I took the "Investigating Windows Endpoints" course by 13Cubed, was it worth it?

Recently I took the “Investigating Windows Endpoints” course by 13Cubed.

I was looking for a course that could help me consolidate my knowledge of Windows forensic artifacts, so I started looking at the options available on the market.

I am an avid consumer of 13Cubed YouTube videos, so I knew that he had launched the “Investigating Windows Endpoints” course.

I looked at the syllabus and it complemented quite well what I wanted to cover and what I was still missing after taking the SANS FOR508 course and earning the GCFA certification.

The course also includes a final exam, so it is possible to test the knowledge gained.

So I pulled the trigger and bought it.

How is the course structured?

The course is an on-demand course, composed at the time of writing of 40 sections, with 365-day access.

Following is a TL;DR of the major topics covered by Investigating Windows Endpoints by 13Cubed and a comparison with the SANS FOR508 course.

| Topic                     | Investigating Windows Endpoints - 13Cubed | FOR508 - SANS |
|---------------------------|-------------------------------------------|---------------|
| Anti Forensics techniques |                                           | x             |
| Evidence of execution     | x                                         | x             |
| Incident Response         |                                           | x             |
| Log Files and Journal Log | x                                         | x             |
| Master File Table ($MFT)  | x                                         | x             |
| Memory Analysis           |                                           | x             |
| Registry Analysis         | x                                         | x             |
| Shell Items               | x                                         | x             |
| Threat Hunting at scale   |                                           | x             |
| Timelining                | x                                         | x             |
| Web Browser Forensics     | x                                         |               |
| Windows Activity Timeline | x                                         |               |
| Windows Event Logs        | x                                         | x             |
| Windows Search Index      | x                                         |               |

Here is the complete syllabus for each course:

How long is the “Investigating Windows Endpoints” course? As stated by the author himself:

Approximately 11 hours for the video content; however, there are three (3) included disk images.
The total time required to complete all modules/lessons and perform image analysis is estimated at 20-40 hours.

For each section, Richard first explains the theory behind the artifact and then goes through live practical examples.

Lectures are delivered via video, supplemented by external resources where necessary. There are no slides, so you need to take your own notes; nevertheless, links to cheat sheets created by 13Cubed are shared during the course. They can also be found here, in the Windows Forensics section:

In my home lab, to practice what I was learning, I created virtual machines in which I replicated the TTPs and checked the resulting findings. I highly recommend doing the same if you are going through this course, so as to gain hands-on experience with the Windows artifacts of each section.

This is a non-comprehensive list of the tools used during the course:

  • Windows Sandbox
  • Windows Subsystem for Linux (WSL)
  • Windows Terminal
  • Sysinternals Suite
  • Microsoft PowerToys
  • FTK Imager
  • Arsenal Image Mounter
  • Eric Zimmerman’s Tools
  • KAPE
  • NirSoft BrowsingHistoryView
  • RegRipper
  • TestDisk / PhotoRec
  • Thumbcache Viewer
  • Thumbs Viewer

At the end of the course, two disk images are provided and you are tasked with investigating a security scenario using what you have learned. These disk images offered the right amount of challenge and helped me check that I had understood the topics before diving into the final exam.

Once I felt ready, I took the “Knowledge Assessment”. The assessment is composed of 80 questions: 60 theoretical questions based on the course content and 20 questions based on the assessment disk image, which brings the total to three disk images provided during the course that can be used for practice.

Successful completion of the assessment results in the awarding of a badge. I passed on the first attempt, so I received a gold digital certificate:
https://credsverse.com/credentials/a187d8df-7a7b-489d-9a64-7ff80a38424c?preview=1

What did I learn and was it worth it?

Thanks to the course, I was able to review Windows artifacts I already knew and learn about new ones. The forensic artifacts taught are used throughout the DFIR community and are directly applicable to day-to-day investigations. After taking the course I am now more confident in investigating these artifacts on my own.

So yes, it was worth it.

Alternatives and other resources

In the first section I talked about alternatives; in the past I also had a look at the “Practical Windows Forensics” course provided by Markus Schober on TCM Security, now also available on https://bluecapesecurity.com/

From SANS there is the FOR500: Windows Forensic Analysis course.

Practice is king when it comes to making new knowledge stick.
That is why over the years I have also been using platforms like tryhackme.com, thedfirreport.com labs and cyberdefenders.org; each of them has its pros and cons and covers different needs. Generally speaking, I can recommend all of them.

Should you have any suggestions, comments or questions about the “Investigating Windows Endpoints” course by 13Cubed, this blog post or any other resources mentioned, please feel free to contact me.