ICAC-WinArt Class List
ICAC-Cybercop 315 - Windows Artifacts
This course is funded through OJJDP. To register for this class, you must be affiliated with an ICAC Task Force. Furthermore, you must agree to comply with the Best Practices and Standards established by ICAC. If you have any questions about the ICAC Best Practices and Standards, please contact your ICAC commander.
This 5-day course begins with an introduction to the NT file system and its basic building blocks. Topical areas include metadata files, file attributes, dates and times, and the processes of saving, deleting, and recovering files. Students are then introduced to the identification and extraction of artifacts associated with Windows operating systems (XP through Windows 8) and the NT file system. Topical areas include named data streams, reparse points, encrypted objects, and a detailed examination of various registry artifacts, including mounted devices, the user assist key, security components, and user-specific information. Students will also examine event logs, the Volume Shadow Copy Service, and thumbnails. The artifacts will be covered in a classroom and interactive setting, which includes accessing suspect images in a virtual environment.
PREREQUISITES: This course requires that the student have previous training in Cybercop 101 - BDRA and Cybercop 201 - IDRA, or the equivalent, and experience drawn from applying the techniques used in these classes.
There are currently no scheduled classes for this course. If you are interested in knowing when the next class might be offered, or would like more information in general, please see the training contact information on this page.