This course covers the identification and extraction of artifacts associated with the Microsoft Windows operating system. Topics include the change journal, BitLocker, and a detailed examination of the various artifacts found in each of the Registry hive files. Students also examine Event Logs, Volume Shadow Copies, link files, and jump lists. This course uses a mixture of lecture, discussion, demonstration, and hands-on exercises.
Key concepts covered in this course include:
• The registry
• Shellbags
• Mounted devices
• Change journal
• Prefetch
Excel Office 365 is recommended; versions 2010 and newer will be functional.