Even with the expected arrival of a slew of security improvements in Windows 10 such as multi-factor authentication, automatic encryption and a trusted app whitelist; “…users on Windows machines are still the most likely entry point for a cyber-attack and the long tail of operating systems still in widespread use makes Windows forensics skills essential for all investigators and first responders,” says Christian Prickaerts, a highly respected expert Forensic investigator and SANS Instructor with a 15 year career including time working for a large university in the Netherlands and Fox-IT.
“In many cases, the user is completely unaware of the attack which through social engineering or malware starts a chain reaction that can ultimately lead to an incident which in the case of APT style attacks may well remain undetected within an environment for many months,” he adds.
Although newer Microsoft operating systems have made great strides in helping to secure common weaknesses, Prickaerts points to the huge number of systems, including Windows XP that are still used but are effectively out of support when it comes to security updates and patches. “Strong Windows forensic skills are also important for validating security tools, enhancing vulnerability assessments, identifying insider threats, tracking hackers, and improving security policies,” says Prickaerts.
In June, Prickaerts will be teaching an updated version of SANS FOR408: Windows Forensic Analysis with a focus on collecting and analysing data from computer systems to track user-based activity that can be used in internal investigations as well as civil and criminal litigation.
“Proper analysis requires real data for students to examine and as such the course trains digital forensic analysts through a series of hands-on exercises that incorporate evidence found on the latest Microsoft technologies including Windows 8.1, Office365, Skydrive, Sharepoint, Exchange Online as well as older platforms such as XP, Windows 7 and Server 2008/2012,” says Prickaerts.
As part of the course, students learn how to identify artefacts and evidence locations that will answer key questions, including details about program execution, file opening, external device usage, geo-location, file download, anti-forensics, and system usage.
The course will run in Dublin from June 8th-13th at the Hilton Doubletree’s Morrison Hotel alongside the popular SEC401: Security Essentials Bootcamp Style. “Early Bird” Registration is still open and SANS is offering discounts for students that register and pay prior to April 29th and for larger groups. For more information, please visit http://www.sans.org/event/dublin-2015