AccessData Forensic Vista

This advanced AccessData workshop provides the knowledge and skills necessary to analyze Microsoft® Windows Vista™ operating system artifacts and file system mechanics using Forensic Toolkit (FTK), FTK Imager, Password Recovery Toolkit (PRTK), and Registry Viewer.

During this three-day workshop, participants will review the following:

  • GUID Partition Table (GPT): Students will use FTK Imager to navigate the GPT partitioning scheme introduced alongside Windows Vista.
  • File Structure Changes: Students will learn the mechanics of reparse points and mount points in the Windows Vista file structure.
  • BitLocker Full Volume Encryption (FVE): Students will use FTK Imager and Windows Vista's own BitLocker support to decrypt an FVE-protected drive and acquire a sector-by-sector image of it.
  • Windows Vista Artifacts, such as:
    • Vista EFS -- Updated EFS Algorithms
    • Recycle Bin -- Updated File Recovery Mechanics
    • Thumbcache -- Enhanced Thumbs.db Functionality
    • Activity History -- Local Machine and Browser Indices
    • Link and Spool Files -- Structure and Content Changes
    • Windows Event Logs -- Enhanced XML Output and Viewing
    • Volume Shadow Copy -- Previous File Version Recovery from System Volume Information (SVI)
  • Windows Vista Registry:
    • NTUser.DAT Changes -- MRU and UserAssist Changes
    • SAM Hive User Changes -- Domain and User Value Additions
    • System USBStor Information -- Device Identification and Protection
    • AutoComplete & Search Terms -- Updated for Vista & Internet Explorer 7
The workshop includes multiple hands-on labs in which students apply what they have learned.

Prerequisites:
To obtain the maximum benefit from this workshop, attendees should be familiar with:
  • Windows XP forensic analysis
  • Windows NT file system (NTFS) mechanics
  • FTK, FTK Imager and Registry Viewer

Course Materials and Software:
Attendees will receive reference documentation and workshop files.