مهدی حاتمی

علیرضا کلانترزاده

• پیشرفته
• مسیر آبی
• ۹ درس

دربارۀ این دوره

مخاطبان

• کارشناسان ارشد مراکز عملیات امنیت
• کارشناسان جرم‌شناسی
• کارشناسان شکار تهدید‌ات

پیش‌نیازها

• سابقۀ یک سال فعالیت در امنیت دفاعی
• آشنایی با ساختار سیستم‌عامل ویندوز

• Windows Internals Overview
• Digital Forensics and Advanced Data Triage
  • Windows Operating System Components
  • Core Forensic Principles
  • Live Response and Triage-Based Acquisition Techniques
• Registry Analysis, Application Execution, and Cloud Storage Forensics
  • Hives, Keys, and Values
  • Registry Last Write Time
  • MRU Lists
  • Deleted Registry Key Recovery
  • Identify Dirty Registry Hives and Recover Missing Data
  • Rapidly Search and Timeline Multiple Registry Hives
  • Discover Usernames and Relevant Security Identifiers
  • Last Login
  • Last Failed Login
  • Login Count
  • Password Policy
  • Local versus Domain Account Profiling
  • Identify the Current Control Set
  • System Name and Version
  • Document the System Time Zone
  • Audit Installed Applications
  • Wireless, Wired, VPN, and Broadband Network Auditing
  • Perform Device Geolocation via Network Profiling
  • Identify System Updates and Last Shutdown Time
  • Registry-Based Malware Persistence Mechanisms
  • Identify Webcam and Microphone Usage by Illicit Applications
  • Evidence of File Downloads
  • Office and Microsoft 365 File History Analysis
  • Windows 7, Windows 8/8.1, Windows 10/11 Search History
  • Typed Paths and Directories
  • Recent Documents
  • Search for Documents with Malicious Macros Enabled
  • Open Save/Run Dialog Evidence
  • Application Execution History via UserAssist, Prefetch, System Resource Usage Monitor (SRUM), FeatureUsage, and BAM/DAM
  • Universal Windows Platform (UWP) and MSIX registry hives
  • Microsoft OneDrive
  • OneDrive Files on Demand
  • Microsoft OneDrive for Business
  • OneDrive Unified Audit Logs
  • Google Drive for Desktop
  • Google Workspace (G Suite) Logging
  • Google Protobuf Data Format
  • Dropbox
  • Dropbox Decryption
  • Dropbox Logging
  • iCloud
  • Synchronization and Timestamps
  • Forensic Acquisition Challenges
  • User Activity Enumeration
  • Automating SQLite Database Parsing
• Shell Items and Removable Device Profiling
  • Shell Item Forensics
  • Shortcut Files (LNK) - Evidence of File Opening
  • Windows 7-10 Jump Lists - Evidence of File Opening and Program Execution
  • ShellBag Analysis - Evidence of Folder Access
  • USB and BYOD Forensic Examinations
  • Vendor/Make/Version
  • Unique Serial Number
  • Last Drive Letter
  • MountPoints2 and Drive Mapping Per User (Including Mapped Shares)
  • Volume Name and Serial Number
  • Username that Used the USB Device
  • Time of First USB Device Connection
  • Time of Last USB Device Connection
  • Time of Last USB Device Removal
  • Drive Capacity
  • Auditing BYOD Devices at Scale
  • Identify Malicious HID USB Devices
• Email Forensic
• Web Browser Forensics
• Windows Forensic Challenge
• Memory Forensics
  • Memory Acquisition
    • Acquisition of System Memory
    • Hibernation and Pagefile Memory Extraction and Conversion
    • Virtual Machine Memory Acquisition
    • Memory changes in Windows 10 and 11
  • Memory Forensics Analysis Process for Response and Hunting
    • Understanding Common Windows Services and Processes
    • Identify Rogue Processes
    • Analyze Process Objects
    • Review Network Artifacts
    • Look for Evidence of Code Injection
    • Audit Drivers and Rootkit Detection
    • Dump Suspicious Processes and Drivers
  • Memory Forensics Examinations
    • Live Memory Forensics
    • Memory Analysis with Volatility
    • Webshell Detection Via Process Tree Analysis
    • Code Injection, Malware, and Rootkit Hunting in Memory
    • Advanced Memory Forensics with MemProcFS
    • WMI and PowerShell Process Anomalies
    • Extract Memory-Resident Adversary Command Lines
    • Investigate Windows Services
    • Hunting Malware Using Comparison Baseline Systems
    • Find and Dump Cached Files from RAM
  • Memory Analysis Tools
    • Velociraptor
    • Volatility
    • MemProcFS
• Advance Forensic and Anti -Forensic Detection
  • Volume Shadow Copy Analysis
    • Volume Shadow Copy Service
    • Options for Accessing Historical Data in Volume Snapshots
    • Accessing Shadow Copies with vshadowmount
    • Volume Shadow Copy Timelining
  • Advanced NTFS Filesystem Tactics
    • NTFS Filesystem Analysis
    • Master File Table (MFT) Critical Areas
    • NTFS System Files
    • NTFS Metadata Attributes
    • Rules of Windows Timestamps for $StdInfo and $Filename
    • Detecting Timestamp Manipulation
    • Resident versus Nonresident Files
    • Alternate Data Streams
    • NTFS Directory Attributes
    • B-Tree Index Overview and Balancing
    • Finding Wiped/Deleted Files using the $I30 indexes
    • Filesystem Flight Recorders: $Logfile and $UsnJrnl
    • Common Activity Patterns in the Journals
    • Useful Filters and Searches in the Journals
    • What Happens When Data Is Deleted from an NTFS Filesystem?
  • Advanced Evidence Recovery
    • Markers of Common Wipers and Privacy Cleaners
    • Deleted Registry Keys
    • Detecting "Fileless" Malware in the Registry
    • File Carving
    • Volume Shadow Carving
    • Carving for NTFS artifacts and Event Log Records
    • Effective String Searching
    • NTFS Configuration Changes to Combat Anti-Forensics

گواهینامه‌ی دوره