e-headers */(function () { var touchTest = "ontouchstart" in window || navigator.msMaxTouchPoints; if (!touchTest) { with (document.documentElement) { className = className.replace(new RegExp("touch-styles"), "") } } })()

Embracing DFIR w/ SANS FOR408

FOR408: Windows Forensic Analysis

Continuing education and furthering one's toolset in their profession is a critical part of anyone's life. An information security (infosec) consultant many times has to be agile in more than one vertical of one's industry, hence why I am embracing Digital Forensics. I took the whole digital forensics course in school, but as my undergrads out there I am sure echo that a single college course does NOT prepare for work. In college, it is about principles, comprehension, and understanding of a concept and not in depth "actions on" with the tools, procedures, and industry best practices. Another inevitability of an infosec consultant is certifications. When you marry the two together, I guarantee you run into the word SANS somewhere in that conversation. This reason is why the Windows Forensic Analysis is just right for me to take. It is their introductory course to Digital Forensic & Incident Response arm of their institute. This post is by no means a commercial for SANS because SANS is not paying me a dollar, just talking about my experience of the course and general information about the course.

What To Expect

Currently, the Windows Forensic Analysis is a 6-Day course covering the windows operating system spanning from Windows XP to the most recent Windows 10. The course gives you a view of the operating system that most won't see. It educates you on what's happening behind the scenes along with the tools, tactics, and procedures veterans in the field are using to accomplish a task.

Day 1: Windows Digital Forensics and Advanced Data Triage
Day 2: Windows Registry Forensics and Analysis
Day 3: USB Devices, Shell Items, & Key Word Searching
Day 4: Email, Key Additional Artifacts, and Event Logs
Day 5: Browser Forensics: Firefox, Internet Explorer & Chrome
Day 6: Windows Forensic Challenge

FOR408 Day1

How The Course Begins

The first day you cover the basics of forensics in the aspect of capturing images. The unique aspect of day one that they cover is the concept of utilizing the triage. If you know anything about forensics and how it is usually done you take a full disk image of the box. When time is of the essence, you can make a triage image grabbing specific pieces of the entire machine to do the analysis to answer questions that need answering quickly. Afterward, for due diligence, do the full disk image. "It is a method."

How The Course Ends

This ends when you put it all in action. There is a  challenge that is a great reinforcer of the material throughout the course. You team up with your peers in the class and work a forensics case. You receive an image, a situation, and you FORENSICATE. At the end of the time allotted, you present your findings of the evidence you discovered to your peers and they vote on the best presentation of the facts.

What I liked MOST About The Course

There are exercises throughout the courses that reiterate what was explained and taught in a section. I enjoyed that you learn the manual workings of analyzing artifacts, where their location is, and the relevant areas to them. After doing that then they would reveal the tool that does a lot of the heavy lifting for you. There are so many organizations, courses, and workshops that just tell you to run the tool, and the magic happens, and you do not know what it is doing. When you operate that way, you really can't explain to an audience what happened and how the data comes to be.

What To Keep In Mind When Taking This Course

There is much information to acquire and only five days to do it in. Day 6, while you have assistance, you are basically, performing. There were many people in the course that you can tell were at that saturation point when their brain was about to explode of forensic artifacts that fly by section after section. The other perpendicular aspect to watch for is to make sure you are clear from distractions during the course. If you lose focus on the material, you might miss an incredibly important piece that could set you back about 30 minutes to an hour on an issue that you could have solved by just one click in an interface.


Digital Forensics and Incident Response is a critical piece that organizations should prepare for and at Rendition InfoSec it is a cornerstone of what we do. Excellent course to take and it can prepare you for the next week going out and applying the procedures to real forensic and incident response cases. Before you know it you will be among the other DFIR professionals in the community contributing back to others that want to learn about forensics in the future. Just remember there is more than one way to get to a conclusion and this course might not be right for everyone, but there are many shadow copies out there that you can get something out of. ;-)

If you decide that you are interested in taking this course more information can be found here.