In January I was able to attend the SANS FOR408: Computer Forensic Investigations – Windows In-Depth course. When choosing what course to take, it would be easy to focus on the fact that this is a “400 level” course and assume it’s a beginner class. What shouldn’t be overlooked is the “Windows In-Depth” part of the course title. SANS absolutely delivers on the “in-depth” part.
The course is six days of wholesome forensic goodness with five days of instruction and a day six “forensic challenge” where you examine an image from a case and compile a report of what happened. The course also comes with a hardware write blocker for every student, which you get to keep. That’s one heck of a freebie.
Rather than just spending a few minutes giving an overview of what a particular type of Windows artifact does, the 408 course covers each artifact in detail, explains the differences across various Windows platforms and has labs throughout the course where the students get a hands-on feel for examining a disk image.
What makes the 408 course really special isn’t just the detail in which the various artifacts and registry values are covered, but the methodology provided.
At the start of the course the students are given a disk image from what appears to be an intellectual property case. You examine the first set of artifacts that you learn about to start assembling a timeline of what activity occurred, when it occurred and what artifact demonstrates that it occurred. Throughout the rest of the week you use each of the artifacts, registry settings, etc. that you learn about to add details to your timeline. By the end of the week you have a detailed step-by-step overview of what happened down to the second. There are usually multiple artifacts which prove that an action occurred and you actually know what they all mean.
The SANS course provides other bonuses throughout the courseware, including checklists of step-by-step things an examiner could look at when examining a specific category of artifacts.
Overall, I was extremely pleased with the course. Not only are the students taught forensic concepts, how to use popular forensic tools (commercial and free), etc., but they’re also given a fantastic methodology and given the knowledge to perform a “deep dive” by digging into the artifacts to truly understand what occurred on a system.