Lesson 1: Timeline construction: normalizing timestamps, correlating across sources, timeline tools (PLASO/Timesketch) and techniques

This section teaches the systematic construction of investigative timelines. Students will normalize timestamps to a common reference, correlate events across sources, and use tools such as PLASO and Timesketch to build, query, and present timelines that support investigative conclusions.
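Worked example for this lesson (added here; it is not course material or PLASO code): the normalization rules a super timeline depends on, done by hand so the arithmetic is visible. FILETIME and Chrome/WebKit time share the 1601 epoch but differ in unit, Unix time is seconds since 1970, and a log written in host local time must be shifted by the offset recovered from the evidence. The sample events and the UTC+03:00 host offset are constructed assumptions.

```python
"""Normalize timestamps from several artifact sources to UTC and merge them into
one ordered timeline. Added example for this lesson, not course material; the
sample events are constructed, and the host offset is an assumption."""
from datetime import datetime, timedelta, timezone

# FILETIME (NTFS, registry, event logs) and Chrome/WebKit time both count from
# 1601-01-01 UTC; only the unit differs (100 ns vs 1 us).
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def webkit_to_utc(us: int) -> datetime:
    """Chrome/WebKit time: microseconds since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=us)


def unix_to_utc(seconds: float) -> datetime:
    """Unix epoch seconds, as in syslog from a Linux file server."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def local_to_utc(text: str, utc_offset_hours: float) -> datetime:
    """Naive 'YYYY-MM-DD HH:MM:SS' written in the evidence host's local time.
    The offset must come from the evidence (e.g. the host's TimeZoneInformation
    registry key as of the event), never from the analyst's workstation."""
    naive = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    local = naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc)


# Assumed host time zone for the constructed case: UTC+03:00.
HOST_UTC_OFFSET = 3

# Constructed sample: one event per source, each in its native encoding.
SAMPLE_EVENTS = [
    ("MFT $SI modified", "filetime", 133545437400000000),   # 2024-03-10 11:29:00Z
    ("Chrome visit", "webkit", 13354543860000000),         # 2024-03-10 11:31:00Z
    ("VPN client log", "local", "2024-03-10 14:30:00"),    # local +03:00 -> 11:30:00Z
    ("File server syslog", "unix", 1710070320.0),          # 2024-03-10 11:32:00Z
]

CONVERTERS = {
    "filetime": filetime_to_utc,
    "webkit": webkit_to_utc,
    "unix": unix_to_utc,
    "local": lambda v: local_to_utc(v, HOST_UTC_OFFSET),
}


def build_timeline(events=SAMPLE_EVENTS) -> list[tuple[str, str]]:
    """Return (ISO-8601 UTC, source) pairs, oldest first."""
    rows = [(CONVERTERS[kind](value), source) for source, kind, value in events]
    rows.sort(key=lambda r: r[0])
    return [(ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ"), source) for ts, source in rows]


if __name__ == "__main__":
    for ts, source in build_timeline():
        print(ts, source)
```

Every converted value carries an explicit UTC tzinfo, so a naive value reaching the sort is a bug rather than a silent mis-ordering. The same rules are what PLASO applies when it parses each artifact type; knowing them is what lets you check its output against the raw record.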
Topics:
- Collecting timestamped artifacts safely
- Time zone handling and normalization rules
- Building super timelines with PLASO
- Visualizing and querying in Timesketch
- Correlating events across multiple sources
- Using timelines to test case hypotheses

Lesson 2: Windows-specific logs and artifacts: Event Logs (System, Security, Application), Windows Security Audit logs, Prefetch, LNK shortcut files, RecentDocs, UserAssist

This section examines the Windows logs and artifacts that reveal user and system activity. Students will examine the Security, System, and Application event logs, together with Prefetch, LNK files, RecentDocs, and UserAssist, to reconstruct program execution and file access.
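Worked example for this lesson (added here; not course material): decoding a UserAssist value, which records GUI-launched programs per user. The value name is the program path ROT13-encoded, and the binary data carries the run count and last-run FILETIME. The value below is constructed to the documented 72-byte Windows 7+ layout, with the 16-byte XP layout handled for contrast; nothing is read from a live hive.

```python
"""Decode a UserAssist registry value: ROT13 program name plus binary run
statistics. Added example, not course material. The value below is constructed to
the documented Windows 7+ 72-byte layout (the XP 16-byte layout is also handled);
nothing is read from a live hive."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
# {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} holds executables,
# {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} holds shortcuts.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_userassist(value_name: str, data: bytes) -> dict:
    program = codecs.decode(value_name, "rot_13")   # Windows stores the path ROT13-encoded
    if len(data) == 72:
        # Win7+: 0 session, 4 run count, 8 focus count, 12 focus time (ms),
        # 16..55 ten floats (usage stats), 56 unknown, 60 last-run FILETIME, 68 zero.
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
        (last_ft,) = struct.unpack_from("<Q", data, 60)
    elif len(data) == 16:
        # XP/2003: 0 session, 4 run counter (starts at 5), 8 last-run FILETIME.
        _session, raw_count, last_ft = struct.unpack("<IIQ", data)
        run_count, focus_count, focus_ms = max(raw_count - 5, 0), None, None
    else:
        raise ValueError(f"unexpected UserAssist value length {len(data)}")
    return {
        "program": program,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "last_run_utc": filetime_to_utc(last_ft).isoformat() if last_ft else None,
    }


# Constructed sample. The GUID is the Program Files (x86) known-folder id, which
# is how UserAssist abbreviates paths; the path and run data are invented.
SAMPLE_NAME = codecs.encode(r"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WinRAR\WinRAR.exe", "rot_13")
LAST_RUN_FT = 133545437400000000   # 2024-03-10T11:29:00Z
SAMPLE_DATA = (
    struct.pack("<4I", 0, 7, 3, 120_000)
    + struct.pack("<10f", *([0.0] * 10))
    + b"\x00" * 4
    + struct.pack("<Q", LAST_RUN_FT)
    + b"\x00" * 4
)

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_NAME, SAMPLE_DATA))
```

A run count with a null FILETIME is normal for entries migrated from an older profile; treat it as "executed, time unknown" rather than discarding it. Cross-check the last-run time against Prefetch for the same executable before relying on it.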
Topics:
- Key Windows Event Log channels and their uses
- Security Audit events for logon and access
- Prefetch analysis for program execution
- LNK shortcuts and RecentDocs correlations
- UserAssist entries and GUI-based activity
- Cross-validating logs with file system data

Lesson 3: Application and browser artifacts: traces of webmail access (cookies, cached pages, saved credentials), browser history, form autofill, extensions, webmail headers

This section focuses on application and browser artifacts that reveal a user's online behaviour. Students will examine cookies, cache, saved credentials, history, autofill data, extensions, and webmail headers to trace webmail access and possible data exfiltration.
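Worked example for this lesson (added here; not course material): reconstructing webmail visits from a Chromium History database. The example builds an in-memory SQLite database with a reduced copy of the urls/visits schema and constructed rows, then walks the visits table rather than urls.last_visit_time, which keeps only the latest visit per URL. The webmail host list is an assumption for the constructed case.

```python
"""Query a Chromium History database for webmail visits and convert WebKit
timestamps to UTC. Added example, not course material. The database is built in
memory with a reduced copy of Chromium's urls/visits schema and constructed rows;
on a real case, copy History (and any History-journal) out of the image and open
the copy read-only."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed webmail hosts of interest for this case (constructed list).
WEBMAIL_HOSTS = {"mail.google.com", "outlook.live.com", "mail.yahoo.com"}


def webkit_to_utc(us: int) -> datetime:
    """Chromium stores times as microseconds since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=us)


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a Chromium History file (columns reduced)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
                            visit_time INTEGER, from_visit INTEGER, transition INTEGER);
    """)
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://mail.google.com/mail/u/0/#inbox", "Inbox", 2, 13354543860000000),
        (2, "https://mail.google.com/mail/u/0/#sent", "Sent Mail", 1, 13354543920000000),
        (3, "https://www.example.com/", "Example Domain", 1, 13354543800000000),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, 13354543740000000, 0, 0),   # inbox, 2024-03-10 11:29:00Z
        (2, 3, 13354543800000000, 0, 0),   # example.com, 11:30:00Z
        (3, 1, 13354543860000000, 1, 0),   # inbox again, 11:31:00Z
        (4, 2, 13354543920000000, 3, 0),   # sent folder, 11:32:00Z
    ])
    return con


def webmail_visits(con: sqlite3.Connection, hosts=WEBMAIL_HOSTS) -> list[tuple[str, str, str]]:
    """(UTC ISO time, url, title) for every visit to a webmail host, oldest first.
    Walk visits: urls.last_visit_time keeps only the latest visit per URL and
    visit_count is a total, so neither places individual visits in time."""
    rows = con.execute("""
        SELECT v.visit_time, u.url, u.title
        FROM visits AS v JOIN urls AS u ON v.url = u.id
        ORDER BY v.visit_time
    """).fetchall()
    return [(webkit_to_utc(t).strftime("%Y-%m-%dT%H:%M:%SZ"), url, title)
            for t, url, title in rows if (urlparse(url).hostname or "") in hosts]


if __name__ == "__main__":
    for row in webmail_visits(build_sample_history()):
        print(*row)
```

The visits.from_visit chain (visit 3 came from visit 1, visit 4 from visit 3) is what lets you show navigation into the Sent folder rather than an isolated hit, which matters when the hypothesis is that mail was sent out of the organisation.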
Topics:
- Browser history and visit reconstruction
- Cookie and session artifact analysis
- Cached pages and offline web content
- Saved credentials and password stores
- Form autofill and input reconstruction
- Webmail headers and access indicators

Lesson 4: Network and VPN artifacts: VPN client logs, Windows Networking logs, routing tables, network captures (where available), DHCP, DNS cache

This section covers artifacts that reveal network and VPN usage. Students will examine VPN client logs, Windows networking logs, routing data, DHCP, the DNS cache, and packet captures to identify remote access, exfiltration paths, and command channels.
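Worked example for this lesson (added here; not course material): attributing an IP address seen in another log to a host and MAC address using a Windows DHCP server audit log. The excerpt is constructed, its columns are a prefix of the real DhcpSrvLog format, and the server's UTC+03:00 offset is an assumption; the point is that an address maps to a different machine depending on when it was observed.

```python
"""Attribute an IP address observed at a given time to a host and MAC using a
Windows DHCP server audit log (DhcpSrvLog-*.log). Added example, not course
material; the log excerpt is constructed and its columns are a prefix of the real
format. The server's time zone is an assumption stated below."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumption: the DHCP server writes its audit log in local time, here UTC+03:00.
SERVER_UTC_OFFSET = timedelta(hours=3)

# Event IDs from the log's own legend: 10 Assign, 11 Renew, 12 Release,
# 16 Deleted, 17 Expired.
LEASE_START = {"10", "11"}
LEASE_END = {"12", "16", "17"}
LEASE_EVENTS = LEASE_START | LEASE_END

# Constructed excerpt; real files begin with the same kind of legend preamble.
SAMPLE_LOG = """\
        Microsoft DHCP Service Activity Log

Event ID  Meaning
10      A new IP address was leased to a client.
11      A lease was renewed by a client.
12      A lease was released by a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult
10,03/10/24,14:02:11,Assign,10.0.20.58,PRINTER-2F,A4BB6D7710C0,,1234560,0
10,03/10/24,14:15:02,Assign,10.0.20.57,LAPTOP-7H2K,00155D0A3F21,,1234567,0
11,03/10/24,14:40:10,Renew,10.0.20.57,LAPTOP-7H2K,00155D0A3F21,,1234570,0
12,03/10/24,15:05:33,Release,10.0.20.57,LAPTOP-7H2K,00155D0A3F21,,1234575,0
10,03/10/24,15:20:47,Assign,10.0.20.57,DESKTOP-ACCT03,3C970E11B2A9,,1234580,0
"""


def parse_leases(text: str, offset: timedelta = SERVER_UTC_OFFSET) -> list[tuple]:
    """Return (ip, start_utc, end_utc_or_None, host, mac) intervals."""
    lines = text.splitlines()
    header = next(i for i, line in enumerate(lines) if line.startswith("ID,Date,Time"))
    events = []
    for row in csv.DictReader(io.StringIO("\n".join(lines[header:]))):
        if row["ID"] not in LEASE_EVENTS:
            continue
        local = datetime.strptime(f'{row["Date"]} {row["Time"]}', "%m/%d/%y %H:%M:%S")
        events.append(((local - offset).replace(tzinfo=timezone.utc), row))
    events.sort(key=lambda e: e[0])

    open_leases, leases = {}, []
    for ts, row in events:
        ip, host, mac = row["IP Address"], row["Host Name"], row["MAC Address"]
        current = open_leases.get(ip)
        if row["ID"] in LEASE_START:
            if current and current[2] == mac:
                continue                       # renewal by the same client
            if current:                        # new holder, no release logged
                leases.append((ip, current[0], ts, current[1], current[2]))
            open_leases[ip] = (ts, host, mac)
        elif current:
            leases.append((ip, current[0], ts, current[1], current[2]))
            del open_leases[ip]
    for ip, (start, host, mac) in open_leases.items():
        leases.append((ip, start, None, host, mac))   # still held at end of log
    return leases


def attribute(ip: str, when_utc: datetime, leases: list[tuple]):
    """Host and MAC holding `ip` at `when_utc`, or None if no lease covers it."""
    for lease_ip, start, end, host, mac in leases:
        if lease_ip == ip and start <= when_utc and (end is None or when_utc < end):
            return host, mac
    return None


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LOG)
    print(attribute("10.0.20.57", datetime(2024, 3, 10, 11, 30, tzinfo=timezone.utc), leases))
```

A query that falls in the gap between a release and the next assignment correctly returns None; the temptation to attribute it to the nearest lease is how an investigation ends up naming the wrong machine. MAC addresses can be spoofed, so the attribution is to the NIC that asked, not to a person.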
Topics:
- VPN client logs and session timelines
- Windows Firewall and networking logs
- DHCP leases and IP address attribution
- DNS cache and name resolution history
- Analyzing routing tables and tunnels
- Using packet captures when available

Lesson 5: File system and storage artifacts: NTFS structures (MFT, $LogFile, $UsnJrnl), file slack, alternate data streams, timestamps (MFT, $STANDARD_INFORMATION, $FILE_NAME)

This section examines the file system and storage artifacts that matter to an investigation. Students will examine NTFS structures, including the MFT, $LogFile, and $UsnJrnl, together with file slack and alternate data streams, to reconstruct file history and concealed activity.
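Worked example for this lesson (added here; not course material): parsing the four MACB timestamps out of an MFT entry's $STANDARD_INFORMATION and $FILE_NAME attribute bodies and comparing them. $STANDARD_INFORMATION is what Explorer shows and what SetFileTime() can rewrite; $FILE_NAME is maintained by the file system, so a $SI creation time that precedes the $FN creation time, or one with a zero sub-second component, points at timestomping. The attribute bodies are constructed with struct.pack, not read from an image.

```python
"""Parse MACB timestamps from NTFS $STANDARD_INFORMATION and $FILE_NAME attribute
bodies and flag timestomping indicators. Added example, not course material; the
attribute bodies are constructed with struct.pack rather than read from an image."""
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000   # FILETIME is in 100 ns units


def filetime_to_utc(ft: int) -> datetime:
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_standard_information(body: bytes) -> dict:
    """$STANDARD_INFORMATION (type 0x10): created, modified, MFT-modified,
    accessed FILETIMEs at offsets 0, 8, 16, 24. Settable via SetFileTime()."""
    c, m, e, a = struct.unpack_from("<4Q", body, 0)
    return {"created": c, "modified": m, "mft_modified": e, "accessed": a}


def parse_file_name(body: bytes) -> dict:
    """$FILE_NAME (type 0x30): parent MFT reference (0), the same four FILETIMEs
    (8..39), allocated size (40), real size (48), flags (56), reparse (60),
    name length in characters (64), namespace (65), UTF-16LE name (66)."""
    c, m, e, a = struct.unpack_from("<4Q", body, 8)
    name_len = body[64]
    name = body[66:66 + 2 * name_len].decode("utf-16-le")
    return {"created": c, "modified": m, "mft_modified": e, "accessed": a, "name": name}


def timestomp_indicators(si: dict, fn: dict) -> list[str]:
    """Heuristics only: $FN times are rewritten on rename/move, so each hit is an
    indicator to corroborate with $UsnJrnl/$LogFile, not proof."""
    flags = []
    if si["created"] < fn["created"]:
        flags.append("$SI created earlier than $FN created")
    if si["created"] % TICKS_PER_SECOND == 0 or si["modified"] % TICKS_PER_SECOND == 0:
        flags.append("$SI created/modified has zero sub-second part")
    return flags


# Constructed sample entry for a file whose $SI times were backdated to 2020.
NAME = "quarterly_forecast.xlsx"
FN_CREATED = 133545437401234567      # 2024-03-10T11:29:00.1234567Z, set by NTFS
REAL_MODIFIED = 133545438607654321   # 2024-03-10T11:31:00.7654321Z
STOMPED = 132223104000000000         # 2020-01-01T00:00:00.0000000Z, whole second
SAMPLE_SI = struct.pack("<4Q", STOMPED, STOMPED, REAL_MODIFIED, REAL_MODIFIED) + b"\x00" * 40
SAMPLE_FN = (
    struct.pack("<Q", 5 | (1 << 48))                     # parent: MFT entry 5 (root), seq 1
    + struct.pack("<4Q", FN_CREATED, REAL_MODIFIED, REAL_MODIFIED, FN_CREATED)
    + struct.pack("<QQ", 16384, 14210)                   # allocated, real size
    + struct.pack("<II", 0x20, 0)                        # FILE_ATTRIBUTE_ARCHIVE, no reparse
    + bytes([len(NAME), 1])                              # name length, Win32 namespace
    + NAME.encode("utf-16-le")
)

if __name__ == "__main__":
    si, fn = parse_standard_information(SAMPLE_SI), parse_file_name(SAMPLE_FN)
    print(fn["name"], filetime_to_utc(si["created"]), filetime_to_utc(fn["created"]))
    print(timestomp_indicators(si, fn))
```

Note that "modified earlier than created" is deliberately not flagged: it is the normal signature of a copied file (creation is the copy time, modification carries over), and flagging it produces noise. The $SI MFT-modified time, which SetFileTime() cannot set, is the third value worth comparing.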
Topics:
- Master File Table structure and entries
- $LogFile and transaction rollback analysis
- $UsnJrnl for change tracking over time
- Interpreting NTFS timestamps ($STANDARD_INFORMATION vs. $FILE_NAME MACB sets)
- File slack and residual data inspection
- Alternate Data Streams and hidden content

Lesson 6: External media and USB usage artifacts: Windows USBSTOR, SetupAPI, the MountPoints2 registry key, PnP entries, artifacts that record device connection timestamps

This section examines the Windows artifacts that record the use of external media, with a focus on USB devices. Students will examine USBSTOR, SetupAPI, MountPoints2, and PnP data to identify devices, their first and last use, and data transfer windows.
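Worked example for this lesson (added here; not course material): tying three USB artifacts together. The setupapi.dev.log "Device Install" section gives the first connection time, the USBSTOR instance path gives vendor, product and serial (and whether the serial is real or Windows-generated), and MountedDevices plus each user's MountPoints2 say which profile mounted the volume. All three excerpts are constructed.

```python
"""Reconstruct USB mass-storage history from three Windows artifacts: the
setupapi.dev.log 'Device Install' section (first connection time), the USBSTOR
instance path (vendor, product, serial), and MountedDevices plus per-user
MountPoints2 (which profile mounted the volume). Added example, not course
material; all artifact excerpts below are constructed."""
import re
from datetime import datetime

# Constructed excerpt of C:\Windows\INF\setupapi.dev.log. Times are host local
# time with no zone recorded, so they need the host's zone before correlation.
SAMPLE_SETUPAPI = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2024/03/10 14:12:41.553
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s DeviceInstall
<<<  Section end 2024/03/10 14:12:43.120
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&2a3f1c9&0]
>>>  Section start 2024/03/11 09:03:07.002
<<<  Section end 2024/03/11 09:03:08.770
<<<  [Exit status: SUCCESS]
"""

# Constructed HKLM\SYSTEM\MountedDevices (value data already decoded from UTF-16LE)
# and the {GUID} subkeys under each user's NTUSER.DAT ...\Explorer\MountPoints2.
SAMPLE_MOUNTED_DEVICES = {
    "\\??\\Volume{a1b2c3d4-0000-4000-8000-00155d0a3f21}":
        "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
    "\\??\\Volume{b2c3d4e5-0000-4000-8000-00155d0a3f22}":
        "_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#7&2a3f1c9&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
}
SAMPLE_MOUNTPOINTS2 = {
    "jdoe": ["{a1b2c3d4-0000-4000-8000-00155d0a3f21}"],
    "svc_backup": [],
}

SECTION_RE = re.compile(
    r"^>>>\s+\[Device Install \(Hardware initiated\) - (USBSTOR\\[^\]\n]+)\]\s*\n"
    r">>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})",
    re.M,
)


def parse_usbstor_id(device_id: str) -> dict:
    """'USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\SERIAL&0' -> fields. A serial whose second
    character is '&' was generated by Windows because the device reported none,
    so it cannot identify one physical device across hosts."""
    _enum, hwid, instance = device_id.split("\\", 2)
    parts = hwid.split("&")
    fields = dict(p.split("_", 1) for p in parts[1:] if "_" in p)
    serial = instance.rsplit("&", 1)[0]        # drop the trailing "&0" interface index
    return {
        "device_type": parts[0],
        "vendor": fields.get("Ven", ""),
        "product": fields.get("Prod", ""),
        "revision": fields.get("Rev", ""),
        "serial": serial,
        "serial_windows_generated": len(serial) > 1 and serial[1] == "&",
    }


def users_who_mounted(serial: str, mounted_devices: dict, mountpoints2: dict) -> list[str]:
    """Serial -> volume GUID(s) via MountedDevices -> user profiles via MountPoints2."""
    guids = {k[k.index("{"):] for k, v in mounted_devices.items()
             if v.startswith("_??_USBSTOR#") and f"#{serial}&" in v}
    return sorted(user for user, keys in mountpoints2.items() if guids & set(keys))


def usb_report(setupapi_text=SAMPLE_SETUPAPI, mounted=SAMPLE_MOUNTED_DEVICES,
               mountpoints2=SAMPLE_MOUNTPOINTS2) -> list[dict]:
    """One record per USBSTOR install section, in log order. setupapi records only
    the first install; last arrival/removal live in the device's registry
    Properties\\{83da6326-97a6-4088-9453-a1923f573b29} values 0066/0067 (Win8+)."""
    report = []
    for m in SECTION_RE.finditer(setupapi_text):
        dev = parse_usbstor_id(m.group(1))
        dev["first_install_local"] = datetime.strptime(
            m.group(2), "%Y/%m/%d %H:%M:%S.%f").isoformat()
        dev["mounted_by"] = users_who_mounted(dev["serial"], mounted, mountpoints2)
        report.append(dev)
    return report


if __name__ == "__main__":
    for dev in usb_report():
        print(dev)
```

The second device shows the two caveats a report must carry: its serial is Windows-generated, so the same stick will get a different id on another machine, and no user profile has a MountPoints2 entry for its volume, so the connection is attributable to the host but not to a logged-on user from these artifacts alone.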
Topics:
- USBSTOR keys and device identification
- SetupAPI logs and installation timelines
- MountPoints2 and volume label correlations
- PnP device entries and connection history
- Correlating USB artifacts with user sessions
- Detecting suspicious removable media activity

Lesson 7: Recovery from deleted and unallocated space: carving techniques, file slack analysis, recovery tools, recovering deleted email attachments

This section focuses on recovering evidence from deleted and unallocated space. Students will apply carving techniques, analyze file slack, use recovery tools, and concentrate on recovering deleted email attachments connected to data exfiltration.
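Worked example for this lesson (added here; not course material): header/footer carving over a blob standing in for unallocated space, plus a second pass that recovers a base64 MIME attachment from message residue, which is how a deleted email attachment usually survives. The blob, signature table and the attachment bytes are constructed; each recovered object is hashed so it can be documented and validated.

```python
"""Header/footer carving over a blob of 'unallocated space', plus recovery of a
base64 MIME attachment from mail residue. Added example, not course material;
the blob and the attachment bytes are constructed inline."""
import base64
import hashlib
import re

# (header, footer, maximum carve length). Constructed minimal signature table.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
}

ATTACHMENT_BYTES = b"PK\x03\x04" + b"constructed payload standing in for an .xlsx attachment " * 3
MIME_PART = (
    b"--=_Part_42_1710070200\r\n"
    b"Content-Type: application/octet-stream; name=\"forecast.xlsx\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=\"forecast.xlsx\"\r\n"
    b"\r\n"
    + base64.encodebytes(ATTACHMENT_BYTES).replace(b"\n", b"\r\n")
    + b"--=_Part_42_1710070200--\r\n"
)
SAMPLE_UNALLOCATED = (
    b"\x00" * 17
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x13\x37" * 24 + b"\xff\xd9"   # tiny JPEG
    + b"\xde\xad" * 9
    + MIME_PART
    + b"\x00" * 5
    + b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    + b"\x00" * 11
)


def _record(kind: str, offset: int, data: bytes, name=None) -> dict:
    return {"type": kind, "offset": offset, "size": len(data), "name": name,
            "sha256": hashlib.sha256(data).hexdigest(), "data": data}


def carve_by_signature(blob: bytes, signatures=SIGNATURES) -> list[dict]:
    """Contiguous header/footer carving. A header with no footer inside max_len
    is skipped: the file may be fragmented, which needs a format-aware carver.
    PDFs with incremental updates have several %%EOF markers; the first is taken."""
    found = []
    for ext, (header, footer, max_len) in signatures.items():
        pos = 0
        while (start := blob.find(header, pos)) != -1:
            window = blob[start:start + max_len]
            end = window.find(footer, len(header))
            if end == -1:
                pos = start + len(header)
                continue
            data = window[:end + len(footer)]
            found.append(_record(ext, start, data))
            pos = start + len(data)
    return found


_DISPOSITION_RE = re.compile(rb"Content-Disposition:\s*attachment;[^\r\n]*?filename=\"?([^\"\r\n;]+)", re.I)
_BLANK_LINE_RE = re.compile(rb"\r?\n\r?\n")
_BASE64_BODY_RE = re.compile(rb"[A-Za-z0-9+/=\r\n]+")


def carve_mime_attachments(blob: bytes) -> list[dict]:
    """Recover base64 attachments from MIME residue: locate the attachment header,
    confirm base64 transfer encoding in the same header block, decode the body
    that runs up to the next boundary line (which starts with '--')."""
    found = []
    for m in _DISPOSITION_RE.finditer(blob):
        blank = _BLANK_LINE_RE.search(blob, m.end())
        if not blank:
            continue
        block_start = max(blob.rfind(b"\n\n", 0, m.start()), blob.rfind(b"\r\n\r\n", 0, m.start()), 0)
        headers = blob[block_start:blank.start()].lower()
        if not re.search(rb"content-transfer-encoding:\s*base64", headers):
            continue
        body = _BASE64_BODY_RE.match(blob, blank.end())
        try:
            data = base64.b64decode(re.sub(rb"\s+", b"", body.group()), validate=True)
        except (ValueError, AttributeError):
            continue   # truncated or corrupted body: record as partial in a real tool
        found.append(_record("mime-attachment", m.start(), data, m.group(1).decode("ascii", "replace")))
    return found


def carve_all(blob: bytes = SAMPLE_UNALLOCATED) -> list[dict]:
    return sorted(carve_by_signature(blob) + carve_mime_attachments(blob), key=lambda r: r["offset"])


if __name__ == "__main__":
    for r in carve_all():
        print(r["type"], r["offset"], r["size"], r["name"], r["sha256"])
```

The SHA-256 of each carved object is what goes in the report next to the offset it was carved from, so a second examiner can reproduce the recovery and confirm the bytes. A recovered attachment proves that the bytes once existed in a message on the disk; which message, and whether it was sent, still has to come from the mail client's database or the server.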
Topics:
- Understanding deleted and unallocated space
- File carving methods and tool selection
- Analyzing file slack for residual content
- Using undelete tools safely and forensically
- Recovering deleted email attachments
- Validating and documenting recovered data

Lesson 8: Defining investigation objectives and hypotheses: proving exfiltration, establishing the timeline, identifying user accounts and intent

This section covers translating case questions into concrete investigative objectives, forming testable hypotheses, and mapping each hypothesis to the specific artifacts that can confirm or refute it. Students will plan how to prove or disprove exfiltration, build the timeline, and assess user intent in a way that can be defended.
Topics:
- Turning case questions into forensic objectives
- Linking hypotheses to specific artifact sources
- Planning to prove or refute data exfiltration
- Designing methods to establish activity timelines
- Attributing actions to user accounts and devices
- Documenting assumptions, limits, and caveats