Lesson 1. Timeline construction: timestamp normalization, correlation across sources, timeline tools (PLASO/Timesketch) and methodology

This section teaches the systematic construction of forensic timelines. Students will normalize timestamps, correlate events across sources, and use tools such as PLASO and Timesketch to build, query, and present timelines that support investigative conclusions.

- Collecting timestamped artifacts safely
- Timezone handling and normalization rules
- Building super timelines with PLASO
- Visualizing and querying in Timesketch
- Correlating events across multiple sources
- Using timelines to test case hypotheses

Lesson 2. Windows-specific logs and artifacts: Event Logs (System, Security, Application), Windows Security Audit logs, Prefetch, LNK shortcut files, RecentDocs, UserAssist

This section explores Windows logs and the supporting artifacts that reveal user and system activity. Learners will analyze the Security, System, and Application logs, plus Prefetch, LNK, RecentDocs, and UserAssist, to reconstruct program execution and file access.

- Key Windows Event Log channels and their uses
- Security Audit events for logon and access
- Prefetch analysis for program execution
- LNK shortcuts and RecentDocs correlations
- UserAssist entries and GUI-based activity
- Cross-validating logs with file system data

Lesson 3. Application and browser artifacts: webmail access traces (cookies, cached pages, saved credentials), browser history, form autofill, extensions, webmail headers

This section focuses on application and browser artifacts that reveal online behavior. Students will analyze cookies, cache, saved credentials, history, autofill, extensions, and webmail headers to trace webmail access and potential data exfiltration.

- Browser history and visit reconstruction
- Cookie and session artifact analysis
- Cached pages and offline web content
- Saved credentials and password stores
- Form autofill and input reconstruction
- Webmail headers and access indicators

Lesson 4. Network and VPN artifacts: VPN client logs, Windows Networking Logs, routing tables, network captures (if available), DHCP, DNS cache

This section addresses artifacts that reveal network and VPN usage. Learners will review VPN client logs, Windows networking logs, routing data, DHCP, DNS cache, and packet captures to identify remote access, exfiltration paths, and command channels.

- VPN client logs and session timelines
- Windows firewall and networking logs
- DHCP leases and IP address attribution
- DNS cache and name resolution history
- Analyzing routing tables and tunnels
- Using packet captures when available

Lesson 5. File system and storage artifacts: NTFS structures (MFT, $LogFile, $UsnJrnl), file slack, alternate data streams, timestamps (MFT, $STANDARD_INFORMATION, $FILE_NAME)

This section examines the Windows file system artifacts that are critical to investigations. Learners will analyze NTFS structures, including the MFT, $LogFile, and $UsnJrnl, plus file slack and alternate data streams, to reconstruct file history and hidden activity.

- Master File Table structure and entries
- $LogFile and transaction rollback analysis
- $UsnJrnl for change tracking over time
- Interpreting NTFS timestamp triads
- File slack and residual data inspection
- Alternate Data Streams and hidden content

Lesson 6. External media and USB usage artifacts: Windows USBSTOR, SetupAPI, registry MountPoints2, PnP entries, artifacts showing device connection timestamps

This section examines the Windows artifacts that record external media usage, focusing on USB devices. Students will analyze USBSTOR, SetupAPI, MountPoints2, and PnP data to identify devices, their first and last use, and potential data transfer windows.

- USBSTOR keys and device identification
- SetupAPI logs and installation timelines
- MountPoints2 and volume label correlations
- PnP device entries and connection history
- Correlating USB artifacts with user sessions
- Detecting suspicious removable media activity

Lesson 7. Deleted and unallocated space recovery: carving techniques, file slack analysis, undelete tools, recovering deleted email attachments

This section focuses on recovering evidence from deleted and unallocated space. Students will apply carving techniques, analyze file slack, use undelete tools, and target the recovery of documents and email attachments relevant to suspected exfiltration.

- Understanding deleted and unallocated space
- File carving methods and tool selection
- Analyzing file slack for residual content
- Using undelete tools safely and forensically
- Recovering deleted email attachments
- Validating and documenting recovered data

Lesson 8. Defining investigative goals and hypotheses: proving exfiltration, establishing a timeline, identifying user accounts and intent

This section covers translating case questions into concrete forensic goals, forming testable hypotheses, and mapping them to specific artifacts. Learners will plan how to prove exfiltration, build timelines, and assess user intent defensibly.

- Turning case questions into forensic objectives
- Linking hypotheses to specific artifact sources
- Planning to prove or refute data exfiltration
- Designing methods to establish activity timelines
- Attributing actions to user accounts and devices
- Documenting assumptions, limits, and caveats