This course is an expert-level four-day training course, designed for participants who are somewhat familiar with the principles of digital forensics and who are seeking to expand their knowledge base on advanced forensics and leverage Magnet AXIOM, Magnet RAM Capture, and third-party tools to improve their computer investigations.
Magnet AXIOM Advanced Computer Forensics (AX250) will give participants the knowledge and skills they need to track computer access and file usage, utilizing Magnet AXIOM to explore the evidence in greater depth by learning about the newest sign-on technologies — such as pin password, Windows Hello, picture password, fingerprint recognition, and facial recognition.
In this course, a deeper understanding of investigating Windows computers will be provided by searching through artifacts like Windows Notification, Windows System Resource Utilization, Windows Error Reporting (WER) Logs, Event Logs (EVT), Event Tracing Logs (ETL), as well as a breakdown of the taskbar and whether an artifact was system pinned or user pinned to it.
Also, there will be time spent investigating EMDMgmt to dig deep into tracking drives attached to the Windows OS that may leave traces nowhere else. AppCompatFlags and AMCACHE will also be investigated to determine executable files which were previously executed on the system, but no longer exist.
Tracking file and folder location on profiles based on information recovered from Shellbags. Maximizing the data from Prefetch files, Jumplists, and Recent Docs to correlate the data recovered from the previously discovered artifacts. This course also takes a look at collecting RAM images and parsing those images for actionable intelligence in support of the investigation. Participants of this course will be utilizing Passware and the AXIOM Wordlist Generator to crack iTunes backups and Windows passwords from information in the image of the suspect hard disk drive including the most up to date versions of that software. Finally, participants of this course will investigate Google Drive, Modern Apps (Windows Store Apps), UsnJrnl and an in-depth look at File history and the extensible Database files tracking it.
Because AX250 is an expert-level course, it is recommended that students first complete Magnet AXIOM Examinations (AX200). AX200 will provide a thorough understanding of AXIOM that will help students focus on the mobile part of investigations in AX250. Click here to find out more about AX200
Training Class Schedule
|Classroom Instructor-Led||Anaheim, CA||Dec 4-7|
|Virtual Instructor-Led||Online||Jan 29 – Feb 1|
|Classroom Instructor-Led||Herndon, VA||Feb 12-15|
|Virtual Instructor-Led||Online||Mar 5-8|
|Classroom Instructor-Led||San Diego, CA||March 7-10|
|Classroom Instructor-Led||Nashville, TN (Part of Magnet User Summit)||Mar 29-Apr 1|
|Classroom Instructor-Led||Herndon, VA||April 23-26|
|Virtual Instructor-Led||Online||Apr 30-May 3|
|Classroom Instructor-Led||Princes Risborough, UK||Apr 30-May 3|
|Classroom Instructor-Led||Anaheim, CA||June 11-14|
|Classroom Instructor-Led||Cary, NC||August 27-30|
AXIOM ADVANCED COMPUTER EXAMINATIONS (AX250) MODULES
Module 1: Windows 10 Overview
In addition to an overview of the course scenario, participants will gain an understanding of why Microsoft stated Windows 10 is the last Windows version they will ever release and the impact that is having and will continue to have on the forensic community. This module will also explore the new Windows sign-in technologies, such as pin password, Windows Hello, picture password, fingerprint recognition, and facial recognition and how those technologies affect investigations. We’ll also cover being able to report on the System Resource Utilization database for applications sending and receiving data via the internet — we’ll see how much data was sent and received, which could be paramount to proving (or disproving) an alibi. Also, we’ll be tracking the current Windows build number of the system being examined, which will ensure the examiner is reporting the correct facts, as some facts change based on the Windows build number currently installed.
Module 2: EMDMgmt and Volume Serial numbers
This module will focus on utilizing not so well-known registry locations to track serial numbers of volumes being accessed by the Windows Operating System. What files on those volumes were accessed via our suspect and corroborating this information via event logs. Using the power of AXIOM’s filtering and searching, participants will conduct exercises to reinforce the learning objectives by utilizing all of these artifacts to tell a story on the files accessed by a user on a specific drive, and the fact that the drive was accessed by that computer at a certain date and time.
Module 3: Finding Missing Executables
The Program Compatibility Assistant of the Windows operating system tracks the compatibility of software across different Windows versions. The PCA tracks the usage of executables on the suspect system, regardless of it has since been removed, much like USER ASSIST within the NTUser.DAT. AMCache, a very useful registry location, will be learned by students — including how to garner information detailing the use of executables across the suspect system. Participants will learn how to utilize the PCA and AMCache Data to track the use of executables and their hashes on the computer in question.
Module 4: Investigating Shellbags Beyond the Surface
Participants will get an understanding of what Shellbags are and how they can be used in an investigation to determine if a file or path was accessed by a specific user. As these registry entries are also persistent long after the files or folders have been deleted and overwritten, the information that can be gleaned from them may make or break the case. Using Shellbags to prove or disprove a mounted encrypted volume was accessed may also be the catalyst that launches your case in a new direction.
