FOR500: Windows Forensic Analysis™
Curriculum: DFIR & Threat Hunting
6 Day Program | 36 CPEs | 22+ Labs

Master Windows forensics—You can’t protect the unknown.

FOR500 builds comprehensive digital forensics knowledge of Microsoft Windows operating systems, providing the means to recover, analyze, and authenticate forensic data, track user activity on the network, and organize findings for use in incident response, internal investigations, intellectual property theft inquiries, and civil or criminal litigation. This knowledge can be used to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Detailed, real-world exercises teach the tools and techniques that every investigator should employ, step by step, to solve a forensic case. The course is newly updated to cover all Windows versions through Windows 11.

Business Takeaways
▐ Build an in-house digital forensic capability that can rapidly answer important business questions and investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions
▐ Enable more capable analysts, threat hunters, and incident response team members who can use deep-dive digital forensics to help solve Windows data breach cases, perform damage assessments, and develop indicators of compromise
▐ Understand the wealth of telemetry available in the Windows enterprise, at the endpoint and in cloud resources such as Microsoft 365, Exchange, Unified Audit Logs, cloud storage, and chat clients
▐ Identify forensic artifact and evidence locations to answer crucial questions, including application execution, file access, data theft, external device usage, cloud services, device geolocation, file transfers, anti-forensics, and detailed system and user activity
▐ Receive a pre-built forensic lab setup via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation

Syllabus Summary
SECTION 1: Digital Forensics and Advanced Data Triage
SECTION 2: Registry Analysis, Application Execution, and Cloud Storage Forensics
SECTION 3: Shell Items and Removable Device Profiling
SECTION 4: Email Analysis, Windows Search, SRUM, and Event Logs
SECTION 5: Web Browser Forensics
SECTION 6: Windows Forensics Challenge

You Will Be Able To
▐ Conduct in-depth forensic analysis of Windows operating systems and media exploitation on Windows 7, Windows 8/8.1, Windows 10, Windows 11, and Windows Server products
▐ Identify artifact and evidence locations to answer crucial questions, including application execution, file access, data theft, external device usage, cloud services, device geolocation, file transfers, anti-forensics, and detailed system and user activity
▐ Become tool-agnostic by focusing your capabilities on analysis rather than on how to use a particular tool
▐ Extract critical findings and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation
▐ Establish structured analytical techniques to be successful in any security role

Who Should Attend
▐ Information security professionals who want to learn the in-depth concepts of Windows digital forensics investigations
▐ Incident response team members who need to use deep-dive digital forensics to help solve their Windows data breach and intrusion cases, perform damage assessments, and develop indicators of compromise
▐ Law enforcement officers, federal agents, and detectives who want to become deep subject-matter experts on digital forensics for Windows-based operating systems
▐ Media exploitation analysts who need to master tactical exploitation and Document and Media Exploitation (DOMEX)
▐ Anyone interested in a deep understanding of Windows forensics who has a background in information systems, information security, and computers

NICE Framework Work Roles
▐ Cyber Crime Investigator (OPM 221)
▐ Cyber Defense Forensics Analyst (OPM 212)
▐ Law Enforcement/Counter Intelligence Forensics Analyst (OPM 211)

“This is a very high-intensity course with extremely current course material that is not available anywhere else in my experience.”
—Alexander Applegate, Auburn University

GIAC Certification: GCFE Forensic Examiner (giac.org/gcfe) | CyberLive

Course Authors: Chad Tilbury, Ovie Carroll, Rob Lee

For a detailed course description, visit SANS.ORG/FOR500

Ways to Take FOR500: Live Online | In-Person | OnDemand
DoD 8140* (* sans.org/8140)