Lesson 1: Timeline construction. Timestamp normalization, correlation across sources, timeline tools (PLASO/Timesketch) and techniques.

This module teaches the systematic construction of investigative timelines. Students will normalize timestamps, correlate events across sources, and use tools such as PLASO and Timesketch to build, query, and present timelines that support investigative conclusions.
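The normalization step this module covers, as an added example that is not part of the course material or of PLASO/Timesketch: every source in a case writes time differently (NTFS $MFT and registry as Windows FILETIME, Chrome history as WebKit microseconds, a USN-journal parser as Unix epoch, an exported event log as naive host-local text, a VPN log as ISO 8601 with an offset), and nothing can be correlated until all of them are converted to aware UTC. The source names, the host time zone and the five sample events below are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows FILETIME (100 ns ticks) and Chrome/WebKit time (microseconds) both
# count from 1601-01-01 00:00:00 UTC, so one epoch serves both conversions.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ticks: int) -> datetime:
    """Windows FILETIME -> aware UTC datetime (100 ns ticks rounded to microseconds)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def from_webkit(micros: int) -> datetime:
    """Chrome/WebKit timestamp (microseconds since 1601) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=micros)


def from_unix(seconds: float) -> datetime:
    """Unix epoch seconds (already UTC by definition) -> aware UTC datetime."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def from_local(text: str, host_tz: timezone) -> datetime:
    """Naive 'YYYY-MM-DD HH:MM:SS' text written in the host's local zone -> UTC.
    The examiner must supply the zone the host used when the line was written;
    the text itself carries no offset, and DST fall-back hours are ambiguous."""
    naive = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=host_tz).astimezone(timezone.utc)


@dataclass(frozen=True)
class Event:
    ts: datetime   # always aware UTC after normalization
    source: str
    message: str


# One converter per timestamp encoding; the converter receives the host zone
# only because the naive-local case needs it.
PARSERS = {
    "filetime": lambda v, tz: from_filetime(v),
    "webkit": lambda v, tz: from_webkit(v),
    "unix": lambda v, tz: from_unix(v),
    "local": lambda v, tz: from_local(v, tz),
    "iso": lambda v, tz: datetime.fromisoformat(v).astimezone(timezone.utc),
}


def build_timeline(raw_events, host_tz: timezone):
    """Normalize every event to UTC, then order them. Ties are broken by source
    name so the ordering is deterministic and reproducible in a report."""
    events = [Event(PARSERS[kind](value, host_tz), source, message)
              for source, kind, value, message in raw_events]
    events.sort(key=lambda e: (e.ts, e.source))
    return events


def timeline_rows(events):
    """Render as (ISO-8601 UTC, source, message) tuples for a report or CSV."""
    return [(e.ts.isoformat(), e.source, e.message) for e in events]


# Constructed sample: one event per encoding, as five different tools export them.
# The host is assumed to have been running at UTC+01:00 when the event log line was written.
HOST_TZ = timezone(timedelta(hours=1))
SAMPLE_EVENTS = [
    ("evtx", "local", "2021-01-01 01:02:00", "Security 4624 logon"),
    ("usnjrnl", "unix", 1609459260, "DATA_EXTEND report.xlsx"),
    ("mft", "filetime", 132539328000000000, "$SI created report.xlsx"),
    ("chrome", "webkit", 13253932830000000, "visit https://mail.example.test/"),
    ("vpn", "iso", "2021-01-01T03:00:45+03:00", "tunnel up"),
]

if __name__ == "__main__":
    for row in timeline_rows(build_timeline(SAMPLE_EVENTS, HOST_TZ)):
        print(*row, sep="\t")
```

Read in raw form the sample events appear to span three hours; normalized, all five fall inside two minutes, which is the point of the exercise. The naive event-log line is the fragile case: if the host zone is guessed wrong by one hour the whole source shifts relative to the others, so record the zone assumption in the report alongside the timeline.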

- Collecting timestamped artifacts safely
- Timezone handling and normalization rules
- Building super timelines with PLASO
- Visualizing and querying in Timesketch
- Correlating events across multiple sources
- Using timelines to test case hypotheses

Lesson 2: Windows-specific logs and artifacts. Event Logs (System, Security, Application), Windows Security Audit logs, Prefetch, LNK shortcut files, RecentDocs, UserAssist.

This module examines the Windows logs and artifacts that reveal user and system activity. Students will examine the Security, System, and Application logs, together with Prefetch, LNK files, RecentDocs, and UserAssist, to reconstruct program execution and file access.
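The UserAssist decoding this module covers, as an added example that is not part of the course material: value names under the user's UserAssist\{GUID}\Count keys are ROT13-obfuscated and the binary value (72 bytes on Windows 7 and later) carries the run count, focus count, focus time and a last-executed FILETIME. The value below is constructed for the illustration; the folder-GUID table is a small subset of the documented known-folder IDs, and the parsing layout is the one commonly documented for these values rather than anything from this course.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Layout of a Windows 7+ UserAssist value (72 bytes, little-endian):
# session id, run count, focus count, focus time in ms, ten floats,
# unknown, last-executed FILETIME, unknown.
USERASSIST_FMT = "<IIII10fIQI"

# Known-folder GUIDs that UserAssist substitutes for common path prefixes (subset).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
}


def decode_name(value_name: str) -> str:
    """Value names are ROT13-obfuscated; only ASCII letters are rotated."""
    return codecs.decode(value_name, "rot13")


def resolve_known_folder(path: str) -> str:
    """Replace a leading known-folder GUID with its conventional path."""
    for guid, prefix in KNOWN_FOLDERS.items():
        if path.upper().startswith(guid):
            return prefix + path[len(guid):]
    return path


def parse_userassist(value_name: str, data: bytes) -> dict:
    """Decode one value from ...\\UserAssist\\{GUID}\\Count into a report row."""
    if len(data) != struct.calcsize(USERASSIST_FMT):
        raise ValueError(f"unexpected UserAssist value size {len(data)}")
    fields = struct.unpack(USERASSIST_FMT, data)
    run_count, focus_count, focus_ms = fields[1], fields[2], fields[3]
    last_ft = fields[15]
    # A zero FILETIME means Windows never recorded an execution time for this entry.
    last_executed = (EPOCH_1601 + timedelta(microseconds=last_ft // 10)).isoformat() if last_ft else None
    program = decode_name(value_name)
    return {
        "program": program,
        "path": resolve_known_folder(program),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_executed": last_executed,
    }


def make_value(run_count: int, focus_count: int, focus_ms: int, last_ft: int) -> bytes:
    """Build a 72-byte value; used only to construct the sample below."""
    return struct.pack(USERASSIST_FMT, 0, run_count, focus_count, focus_ms,
                       *([0.0] * 10), 0, last_ft, 0)


# Constructed sample: notepad.exe launched from System32, last run 2021-01-01 00:00:00 UTC.
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\abgrcnq.rkr"
SAMPLE_DATA = make_value(run_count=5, focus_count=3, focus_ms=120_000, last_ft=132539328000000000)

if __name__ == "__main__":
    print(parse_userassist(SAMPLE_NAME, SAMPLE_DATA))
```

Two caveats when using the output: UserAssist only records programs started through the Explorer shell (double-click, Start menu, Run dialog), so a console or script launch leaves no entry, and because the key lives in NTUSER.DAT the entry attributes the launch to that account's profile, not to whoever was at the keyboard.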

- Key Windows Event Log channels and uses
- Security Audit events for logon and access
- Prefetch analysis for program execution
- LNK shortcuts and RecentDocs correlations
- UserAssist entries and GUI-based activity
- Cross-validating logs with file system data

Lesson 3: Application and browser artifacts. Traces of webmail access (cookies, cached pages, saved passwords), browser history, form autofill, extensions, webmail headers.

This module focuses on the application and browser artifacts that reveal online behaviour. Students will examine cookies, cache, saved passwords, history, autofill data, extensions, and webmail headers to trace webmail access and possible data exfiltration.

- Browser history and visit reconstruction
- Cookie and session artifact analysis
- Cached pages and offline web content
- Saved credentials and password stores
- Form autofill and input reconstruction
- Webmail headers and access indicators

Lesson 4: Network and VPN artifacts. VPN client logs, Windows networking logs, routing tables, network captures (where available), DHCP, DNS cache.

This module covers the artifacts that reveal network and VPN usage. Students will examine VPN client logs, Windows networking logs, routing tables, network captures (where available), DHCP leases, and the DNS cache to identify remote access, exfiltration paths, and command-and-control channels.

- VPN client logs and session timelines
- Windows firewall and networking logs
- DHCP leases and IP address attribution
- DNS cache and name resolution history
- Analyzing routing tables and tunnels
- Using packet captures when available

Lesson 5: File system and storage artifacts. NTFS structures (MFT, $LogFile, $UsnJrnl), file slack, alternate data streams, timestamps (MFT, $STANDARD_INFORMATION, $FILE_NAME).

This module examines the file system and storage artifacts that matter to an investigation. Students will examine NTFS structures, including the MFT, $LogFile, and $UsnJrnl, together with file slack and alternate data streams, to reconstruct file history and hidden activity.
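Interpreting the timestamp sets this module names, as an added example that is not part of the course material: each MFT record carries one set of four FILETIME values in $STANDARD_INFORMATION ($SI) and another in $FILE_NAME ($FN), and comparing them is the standard check for timestamp manipulation. The record values below are constructed for the illustration; the three heuristics are the commonly used ones and are the example's own choice, not a rule stated by the course.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME resolution is 100 ns


def filetime_to_utc(ticks: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def utc_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


FIELDS = ("created", "modified", "mft_modified", "accessed")


def timestamp_anomalies(si: dict, fn: dict) -> list:
    """Compare the $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamp
    sets of one MFT record (FILETIME ints keyed by FIELDS) and return findings."""
    findings = []
    # 1. $FN is written only by the kernel; SetFileTime() from user mode changes $SI
    #    alone, so a $SI creation time earlier than $FN's is a backdating indicator.
    if si["created"] < fn["created"]:
        findings.append("$SI created precedes $FN created: possible backdating via SetFileTime")
    # 2. Whole-second $SI values: many stomping tools write times at one-second
    #    resolution, while NTFS itself records 100 ns ticks.
    for name in ("created", "modified", "accessed"):
        if si[name] % TICKS_PER_SECOND == 0:
            findings.append(f"$SI {name} has zero fractional seconds: low-resolution write")
    # 3. The MFT-entry-modified time is refreshed by the kernel whenever the record
    #    changes, so a $SI modified time later than it had to be set by hand.
    if si["modified"] > si["mft_modified"]:
        findings.append("$SI modified is later than $SI MFT-entry-modified: future-dated mtime")
    return findings


def describe(si: dict, fn: dict) -> dict:
    """Side-by-side ISO rendering of both attribute sets for the report."""
    return {f: (filetime_to_utc(si[f]).isoformat(), filetime_to_utc(fn[f]).isoformat())
            for f in FIELDS}


# Constructed sample records.
T_REAL = utc_to_filetime(datetime(2021, 1, 1, 10, 15, 32, 123456, tzinfo=timezone.utc))
T_FAKE = utc_to_filetime(datetime(2015, 6, 1, tzinfo=timezone.utc))  # whole second, years earlier

# File created 2021-01-01, then its $SI times pushed back to 2015; $FN still shows 2021.
STOMPED_SI = {"created": T_FAKE, "modified": T_FAKE, "mft_modified": T_REAL, "accessed": T_FAKE}
STOMPED_FN = {f: T_REAL for f in FIELDS}
# Untouched file: both attribute sets agree and carry sub-second ticks.
CLEAN_SI = {f: T_REAL for f in FIELDS}
CLEAN_FN = {f: T_REAL for f in FIELDS}

if __name__ == "__main__":
    for label, si, fn in (("stomped", STOMPED_SI, STOMPED_FN), ("clean", CLEAN_SI, CLEAN_FN)):
        print(label, describe(si, fn))
        for finding in timestamp_anomalies(si, fn):
            print("  !", finding)
```

None of the three checks is proof on its own. $FN timestamps are rewritten from the current $SI values when a file is renamed or moved, so a stomp performed before the move is inherited into $FN and the first check goes quiet; robocopy with timestamp preservation and some archive extractors also legitimately produce $SI creation times older than $FN. Corroborate a hit with the $UsnJrnl and $LogFile records for the same MFT entry before drawing a conclusion.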

- Master File Table structure and entries
- $LogFile and transaction rollback analysis
- $UsnJrnl for change tracking over time
- Interpreting NTFS timestamp triads
- File slack and residual data inspection
- Alternate Data Streams and hidden content

Lesson 6: External media and USB usage artifacts. Windows USBSTOR, SetupAPI, the MountPoints2 registry key, PnP entries, artifacts that record device connection timestamps.

This module examines the Windows artifacts that record the use of external media, focusing on USB devices. Students will examine USBSTOR, SetupAPI, MountPoints2, and PnP data to identify devices, their first and last use, and the windows in which data could have been transferred.
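The SetupAPI and USBSTOR material of this module, as an added example that is not part of the course material: setupapi.dev.log records a "Device Install (Hardware initiated)" section with a "Section start" line the first time a device is installed, and the USBSTOR instance path in that section encodes vendor, product, revision and serial. The log excerpt, device paths and the UsbInstall record type below are constructed for the illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Header pair that opens a hardware-initiated install section (Windows 7 and later).
# The timestamp is the host's LOCAL time; convert with the host zone before correlating.
SECTION_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<devid>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")

# USBSTOR instance path: USBSTOR\<type>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance>
DEVID_RE = re.compile(
    r"^USBSTOR\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>.+)$",
    re.IGNORECASE,
)


@dataclass
class UsbInstall:
    device_id: str
    vendor: str
    product: str
    revision: str
    serial: Optional[str]          # None when Windows generated the instance id
    windows_generated_id: bool
    first_install_local: datetime  # host local time, exactly as written in the log


def parse_device_id(devid: str) -> dict:
    m = DEVID_RE.match(devid)
    if not m:
        raise ValueError(f"not a USBSTOR instance path: {devid}")
    instance = m["instance"]
    # An '&' as the second character of the instance id means the device reported
    # no unique serial and Windows synthesised one; such an id cannot tie the
    # entry to one physical stick across machines.
    generated = len(instance) > 1 and instance[1] == "&"
    return {
        "vendor": m["vendor"], "product": m["product"], "revision": m["rev"],
        "serial": None if generated else instance.split("&")[0],
        "windows_generated_id": generated,
    }


def parse_setupapi(lines) -> List[UsbInstall]:
    """Return the first install time of every USBSTOR device in the log, oldest first."""
    seen = {}
    pending = None
    for line in lines:
        sec = SECTION_RE.match(line)
        if sec:
            pending = sec["devid"]
            continue
        start = START_RE.match(line)
        if start and pending and pending.upper().startswith("USBSTOR\\") and pending not in seen:
            ts = datetime.strptime(start["ts"], "%Y/%m/%d %H:%M:%S.%f")
            seen[pending] = UsbInstall(device_id=pending, first_install_local=ts,
                                       **parse_device_id(pending))
        pending = None  # the start line must directly follow the section header
    return sorted(seen.values(), key=lambda u: u.first_install_local)


# Constructed excerpt: a USB-class section (ignored), a SanDisk stick with a real
# serial, a no-name stick with a Windows-generated id, and a re-install of the SanDisk.
SAMPLE_LOG = r"""[Device Install Log]
     OS Version = 10.0.19045
     Architecture = amd64

[BeginLog]

>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567890123]
>>>  Section start 2021/01/01 11:15:31.900
<<<  Section end 2021/01/01 11:15:32.100
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2021/01/01 11:15:32.123
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p
<<<  Section end 2021/01/01 11:15:35.456
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2f0a1c4e&0&_&0]
>>>  Section start 2021/01/03 09:02:10.001
<<<  Section end 2021/01/03 09:02:12.900
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2021/01/05 17:40:02.250
<<<  Section end 2021/01/05 17:40:03.000
<<<  [Exit status: SUCCESS]
"""

if __name__ == "__main__":
    for u in parse_setupapi(SAMPLE_LOG.splitlines()):
        print(u)
```

The log gives first installation only; later insertions of an already-installed device do not add a section, so last-connected times have to come from the registry (USBSTOR key last-write times and the device property values that hold them). The serial from this log is what you match against the MountPoints2 volume GUIDs in the user's NTUSER.DAT to show which account mounted the stick.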

- USBSTOR keys and device identification
- SetupAPI logs and installation timelines
- MountPoints2 and volume label correlations
- PnP device entries and connection history
- Correlating USB artifacts with user sessions
- Detecting suspicious removable media activity

Lesson 7: Recovering deleted and unallocated space. Carving techniques, file slack analysis, recovery tools, recovering deleted email attachments.

This module focuses on recovering evidence from deleted and unallocated space. Students will apply carving techniques, examine file slack, use recovery tools, and concentrate on recovering deleted email attachments related to data exfiltration.
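Header/footer carving, the basic technique this module introduces, as an added example that is not part of the course material or of any recovery tool: scan a raw image of unallocated space for known file headers, carve to the matching footer, and hash each object at carve time so the recovered file can be validated and documented. The signature table and the byte blob below are constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Header/footer pairs for the file types carved here (table constructed for the
# example; real casework extends it per file type of interest).
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 50 * 1024 * 1024  # give up on a header if no footer appears within 50 MiB


@dataclass
class Carved:
    kind: str
    offset: int       # byte offset inside the unallocated image
    length: int
    sha256: str       # taken at carve time so the recovered object can be re-verified
    data: bytes = field(repr=False)


def carve(blob: bytes, signatures=SIGNATURES, max_len: int = MAX_CARVE) -> List[Carved]:
    """Header/footer carving over a raw byte image. A header with no footer inside
    max_len is skipped rather than carved to the end of the image."""
    results = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while (start := blob.find(head, pos)) != -1:
            end = blob.find(tail, start + len(head), start + max_len)
            if end == -1:
                pos = start + 1          # orphan header: move on
                continue
            end += len(tail)
            data = blob[start:end]
            results.append(Carved(kind, start, len(data), hashlib.sha256(data).hexdigest(), data))
            pos = end                    # resume after the carved object
    results.sort(key=lambda c: c.offset)
    return results


# Constructed unallocated-space sample: a minimal JPEG-like and PNG-like object
# separated by zero fill, followed by an orphan JPEG header with no footer.
SAMPLE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 20 + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 13 + b"IEND\xae\x42\x60\x82"
SAMPLE_BLOB = (b"\x00" * 16 + SAMPLE_JPG + b"\x00" * 8 + SAMPLE_PNG
               + b"\x00" * 4 + b"\xff\xd8\xff\xe1TRUNC")

if __name__ == "__main__":
    for c in carve(SAMPLE_BLOB):
        print(f"{c.kind} @ {c.offset} len={c.length} sha256={c.sha256}")
```

Two limits matter in practice. Carving assumes the object is contiguous, so a fragmented file comes back corrupt, and a JPEG that embeds an EXIF thumbnail ends at the thumbnail's inner footer unless the carver understands the format. For the email attachments this module targets, the attachment normally sits base64-encoded inside a MIME part of the mail store, so the decoded signature never appears on disk: carve the MIME part (from its Content-Disposition header to the next boundary) and decode it, then validate the result by opening it with a parser for its type and record the hash.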

- Understanding deleted and unallocated space
- File carving methods and tool selection
- Analyzing file slack for residual content
- Using undelete tools safely and forensically
- Recovering deleted email attachments
- Validating and documenting recovered data

Lesson 8: Defining investigative objectives and hypotheses. Proving data exfiltration, establishing timelines, identifying user accounts and intent.

This module covers translating case questions into concrete investigative objectives, forming testable hypotheses, and mapping each hypothesis to the specific artifacts that can confirm or refute it. Students will plan how to prove or disprove data exfiltration, build timelines, and assess user intent in a defensible way.

- Turning case questions into forensic objectives
- Linking hypotheses to specific artifact sources
- Planning to prove or refute data exfiltration
- Designing methods to establish activity timelines
- Attributing actions to user accounts and devices
- Documenting assumptions, limits, and caveats