Windows Forensic Junior - 5 days
Description
Digital investigation makes it possible to reconstruct and understand in detail the chronology of a system’s present and past activities. In the case of this training, we are interested in the Windows 10 and 11 operating system. Whether it is a security incident or a search for computer malware, the first responses aim to establish the perimeter of compromise and the attacker's methods. The technical approach presented is intended to be as exhaustive and reproducible as possible.
During these five days of training, the participants will be exposed to the forensic fundamentals in order to carry out a digital investigation for Windows and thus identify the traces of malicious intent. Each module will be illustrated by guided practical work allowing to apply the theoretical concepts previously taught. Finally, the training will conclude with a simulation of several traces (disk, memory, pcap).
This training is focused on the workstation and does not integrate the business dimension like Azure/AD (another training course will address this aspect soon).
-
5 days (35 hours)
-
11 course modules covering the fundamentals of Windows forensic investigation
-
Cold or hot approach to cover several intervention situations
-
Practical work on example artifacts
Public and prerequisites
This training was designed for people with initial experience understanding Windows environments (administration, troubleshooting, advanced usage) and wishing to go further in the field of digital investigation. It requires basic knowledge of the Linux environment because this system is used to carry out some investigations.
-
Advanced users (developers)
-
System administrators
-
Level 2 SOC analysts or from a cybersecurity team
-
Beginner forensic analysts
Concepts of offensive security and good Windows & Unix knowledge are recommended to follow this training.
Content
Day 1
Getting started: training environment (virtual machine, Linux system). Reminders of the Linux command line. Windows: description of how Windows works (Windows history, processes, services, drivers, files, security model, network stack, main attacks). Windows events: description of the Windows logging model and the events to be aware of per use case. Scenario on event files.
Day 2
NTFS: study of the privileged file system of the Windows environment. MFT, USN Log and other special files. Decoding deleted dates and files. Reconstruct the chronology of events and pivot on an element (date, IOC). Registry: Registry contents. Use cases and configuration of the Windows system. Persistence Mechanisms: the means of persistence favored by an attacker are reviewed and thus identify the malicious programs executed by an attacker.
Day 3
Execution of commands: traces linked to the execution of remote commands on the workstation through the different Windows protocols (WinRM, PsExec, WMI, RPC). Malicious code and files: analysis tools and methods allowing an initial study to be carried out on malicious code and thus extract the information of interest (behavior, IOC). By extension, files that can carry a malicious payload are also studied. Network protocols: particular attention is proposed in order to identify unusual network communications of a Windows system as well as the characterization of certain attacks (DNS tunnel, TOR).
Day 4 and 5
Artifacts: the study of most important forensic artifacts (prefetch, srum, amcache, navigation) in order to complete the timeline of the malware. Collection and acquisition methods are also presented in order to make the files available to be studied by the analyst (DFIR ORC). Memory analysis: techniques for acquiring and identifying suspicious elements are discussed to complement the analysis of offline elements. Running processes, network connections, cached files, memory injections and API hooking. Case study: several images are provided to the participants to put into practice all the techniques studied during the training. These images include various data such as a disk image, a memory capture and network captures.