Annual Computer Security Applications Conference (ACSAC) 2012

Full Program »

T9: Windows Digital Forensics and Incident Response

Tuesday, 4 December 2012
08:30 - 12:00


Digital forensics and incident response are two of the most critical fields in all of information security. The staggering number of reported breaches in the last year has shown that the ability to rapidly respond to attacks is a vital capability for all organizations. Unfortunately, the standard IT staff member is simply unable to effectively respond to security incidents. Successful handling of these situations requires specific training in a number of very technical areas including file system implementation, operating system design, and knowledge of possible network and host attack vectors.

During this training, students will learn the theory around digital forensics and incident response as well as see how it is applied on the same types of evidence used in real-world investigations. Upon completion of the training, students will be able to effectively preserve and analyze a large number of digital evidence sources, including both on-disk and in-memory data. These skills will be immediately usable in a number of investigative scenarios, and will greatly enhance even experienced investigators' skillset.

Prerequisites. No previous knowledge on digital forensics. Some scripting or Windows systems knowledge would be beneficial, but not mandatory.


  1. Introduction and overview (15 mins)
  2. Forensic Process (30 mins)

Discussion of forensically sound acquisition of evidence. "Live" vs "dead" acquisition

  1. File system theory (30 mins)


  1. Sleuthkit (35 mins)

Overview and Usage of Tools. File recovery. Metadata.

  1. File Carving (30 mins)

Explanation. Methods and Tools. Creating custom signatures.

  1. Files of Interest (80 mins)

Registry Files. Recycle Bin. Browser Files. LNK Files. Prefetch/Superfetch Files. Print Files. Pictures. Logs. Restore Points and Volume Shadow Service.

  1. Memory (RAM) Forensics (95 mins)

Acquisition. Raw dump. Hibernation files. Crash dump. Firewire. Address spaces. Memory structures. Volatility. Overview of plugins. Plugin writing.

  1. Timelining (45 mins)

Putting it all together. Analysis Scenario.

About the Instructor:

Ms. Jamie Levy is a senior researcher and developer at Terremark Worldwide, A Verizon Company. Prior to joining Terremark, she worked on various R&D projects and forensic cases at Guidance Software, Inc. Jamie has taught classes in Computer Forensics and Computer Science at Queens College (CUNY) and John Jay College (CUNY). She has an MS in Forensic Computing from John Jay College and is an avid contributor to the open source Computer Forensics community. She is an active developer on the Volatility (Memory Forensics) Framework. Jamie has authored peer-reviewed conference publications and presented at conferences (OMFW, CEIC, IEEE ICC) on the topics of memory, network, and malware forensics analysis. Additional technical articles and blog posts by Jamie can be found at


Powered by OpenConf®
Copyright©2002-2014 Zakon Group LLC