For5003 Core Windows Forensics Part Ii Usb Devices And Shell Items For5004 Core Windows Forensics Part Iii Email Key Additional Artifacts And Event Logs For500c0101 Sans Institute by Sans Institute instant download after payment.

FOR500.3: Core Windows Forensics Part II: USB Devices and Shell Items
Overview
Being able to show the first and last time a file or folder was opened is a critical analysis skill. Utilizing shortcut (LNK), jump list, and Shellbag databases through the examination of SHELL ITEMS, we can quickly pinpoint which file or folder was opened and when. The knowledge obtained by examining SHELL ITEMS is crucial in tracking user activity in intellectual property theft cases internally or in tracking hackers.
Removable storage device investigations are often an essential part of performing digital forensics. We will show you how to perform in-depth USB device examinations on Windows 7, 8/8.1, and 10. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, and even the unique serial number of the device used.
FOR500.4: Core Windows Forensics Part III: Email, Key Additional Artifacts, and Event Logs
Overview
Depending on the type of investigation and authorization, a wealth of evidence can be unearthed through the analysis of email files. Recovered email can bring excellent corroborating information to an investigation, and its informality often provides very incriminating evidence. It is common for users to have an email that exists locally on their workstation, on their company email server, in a private cloud, and in multiple webmail accounts.
Additional artifacts such as Windows Prefetch are paramount to proving evidence of execution. The exciting Windows 10 Timeline database shows great promise in recording detailed user activity. Similarly, the System Resource Usage Monitor (SRUM), one of our most exciting digital artifacts, can help determine several important user actions, including network usage by cloud storage and backdoors, even after execution of counter-forensic programs.
Finally, Windows event log analysis has solved more cases than possibly any other type of analysis. Understanding the locations and content of these files is crucial to the success of any investigator. Many researchers overlook these records because they do not have adequate knowledge or tools to get the job done efficiently. This section arms each investigator with the core knowledge and capability to maintain this crucial skill for many years to come.