Significance of Windows Network Forensics

The importance of computer forensics as a field of study has become well known in recent years. Because of the growing use of technology and personal computers, almost all criminal investigations now involve some digital evidence. Beyond criminal cases, company policy violations and incident response also require thorough digital investigations. But why focus on Windows forensics in particular?

There are a few important reasons. First, the Windows operating system is the most widely used OS, and therefore the most common source of digital evidence. The following figures demonstrate the trend in use of various operating systems over the past 5 years.

The diagrams demonstrate that the Windows platform has been used on more than 90% of all computers in use in the United States. Not only is Windows used on personal computers, but the Windows network environment is the most widespread network system in the corporate world.

Secondly, the Windows OS is an extremely complex system. Therefore, conducting a forensic investigation on a Windows computer requires adequate knowledge of this OS, as well as specific forensic skills and tools.

The usage trend of the various operating systems demonstrates that a digital forensic investigation will involve a Windows platform in more than 90% of cases for at least another decade. Windows forensic investigation skills and tools will also be helpful for investigating compromised personal computers and for data recovery.

Windows Network Forensics Course Information

(Detailed syllabus and other course information)

This course emphasizes the following topics:

·        Collection and analysis of volatile data from the Windows platform: A computer's hard drive is the main source of information for any investigation, but some things can be found only in RAM and not on the hard drive. A password is one example: most programs prompt for a password, and once the dialog box disappears, the only place left to recover it is main memory. You will learn special techniques for collecting volatile data from RAM.

·        Windows memory and registry analysis: As mentioned above, Windows memory (RAM) can hold important evidence that cannot be found on the hard drive, and special analysis techniques are required to extract that evidence from RAM. The Windows registry is another gold mine of evidence: it contains extremely valuable evidence regarding recently accessed files, installed programs and user activities. You will get a deeper understanding of the registry and of various techniques for extracting evidence from it.

·        Windows file analysis: Windows systems maintain a number of files that contain a wealth of forensic information. You will learn about such files, including log files, and techniques for extracting evidence from them. You will also learn file signature analysis, a method for determining whether a file's extension matches its actual type, as identified from the file's leading bytes.
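The following is an added illustration of file signature analysis; it is not code from the course or from the textbook. It compares a file's leading bytes against a small table of well-known format signatures and reports whether the claimed extension agrees with the detected type. The sample "files" are constructed in memory so that the script runs offline; a real tool would read the first bytes of each file from disk.

```python
"""Added example: file signature (magic-byte) analysis.

Not the course's or textbook's code. The signature table covers only a
handful of common formats; the sample files below are constructed.
"""
import os
from typing import Optional

# Leading-byte signatures for a few common formats (well-known values).
SIGNATURES = {
    "jpg": [b"\xFF\xD8\xFF"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],   # also the container for docx/xlsx/pptx/jar
    "exe": [b"MZ"],           # DOS/PE executable header
}

# Extensions that legitimately share a signature with another format.
ALIASES = {
    "jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
    "dll": "exe", "sys": "exe", "scr": "exe",
}


def identify(header: bytes) -> Optional[str]:
    """Return the format whose signature matches the start of header, else None."""
    for fmt, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return fmt
    return None


def check_file(name: str, header: bytes) -> dict:
    """Compare the type claimed by the extension with the type detected from bytes."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    claimed = ALIASES.get(ext, ext)
    detected = identify(header)
    if detected is None:
        status = "unknown"      # no signature in our table; needs manual review
    elif detected == claimed:
        status = "match"
    else:
        status = "mismatch"     # extension does not describe the content
    return {"name": name, "claimed": claimed, "detected": detected, "status": status}


# Constructed sample files: name -> first bytes of content.
SAMPLES = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF",
    "report.pdf": b"%PDF-1.7\n",
    "photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00",   # an executable renamed to .jpg
    "notes.txt": b"meeting at 10",
    "budget.xlsx": b"PK\x03\x04\x14\x00",
}


def scan(samples=SAMPLES) -> list:
    """Run the check over every sample and return one result record per file."""
    return [check_file(name, header) for name, header in samples.items()]


if __name__ == "__main__":
    for r in scan():
        print(f"{r['name']:14} claimed={r['claimed']:5} detected={r['detected']} -> {r['status']}")
```

In the constructed set, `photo.jpg` is flagged as a mismatch because its content begins with the executable header rather than a JPEG signature; `notes.txt` is reported as unknown rather than as a mismatch, since plain text has no signature and the table cannot rule anything out.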

·        Executable file analysis: You will learn to analyze the nature of different types of executable files, including malware. These techniques can be very helpful not only in criminal investigations, but also for troubleshooting your own computer if it gets infected. (You may already have experienced that antivirus software is not always able to detect and analyze the newest malware.)

·        Rootkit detection: A rootkit can be defined as "a set of software tools intended to conceal running processes, files or system data from the operating system." In other words, a rootkit can conceal the presence of an intruder on a computer system. This is a significant threat particularly to the Windows operating system, as rootkits originated in the UNIX world, later migrated to Windows, and are still largely misunderstood by Windows users. You will gain an understanding of rootkits and will learn techniques for detecting them.
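As an added illustration of one well-known rootkit detection approach (not code from the course or the textbook, and not necessarily the technique the course teaches), the script below performs a cross-view comparison: it takes two independently gathered process listings and reports any process present in one view but absent from the other. A rootkit that hides a process from the high-level listing used by a task manager usually cannot hide it from every lower-level source, so such discrepancies are what an investigator looks for. Both listings here are constructed sample data; a real tool would collect them from the live system or from a memory image.

```python
"""Added example: cross-view detection of hidden processes.

Not the course's code. Both process views are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


# View A: what a user-mode process listing reports (constructed).
API_VIEW = [
    Proc(4, "System"), Proc(512, "csrss.exe"), Proc(768, "services.exe"),
    Proc(1024, "explorer.exe"), Proc(2200, "notepad.exe"),
]

# View B: an independent enumeration, e.g. walking kernel process structures
# in a memory image (constructed). It contains one entry the API view lacks.
LOW_LEVEL_VIEW = [
    Proc(4, "System"), Proc(512, "csrss.exe"), Proc(768, "services.exe"),
    Proc(1024, "explorer.exe"), Proc(2200, "notepad.exe"), Proc(3120, "svchost.exe"),
]


def cross_view(api_view, low_level_view) -> dict:
    """Return processes missing from the API view and processes only the API view shows.

    A process that starts or exits between the two snapshots can land in
    either set, so the output lists discrepancies to examine, not proof of
    a rootkit; the investigator should re-collect and compare again.
    """
    api = {p.pid: p for p in api_view}
    low = {p.pid: p for p in low_level_view}
    hidden = sorted((low[pid] for pid in low.keys() - api.keys()), key=lambda p: p.pid)
    only_api = sorted((api[pid] for pid in api.keys() - low.keys()), key=lambda p: p.pid)
    return {"hidden_from_api": hidden, "only_in_api": only_api}


if __name__ == "__main__":
    result = cross_view(API_VIEW, LOW_LEVEL_VIEW)
    for p in result["hidden_from_api"]:
        print(f"discrepancy: pid {p.pid} ({p.name}) is not visible to the API listing")
    for p in result["only_in_api"]:
        print(f"discrepancy: pid {p.pid} ({p.name}) appears only in the API listing")
```

The same comparison applies to any pair of views (files on disk versus directory entries in a raw volume scan, registry keys from the API versus a parsed hive file); the value of the technique comes from the two sources being collected through genuinely different code paths.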

·        Windows Networks: The Windows network environment is used in most corporate organizations. You will gain an understanding of attacks on a network and the evidence that these attacks leave behind, and you will learn to extract and analyze this evidence in a networked setting.

·        Case Studies: Finally, you will study a few cases to gain a deeper understanding of forensic investigation as a whole. You will learn how to apply all the techniques you have learned together to solve a single case.

·        Hands-on Activities: The textbook "Windows Forensic Analysis" is accompanied by a DVD that contains tools for hands-on activities for each chapter. The instructor will provide additional hands-on activities.