Module 5: Prefetch Files and Correlating the Data
In this module, participants will examine prefetch files in a much more in-depth view to determine the secrets they may hold, as well as how Windows stores and deletes them to ensure when they testify they are doing so with knowledge and confidence. Maximizing the use of the intelligence gathered from prefetch files will lead examiners to discover new avenues to explore in their forensic cases. Participants will also track the use of an encrypted container as well as a wiping utility, you may or may not know is built into Windows by default.
Module 6: Jumplists, what are They and what do They Tell Us
Understanding Jumplists is just the beginning. being able to utilize the data provided to correlate information about previously existing drives and the files located on them which are no longer part of the system, is what this lesson is all about.
Module 7: Recent Docs
Making use of the information found in recent docs and reporting on the information is important. What is more important is the ability to correlate that data with the data from the previous lessons to continuously track key pieces of information across the system and see how and possibly when and where that data was accessed is even more important.
Module 8: Collecting RAM and Parsing RAM Images
Collection of RAM in running computers is paramount. Examiners would not leave a 16 GB or 32 GB thumb drive laying at the collection scene and surely, they are not going to leave RAM uncollected. This lesson will discuss the collection of RAM and where and why it is important. Besides collecting, this lesson also goes into the basics of RAM examination in volatility as well as AXIOM for carving artifacts. Once you open this Pandora’s box, watch out, as you will have a desire to investigate RAM at every opportunity knowing what it can hold.
Module 9: Sharing Files and Folders and Settings Across Devices
Microsoft makes is easy to share between devices, using OneDrive for file sharing, and a Microsoft email account for other settings. Determine when the first time and last time data was shared with other devices via Sync technology. Settings of one Windows system can be shared with other Windows systems including Wi-Fi profiles and deleted profiles. In this module, students will use the acquired RAM from the previous module and Passware to gain access to the Truecrypt container and its contents.
Module 10: Using Passware to Break iTunes Backup Passwords
In this module, students will receive a refresher on IOS backups and use the AXIOM Wordlist Generator (AWG) and Passware to gain entry to the IOS backup and obtain the password. The password will then be used to gain access to the keychain data to see passwords utilized by the suspect for WiFi devices joined as well as any iOS Keychain passwords. Of course, we can’t just unlock the contents of the backup without looking at them and utilizing the data within to help us solve the case we are working. During this module, the participants will also be introduced to AXIOM Cloud functionality where a complete collection of the suspects’ Gmail account has taken place and entered into an AXIOM case to examine and correlate further data.
Module 11: Cracking Windows 10 Passwords
Microsoft recently introduced a large anniversary update for Windows 10. The standard login workflow of Windows 10 has been slightly changed and due to these slight, yet significant changes, most hacker tools for pulling password hashes out of Windows will not work anymore. These changes may have been motivated by Microsoft's desire to discontinue support for legacy and vulnerable cryptographic algorithms. Students will use AXIOM, the AXIOM Wordlist Generator and a combination of software to extract the Windows 10 password from the SAM hive using the algorithm stored in the System hive. A discussion will then take place about the booting of the suspect device for court purposes as well as the necessity to gather as many passwords as possible as we are all creatures of habit.
Module 12: Investigating Google Drive Back to the Local System
Google Drive is a powerful tool which has proliferated across businesses and individuals alike. Google Drive uses a program aptly named Backup and Sync and it leaves behind quite a few forensic artifacts which participants will investigate to recover forensic artifacts about the uploading and downloading of files to a specific computer system.
Module 13: Windows File History and What It Could Mean
Not to be confused with Volume Shadow Service, File History is a Windows 10 program which regularly backs up versions of your files in the Documents, Music, Pictures, Videos, and Desktop folders and the OneDrive files available offline on your PC. If the originals are lost, damaged, or deleted, you can restore them. Users can also browse and restore different versions of their files by browsing through a timeline, selecting the version, and restoring it. At the conclusion of this module, participants will be able to determine File History.
Module 14: Investigating Modern Apps (Windows Store Apps) overview
Modern Apps (originally known as Metro Apps, Windows 8 Apps, or Windows Store Apps) were designed to be immersive. There is a focus on the touchscreen, but they also work on the standard desktop with no problems. By investigating Modern Apps, participants will gain an understanding that internet history and cache for Modern Apps are not stored in the usual locations where an examiner would expect. Mail App, Photo App, Facebook App, as well as apps from the Windows App Store will all be examined to determine who installed the App, the usage of the App, as well as forensic artifacts left behind for examiners to recover.
Module 15: Maximizing Use of the USNJrnl in Your Investigations
The USN journal is a log of changes to files on an NTFS volume. Such changes can for instance be the creation, deletion or modification of files or directories. It is optional to have it on and can be configured with fsutil.exe on Windows. However, it was not turned on by default until Vista and later. Being able to track files through the USNJrnl could be the only reference to the file if it had been previously deleted form the Hard Drive. Participants will learn how to investigate the USNJrnl to retrieve forensic artifacts in support of their examination.
Module 16: Cumulative Review Exercises
Throughout the four-day training event, instructor-led and student practical exercises are used to reinforce the learning objectives and provide the participants with the knowledge and skills necessary to successfully utilize Magnet AXIOM in their investigative workflow. To further reinforce the instructional goals of the course, students are presented with a final scenario-based practical exercise which represents a cumulative review of the exercises conducted in each of the individual modules.