Computer forensics is a challenging, ever-evolving field that involves many years of specialized training and experience before many examiners begin to feel confident and competent in this role. Many new examiners, in their first few years of work, are not aware of many crucial artifacts that are available to them, or simply do not know how to analyze them. In either case, new examiners may be so focused on finding the "smoking gun" evidence that they miss or misinterpret the vast amount of other critical, key evidence in their digital forensic investigations. This presentation will introduce attendees to simple, basic ways to acquire and analyze Memory Images (a.k.a. RAM dumps), $USN Journals, extended NTFS time stamps, Volume Shadow Copies, ESE and SQLite databases, Virtual Machines and more. Attendees will also learn simple ways to perform tasks such as rebuilding RAID arrays, extracting passwords, manually carving files, and creating a Timeline of User Activity. If you are new(er) to computer forensics and/or have had limited training and experience in this field, come see what you may be missing! This workshop will only be recorded and available On-Demand from August 10, 2020 until December 31, 2020.
Learning Objectives:
...improve their knowledge of forensic artifacts available to them in most investigations involving computer evidence.
...recover advanced forensic artifacts from computer evidence in their investigations.
...create a timeline of all user activity which they can include in their final reports.
...create a virtual machine from a forensic image in order to obtain additional artifacts relevant to their investigation.
...perform basic analysis of artifacts such as $USN Journal, Volume Shadow Copies, Memory, and understand NTFS timestamping issues.