Call : (+91) 968636 4243
Mail : info@EncartaLabs.com
EncartaLabs

OpenText EnCase Windows Artifacts - Advanced Analysis

( Duration: 4 Days )

The OpenText EnCase - Analysis of Windows Artifacts training course is designed for examiners with solid computer skills, seeking to learn advanced concepts in analyzing Windows artifacts. You will be provided instruction that includes parsing and analysis techniques on registry data, volume shadow service, random access memory, zip file structures, prefetch, and SQLite content.

By attending OpenText EnCase - Analysis of Windows Artifacts workshop, delegates will learn:

  • Examination of the Microsoft Windows Registry
  • The use of block-based file hash analysis for file recovery
  • Examination of Volume Shadow Copy (VSC) data maintained by the Windows Volume Shadow Service (VSS)
  • Examination and recovery of Windows event logs
  • Hardware and software RAID technology, acquisition, and examination
  • Understanding SQLite databases and querying their data
  • Recovering deleted SQLite data
  • The purpose and function of prefetch files and how to analyze them
  • Principles of encrypted data recovery
  • Various techniques for the examination of RAM
  • Low-level data recovery from Zip files and the latest version of Microsoft Word documents

Prerequisites:
  • Attend a training on OpenText EnCase - Building an Investigation or equivalent practical experience

The OpenText EnCase - Analysis of Windows Artifacts class is ideal for:
  • Law Enforcement Officers, Computer Forensic Examiners, Corporate & Private Investigators & Network Security Personnel.

COURSE AGENDA

Day 1

  • Understanding the purpose and structure of the Windows Registry
  • Identifying, mounting and extracting data from Registry hive files both in OpenText EnCase software and within Windows on a forensic examination machine
  • Recreating the Registry data necessary to run an extracted application on the examiner's forensic workstation
  • Mapping local and domain-level user accounts
  • Examining user-assist Registry data
  • Parsing shell-bag data in conjunction with NTFS USN change-log data
  • Using block-based hash analysis for file recovery
  • Analyzing Windows event logs
Day 2

  • Learning VSS operation and how to examine VSS data created by the system as part of system restore operations
  • Understanding RAID configurations and stripe sets
  • Understanding how RAID affects forensic examinations
  • Discussing options for forensic acquisition of RAID devices and their examination in EnCase software
  • Understanding the purpose of the Windows Prefetcher and the structure and content of the prefetch files it maintains
  • Documenting the aspects of SQLite that will be most relevant to the forensic investigator
  • Using Structured Query Language (SQL) to query SQLite data
Day 3

  • Understanding the structure of SQLite database files and how and why deleted data may be recoverable
  • Understanding exactly what encrypted data is and the terminology associated with it
  • Learning the principles behind identification of encryption software, encrypted data and the methodology behind decrypting encrypted data
Day 4

  • Learning how to enhance the ability to conduct examinations of RAM
  • Discussing the ZIP file format and how it affects the ability to locate and recover ZIP data
  • Using knowledge of the ZIP file format to recover data from the latest version of Microsoft Word documents

Encarta Labs Advantage

  • One Stop Corporate Training Solution Providers for over 6,000 various courses on a variety of subjects
  • All courses are delivered by Industry Veterans
  • Get jumpstarted from newbie to production ready in a matter of a few days
  • Trained more than 50,000 Corporate executives across the Globe
  • All our trainings are conducted in workshop mode with more focus on hands-on sessions

View our other course offerings by visiting https://www.encartalabs.com/course-catalogue-all.php

Contact us for delivering this course as a public/open-house workshop/online training for a group of 10+ candidates.
