I am pleased to announce the release of the latest version of the SANS Institute FOR500 Windows Forensic Analysis course. If you are a SANS alum, you likely know our courses are on a nearly constant update cycle to keep pace with the ever-changing parade of DFIR artifacts. However, this release is special because it included a significant focus on supporting the new Windows 11 operating system. While only small forensic changes have been discovered thus far in the new operating system, every artifact and tool present in the class has been tested and verified to be compatible with Windows 11. Of course, we expect most enterprises to be running Windows 10 and Windows 11 in parallel for the foreseeable future due to hardware restrictions enforced by Microsoft. Knowing the diverse enterprise landscape, the skills taught in FOR500 are now applicable for performing forensics across every modern version of Windows, from XP to Windows 11, in addition to the corresponding Windows Server versions.
The Fall 2021 and Spring 2022 updates resulted in over 50% of the course being re-written and re-imagined. Major changes to the course were introduced in nearly every section. Triage collection, memory extraction, and encryption detection were updated. The registry and application execution sections were significantly revised with new artifacts and content. Account activity tracking was augmented to provide more information on Microsoft cloud and domain accounts. Investigation of TrustRecords was added to the registry section to assist with tracking malicious document macros. A complete overhaul of the Dropbox and Google Drive cloud storage sections was performed due to major recent changes to those products. New skills and tools were added to automate SQLite database extraction, analyze the Google protobuf format, and parse local OneDrive databases.
Section three of the course was completely rewritten, with state-of-the-art information and analysis techniques for Windows shell items, including LNK files, Jump Lists, and Shellbags. This is one area that has seen increased artifact changes during upgrades to Windows 10 and 11. Information on investigating malicious LNK files was added, as these are an attack vector in use by many threat groups. Removable device forensics was completely rewritten with a focus on more modern hardware like USB 3/4, USB Attached SCSI, and Thunderbolt devices. HID devices were also added to this section to provide skills in investigating physical device attacks like the introduction of malicious USB devices.
Email forensics was updated with new information on host-based email, webmail, and smartphone email analysis techniques. Forensic analysis of Microsoft's new Your Phone application is now included. New tools and techniques are covered to exploit the massive Windows Search Database, adding capabilities to take advantage of the detailed metadata and content stored on hundreds of thousands of files and emails. Browser forensics was brought up to the state of the art with changes and additions to multiple Chromium databases and new information on collecting stored user credentials. Finally, one third of the exercises were expanded and updated to provide more content and to support the courseware and tool additions.
In summary, the SANS FOR500 Windows Forensics course is buffed, polished, and hyper-focused on the most important and up-to-date Windows artifacts available. We look forward to seeing you in class!
Chad Tilbury has spent over twenty years conducting computer crime investigations ranging from hacking to espionage to multimillion-dollar fraud cases. He is a SANS Institute Fellow and co-author of FOR500 Windows Forensic Analysis and FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics. Find him on Twitter @chadtilbury.