AX250 Axiom Advanced Computer Forensics Microlearning

Description

The AX250 Axiom Advanced Computer Forensics microlearning course offers a comprehensive exploration of Windows operating system artifacts and their forensic relevance. Learners will be introduced to the course structure and objectives, followed by modules covering essential Windows concepts, registry analysis, system installation details, and OS upgrade traces. The course also examines recovery options, Microsoft user and group account investigation, and Internet account artifacts, providing practical skills for identifying and interpreting key evidence during digital forensic examinations.

Course modules

Course introduction: A look at the course structure, objectives, and case scenario that will be used throughout the training.

Windows overview: Discussion around the Windows operating system with a focus on core concepts, terminology, and version differences that directly impact artifact location, interpretation, and investigative analysis.

Windows Registry: An explanation of the Windows Registry, highlighting its structure and the types of system and user information it stores that are relevant to digital forensic examinations.

Windows install: A demonstration of how to identify a Windows system’s installed build number, date, and time, and an explanation of why this information is important for validating operating system versions during forensic examinations.

Inside a Windows OS upgrade (Windows.old, Source OS registry keys): An examination of Windows operating system upgrades by analyzing the Windows.old folder and Source OS registry keys to identify when and how many times a system has been upgraded.

What happens during a Windows upgrade (previous OS upgrades and SAM registry): An explanation of how to identify previous Windows operating system upgrades and determine upgrade start and completion times by analyzing archived upgrade artifacts and the SAM registry hive.

Windows recovery: An introduction to Windows recovery options, including system reset and recovery artifacts such as the Windows.old and $SysReset folders, and an explanation of their forensic relevance during investigations.

Microsoft user accounts: An examination of Microsoft user accounts by demonstrating how to identify account details, logon activity, password changes, and failed login attempts using Windows registry artifacts.

Microsoft user accounts (user groups), access control in identifying and verifying group accounts: An explanation of how to identify and verify Windows group accounts by examining access control mechanisms, group membership artifacts, and related registry values used to manage user permissions.

Microsoft Internet Accounts: An examination of Microsoft Internet Accounts, demonstrating how to identify and verify online account details and authentication artifacts, including InternetUID, InternetSID, InternetProviderGUID and related registry values used for Microsoft account sign‑in.

Windows Hello: An introduction to Windows Hello authentication and explanation of how facial recognition, fingerprint biometrics, and PIN sign‑in artifacts can be identified and analyzed during a forensic examination.

Windows password reset: An explanation of Windows password reset mechanisms, including examining password reset disks and recovery files, and highlighting the forensic artifacts created when local Windows passwords are reset.

Windows BitLocker: An introduction to Windows BitLocker encryption and how BitLocker recovery keys and related artifacts can be identified and used to regain access to protected drives during forensic examinations.

Windows Event Logs: An explanation of Windows Event Logs and how event log artifacts can be analyzed to identify system activity, user actions, and significant events during a forensic investigation.

Windows task bar: A closer look at how Windows task bar settings are stored and analyzed by examining the NTUSER.DAT hive to determine user‑pinned applications and taskbar configuration during a forensic investigation.

Windows notifications: An introduction to Windows notification artifacts and how notifications stored in the Windows Notification Center can be analyzed to identify system events, application activity, and user communications during a forensic investigation.

Windows Error Reporting: An explanation of Windows Error Reporting and how error report artifacts can be accessed and analyzed to identify application failures and system issues during a forensic investigation.

Wireless artifacts: An examination of network and Wi‑Fi artifacts with demonstrations of how network connection data, SSIDs, and related wireless activity can be identified and analyzed using Axiom during a forensic investigation.

System Resource Utilization Monitor: An introduction to the System Resource Utilization Monitor (SRUM) and how SRUM artifacts can be analyzed to identify application usage, network activity, and system resource consumption during a forensic investigation.

Introduction to Volume Serial Numbers: A closer look at Volume Serial Numbers (VSNs) and an explanation of how they can be identified, tracked, and correlated across NTFS and FAT32 file systems to support forensic analysis using Magnet Axiom.

