SDF: Windows Prefetch Forensics

Learn how to analyze Windows prefetch evidence

Rating: 4.43 (343 reviews)
Platform: Udemy
Language: English
Category: Network & Security
Students: 1,601
Content: 1.5 hours
Last update: Mar 2018
Regular price: $64.99

What you will learn

Understand what the Windows Prefetch artifact is

Be able to explain the artifact

Know what types of user behavior affect the artifact

Know how to conduct validation testing

Understand how to properly interpret Prefetch results

Know how to use several freely available Prefetch forensic tools

Description

Welcome to the Surviving Digital Forensics series. This class is focused on helping you become a better computer forensic examiner by understanding how to use Windows Prefetch data to prove that a program was executed, when it ran, and which files it touched - all in about one hour.

As with previous SDF classes you will learn by doing. The class begins with Windows prefetch fundamentals and provides an understanding of how the artifact works. Students then work through several validation exercises to observe how user-driven activity affects Windows prefetch evidence. The last section teaches students how to use several freely available, community-built DFIR tools to examine prefetch evidence. By the end of the class students will have a solid understanding of how to use the Windows prefetch as evidence, understand the types of user behavior that affect it, and know how to use Windows prefetch forensic tools.

Expert and novice computer forensic examiners alike will gain from this class. Because we do it the SDF way, we teach you real computer forensic skills that you can apply using our method or with any forensic tool you choose. You will therefore not just learn about the Windows prefetch; you will learn a method you can use to answer questions that come up in the future.

A PC running Windows 8 or Windows 10 is required for this course. The forensic tools we use are all freely available, so beyond your laptop and operating system all you need is the desire to become a better computer forensic examiner.
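The validation exercises described above (first run time, last run time, run from USB, deleted executable, latency) all start from the same two checks: is the prefetcher actually enabled on the system, and what do the .pf files in the prefetch directory show? The PowerShell below is an added example written for this page, not course material or a tool from the class. It assumes a live Windows 8/10 system and reads its own prefetch directory; on an evidence image, set $PrefetchDir to the exported Windows\Prefetch folder instead. It only uses file-system timestamps and the .pf filename, which is enough for a first-pass validation but not a substitute for a parser.

```powershell
# Added example (not from the course): first-pass validation of the Windows Prefetch artifact.
# Assumption: run on the system under test, or point $PrefetchDir at an exported Windows\Prefetch folder.

$PrefetchDir = Join-Path $env:SystemRoot 'Prefetch'
$RegKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'

function Get-PrefetchState {
    # EnablePrefetcher: 0 = disabled, 1 = application launch prefetching,
    # 2 = boot prefetching, 3 = both. Check it rather than assume it; an absent
    # or zero value explains "no .pf files" without anyone having cleaned up.
    $value = (Get-ItemProperty -Path $RegKey -Name EnablePrefetcher -ErrorAction SilentlyContinue).EnablePrefetcher
    $meaning = switch ($value) {
        0       { 'disabled' }
        1       { 'application launch prefetching only' }
        2       { 'boot prefetching only' }
        3       { 'application launch and boot prefetching' }
        default { 'value not present; validate on the evidence system before drawing conclusions' }
    }
    [pscustomobject]@{ EnablePrefetcher = $value; Meaning = $meaning }
}

function Get-PrefetchSummary {
    param([string]$Path = $PrefetchDir)

    # Filenames have the form EXENAME-PATHHASH.pf. The hash is computed over the
    # full path of the executable, so the same binary launched from C:\Tools and
    # from a USB stick leaves two different .pf files ("Run from USB" exercise).
    Get-ChildItem -Path $Path -Filter '*.pf' -ErrorAction Stop | ForEach-Object {
        $base = $_.BaseName
        $dash = $base.LastIndexOf('-')
        if ($dash -lt 0) {
            $exe = $base; $hash = ''      # unexpected name; keep it rather than crash
        } else {
            $exe = $base.Substring(0, $dash); $hash = $base.Substring($dash + 1)
        }
        [pscustomobject]@{
            Executable  = $exe
            PathHash    = $hash
            # File-system timestamps are only an approximation: creation ~ first run,
            # last write ~ last run. The prefetcher writes the file roughly 10 seconds
            # after launch ("Latency Issues"), so never treat these as exact. The run
            # count and the embedded last-run FILETIMEs require a .pf parser.
            FirstRunUtc = $_.CreationTimeUtc
            LastRunUtc  = $_.LastWriteTimeUtc
            SizeBytes   = $_.Length
        }
    }
}

Get-PrefetchState | Format-List

Get-PrefetchSummary |
    Sort-Object LastRunUtc -Descending |
    Select-Object -First 20 |
    Format-Table -AutoSize
```

Two things worth remembering when reading the output: a .pf file whose executable no longer exists on disk still shows that the binary ran ("Deleted Executable" exercise), and two entries with the same Executable but different PathHash values mean two different launch paths, not two copies of one record. For run counts, the eight embedded last-run timestamps on Windows 8 and later, and the list of loaded DLLs and support files, move on to one of the parsers listed in the Forensic Tools section.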

Content

Introduction

Welcome to Windows Prefetch Forensics
Class outline
Class Tools & Downloads
Operating system for class
Tools for the practical exercises

Understanding Windows Prefetch

What is Windows Prefetch?
Forensic Value
Forensic Breakdown
File Headers
Prefetch Registry Key
Caveats
Prefetch Knowledge Check

Validation Exercises

Overview
First Run Time
Last Run Time
Run from USB
Deleted Executable
DLLs & Other Support Files
Latency Issues
Validation Wrap-up
Prefetch Knowledge Check

Forensic Tools

Overview
Sample prefetch data
FTK Imager
WinPrefetchView
CDQR
RegRipper
Windows Prefetch Parser - Setup on Windows
Windows Prefetch Parser - Usage

Conclusion

Conclusion
Thank you!


Reviews

Angel
August 16, 2023
It is very nicely explained and uses an up-to-date environment. It is an interesting subject regarding these precise forensic artifacts, although most modern PCs will come with prefetching disabled by default. But the course itself is worth the time.
Edson
May 7, 2021
It was a nightmare trying to replicate the forensic tools exercises due to the compatibility of new versions of the same tools. It would have been much better to download them from here like usual, instead of from the official page, to avoid those issues.
John
November 6, 2020
The presenter is very understandable and clear, giving me specific information concerning the topic...
Veronica
August 4, 2020
Thanks for the course! I've found it to be extremely useful. It's perfect for newbies and the teacher speaks clearly enough even for a foreigner. The material itself is interesting. What I personally valued the most is that this course is highly practical and the teacher explains not only how to use the tools but also how to use the acquired information.
Marguerite
April 26, 2020
This is my 3rd course with Michael, and what can I tell you? He is a great instructor. Although some of the versions of the programs are outdated, if you are taking this course then it must mean you know a thing or two about computers so it shouldn't be a problem to use the updated tools :) Nothing has changed that would be different anyways!
Fran
August 18, 2019
I would have liked it to be in Spanish; even so, it is easy to understand. I learned about new tools and how they work.
Brian
November 30, 2018
I came in knowing about Windows Prefetch but not really having any hands on experience with examining prefetch files. The hands on exercises were really nice to be able to follow along with. I think this course was a really good length and the only improvement I can think of would be to add in some kind of real world case study involving Windows Prefetch.
Bruce
April 28, 2017
It's a good introduction; however, I would have liked a hex view of a Windows 8 or 10 example of a prefetch file, and to be walked through that view, i.e. where the timestamps are, the format, etc.
Eugene
February 17, 2015
Brief, concise, not watered down. This is an excellent online course, which has furthered my understanding of windows prefetch. The course was engaging, providing me with the essentials and enough knowledge to continue to research and validate on my own! I am definitely going to take other Sumuri classes on Udemy.

Udemy ID: 375628
Course created: 12/22/2014
Course indexed: 9/6/2020
Submitted by: Bot