What you'll learn:
- Understand the Shimcache artifact
- Be able to explain Shimcache evidence
- Learn the user behaviors that affect the artifact
- Know how to validate Shimcache evidence
- Learn how to interpret artifact results
- Learn how to use freely available tools to extract in parse the artifact
Welcome to the Surviving Digital Forensics series. This class is focused on helping you become a better computer forensic examiner by understanding how to use Windows Shimcachedata to prove file use and knowledge - all in about one hour.
As with previous SDF classes you will learn by doing. The class begins withWindows Shimcachefundamentals and will providean understanding of how the artifactworks. Then students delve into severalvalidation exercises to observehow user drivenactivity affects Windows Shimcacheevidence. The last section teaches students how to usefreely availableDFIR community built forensic tools to examine Shimcacheevidence. By the end of the class students will have a solid understanding of how to use theWindows Shimcacheasevidence, understand thetypes of user behaviors that affect the Shimcacheand know how to use Windows Shimcacheforensic tools.
Expert and novice computer forensic examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply using our method or with any forensic tool you choose. Therefore you are not just going to learn about the Windows Shimcachebut you will learn a method you can use to answer questions that may come up in the future.
A PC running Windows 8or Windows 10is required for this course. The forensic tools we use are all freely available, so beyond your laptop andoperating system all you need is the desire to become a better computer forensic examiner.
