Lesson 1: Timeline construction: timestamp normalization, correlation across sources, timeline tools (PLASO/Timesketch) and methodology

This lesson teaches the systematic construction of forensic timelines in South Sudan. Students normalize timestamps, correlate events across sources, and use tools such as PLASO and Timesketch to build, query, and present timelines that support investigative conclusions.
- Acquiring time-related artifacts safely
- Time zone handling and normalization rules
- Building super timelines with PLASO
- Viewing and querying in Timesketch
- Correlating events across multiple sources
- Using timelines to test case hypotheses

Lesson 2: Windows-specific logs and artifacts: Event Logs (System, Security, Application), Windows Security Audit logs, Prefetch, LNK shortcut files, RecentDocs, UserAssist

This lesson explores Windows logs and artifacts that show user and system activity in South Sudan. Learners examine the Security, System, and Application logs, plus Prefetch, LNK files, RecentDocs, and UserAssist to reconstruct program execution and file access.
- Main Windows Event Log locations and uses
- Security audit events for logon and access
- Prefetch analysis for program execution
- LNK shortcuts and RecentDocs associations
- UserAssist entries and GUI activity
- Cross-checking logs against file system data

Lesson 3: Application and browser artifacts: webmail access traces (cookies, cached pages, saved credentials), browser history, form autofill, extensions, webmail headers

This lesson focuses on application and browser artifacts that show online activity in South Sudan. Students examine cookies, cache, saved credentials, history, autofill, extensions, and webmail headers to trace webmail access and data exfiltration risks.
- Browser history and visit reconstruction
- Cookie and session artifact analysis
- Cached pages and offline web content
- Saved credentials and password stores
- Form autofill and input reconstruction
- Webmail headers and access indicators

Lesson 4: Network and VPN artifacts: VPN client logs, Windows Networking Logs, routing tables, network captures (if available), DHCP, DNS cache

This lesson covers artifacts that show network and VPN use in South Sudan. Learners review VPN logs, Windows networking logs, routing data, DHCP, DNS cache, and packet captures to identify remote access, exfiltration paths, and command channels.
- VPN client logs and session timelines
- Windows Firewall and networking logs
- DHCP leases and IP address attribution
- DNS cache and name resolution history
- Examining routing tables and tunnels
- Using packet captures where available

Lesson 5: File system and storage artifacts: NTFS structures (MFT, $LogFile, $UsnJrnl), file slack, alternate data streams, timestamps (MFT, $STANDARD_INFORMATION, $FILE_NAME)

This lesson examines Windows file system artifacts that are central to investigations in South Sudan. Learners analyze NTFS structures, the MFT, $LogFile, $UsnJrnl, file slack, and alternate data streams to reconstruct file history and hidden activity.
- Master File Table structure and entries
- $LogFile and transaction rollback analysis
- $UsnJrnl for tracking changes over time
- Reading NTFS timestamp sets ($STANDARD_INFORMATION and $FILE_NAME)
- File slack and residual data analysis
- Alternate Data Streams and hidden content

Lesson 6: External media and USB usage artifacts: Windows USBSTOR, SetupAPI, registry MountPoints2, PnP entries, artifacts showing device connection timestamps

This lesson examines Windows artifacts that record external media use, with a focus on USB devices, in South Sudan. Students analyze USBSTOR, SetupAPI, MountPoints2, and PnP data to identify devices, first and last use, and data transfer windows.
- USBSTOR keys and device identification
- SetupAPI logs and installation timelines
- MountPoints2 and volume label associations
- PnP device entries and connection history
- Correlating USB artifacts with user sessions
- Identifying unusual removable media activity

Lesson 7: Deleted and unallocated space recovery: carving techniques, file slack analysis, undelete tools, recovering deleted email attachments

This lesson focuses on recovering evidence from deleted files and unallocated space in South Sudan. Students apply carving techniques, analyze file slack, use undelete tools, and target the recovery of documents and email attachments relevant to suspected exfiltration.
- Understanding deleted files and unallocated space
- File carving techniques and tool selection
- Examining file slack for residual content
- Using undelete tools safely and forensically
- Recovering deleted email attachments
- Validating and documenting recovered data

Lesson 8: Defining investigative goals and hypotheses: proving exfiltration, establishing timeline, identifying user accounts and intent

This lesson covers turning case questions into concrete forensic goals, forming testable hypotheses, and mapping them to artifacts in South Sudan. Learners plan how to prove exfiltration, build timelines, and establish user intent with confidence.
- Turning case questions into forensic objectives
- Linking hypotheses to artifact sources
- Planning to prove or disprove data exfiltration
- Designing approaches to establish activity timelines
- Attributing activity to user accounts and devices
- Documenting assumptions, limitations, and caveats