Encrypted Files Case #1

CASE STUDIES

Encrypted Files Case Study #1

In this case study, a series of encrypted files are identified within the sample evidence that investigators are given the task of investigating. This includes reviewing the files to find their origins, retrieve the original contents of these files before they became encrypted, and locate evidence of software that was used to perform these encryption algorithms. This case study will use Windows Prefetch, Jump List, Registry UserAssist, and Volume Shadow Copy artifacts to recover information regarding such encrypted files.

Enroll now for $50

Course Curriculum

01
Overview
- Introduction
- Tool Requirements
  FREE PREVIEW
- Case Study Forensic Image
02
Guided Questions
- Initial Investigation
- Prefetch Files
- Volume Shadow Copies
- Jump Lists
- Conclusion
03
Solutions
- Case Study Solution
- Solution Report
- Finally, before you go...

Course Type: Hands-on

Do-it-Yourself (DIY) Investigation

Get Started Now

Enroll now for $50

Learning Outcomes

During this case you will learn how to investigate a system and locate evidence when the user encrypted some of their interesting files.

Learning how to utilize multiple artifacts together in an investigation.
Learning how to investigate software execution and file access history artifacts.
Learn how to find user activity related to files of interest, even though they are encrypted.

Technical Requirements

For the hands-on labs in this case study

Windows 10 operating system (recommended)
Internet Connection
FTK Imager here
Eric Zimmerman Tools here
ShadowExplorer here

What is next at Cyber 5W?

Add your email to the mailing list to get the latest updates.