Find evidence of past and present executables on Windows systems and uncover malicious tools.
Shimcache evidence can be crucial for Incident Response investigations, data spoliation inquiries, and File Use and Knowledge exams. As with previous SDF classes, you will learn by doing. The class begins with a brief overview of the Windows Shimcache and how it works. Then we will work through a number of validation exercises to see how user activity affects Windows Shimcache data. Learning is hands-on, and we will use low-cost and no-cost computer forensic tools to do so.
Expert and novice computer forensic examiners alike will gain from this class. Since we are doing it the SDF way, we are going to teach you real computer forensic skills that you can apply using our method or with any forensic tool you choose. You will therefore learn not just about the Windows Shimcache but also a method you can use to answer questions that may come up in the future.