Lesson 1: Timeline construction: normalizing timestamps, correlating across sources, timeline tools (PLASO/Timesketch) and techniques

This section teaches the systematic construction of investigative timelines. Students will normalize timestamps, correlate events across sources, and use tools such as PLASO and Timesketch to build, query, and present timelines that support investigative conclusions.

Topics:
- Collecting timestamped artifacts safely
- Timezone handling and normalization rules
- Building super timelines with PLASO
- Visualizing and querying in Timesketch
- Correlating events across multiple sources
- Using timelines to test case hypotheses

Lesson 2: Windows-specific logs and artifacts: Event Logs (System, Security, Application), Windows Security Audit logs, Prefetch, LNK shortcut files, RecentDocs, UserAssist

This section examines Windows logs and supporting artifacts that reveal user and system activity. Students will analyze the Security, System, and Application logs, together with Prefetch, LNK, RecentDocs, and UserAssist, to reconstruct program execution and file access.

Topics:
- Key Windows Event Log channels and uses
- Security Audit events for logon and access
- Prefetch analysis for program execution
- LNK shortcuts and RecentDocs correlations
- UserAssist entries and GUI-based activity
- Cross-validating logs with file system data

Lesson 3: Application and browser artifacts: traces of webmail access (cookies, cached pages, saved passwords), browser history, form autofill, extensions, webmail headers

This section focuses on application and browser artifacts that reveal online behaviour. Students will analyze cookies, cache, saved passwords, history, autofill, extensions, and webmail headers to trace webmail access and possible data exfiltration.

Topics:
- Browser history and visit reconstruction
- Cookie and session artifact analysis
- Cached pages and offline web content
- Saved credentials and password stores
- Form autofill and input reconstruction
- Webmail headers and access indicators

Lesson 4: Network and VPN artifacts: VPN client logs, Windows Network logs, routing table, network captures (where available), DHCP, DNS cache

This section covers artifacts that reveal network and VPN usage. Students will examine VPN client logs, Windows Network logs, the routing table, network captures (where available), DHCP, and the DNS cache to identify remote access, exfiltration paths, and command channels.

Topics:
- VPN client logs and session timelines
- Windows firewall and networking logs
- DHCP leases and IP address attribution
- DNS cache and name resolution history
- Analyzing routing tables and tunnels
- Using packet captures when available

Lesson 5: File system and storage artifacts: NTFS structures (MFT, $LogFile, $UsnJrnl), file slack, alternate data streams, timestamps (MFT, $STANDARD_INFORMATION, $FILE_NAME)

This section examines file system and storage artifacts that are essential to investigations. Students will analyze NTFS structures, including the MFT, $LogFile, and $UsnJrnl, together with file slack and alternate data streams, to reconstruct file history and hidden activity.

Topics:
- Master File Table structure and entries
- $LogFile and transaction rollback analysis
- $UsnJrnl for change tracking over time
- Interpreting NTFS timestamp triads
- File slack and residual data inspection
- Alternate Data Streams and hidden content

Lesson 6: External media and USB usage artifacts: Windows USBSTOR, SetupAPI, the MountPoints2 registry key, PnP entries, artifacts showing device connection timestamps

This section examines Windows artifacts that record external media usage, focusing on USB devices. Students will analyze USBSTOR, SetupAPI, MountPoints2, and PnP data to identify devices, first and last use, and data transfer windows.

Topics:
- USBSTOR keys and device identification
- SetupAPI logs and installation timelines
- MountPoints2 and volume label correlations
- PnP device entries and connection history
- Correlating USB artifacts with user sessions
- Detecting suspicious removable media activity

Lesson 7: Recovering deleted and unallocated space: carving techniques, file slack analysis, recovery tools, recovering deleted email attachments

This section focuses on recovering evidence from deleted and unallocated space. Students will apply carving techniques, analyze file slack, use recovery tools, and concentrate on recovering deleted email attachments related to data exfiltration.

Topics:
- Understanding deleted and unallocated space
- File carving methods and tool selection
- Analyzing file slack for residual content
- Using undelete tools safely and forensically
- Recovering deleted email attachments
- Validating and documenting recovered data

Lesson 8: Defining investigative objectives and hypotheses: proving data exfiltration, establishing timelines, identifying user accounts and intent

This section covers translating case questions into concrete investigative objectives, forming testable hypotheses, and mapping them to specific artifacts. Students will plan how to prove data exfiltration, build timelines, and assess user intent in a defensible way.

Topics:
- Turning case questions into forensic objectives
- Linking hypotheses to specific artifact sources
- Planning to prove or refute data exfiltration
- Designing methods to establish activity timelines
- Attributing actions to user accounts and devices
- Documenting assumptions, limits, and caveats