LNK files and VSNs: An explanation of where to locate Windows LNK file artifacts and how they can be analyzed alongside Volume Serial Numbers (VSNs) to correlate file access and track user interaction with specific storage volumes during a forensic investigation.

Running exercise: This will be an opportunity to demonstrate how to apply Linked Path filters in Axiom to investigate unknown users and correlate activity using unique VSN values.

Windows Event Logs and VSNs: An explanation of how Windows Event Log artifacts can be analyzed to associate event IDs with Volume Serial Numbers (VSNs) and identify when storage volumes are attached to a Windows system during a forensic investigation.

Running exercise: Access times and VSNs of an ACME workstation: A reinforcement of how to confirm access times and correlate Event IDs on an ACME workstation by analyzing forensic artifacts in Magnet Axiom.

VSNs as filters: An overview of how Volume Serial Numbers (VSNs) can be used as filters in Magnet Axiom to eliminate irrelevant volumes and focus analysis on unidentified storage sources.

Accessing Virtual Hard Disk (VHD) files: Coverage of methods used to identify, access, and examine Virtual Hard Disk (VHD/VHDX) files within a forensic case to analyze data stored on virtualized Windows volumes.

Program Compatibility Assistant and Application Compatibility Assistant: An examination of how Windows Program Compatibility Assistant (PCA) and Application Compatibility Assistant artifacts (AppCompatCache/ShimCache) record application execution and file usage during a forensic examination.

Search for evidence of Brave Browser using ShimCache filter: A focused analysis of artifacts associated with the Brave browser using ShimCache filters in Magnet Axiom to identify evidence of application execution.

Running exercise: Search for evidence of Brave Browser using AmCache filter: A guided exercise focusing on identifying and analyzing evidence of the Brave browser by applying AmCache filters in Magnet Axiom to uncover program execution and installation artifacts during a forensic investigation.

Shellbags with running exercise: An exploration of Windows Shellbag artifacts in Magnet Axiom to identify folder access history, previously mounted volumes, and user activity, even when the original files or folders no longer exist.

Windows Prefetch: An explanation of how Windows Prefetch artifacts record application execution history and how these artifacts can be analyzed in Magnet Axiom to track recent program usage during a forensic investigation.

Prefetch registry settings: A review of how Windows Prefetch behavior is controlled through registry settings by examining the PrefetchParameters key and the EnablePrefetcher and EnableSuperfetch values to determine current system configuration during a forensic investigation.

Analysis of Prefetch artifacts: A demonstration of Windows Prefetch artifact analysis in Magnet Axiom to correlate application execution, usage patterns, and related system activity during a forensic investigation.

Validating results: A discussion on validating Windows Prefetch analysis results by corroborating Magnet Axiom findings with external tools and alternative methods to ensure accuracy and forensic reliability.

Windows Jump Lists artifacts: An examination of Windows Jump Lists artifacts and how they can be analyzed in Magnet Axiom to identify recently and frequently accessed files, application usage, and user activity timelines during a forensic investigation.

Most Recently Used (MRU) artifacts: An explanation of how Most Recently Used (MRU) artifacts can be analyzed in Magnet Axiom to identify recently accessed files, folders, and commands, and to reconstruct user activity timelines during a forensic investigation.

Accessing Registry Order and Value Names: An explanation of how to interpret Registry Order and Value Names within the RecentDocs registry key to determine file access recency and reconstruct user activity during a forensic investigation.

Interpreting an MRUListEx value: A breakdown of how MRUListEx values in the Windows Registry are interpreted to determine the order of file access and accurately reconstruct user activity timelines during a forensic investigation.

Microsoft 365 overview: A forensic‑focused look at Microsoft 365, examining its evolution, core applications and services, and how Microsoft 365 artifacts are categorized and analyzed within Magnet Axiom during an investigation.

Windows Recovery (additional registry locations): An examination of Windows Registry keys and values created by Microsoft 365, including identification of the unique Microsoft account identifier (CID/UID), analysis of the “Pick up where you left off” feature and its inconsistencies, and how Microsoft Word stores user‑specific activity data within the registry.

