Participants are also introduced to AccessData™ decryption technology software. The course outlines how Password
Recovery Toolkit™ (PRTK) and Distributed Network Attack™ (DNA) recover passwords from common applications, including
the types of attacks that may be employed. It also reviews PRTK and DNA features and functions, including how to start attack
sessions, how to import dictionaries, how to create attack profiles, and how to report Session/Job properties information.
Also key to this course is AccessData Decryption Methodology. Students review tactics like generating dictionaries based on
suspect intelligence or exporting a word list from FTK, then importing the word list in PRTK or DNA to build an attack profile.
After setting up the framework of decryption tools and strategies, this course focuses on how to attack specific encryption
PGP: Participants review digital signatures and certificates, with a specific discussion about the PGP Web of Trust—
including how the Web of Trust can be implemented, methods a third party may use to infiltrate the group, and man-in-the-
Encrypted Containers: Participants first learn how a virtual container file is viewed with a forensic tool when it is not
mounted with the native application. This is followed by a discussion of how to recover passwords for encrypted containers
so that you can natively mount the volume. Participants also discuss best-practice procedures to acquire a forensic image of
the mounted virtual container using FTK Imager.
EFS: Participants gain an understanding of how the Encrypting File System (EFS) works and how EFS file data can be
recovered. Participants learn where Windows stores the encryption and decryption keys and how to exploit weaknesses
within the Windows operating system to obtain these keys and decrypt the data. They are also given detailed instruction on
the steps required for FTK to decrypt EFS file data on Windows 2000 and Windows XP SP1 systems.
Protected Storage in Internet Explorer Versions 7-9: Participants discuss the definition, function, and forensic importance
of protected storage artifacts associated with the Microsoft Internet Explorer Browser.
Data Within Data: Participants are introduced to steganography—the concept of data concealed within data—and how to
forensically process such files.
System BitLocker and BitLocker To Go: Participants review some of the core functions related to acquiring
BitLocker-encrypted evidence. Participants first learn how to identify an encrypted volume. The course then presents different ways to
decrypt and forensically acquire data from a BitLocker-protected drive.
This course is intended for forensic investigators with experience in forensic case work and a basic working knowledge of FTK,
FTK Imager, Registry Viewer, and PRTK.