Windows 10 Live Online Training From AccessData

Reviewed by Scar de Courcier, Forensic Focus

From the 1st to the 3rd of November 2016, AccessData ran a live online training course to help forensic investigators understand the specific challenges presented by Windows 10, and how they can be overcome.

The course was aimed at people who already had a level of familiarity with both forensic investigation generally and with AccessData’s products, and took participants through all aspects of investigating a Windows 10 system.

Course Structure

The course was run in EST using the WebEx Training Center and LogMeIn. Both are in standard use among digital forensics trainers and will be familiar to those who have been on training courses before.

Once everyone had logged in, the course leader encouraged trainees to introduce themselves, and gave an overview of what the course would entail. This was helpful as it laid out expectations early on and meant that attendees knew what to expect from the three days.



The manuals were sent out before the course via email, along with the lab / evidence files. Personally I would have preferred having a physical copy of the manual, as I find it easier to flip through the pages whilst also keeping an eye on the on-screen training, but this is a small matter and didn’t ultimately affect the standard of the training. The PDF is protected by LockLizard, with which I had a few technical issues that meant getting set up was less easy than I had hoped; however, once these had been overcome, everything proceeded smoothly.

Before we began the main part of the training, our instructor took us through all the tools we were using to familiarise us with what they were called and where they could be found. This was a nice touch and meant that we weren’t scrabbling to find things on the Desktop of the remote machine – something which can happen in forensics training!

The course kicked off with a discussion of the Windows registry and how it can be forensically analysed using Regedit. As mentioned previously, the course was primarily for people who were already familiar with digital forensic investigative techniques; however, each section did begin with an overview of the tools and concepts we would be exploring in the training. This was helpful as it meant that trainees could easily take the concepts they had already learned in the course of their work and understand how to apply them specifically to Windows 10 forensics with AccessData tools.

Once the registry had been discussed, we moved on to a consideration of Windows 10 itself and how it differs from other Windows versions. This covered such diverse aspects as UX and file structure, and how traditional Windows artifacts have evolved in Windows 10.

Microsoft Edge is one of the most significant changes we have seen in this version of Windows, and it was helpful to have a full section of the training devoted to it. I had actually not worked with Edge forensics before the training and had therefore assumed it would be closer to Internet Explorer than it actually was. The combination of IE and Edge artifacts was also useful, particularly for cases in which someone may be running both browsers on the same machine.

Cortana and OneDrive were covered in great detail, including the various privacy settings Windows 10 has in place to address some of the concerns that sprang up around Cortana’s original release. Time was devoted to the relationship between Edge and Cortana – both from a user experience viewpoint and a forensic investigation one – which was again helpful in understanding how Windows 10 works.

The following sections were devoted to artifacts, storage and applications – these being some of the main sources of evidence in forensic investigations. The instructor did a good job of going over the Encrypting File System, the Recycle Bin, and the usefulness of Prefetch files in forensic examinations.

One of the main modifications in recent Windows versions has been the creeping introduction of applications and a more ‘smartphone-like’ visual setup. The Live Online Training touched briefly on some of the most commonly used applications in Windows 10. Although it would be impossible to go through them all, having an idea of how some of the main applications work and the data that can be gleaned from them was certainly helpful.

The course concluded with a discussion of Windows 10’s Microsoft Mail system, including how this interacts with other applications (such as People) and where to find artifacts related to Microsoft Mail.

Evaluation

On the whole, I found the Windows 10 Live Online Training useful. It was an area I had not spent a lot of time on previously, and so I feel I learned a lot from it. The instructor was friendly and approachable, and the course ran on time with reasonable breaks.

Live Online Training is something I personally find very helpful, as it makes it easy to join in with forensics training sessions from the comfort of one’s own office or living room. While it may be argued that something is lost by not being physically present in a classroom along with the other trainees, I have generally found that it has not had a negative impact on my learning, and in some ways can make it easier to manage the learning environment.

Overall, therefore, I would recommend AccessData’s Live Online Training to anyone who feels they could use a forensic “top-up” when it comes to Windows 10.

About Windows 10 Live Online Training

AccessData's Windows 10 Live Online Training course, delivered by Syntricate, aims to teach students everything they need to know about the forensic analysis of Windows 10. The course focuses on how to properly collect, process, review and report case data toward successful case resolution. Find out more here.
