The objective of this course is to show students how to perform a full digital forensic investigation of a Windows system in a complete DIY setup.
The course covers a full digital forensic investigation of a Windows system. It begins with the simple preparation of our lab, which consists of setting up a "victim" VM and a forensic workstation. We'll then run an attack simulation script on the victim VM that reproduces attack patterns commonly observed from threat actors in the industry, creating a realistic setting for our investigation. From there, we'll kick off the forensic process, beginning with data collection, examination and extraction before diving deeper into the analysis of the information at hand.
The data analysis section consists of a comprehensive investigation, including various tools and many different forensic artifacts with which every analyst should be familiar. We will not only analyze artifacts, but also discuss their behavior to learn when, why and how to interpret the data contained within these artifacts. The investigation covers Windows disk and memory artifacts and ends with the analysis of the timelines generated from both.
This course also covers many important artifacts and concepts relating to Windows forensic analysis. We'll use several freely available tools for the analysis that are well known and recognized in the industry. The student will leave the course with a comprehensive understanding of the forensic process, important Windows artifacts and forensic tools and a forensic workstation available and ready to go for future investigations.
"Everything I wish I knew when I started analyzing Windows systems as a DFIR consultant."
Who / audience
• Beginners wanting to break into cyber security
• SOC Analysts, Junior and senior IT security staff
• Current DFIR and security analysts
• Blue Teamers / Red Teamers / Penetration Testers
• Lawyers and compliance staff
Requirements
• Basic IT knowledge
• Familiarity with Windows operating systems and virtualization
• Basic knowledge of command line utilities (Windows CMD, PowerShell, Ubuntu)
• Critical thinking, curiosity, passion for investigations and solving cases
• Min. 4 GB RAM and 60 GB storage; ideally 8 GB RAM, 2+ CPUs and 150 GB storage (specifically for the last section, "Super timelines")
* Where can I find support? You can find support through the Discord channel: https://discord.gg/WKsaGE2CV3. Please be patient, self-determined and willing to learn. That's the only way to gain the skills you want!
* Will you be able to provide any of the VMs? Due to licensing restrictions, unfortunately not.
* Where is the course material hosted? The course material is hosted on Github: https://github.com/bluecapesecurity/PWF
Course Curriculum - 11 Hours
- Build your forensic workstation tutorial and downloads (7:06)
- VirtualBox and Windows 2019 VM installation (8:46)
- WSL and Ubuntu installation on Windows 2019 Server (7:56)
- WSL and Ubuntu installation on Windows 10 (alternative) (4:03)
- Forensic workstation Windows configuration (5:37)
- Downloading and installing forensic tools (12:21)
- Windows registry overview (17:07)
- Exploring the registry with Registry Explorer (9:34)
- Gathering system information with RegRipper (9:25)
- RegRipper analysis continued (10:04)
- Parsing registry hives in bulk with RegRipper (8:52)
- User accounts and SIDs Overview (11:27)
- Analysis of user accounts, groups and profiles (14:22)
- Execution artifacts introduction (1:23)
- Analyzing the Background Activity Moderator (BAM) (7:50)
- Analysis of the Application Compatibility Cache (ShimCache) (12:03)
- Analyzing the Amcache with AmcacheParser (9:47)
- Overview of the Amcache (5:38)
- BONUS: Amcache in-depth analysis and why scheduled tasks matter (14:37)
- Windows Prefetch analysis with PECmd (9:52)
- Windows Prefetch timeline analysis (11:27)
- Analyzing Windows run keys with Registry Explorer and RegRipper (10:02)
- How to find evidence of persistence in startup folders (8:38)
- Windows Services overview and analysis (6:47)
- Detecting and analyzing malicious scheduled tasks (14:18)
- Persistence mechanisms analysis with Sysinternals Autoruns (5:30)
- Windows event logs overview (11:00)
- Analyzing Windows event logs with EventLogExplorer and EvtxECmd (16:44)
- Windows Defender event log analysis (6:45)
- Analyzing service installs using the System event log (4:54)
- Security event log and authentication events (10:11)
- Authentication events and logon IDs (8:20)
- PowerShell event logs overview (9:28)
- Analyzing malicious PowerShell events (15:55)
- Overview of the Sysmon event log and relevant event IDs (2:19)
- Detecting malicious events in Sysmon event logs (12:59)
- Setting up Volatility3 in the Ubuntu environment (7:42)
- Important files for memory analysis (8:40)
- Gathering Windows system information with Volatility3 (7:40)
- Update: If you ran the ART-attack script before July 9th!!
- Detecting suspicious Windows processes (10:40)
- Dumping processes from the memory (7:12)
- Detecting and analyzing injected DLLs (13:46)
- Identifying process owners and associated SIDs (4:37)
- Detecting and analyzing malicious registry key entries from memory (7:47)
- Super timeline analysis process and important requirements (4:43)
- Preparing tools and converting the disk image with QEMU (5:18)
- Memory timeline creation with Volatility3 (5:08)
- Creating a timeline of the disk image with Plaso tools and Log2Timeline (5:55)
- Merging timelines with mactime parser and creating a Super Timeline (5:54)
- Super Timeline overview with Timeline Explorer (5:32)
- Analyzing malicious activity using the Super Timeline (17:28)
About the Instructor
Markus Schober is the founder of Blue Cape Security, where he offers defensive cyber security training and career development services. Prior to founding the company, Markus worked in the incident response and digital forensics (DFIR) industry for over 7 years as a Principal Consultant and manager at IBM X-Force. There, he led numerous engagements responding to cyber attacks and trained and mentored cyber security professionals. He also has many years of software engineering experience in both the United States and Europe.
Markus has a Master's in Information Technology and currently holds or has held certifications such as the CISSP, GCFA and GCIH, amongst others.
Markus’ mission is to help close the gap between professionals and organizations in the cyber security industry by democratizing training and disrupting hiring processes. When not working, he enjoys spending time with his family, traveling and following various sport events.
Social media links
Website - https://www.bluecapesecurity.com
LinkedIn - https://www.linkedin.com/in/markusschober123/
Twitter - https://twitter.com/mascho
Discord - https://discord.gg/WKsaGE2CV3
Frequently Asked Questions
Can I get a refund if I'm unhappy with my purchase?
Yes. All courses come with a 3-day money-back guarantee.
Will I receive a certificate of completion when I finish a course?
Yes. All courses come with a certificate of completion.
Do the courses count as Continuing Education Units (CEUs)?
Yes. Every certificate of completion comes with the total CEUs earned listed on the certificate.
Do course purchases come with lifetime access?
Yes. You only pay once for our courses!
Can I migrate Udemy courses?
Unfortunately, we cannot migrate users from Udemy to the Academy. Udemy does not provide us with student enrollment information. The Udemy courses do receive quality of life updates and are still supported by our team. We apologize for any inconvenience.
What's the difference between purchasing a course and the All-Access Pass?
When a student purchases a course, either individually or with a bundle, they receive lifetime access to the course and its materials. When a student purchases the All-Access pass subscription, they receive access to all of our courses and content, but the access is removed once the monthly subscription ends.