SANS Digital Forensics and Incident Response Blog: Daily Archives: Feb 01, 2010

Which SANS Digital Forensic Course Should You Take?

Computer Forensic Course Assessments

Over the past year, we have been asked many questions about what the SANS Digital Forensic courses offer and which course would be appropriate for you.

FOR408 - Computer Forensic Essentials - Teaches traditional crime forensics - FOCUS -> Windows Forensics In-Depth and Investigation Analysis

FOR508 - Computer Forensic Investigations and Incident Response - Teaches how to respond to technically savvy criminals and challenging intrusion cases - FOCUS ->


It's the little things (Part One)

For forensic analysts working in Windows environments, .lnk shortcut files and the thumbnail caches are valuable sources of detail about data that is no longer present.

Individuals wanting to hide their activities may flush their browser cache and Temp files, and even wipe the drive's free space. However, they may forget these two minor "tidbits", which can show detail, indicate actions and reveal associated history. Be warned: I have found Windows machines with thousands of .lnk files on a "scrubbed PC."

The shortcut (.lnk) file is an amazing mine of information for such a small file. This PDF (See Link) is an invaluable source describing the details of the shortcut .lnk format. The shortcut file name format is usually name.ext.lnk. There may be multiple .lnk files created for one file depending upon the type.
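To show concretely what that "mine of information" contains, here is an added example (not code from the original post) that parses the Shell Link header, LinkInfo block and StringData of a .lnk file according to the public MS-SHLLINK layout and pulls out the fields an examiner cares about: the target's three timestamps and size at the time the link was last written, the volume serial number and label of the drive the target lived on, the full local path, and the working directory. Because no real artifact is attached, the block builds its own constructed sample shortcut to a file called Brains.docx; every path, serial number and timestamp in it is invented, and ANSI strings are assumed to be code page 1252.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader constants from the MS-SHLLINK specification.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def ft_to_dt(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_ft(dt: datetime) -> int:
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def _cstring(data: bytes, off: int) -> str:
    """NUL-terminated ANSI string at off (code page 1252 assumed)."""
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def _string_data(data: bytes, off: int, unicode: bool):
    """One StringData element: CountCharacters, then the string without a terminator."""
    (n,) = struct.unpack_from("<H", data, off)
    if unicode:
        return data[off + 2:off + 2 + 2 * n].decode("utf-16-le"), off + 2 + 2 * n
    return data[off + 2:off + 2 + n].decode("cp1252"), off + 2 + n


def parse_lnk(data: bytes) -> dict:
    """Extract the forensically interesting fields of a Shell Link (.lnk) file."""
    (hdr_size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, _icon, show_cmd, _hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if hdr_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    out = {
        "link_flags": flags, "file_attributes": attrs, "show_command": show_cmd,
        # These are the TARGET's timestamps, captured when the link was last updated,
        # not the filesystem timestamps of the .lnk file itself.
        "target_created": ft_to_dt(ctime), "target_accessed": ft_to_dt(atime),
        "target_modified": ft_to_dt(wtime), "target_size": fsize,
    }
    off = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:            # skip the ItemIDList; its size prefix excludes itself
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        li = off                                   # all LinkInfo offsets are relative to this point
        li_size, _li_hdr, li_flags, vol_off, base_off, _cnrl_off, suffix_off = struct.unpack_from("<7I", data, li)
        if li_flags & 0x01:                        # VolumeIDAndLocalBasePath
            _vsize, drive_type, serial, label_off = struct.unpack_from("<4I", data, li + vol_off)
            out["drive_type"] = drive_type         # 3 = DRIVE_FIXED, 2 = DRIVE_REMOVABLE
            out["volume_serial"] = f"{serial:08X}"
            out["volume_label"] = _cstring(data, li + vol_off + label_off)
            out["local_base_path"] = _cstring(data, li + base_off)
        out["common_path_suffix"] = _cstring(data, li + suffix_off)
        off += li_size
    unicode = bool(flags & IS_UNICODE)
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:                           # StringData elements appear in exactly this order
            out[key], off = _string_data(data, off, unicode)
    return out


def build_sample_lnk() -> bytes:
    """Constructed sample shortcut to Brains.docx; every value here is invented for the demo."""
    t0 = datetime(2010, 1, 28, 14, 30, tzinfo=timezone.utc)
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIH", 0x4C, LINK_CLSID, flags, 0x20,   # 0x20 = FILE_ATTRIBUTE_ARCHIVE
                         dt_to_ft(t0), dt_to_ft(t0 + timedelta(days=3)),
                         dt_to_ft(t0 + timedelta(days=1)), 24576, 0, 1, 0) + b"\x00" * 10
    label = b"SYSTEM\x00"
    volume_id = struct.pack("<4I", 16 + len(label), 3, 0x1A2B3C4D, 16) + label
    base_path = b"C:\\Documents and Settings\\rob\\My Documents\\Brains.docx\x00"
    vol_off = 28                                   # directly after the seven-DWORD LinkInfo header
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<7I", suffix_off + 1, 28, 1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base_path + b"\x00"   # empty CommonPathSuffix

    def sd(s):                                     # StringData element, UTF-16LE
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + link_info + sd(".\\Brains.docx") + sd("C:\\Documents and Settings\\rob\\My Documents")


if __name__ == "__main__":
    for k, v in parse_lnk(build_sample_lnk()).items():
        print(f"{k:20} {v}")
```

Two points matter when reading the output. The three timestamps come from the target file as it existed when the shortcut was written, so they survive even after the target has been deleted or wiped, which is exactly why a scrubbed machine can still tell you when a document was last modified. The volume serial number and label identify the drive the target lived on, so a shortcut whose serial matches no volume on the evidence drive points at a removable device or a network share that is no longer present.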

XP stores the .lnk files for the Word 2007 Document Brains.docx in: