Reviewed by Scar de Courcier, Forensic Focus
From the 6th-8th of December 2016, AccessData ran a Windows course in a training centre overlooking Trafalgar Square in London, UK. The aim of the course was to familiarise forensic investigators with the Windows operating system and give an in-depth understanding of its potential for analysis in digital forensic investigations.
The course was open to all levels, from those who had never conducted an investigation to those who were more familiar with digital forensic techniques. Some level of familiarity with AccessData’s products was assumed, although everything was explained in great detail throughout the course, making it accessible for those who were just starting out as well.
Course Structure
Despite a small mix-up at the beginning, where it became obvious that I had neither received the course materials nor been added to the list of attendees, the course got off to a good start. The trainer was friendly and kept things quite light-hearted all the way through, and my fellow trainees were a good bunch of people who were open to discussion throughout the week.
Following the usual introductions to each other and installations of the various bits of software we would be using, the trainer took us through a brief overview of the Windows operating system generally, and then some of the most relevant differences between the various versions, particularly Windows 8, 8.1 and 10, which are increasingly cropping up in investigations.
The second module looked at Windows artifacts and how they differ across versions. Bitlocker was covered in some detail, which was useful as it tends to come up a lot! Other topics covered included Thumbcache, Jumplists and the Recycle Bin. We then looked at virtual hard drives and USB tracing, before moving on to Windows disk and directory structures. Often this is quite a dry subject, but the trainer’s lighthearted and often quite amusing way of teaching the class made it easy to follow.
A more in-depth look at Bitlocker was covered in its own section a bit later on, after which we looked at NTFS artifacts in great detail, including breaking down the Master File Table and giving a basic understanding to new investigators of how NTFS uses the $MFT to track individual files.
One particularly good touch was that the trainer would often ask us to set up a case for processing and would then take us through an unrelated but important topic, leaving the case to process in the background. This overcame a challenge I have noticed on training courses in the past, where trainees can spend a lot of time watching a progress bar creeping gradually towards 100% when time could be used more efficiently. I appreciated that this did not happen on the Windows OS AccessData training.
Another refreshing change from many courses was that the training was not just a thinly-disguised sales pitch for AccessData’s products. The trainer would occasionally recommend other tools that may do the same job, or may be effective at certain tasks we were going through. This was a nice addition and actually made me more likely to consider AccessData’s products for future investigations of my own – sales pitches often do little more than put people off, in my experience!
We then looked at date and timestamps on Windows systems and how anomalies can arise. This was followed by a more in-depth look at the Recycle Bin and the differences between Windows versions, with a particular focus on XP, Vista, 7, 8, 8.1 and 10.
The trainer used a lot of real-life examples throughout the week, which I found particularly helpful. He was also happy to discuss (and admit to) things that had not gone so well and how he had learned from them, which was very helpful. Often in training there seems to be an implicit expectation that things will go smoothly as soon as an investigator has learned how to use a tool, which of course is not always the case. The use of real-life examples meant that trainees could understand exactly how the training we were undertaking could be used in day-to-day work.
The course concluded with a discussion of thumbnails and event logs, along with a couple of practical labs that helped trainees to apply what they had learned.
The pace was good – the trainer didn’t rush ahead or go too fast, but nor did he treat the trainees like children. When asked to re-explain something, he did so clearly and patiently, but on the whole he expected us to keep up with the pace of the days.
Everything was described in great depth – sometimes, I felt, a little more depth than was needed! – but this was better than not explaining enough. Again, it made the course more accessible for people who were perhaps newer to the field and less familiar with the range of products we were using.
Throughout the three days there were a lot of practical exercises which the trainer walked us through, so that we could see how the things we were learning could be applied to our work. Personally, I would have preferred some of these to have been independently managed rather than walked through – i.e. with the trainees required to take what they had learned in the previous section of the course and essentially do a test run themselves. I feel this would be a good way to ensure that people were following along and to iron out any initial challenges. However, the way the trainer conducted the practical exercises is the way these things are normally done, and he was clear and detailed in everything he spoke about, which was helpful.
The venue was good, and towards the end of the third day we were treated to some live music from a particularly persistent busker outside! Trafalgar Square is easily accessible from most London stations and the building was clean, well-kept and had good access for wheelchair users.
On the whole, I would recommend the three-day Windows OS training from AccessData for anyone who is fairly new to digital forensics and wants an overview that goes into quite a lot of detail about the specific products they need to use and how to use them.
About Windows OS Training
AccessData's Windows OS Training course, delivered by Syntricate, aims to teach students everything they need to know about the forensic analysis of Windows operating systems. The course focuses on how to properly collect and process data from Windows machines. Find out more here.