SANS Digital Forensics & Incident Response Workshop

  • Tuesday, 21 July, 2015 | 09.00 – 17.00 hrs | Sands Level 4 | Room: Peony 4401

View all Sessions

Note: There’s an additional fee of S$850 + 7% GST to attend the SANS Workshop. Attendance is only open to those registered for RSA Conference Asia Pacific & Japan 2015.

Ever wanted to take a SANS Forensics course but couldn’t? Want to know the most effective places to look for evidence of information theft? Now you can join us for this special one-day workshop hosted at RSA Asia Pacific & Japan 2015 where SANS Certified Instructor and experienced computer forensic investigator Nick Klein will take you through highlights from the SANS DFIR curriculum and provide insights from his own experiences, covering a range of Windows artifacts including link files, jump lists, shellbags, Recycle bin, Internet history, prefetch, document metadata, geolocation techniques, USB key analysis and more. You’ll learn where the evidence is located, how to correctly analyze it and how you can use it effectively in real life investigations.

The purpose of this workshop is to teach you practical computer forensic skills and tools that will help you to investigate one of the most common incidents that occurs in many organizations - the theft of confidential information. This workshop is based on material from the full SANS Windows Forensic Analysis (FOR408) course.

Below are the areas of analysis that we’ll be covering during the workshop. They’ve been selected to cover a broad range of artefacts and provide an interesting and valuable learning experience for both novice and technically skilled forensic investigators.

  • Recycle Bin
  • Shortcut / Link Files
  • Jump Lists
  • Internet History
  • Shellbags
  • USB Devices
  • Document Metadata
  • Network Connections
  • Email Geolocation
  • Thumbnail Forensics
  • Deleted Registry Keys
  • Prefetch

Due to the compact format of the workshop, there will not be designated times for practice exercises during the day. However with the forensic tools provided on your USB, you can follow along with the demonstrations throughout the day. Should you wish to do so, you will need to bring your own laptop computer with the following recommended minimum requirements:

  • Any 32 or 64 bit version of Microsoft Windows. If using an Apple Mac, you need Windows to be accessible either through Boot Camp or a virtual machine using VMware Fusion or Parallels.
  • USB 2.0 or higher and at least 5 GB of free local hard drive space to copy and run the sample evidence and tools on your local computer.
  • You must have access to a Windows account with Local Administrator privileges, so you can install the forensic programs on the USB key.
  • Microsoft Office (any version) with Excel or OpenOffice with Calc installed on your computer.

  • If you have additional questions about the laptop specifications, please contact


This document was retrieved from on Mon, 22 Jul 2019 05:50:36 -0400.