Overview

Being able to show the first and last time a file or folder was opened is a critical analysis skill. Shell item analysis, including shortcut (LNK), Jump List, and ShellBag artifacts, allows investigators to quickly pinpoint the times of file and folder usage per user. The knowledge obtained by examining shell items is crucial to perform damage assessments, track user activity in intellectual property theft cases, and track where hackers spent time in the network.

Removable storage device investigations are an essential part of performing digital forensics. In this course section, students will learn how to perform in-depth USB device examinations on all modern Windows versions. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, drive capacity, and even the unique serial number of the device used.

Exercises

• Understand the difference between mass storage class (MSC), human interface devices (HID), and media transfer protocol (MTP) devices
• Track USB devices and BYOD devices connected to the system using the Registry, event logs, and file system artifacts.
• Determine first and last connected times of USB devices
• Determine last removal time of USB devices
• Explore the new removable device auditing features introduced in Windows 8 and Windows 10
• Use shortcut (LNK) file analysis to determine first/last times a file was opened, and track files and folders present on removable media and across network shares
• Use Shell Bag Registry Key Analysis to audit accessed folders
• Use Jump List examination to determine when files were accessed by specific programs.

Topics

• Shell Item Forensics
  • Shortcut Files (LNK) – Evidence of File Opening
  • Windows 7-10 Jump Lists – Evidence of File Opening and Program Execution
  • ShellBag Analysis – Evidence of Folder Access
• USB and BYOD Forensic Examinations
  • Vendor/Make/Version
  • Unique Serial Number
  • Last Drive Letter
  • MountPoints2 and Drive Mapping Per User (Including Mapped Shares)
  • Volume Name and Serial Number
  • Username that Used the USB Device
  • Time of First USB Device Connection
  • Time of Last USB Device Connection
  • Time of Last USB Device Removal
  • Drive Capacity
  • Auditing BYOD Devices at Scale
  • Identify Malicious HID USB Devices

Module4 Email Analysis, Windows Search, SRUM, and Event Logs

Depending on the type of investigation and authorization, a wealth of evidence can be unearthed through the analysis of email files. Recovered email can bring excellent corroborating information to an investigation, and its informality often provides very incriminating evidence. Finding and collecting email is often one of our biggest challenges as it is common for users to have email existing simultaneously on their workstation, on the company email server, on a mobile device, and in multiple cloud or webmail accounts.

The Windows Search Index can index up to a million items on the file system, including file content, email, and over 600 kinds of metadata per file. It is an under-utilized resource providing profound forensic capabilities. Similarly, the System Resource Usage Monitor (SRUM), one of our most exciting digital artifacts, can help determine many important user actions, including network usage per application and historical VPN and wireless network usage. Imagine the ability to audit network usage by cloud storage and identify excessive usage by remote access tools even after execution of counter-forensic programs

Finally, Windows event log analysis has solved more cases than possibly any other type of analysis. Windows 11 now includes over 300 logs, and understanding the locations and content of the available log files is crucial to the success of any investigator. Many researchers overlook these records because they do not have adequate knowledge or tools to get the job done efficiently. This section arms investigators with the core knowledge and capability to maintain and build upon this crucial skill for many years to come.

Exercises

• Employ best-of-breed forensic tools to search for relevant email and file attachments in large data sets
• Analyze message headers and gauge email authenticity using SPF and DKIM
• Understand how Extended MAPI Headers can be used in an investigation
• Effectively collect evidence from Exchange, Microsoft 365, and Google Workspace (G Suite)
• Learn the latest on Unified Audit Logs in Microsoft 365
• Search for webmail and mobile email remnants
• Use forensic software to recover deleted objects from email archives
• Gain experience with a commercial email forensics and e-discovery suite
• Extract and review document metadata present in email archives
• Understand the tools and logs necessary to respond to business email compromise events
• Analyze the various versions of the Windows Recycle Bin
• Use the System Resource Usage Monitor (SRUM) to answer questions with data never before available in Windows forensics
• Track cloud storage usage hour by hour on a target system
• Parse the Windows Search Index and take advantage of extended metadata collection
• Merge event logs and perform advanced filtering to easily get through millions of events
• Profile account usage and determine logon session length
• Identify evidence of time manipulation on a system
• Supplement registry analysis with BYOD device auditing
• Analyze historical records of wireless network associations and geolocate a device

Topics

• Email Forensics
  • Evidence of User Communication
  • How Email Works
  • Email Header Examination
  • Email Authenticity
  • Determining a Sender’s Geographic Location
  • Extended MAPI Headers
  • Host-Based Email Forensics
  • Exchange Recoverable Items
  • Exchange and M365 Evidence Acquisition and Mail Export
  • Exchange and M365 Compliance Search and eDiscovery
  • Unified Audit Logs in Microsoft 365
  • Google Workspace (G Suite) Logging
  • Recovering Data from Google Workspace Users
  • Web and Cloud-Based Email
  • Webmail Acquisition
  • Email Searching and Examination
  • Mobile Email Remnants
  • Business Email Compromise Investigations
• Forensicating Additional Windows OS Artifacts
  • Windows Search Index Database Forensics
  • Extensible Storage Engine (ESE) Database Recovery and Repair
  • Windows Thumbcache Analysis
  • Windows Recycle Bin Analysis (XP, Windows 7-10)
  • System Resource Usage Monitor (SRUM)
    • Connected Networks, Duration, and Bandwidth Usage
    • Applications Run and Bytes Sent/Received Per Application
    • Application Push Notifications
    • Energy Usage
• Windows Event Log Analysis
  • Event Logs that Matter to a Digital Forensic Investigator
  • EVTX and EVT Log Files
    • Track Account Usage, including RDP, Brute Force Password Attacks, and Rogue Local Account Usage
    • Prove System Time Manipulation
    • Track BYOD and External Devices
    • Microsoft Office Alert Logging
    • Geo-locate a Device via Event Logs