Microsoft 365 MRU with running exercise: A demonstration of how Microsoft 365 Most Recently Used (MRU) artifacts can be analyzed in Magnet Axiom to identify recently accessed cloud‑based documents, shared files, and user activity through a guided running exercise.

Microsoft Office Backstage: An explanation of how Microsoft Office Backstage artifacts can be analyzed in Magnet Axiom to identify document access, editing, sharing activity, and potential document modification behaviors during a forensic investigation.

Altered PDF files: A demonstration of how altered PDF files can retain hidden historical data and an explanation of how to identify and analyze embedded prior content using Magnet Axiom and hexadecimal analysis during a forensic investigation.

Capturing Active Memory and DumpIt: An explanation of how to capture active system memory from a running Windows computer using DumpIt and an introduction to the forensic significance of volatile memory acquisition during incident response and investigations.

Processing other memory files: A close look at how to process and analyze additional Windows memory‑related files—such as hiberfil.sys, pagefile.sys, and swapfile.sys—in Magnet Axiom to recover artifacts and identify residual evidence during a forensic investigation.

Introduction to Microsoft Cloud and OneDrive: An overview of Microsoft Cloud technologies with a focus on OneDrive, covering how to identify, analyze, and interpret OneDrive artifacts to determine file synchronization and sharing activity between cloud accounts and local systems during forensic investigations.

Explore OneDrive databases and share files: An exploration of key OneDrive databases and synchronization artifacts, focusing on how to analyze file metadata, deletion records, and sharing activity to reconstruct OneDrive usage and file‑sharing behavior during forensic investigations.

Overview of OneDrive logs and URLs: An overview of OneDrive log files and web access URLs, focusing on interpreting synchronization events, deleted file activity, and cloud access patterns to build accurate forensic timelines of OneDrive usage.

Syncing Microsoft Edge, Wi-Fi profiles, and general items: An examination of how Microsoft accounts synchronize Edge browser data, Wi‑Fi profiles, and other general system items across devices, focusing on identifying and interpreting cross‑device synchronization artifacts during forensic investigations.

iOS and Android backups: An introduction to the structure and forensic analysis of iOS and Android backups, including how to identify, interpret, and correlate mobile backup artifacts recovered from Windows systems during digital investigations.

iOS backup encryption: An examination of iOS backup encryption and how encrypted backups can be identified, how encryption impacts available artifacts, and what forensic options exist for accessing protected backup data.

Password cracking methods: A look at common password‑cracking methods and how these techniques are evaluated and applied to recover passwords protecting forensic data during investigations.

Processing an encrypted iOS backup: An explanation of how encrypted iOS backups can be decrypted and processed in Magnet Axiom, including reprocessing techniques used to access protected mobile artifacts within a forensic case.

iOS documents: An examination of iOS documents recovered from backups and how application documents, GUID‑based filenames, and document metadata can be analyzed to reconstruct user document activity.

iOS Keychain: An exploration of the iOS Keychain and how stored credentials, encryption keys, and authentication artifacts can be identified and analyzed to support access to additional evidence during forensic investigations.

Windows password security and storage: An examination of Windows password security and storage, with a look at how authentication credentials, password hashes, and related artifacts are stored within the Windows operating system and how they can be identified and analyzed during forensic investigations.

Windows password recovery: An explanation of Windows password recovery techniques and how recovered credentials and related artifacts can be used to regain access to protected Windows systems and encrypted data during forensic investigations.

BitLocker password recovery: An examination of BitLocker password and recovery key acquisition and how BitLocker‑protected volume artifacts and extracted hashes can be used to regain access to encrypted drives and support forensic analysis of protected data during investigations.

Signal Messenger Desktop decryption: An exploration of Signal Messenger Desktop encryption and how Signal installation artifacts, encryption keys, and database files can be identified and used to decrypt and analyze Signal message data during forensic investigations.

M9T5 - Explore the Signal database: An examination of the decrypted Signal Messenger database and how message records, attachments, metadata, and related tables can be analyzed to reconstruct communication activity during forensic investigations.

