records.

Module 8: Thumbcache
Objectives
- Compare and contrast thumbs.db files on Windows XP and 2000 systems with thumbcache files in Windows Vista
- Identify where all thumbnail images are stored in Windows Vista
- Review thumbcache files in FTK
- Identify the values stored in every thumbcache record
Lab
The objective of this lab is to familiarize the student with the Vista thumbcache file location and structure.

Module 9: Windows Vista Superfetch (Prefetch)
Objectives
- Accurately define Prefetch, Superfetch and their related functions
- Define the forensic importance of Prefetch Registry entries and Prefetch files
- View and analyze pertinent Prefetch artifacts as they relate to case analysis and user behavior
Lab
The objective of this lab is to locate and identify Superfetch files in the Windows Vista operating system. The student will identify the last time, and the number of times, a program or file was accessed or executed.
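The Module 7 and Module 9 labs both come down to reading a small binary record and a file-naming convention. The script below is an added example (not AccessData's code and not part of the course) that does both in one place: it decodes a Vista $Recycle.Bin $I record (version 1: version, original size, FILETIME deletion time, fixed 520-byte UTF-16LE path), pairs $I metadata records with their $R payloads by the shared six-character id so orphans stand out, and reads the executable name, prefetch hash, last-run time and run count from a Prefetch header (version 17 for XP, version 23 for Vista/7, which keep those fields at different offsets). It goes beyond the syllabus in also accepting the Windows 10 version 2 $I layout. All sample bytes are constructed inline and labelled as such; the regular expression for $I/$R names is one reading of the lab's "regular expression that locates deleted entry records".

```python
"""Parse $Recycle.Bin $I records (Module 7) and Prefetch headers (Module 9).

Added example; not AccessData code. All sample data is constructed inline.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Windows FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    return (dt - WIN_EPOCH) // timedelta(microseconds=1) * 10


# ---- $Recycle.Bin (Module 7) ----
# Vista renames a deleted file to $R<6 chars>.<ext> under $Recycle.Bin\<user SID>\ and
# writes its metadata to a matching $I<same 6 chars>.<ext> record beside it.
RECYCLE_NAME_RE = re.compile(r"^\$([IR])([A-Z0-9]{6})(\.[^\\/]*)?$", re.IGNORECASE)


def parse_recycle_i(data: bytes) -> dict:
    """Version 1 (Vista/7): 8-byte version, 8-byte original size, 8-byte FILETIME
    deletion time, 520-byte null-padded UTF-16LE path (544 bytes total).
    Version 2 (Windows 10, beyond this syllabus) replaces the fixed field with a
    4-byte character count followed by the path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path_raw = data[24:24 + 520]
    elif version == 2:
        nchars = struct.unpack_from("<I", data, 24)[0]
        path_raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I record version {version}")
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_utc(ft),
            "original_path": path_raw.decode("utf-16-le").split("\0", 1)[0]}


def pair_recycle_entries(filenames) -> dict:
    """Group $I/$R names by shared id; an id with only one of the two is an orphan."""
    groups = {}
    for name in filenames:
        m = RECYCLE_NAME_RE.match(name)
        if m:
            groups.setdefault(m.group(2).upper(), {})[m.group(1).upper()] = name
    return groups


# ---- Prefetch (Module 9) ----
# Header: version (4), "SCCA" (4), unknown (4), file size (4), executable name (60 bytes
# UTF-16LE) at 0x10, prefetch hash (4) at 0x4C. Last-run FILETIME and run count sit at
# version-specific offsets: 17 = XP, 23 = Vista/7.
PF_OFFSETS = {17: (0x78, 0x90), 23: (0x80, 0x98)}


def parse_prefetch(data: bytes) -> dict:
    version, sig, _unknown, _size = struct.unpack_from("<I4sII", data, 0)
    if sig != b"SCCA":
        raise ValueError("missing SCCA signature: not a Prefetch file")
    if version not in PF_OFFSETS:
        raise ValueError(f"unsupported Prefetch version {version}")
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\0", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_off, count_off = PF_OFFSETS[version]
    return {"version": version, "executable": exe,
            "expected_filename": f"{exe}-{pf_hash:08X}.pf",  # Windows' naming scheme
            "last_run_utc": filetime_to_utc(struct.unpack_from("<Q", data, last_off)[0]),
            "run_count": struct.unpack_from("<I", data, count_off)[0]}


# ---- constructed samples (hypothetical, not real evidence) ----
def build_sample_i_record(version: int = 1) -> bytes:
    deleted = datetime(2012, 11, 2, 12, 0, tzinfo=timezone.utc)
    path = r"C:\Users\jdoe\Documents\budget.xlsx"
    head = struct.pack("<QQQ", version, 48_213, utc_to_filetime(deleted))
    if version == 1:
        return head + path.encode("utf-16-le").ljust(520, b"\0")
    raw = (path + "\0").encode("utf-16-le")
    return head + struct.pack("<I", len(raw) // 2) + raw


def build_sample_prefetch() -> bytes:
    buf = bytearray(256)
    struct.pack_into("<I4sII", buf, 0, 23, b"SCCA", 0x0F, len(buf))
    buf[0x10:0x10 + 60] = "CMD.EXE".encode("utf-16-le").ljust(60, b"\0")
    struct.pack_into("<I", buf, 0x4C, 0x4A81B364)
    struct.pack_into("<Q", buf, 0x80, utc_to_filetime(datetime(2012, 11, 1, 8, 30, tzinfo=timezone.utc)))
    struct.pack_into("<I", buf, 0x98, 7)
    return bytes(buf)


if __name__ == "__main__":
    print(parse_recycle_i(build_sample_i_record()))
    print(pair_recycle_entries(["$IABC123.docx", "$RABC123.docx", "$RZZZ999.txt", "desktop.ini"]))
    print(parse_prefetch(build_sample_prefetch()))
```

On a real case, feed `parse_recycle_i` the bytes of each `$I` file exported from `$Recycle.Bin\<SID>\`, and `parse_prefetch` the bytes of each `.pf` file from `C:\Windows\Prefetch`; a `$R` payload whose id has no `$I` partner is the orphaned-file situation the Module 7 objectives describe.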

Practical Skills Assessment

The AccessData Windows Vista class includes an optional Practical Skills Assessment (PSA). This performance-based assessment requires participants to apply key concepts presented during the class to complete a practical exercise. Participants who successfully complete the exercise receive a PSA certificate of completion.

For a complete listing of scheduled courses or to register for available courses, see www.accessdata.com .

© November 2, 2012 AccessData Group, LLC. – All rights reserved. Some topics and items in this class syllabus are subject to change. This document is for information purposes only. AccessData makes no warranties, express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, AD, AD Summation, CaseScan, CaseVantage, CaseVault, Discovery Cracker, Distributed Network Attack, DNA, Forensic Toolkit, FTK, FTK Imager, iBlaze, Mobile Phone Examiner Plus, Password Recovery Toolkit, PRTK, Registry Viewer, SilentRunner, Summation, Summation Blaze, Summation Legal Technologies, Summation WebBlaze, The Key To Cracking It, Transender PLUS, Ultimate Toolkit, UTK, ViewerRT, and WebBlaze are trademarks of AccessData Group, LLC. in the United States and/or other countries. Other trademarks referenced are property of their respective owners.