Module5: : Web Browser Forensics

• Overview

  With the increasing use of the web and the shift toward web-based applications and cloud computing, browser forensic analysis is a critical skill. During this section, students will comprehensively explore web browser evidence created during the use of Internet Explorer, Microsoft Edge, Firefox, and Google Chrome. The hands-on skills taught here, such as SQLite and ESE database parsing, allow investigators to extend these methods to nearly any browser they encounter. Students will learn how to examine every significant artifact stored by the browser, including cookies, visit and download history, Internet cache files, browser extensions, and form data. We will show you how to find these records and identify the common mistakes investigators make when interpreting browser artifacts. You will also learn how to analyze some of the more obscure (and powerful) browser artifacts, such as session restore, HTML5 web storage, zoom levels, predictive site prefetching, and private browsing remnants. Browser synchronization is explained, providing investigative artifacts derived from other devices in use by the subject of the investigation. Finally, skills to investigate Chromium-based Electron Applications are introduced, opening capabilities to investigate hundreds of third-party Windows applications using this framework, including chat clients like Discord, Signal, Skype, Microsoft Teams, Slack, WhatsApp, Yammer, Asana, and more.

   

  Throughout the section, students will use their skills in real hands-on cases, exploring evidence created by Chrome, Firefox, Microsoft Edge, and Internet Explorer correlated with other Windows operating system artifacts.

  Exercises

  • Learn to manually parse SQLite databases from Firefox, Chrome, and Microsoft Edge
  • Explore the similarities and differences between Google Chrome and Microsoft Edge
  • Track a suspect’s activity in browser history and cache files and identify local file access
  • Analyze artifacts found within the Extensible Storage Engine (ESE) database format
  • Examine which files a suspect downloaded
  • Determine URLs that suspects typed, clicked on, bookmarked, or were merely re-directed to while web browsing
  • Parse automatic crash recovery files to reconstruct multiple previous browser sessions
  • Identify anti-forensics activity and re-construct private browsing sessions
  • Investigate browser auto-complete and form data, bringing the investigation closer to a “hands-on keyboard”
  • Learn how each browser synchronizes data with other devices and how to leverage synchronized data to audit activity occurring on previously unknown user devices like mobile phones, tablets, and other workstations.
  • Recover Microsoft Teams chats via local Electron Application databases

  Topics

  • Browser Forensics
    • History
    • Cache
    • Searches
    • Downloads
    • Understanding Browser Timestamps
    • Chrome
      • Chrome File Locations
      • Correlating URLs and Visits Tables for Historical Context
      • History and Page Transition Types
      • Chrome Preferences File
      • Web Data, Shortcuts, and Network Action Predictor Databases
      • Chrome Timestamps
      • Cache Examinations
      • Download History
      • Media History
      • Web Storage, IndexDB, and the HTML5 File System
      • Chrome Session Recovery
      • Chrome Profiles Feature
      • Chromium Snapshots folder
      • Identifying Cross-Device Chrome Synchronization
    • Edge
      • Chromium Edge vs. Google Chrome
      • History, Cache, Cookies, Download History, and Session Recovery
      • Microsoft Edge Collections
      • Edge Internet Explorer Mode
      • Chrome and Edge Extensions
      • Edge Artifact Synchronization and Tracking Multiple Profiles
      • Edge HTML and the Spartan.edb Database
      • Reading List, WebNotes, Top Sites, and SweptTabs
    • Internet Explorer
      • Internet Explorer Essentials and the Browser That Will Not Die
      • WebCache.dat Database Examination
      • Internet Explorer and Local File Access
    • Electron Applications and Chat Client Forensics
      • Electron Application Structure
      • Electron Chromium Cache
      • LevelDB Structure and Tools
      • Manual Parsing of LevelDB
      • Specialized LevelDB parsers
    • Firefox
      • Firefox Artifact Locations
        • SQLite Files and Firefox Quantum Updates
    • Download History
      • Firefox Cache2 Examinations
      • Detailed Visit Type Data
      • Form History
        • Session Recovery
      • Firefox Extensions
      • Firefox Cross-Device Synchronization
    • Private Browsing and Browser Artifact Recovery
      • Chrome, Edge, and Firefox Private Browsing
      • Investigating the Tor Browser
      • Identifying Selective Database Deletion
    • SQLite and ESE Database Carving and Examination of Additional Browser Artifacts
      • DOM and Web Storage Objects
      • Rebuilding Cached Web Pages
      • Browser Ancestry
      • Capturing Stored Browser Credentials

Module6: Windows Forensic Challenge