Google Drive for Desktop: A closer look at Google Drive for Desktop on Windows and how local synchronization artifacts, cloud storage records, and associated databases can be identified and analyzed to determine Google Drive usage, file activity, and synchronization behavior during forensic investigations.

Database tables (metadata vs. mirror): An explanation of Google Drive for Desktop database tables and how metadata and mirror database artifacts can be identified and analyzed during forensic investigations.

Advanced forensic implications: An examination of advanced forensic implications of Google Drive for Desktop usage and how synchronization behavior, database records, and residual artifacts can be correlated to reconstruct complex user activity, file conflicts, and cloud interaction patterns during forensic investigations.

Microsoft backup solutions for Windows: An exploration of Microsoft backup solutions for Windows and how artifacts from features such as Windows Backup, File History, System Image Backup, and Volume Shadow Copy Service can be identified and analyzed during forensic investigations.

File History default settings and backups user access: A review of Windows File History default settings and user access mechanisms, covering the process of customizing backups and the role of libraries in File History, and explaining how configuration artifacts, backup storage locations, and previous file versions can be identified and analyzed during forensic investigations.

File History internals (Registry Settings, Catalog Files): An explanation of Windows File History internals and how registry settings and catalog files can be identified and analyzed to determine backup configuration, versioning behavior, and file history activity during forensic investigations.

Investigating File History: An overview of Windows File History artifacts within a forensic case and how backup media, catalog data, and preserved file versions can be analyzed to reconstruct file activity and recovery events during forensic investigations.

File History Windows Event Logs and backup contents: An analysis of Windows File History event logs and backup contents, including how event records, catalog data, and backed‑up file versions can be correlated to determine backup activity, errors, and user file behavior during forensic investigations.

Windows apps overview & analysis: An overview of Windows apps, explaining how they differ from traditional installed programs, with a focus on identifying and analyzing Windows app artifacts to determine their relevance during an investigation.

Microsoft Store: An examination of the Microsoft Store as Windows’ primary app marketplace, with a focus on identifying and analyzing Microsoft Store artifacts to determine installed or removed apps and associated user activity during an investigation.

Third-party & other Windows Apps (iTunes, Windows Subsystem for Linux, Photos): An exploration of third‑party and other Windows apps—including iTunes, Windows Subsystem for Linux, and Photos apps—with a focus on identifying and analyzing their artifacts to understand application usage and assess their relevance during an investigation.

NTFS and Object ID: An examination of the NTFS file system with a focus on the Master File Table (MFT) and Object ID ($ObjId) attributes, highlighting how these artifacts can be analyzed to track file creation, movement, and origin during a forensic investigation.

$ObjId, GUIDs, and endianness: An explanation of $ObjId values as GUIDs and how GUID structure and mixed endianness can be interpreted to extract meaningful forensic information such as timestamps and system identifiers from NTFS artifacts.

NTFS artifacts ($Secure, $UsnJrnl, $LogFile): A review of key NTFS artifacts—$Secure, $UsnJrnl, and $LogFile—and how these data sources record file system changes, transactions, and security information to support the reconstruction of file and folder activity during a forensic investigation.

Similar courses

GK200 is an intermediate-level four-day training course, designed for participants who are familiar with the principles of digital forensics and are seeking to expand their knowledge base into iOS and Android examinations using Magnet Graykey. Students must be part of a law enforcement agency and must be cleared in advance to attend this course.

AX250 is an advanced level course designed for students who are familiar with the principles of digital forensics and use Magnet Axiom in Windows investigations. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

This course is an expert-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to improve their mobile device investigations. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

Magnet Axiom Examinations (AX200) is ideal for those who require intermediate-level training with a digital investigation platform that covers cases involving smartphones, tablets, computers, and cloud data in a single collaborative interface. This course is the perfect entry point for examiners who are new to Axiom. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

This course is an intermediate-level four-day training course, designed for participants who are somewhat familiar with the principles of digital forensics and who are seeking to expand their knowledge base into cloud-based and social media forensics. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

AX350 is an expert-level four-day training course, designed for participants who understand digital forensics fundamentals, basic Axiom usage, and are seeking to expand their forensic investigative skills targeting Mac computers. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

Forensic Fundamentals (AX100) is a beginner-level course, designed for participants who are unfamiliar with the principles of digital forensics. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.

