Reviewed by Scar de Courcier, Forensic Focus
From the 1st to the 3rd of November 2016, AccessData ran a live online training course to help forensic investigators understand the specific challenges presented by Windows 10, and how they can be overcome.
The course was aimed at people who already had a level of familiarity with both forensic investigation generally and with AccessData’s products, and took participants through all aspects of investigating a Windows 10 system.
Course Structure
The course was run in EST using the WebEx Training Center and LogMeIn. Both of these are in standard use among digital forensics trainers and will be familiar to those who have been on training courses before.
Once everyone had logged in, the course leader encouraged trainees to introduce themselves, and gave an overview of what the course would entail. This was helpful as it laid out expectations early on and meant that attendees knew what to expect from the three days.
The manuals were sent out before the course via email, along with the lab / evidence files. Personally I would have preferred having a physical copy of the manual, as I find it easier to flip through the pages whilst also keeping an eye on the on-screen training, but this is a small matter and didn’t ultimately affect the standard of the training. The PDF is protected by LockLizard, with which I had a few technical issues that meant getting set up was less easy than I had hoped, however once these had been overcome everything proceeded smoothly.
Before we began the main part of the training, our instructor took us through all the tools we were using to familiarise us with what they were called and where they could be found. This was a nice touch and meant that we weren’t scrabbling to find things on the Desktop of the remote machine – something which can happen in forensics training!
The course kicked off with a discussion of the Windows registry and how it can be forensically analysed using Regedit. As mentioned previously, the course was primarily for people who were already familiar with digital forensic investigative techniques; however, each section did begin with an overview of the tools and concepts we would be exploring in the training. This was helpful as it meant that trainees could easily take the concepts they had already learned in the course of their work and understand how to apply them specifically to Windows 10 forensics with AccessData tools.
Once the registry had been discussed, we moved on to a consideration of Windows 10 itself and how it differs from other Windows versions. This covered such diverse aspects as UX and file structure, and how traditional Windows artifacts have evolved in Windows 10.
Microsoft Edge is one of the most significant changes we have seen in this version of Windows, and it was helpful to have a full section of the training devoted to it. I had actually not worked with Edge forensics before the training and had therefore assumed it would be closer to Internet Explorer than it actually was. The combination of IE and Edge artifacts was also useful, particularly for cases in which someone may be running both browsers on the same machine.
Cortana and OneDrive were covered in great detail, including the various privacy settings Windows 10 has in place to address some of the concerns that sprang up around Cortana’s original release. Time was devoted to the relationship between Edge and Cortana – both from a user experience viewpoint and a forensic investigation one – which was again helpful in understanding how Windows 10 works.
The following sections were devoted to artifacts, storage and applications – these being some of the main sources of evidence in forensic investigations. The instructor did a good job of going over the Encrypting File System, the Recycle Bin, and the usefulness of Prefetch files in forensic examinations.
One of the main modifications in recent Windows versions has been the creeping introduction of applications and a more ‘smartphone-like’ visual setup. The Live Online Training touched briefly on some of the most commonly used applications in Windows 10. Although it would be impossible to go through them all, having an idea of how some of the main applications work and the data that can be gleaned from them was certainly helpful.
The course concluded with a discussion of Windows 10’s Microsoft Mail system, including how this interacts with other applications (such as People) and where to find artifacts related to Microsoft Mail.
On the whole, I found the Windows 10 Live Online Training useful. It was an area I had not spent a lot of time on previously, and so I feel I learned a lot from it. The instructor was friendly and approachable, and the course ran on time with reasonable breaks.
Live Online Training is something I personally find very helpful, as it makes it easy to join in with forensics training sessions from the comfort of one’s own office or living room. While it may be argued that something is lost by not being physically present in a classroom along with the other trainees, I have generally found that it has not had a negative impact on my learning, and in some ways can make it easier to manage the learning environment.
Overall, therefore, I would recommend AccessData’s Live Online Training to anyone who feels they could use a forensic “top-up” when it comes to Windows 10.
About Windows 10 Live Online Training
AccessData's Windows 10 Live Online Training course, delivered by Syntricate, aims to teach students everything they need to know about the forensic analysis of Windows 10. The course focuses on how to properly collect, process, review and report case data toward successful case resolution.