
Whichever way you look at it, Microsoft’s software, and Windows in particular, is still in use all over the world. That also means attackers concentrate on these products when planning an intrusion. With its ‘FOR500: Windows Forensic Analysis’ course, cybersecurity training and research institute SANS Institute teaches security specialists how to investigate this well-known operating system forensically: where its evidence lives, and how to reconstruct what happened on a compromised machine.

Almost everyone who manages, secures or develops applications for an IT environment has to deal with it: the many software solutions from Microsoft. It is therefore not entirely surprising that this tech giant’s products are among the most attacked software solutions in the world. Recent research shows that last year, no less than eight of the ten most attacked software solutions were Microsoft products.

Nearly all well-known Microsoft products are affected, but the most frequently attacked is the Windows operating system. Windows remains the dominant operating system in large enterprises and many other organizations, and the rise of Linux and macOS has changed little about this, as Carlos Cajigas, Managing Partner of Covert Bit Forensics and Certified SANS Instructor, told Techzine.

Two main attack vectors against Windows

According to Cajigas, Microsoft’s operating system is nowadays attacked mainly through two vectors. First, there is a growing hunt for vulnerabilities in web browsers, which are the most exposed piece of software on a Windows endpoint. Second, attacks on Windows increasingly take the form of ransomware.

Deep Windows knowledge important

To be able to stop attacks on Windows, it pays to understand the operating system in depth. That understanding explains why a given attack is a threat to your organization and where to look for demonstrable traces of it. Security experts really need to know what goes on under the hood and which traces a malicious action leaves behind. Recovering and interpreting those traces is what is called ‘forensics’.

Only when experts have all these skills can they take the right steps and really protect their organizations against the many Windows malicious acts, according to Cajigas.

SANS Institute course FOR500 Windows Forensic Analysis

In order to train cybersecurity experts in a thorough and forensic knowledge of Windows, SANS Institute offers the FOR500 course: Windows Forensic Analysis.

The course focuses on developing a deep forensic knowledge of various Windows operating systems. The focus is on the versions Windows 7, 8, 10 and Windows Server 2008/2012/2016. According to the cybersecurity training and research institute, these are the Microsoft products that are now the most widely used within companies and organisations. In addition, attention is paid to other widely used Microsoft tools such as Office, Office 365, Cloud Storage, SharePoint, Exchange and Outlook.

More specifically, students learn to identify the artifacts and their locations within the operating system and other software. Knowing these locations lets them answer critical questions about which programs were executed, which files were accessed, and whether data was stolen. They also learn what can be recovered about the use of external devices, cloud services, geolocation, file downloads and detailed system usage. Finally, they learn the anti-forensic techniques attackers use to frustrate an investigation.
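As an added illustration of three of the artifact categories named above (program execution, file access and external devices), the following PowerShell collects them from a live Windows host. This is example code written for this page, not material from the FOR500 course or from SANS; the function names are the author's own, while the artifact locations (the Prefetch directory, the USBSTOR enumeration key and the per-user RecentDocs key) are standard Windows locations.

```powershell
# Added example, not part of the FOR500 course material.
# Collects three common Windows forensic artifacts from a live system.
# Function names are hypothetical; artifact paths are the standard Windows ones.

function Get-PrefetchExecutionEvidence {
    # Prefetch files (<SystemRoot>\Prefetch\NAME.EXE-HASH.pf) are created when an
    # executable runs. The file's LastWriteTime approximates the most recent run,
    # its CreationTime the first run. Prefetch is enabled by default on workstations
    # but usually disabled on servers, so an empty result is itself a finding.
    [CmdletBinding()]
    param([string]$PrefetchPath = "$env:SystemRoot\Prefetch")

    Get-ChildItem -Path $PrefetchPath -Filter '*.pf' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Executable names may themselves contain '-', so split on the last one.
            $idx = $_.BaseName.LastIndexOf('-')
            [PSCustomObject]@{
                Executable = $_.BaseName.Substring(0, $idx)
                PathHash   = $_.BaseName.Substring($idx + 1)
                FirstRun   = $_.CreationTime
                LastRun    = $_.LastWriteTime
            }
        } | Sort-Object LastRun -Descending
}

function Get-UsbStorageHistory {
    # HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR keeps one key per device model and,
    # beneath it, one key per serial number that has ever been plugged in. The keys
    # survive device removal, which is what makes this a history rather than a status.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $model = $_
        Get-ChildItem -Path $model.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                DeviceModel  = $model.PSChildName   # e.g. Disk&Ven_Kingston&Prod_DataTraveler...
                SerialNumber = $_.PSChildName       # unique per physical device (ends in &0 if generated by Windows)
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

function Get-RecentDocsHistory {
    # HKCU\...\Explorer\RecentDocs records files opened through the shell for the
    # current user. Each numbered value is binary: a null-terminated UTF-16LE document
    # name followed by the name of the .lnk file Windows created for it.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { return }

    foreach ($valueName in $item.GetValueNames()) {
        if ($valueName -eq 'MRUListEx') { continue }   # ordering list, not a document
        $bytes = $item.GetValue($valueName)
        if (-not ($bytes -is [byte[]])) { continue }
        $text = [System.Text.Encoding]::Unicode.GetString($bytes)
        [PSCustomObject]@{
            Index    = [int]$valueName
            Document = $text.Split([char]0)[0]
        }
    }
}

# Usage on a live host (run from an elevated prompt so USBSTOR is readable):
Get-PrefetchExecutionEvidence | Select-Object -First 10 | Format-Table -AutoSize
Get-UsbStorageHistory          | Format-Table -AutoSize
Get-RecentDocsHistory          | Sort-Object Index | Format-Table -AutoSize
```

Two caveats a practitioner would add. Running this on the live machine alters the very artifacts it reads (your own PowerShell session creates a Prefetch entry, for instance), so for evidentiary work the same locations are normally parsed from a disk image or from exported SYSTEM and NTUSER.DAT hives instead. And RecentDocs is per user: on a live system this only reads the hive of whoever runs the script, so other accounts' histories require loading their NTUSER.DAT separately.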

In addition to these technical topics, participants learn to focus on analysis rather than on running a particular tool to solve a problem. They also learn to ask critical questions and to build their own forensic capacity using the SANS SIFT Workstation.

SANS SIFT Workstation

The SANS SIFT Workstation is a free, downloadable virtual appliance from the cybersecurity training and research institute. It is a Linux (Ubuntu-based) system that bundles a large collection of open source forensic and incident response tools, with which security specialists can carry out extensive digital forensic investigations, including of Windows disk images and memory captures.

For whom is this course intended?

Anyone can take part in this course. Prior experience in forensic investigation is not required.

What does it yield?

Students learn techniques for examining the files and folders that provide the most answers in the least amount of time. The methods taught are the same ones the instructors use in their own daily practice, so students know they are working with field-tested techniques and can put what they have learned into practice immediately and with confidence.

In addition, they gain an understanding of what exactly counts as digital forensic evidence, how to pick up specific investigation techniques quickly, and how to apply them to the Windows operating system.

More information

More information about the SANS Institute FOR500: Windows Forensic Analysis course can be found here.