Digital Video Investigations with Magnet Witness (DV200) is a beginner-level course, designed for participants who are not yet familiar with the concepts of the recovery and analysis of digital video files from commercially available digital video recorders.

Magnet Axiom to Cyber Transitions is ideal for those who are looking to continue their education and transition into the unique features of Axiom Cyber after taking the Axiom Examinations (AX200) course.

Magnet Axiom Examination (AX200 Microlearning) is ideal for those who are relatively new to forensics and want to learn how to utilize Axiom to get the most out of the forensic platform. Axiom is a platform that covers cases involving mobile device, computer, and cloud data in a single collaborative interface. Students will learn the workflows of how to interrogate and investigate devices containing digital media.

Core Mobile Acquisition and Analysis (AX150) is a beginner level course, designed for participants who are unfamiliar with the principles of mobile forensics. The course focuses on iOS and Android devices from the point of collection to the point of analysis whilst exploring Magnet Axiom and Magnet tools such as Magnet Acquire, the Magnet Custom Artifact Generator (MCAG) and Magnet Axiom Dynamic App Finder.

Core Mobile Acquisition and Analysis (AX150 Microlearning) is a beginner level course, designed for participants who are unfamiliar with the principles of mobile forensics. The course focuses on iOS and Android devices from the point of collection to the point of analysis whilst exploring Magnet Axiom and Magnet tools such as Magnet Acquire, the Magnet Custom Artifact Generator (MCAG) and Magnet Axiom Dynamic App Finder.

Magnet Axiom Advanced Mobile Forensics (AX300 Microlearning) details the use of Magnet Axiom’s advanced mobile analysis capabilities. Students will learn advanced analysis techniques and leverage Magnet Axiom Examine to become proficient in investigating advanced aspects of full file system extractions of both iOS and Android devices.

The Magnet Griffeye Examinations Course is a 3-day training course designed for students who have attended the Magnet Griffeye Lite online course or have already attained proficiency in Magnet Griffeye Advanced. The course is designed to equip you with the necessary skills and tools to handle media files effectively during a criminal investigation, thereby maximizing the productivity of the tool.

Magnet Verakey Examinations (VK200) is an intermediate-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to improve their mobile device investigations.

Magnet Axiom’s Portable Case is a lightweight version of the full capabilities found in Axiom—designed for easy access and analysis of forensic findings. It shares the ability to investigate the case data from digital devices and produce reports with non-technical stakeholders, such as investigators and attorneys.

Magnet Griffeye Lite is a limited, free version of Griffeye offered to law enforcement officials to navigate digital media more efficiently. In this free tutorial, available in numerous 20-minute-or-less modules, attendees will see how they can make the most out of their use of Griffeye Lite, including how to use the software, applying searching and filtering techniques, as well as creating reports and exporting.

This two-day instructor-led course provides students with the knowledge and skills necessary to perform structural comparative analysis on digital image and video files and to articulate expert results in both a report and court of law. Students will learn how to manually decode multimedia files at the binary level, performing authentication examinations using file metadata and structure. We will be working within Magnet Verify.

DV300 is an advanced course designed for investigators, examiners, and analysts who are already operating at a moderate level of audio/video complexity. This course focuses heavily on what practitioners should know instead of step-by-step training on how to conduct an investigation.

This course is a two-day, expert-level training program designed to equip digital forensic examiners with advanced skills for navigating complex mobile data. Emphasizing unsupported third-party applications, advanced data structures, and custom artifact creation, this course will provide essential tools for analyzing mobile device data with confidence.

This course is designed for individuals who have completed the Magnet Griffeye Lite course. It will provide the skills and tools needed to process cases, manage media files, and utilize the collaborative features of the tool, allowing multiple examiners to work together on a single case and enhancing the overall productivity of the tool.

Magnet Axiom Digital Evidence Reporting: A Prosecutor’s Toolkit (AP100) is an introductory-level, three-day training course designed for criminal prosecutors. It provides a strengthened understanding of digital forensics and how it applies to prosecutorial duties.
