Digital Forensics is a subfield of cyber security that specializes in the in-depth investigation of computer systems and networks. The Windows operating system is still the predominant operating system for desktop and laptop computers. For this reason, it is to your advantage to have a solid understanding of Windows forensics. The International Association of Computer Investigative Specialists (IACIS) offers an affordable and comprehensive training solution to address this need, the Windows Forensic Examiner. With a strong membership base in federal, state and municipal law enforcement professionals, the course has an emphasis on cyber crime and fraud investigations rather than incident response related forensic investigations.

The course begins with an overview of Virtualization Technologies such as Microsoft Hyper-V, VMware Workstation Pro and Oracle VirtualBox. Aside from digital forensics, virtualization is used in various sectors of the IT industry for a wide range of purposes such as testing and debugging as well as server reduction and application isolation. From a forensic standpoint, virtualization can be used for virtualizing evidence which essentially provides the examiner an opportunity to perform a live examination of the suspect device. On the contrary, criminals and threat actors may use virtualization as a means of hiding incriminating data within several layers of virtualized hard drives. For these reasons having a good basic understanding of the underlying technology, and how you can use it to your benefit is essential for digital forensics examiners.

The second major topic of the course is Partitioning Schemes. Regardless of the type of system being investigated, the forensic examiner will have to deal with a disk layout that organizes the physical areas of the disk into logical areas that can be used to store data. Even if a hard disk is not partitioned, it still requires a partitioning scheme in order to work. Currently, two distinct schemes exist – Master Boot Record (MBR) and GUID Partition Table (GPT).

There are various reasons why a hard drive may be partitioned such as booting into more than one operating system. Another important use case is for data retention purposes whereby the operating system is installed on one partition and all user data and programs are installed on another partition. This enables upgrading or reinstalling the operating system without the risk of losing user data. Perpetrators may also use partitioning to hide illicit data.

The course describes in great detail the structure of both partitioning schemes on a byte level and provides students with a good understanding of how to dissect their layout in hexadecimal notation.

Forensic examiners spend a wealth of time looking at File Systems as nearly every piece of evidence is in some way connected to a file system. The Windows Forensic Examiner course focuses on the following four file systems.

As with partitioning schemes, the course dives deep into structural intricacies, especially regarding the New Technology File System (NTFS). Students will learn about the Master File Table ($MFT) which stores a file record of every file on the volume, the various attributes that make up a file record, and the concept of runlists. The main differences between the abovementioned file systems will be discussed as well.

The key takeaway for students is that file systems play an incredibly important role in digital forensics.

The Windows operating system is a highly sophisticated piece of software that has various built-in components and features through which it functions and is able to track changes. These capabilities were not developed by software engineers for the purpose of providing forensic value to investigators. Rather, their forensic significance is a byproduct of improving the overall user experience.

You will learn to derive forensic evidence from the following Windows artifacts:

The Windows Registry has an astounding amount of useful information that can be used for showing culpability or responsibility for certain actions. Moreover, it can provide evidence of a suspect’s interaction with specific files or folders. Despite this, it is important to note that the mere existence of a specific file is often not enough to convict a suspect. Your responsibility as a forensic examiner is to prove beyond a reasonable doubt that the accused interacted with the file and was aware of its existence. The registry is in essence a central hierarchical database that configures a system for one or more users, software applications and hardware devices. As such it is responsible for registering and presenting artifacts related to the hardware, software and user accounts as each of these has to be registered.

It is imperative for a forensic examiner to be well-acquainted with the Windows Registry and understand its structure, purpose and functionality. Although modern forensic tools are able to do much of the heavy lifting, you as a forensic examiner should have enough knowledge to be able to validate the results that your tools are providing. The course arms students with the skills and knowledge needed to do just that.

Shell Links are a means for Windows to track files and resources in other locations. For this reason, they are of great importance during an investigation as they help in determining recent activity by users and their knowledge of a file’s existence or location. Shell links function as shortcuts and enable the user to place them in a location of their choosing while at the same time the operating system is able to maintain its organized folder structure. Shell links are an excellent example of operating system functionality that was never intended for forensic use, and yet provides a wealth of forensically relevant information.

Jump List were introduced in Windows 7 and are application specific menus that opens up when a user right clicks an application icon on the taskbar. They provide a list of recent items and shortcuts related to the application as well as application specific functionality. As with shell links, jump lists were designed to enhance user experience. From a forensic perspective, jump lists can be used to demonstrate file activity as well as a suspect’s knowledge of a particular application, and more specifically, a particular file associated with the application.

Despite their quirky name, Shellbags are in fact a collection of registry key-value pairs that contain configuration settings for shell folders that have been browsed by a user in the Windows Graphical User Interace (GUI). The purpose of shellbags is to provide the user with a consistent user experience. The data may include information about the layout and window positions of folders. The forensic application for this data is again to show that a suspect visited or was aware of specific folder locations.

Thumbcaches provide significant evidentiary value as they may be the only relevant artifact available to an investigator in a case involving unlawful images. Especially with solid state drives there may be various processes running which write to unallocated clusters, and thus potential evidence data can get overwritten. As a result, thumbcaches have secured their spot as a vital piece of evidence.

In addition to the aforementioned Windows system artifacts, you will be introduced to a number of vital Windows software artifact. 

The first and perhaps most important Windows Software Artifact is Microsoft Edge. When the Edge browser was first introduced in Windows 10, the idea was that it will use a different set of backend cache databases to store information compared to Internet Explorer. However, the problem with the original Edge browser was that it was slow and did not have sufficient security features built into it. As the open source Chromium browser became increasingly popular, Microsoft adopted it as the base for its new Edge browser. The course explains the differences between the old and new Edge browsers as well as the forensically significant Extensible Storage Engine and SQLite databases.

Windows Mail is the default mail client bundled with the Windows operating system. It is targeted more towards consumers rather than professionals. Unlike Microsoft Outlook which is an application, Windows Mail is a service that runs in the background and does not have to be restarted by the user after it has been initialized. Thus, it is capable of collecting more data about the user and can be crucial in finding evidence about registered email accounts, contact details and calendar appointments.

As a tightly integrated part of the operating system, Windows Notification Center is a software component that alerts users to a plethora of different types of events such as incoming instant messages and emails, calendar appointments, system recommendations and warnings. The data is stored in a SQLite database and presented in XML format. Notifications can provide vital clues and leads to forensic investigators who are trying to piece together the entire puzzle.

The Windows Timeline database contains a massive amount of useful forensic information about the suspect’s interactions with the computer, the duration of each interaction as well as whether the suspect was using a local account or a Microsoft account. Additionally, the Windows Timeline tracks WiFi activity. The course will give you an in-depth understanding of how to find relevant data from the Windows Timeline database file and where the relevant data is located within the database.

Microsoft OneDrive is a personal cloud storage service that enables users to access their files and folders from any connected device by synchronizing the data. Cloud synchronization is similar to the old File Transfer Protocol (FTP) through which data can be sent to and received from a remote location. The difference is that cloud synchronization automates and manages how data is uploaded and downloaded. The use of OneDrive can significantly hinder a forensic investigation as the relevant data may no longer be available on the computing device. Nevertheless, the Master File Table ($MFT) will retain a record entry for the file. A wealth of valuable information is presented to the students on the inner workings of OneDrive, where forensically significant data is stored, and how to deobfuscate strange file names in the log file using an obfuscation map.

Cortana, Microsoft’s digital assistant, used to be a gold mine of forensic information. However, due to the General Data Protection Regulation (GDPR) legislation and other data privacy policies, Microsoft has greatly reduced the amount of personal user information stored on their servers. Cortana still collects information when user activity is detected on human interface devices (HID) such as trackpads or keyboards. Thus one of the key pieces of evidence that Cortana can provide, is whether a user was physically in the proximity of the computer when an incident took place. The instructor sheds light on how much modern computing devices actually intrude into users’ lives, and how this information can benefit the forensic examiner.

Many forensic investigations may involve Universal Serial Bus (USB) devices that have been used either as a vehicle to bring something neferious into a computing device or as a means of exfiltrating data out of it. There are many examples, such as the notorious Rubber Ducky by Hak5 which “to a human is a flash drive, but to a computer is a keyboard typing at superhuman speeds”.

The Windows Forensic Examiner course gives students the knowledge of the kinds of artifacts a forensic examiner needs during an investigation and where to find them. Armed with this information, you will be able to determine when was an external device inserted and ejected from the computing device as well as who was signed in during the time of the activity.

Windows performs automated backups of critical system files and folders. Although these features are important from the perspective of resilience, many users are unaware of them. In earlier Windows versions, the operating system created System Restore Points which provided the user a way to revert to a previous state. Newer versions of Windows have a similar feature known as Volume Shadow Copies which provide a broader range of backup capabilities. As with most Windows artifacts, these were not developed for the benefit of the forensic investigator. However, the nature of their functionality is one that provides great forensic value.

The lead instructor for the Windows Forensic Examiner course is Rob Attoe, CEO of Spyder Forensics. With nearly two decades of experience in the field, Mr. Attoe brings a wealth and depth of knowledge to the table. Additionally, he shares helpful insights that provide great value to students. Although not associated with IACIS, please feel free to take a look at the wide range of other digital forensics courses that Spyder Forensics offers.

The Certified Advanced Windows Forensic Examiner (CAWFE) certification exam is similar to SANS certification exams in that it consists of a theoretical assessment and a practical demonstration of knowledge. Unlike SANS certification exams however, IACIS has split the exam into two separate and independent examination phases. Phase 1 is a four stage theoretical assessment containing various types of multiple choice questions. The maximum score is 100 points and students are required to attain the passing score of 80 points in order to be eligible to attempt the practical examination. Successful candidates are presented with a disk image, a memory dump and an answer sheet that has a long list of questions. IACIS provides an ample amount of time to complete the practical examination. As with the theoretical assessment, the passing score is 80 points.

The exam has been designed to be challenging, and to test students’ ability to research and find answers. Thus, it is not surprising that IACIS has chosen an open-Internet exam format as opposed to open book. As appealing as this may sound for the candidate, it greatly increases the difficulty of the exam. The questions are no longer restricted to subject matters covered in the study materials. Instead, the questions can address any type of scenario as long as it is connected to Windows forensics. The very fact that the exam is highly challenging makes it an excellent learning opportunity! Especially the practical examination forces you to research, investigate and think for yourself. You may well end up learning more during the exam than during the entire course. It is an invaluable experience!

The Windows Forensic Examiner course is for you, if you are looking for an affordable digital forensics training resource that is specifically focused on the Windows operating system. As you can see, the course covers a broad range of topics that are essential for a forensic examiner. The certification exam is tough and requires a lot of dedication, especially if you are new to the field. Nevertheless, it is an excellent learning opportunity that will force you to push yourself further and further.

To find out more and register, please visit the official IACIS website.