Windows Forensics (W55) - Digital Forensics Course Online





Product Description

At the end of the training, participants will have the knowledge needed to examine devices running Windows operating systems in order to detect suspicious activity. The course focuses on the Windows 10 operating system, but it has a lot in common with the server operating systems, so Windows Server systems can also be an evidence source. The course material also applies to Windows 11, as there are no changes compared to Windows 10 from a forensics perspective.

Who is this course for? 

  • Forensic Analysts 
  • Cyber Incident Responders 
  • Cyber Security Analysts 
  • Cyber Threat Hunters

Windows Forensics training can be considered the basis of the cyber incident response approach. Analyzing new concepts and attack types requires raising the level of technical knowledge without delay. For this reason, acquiring the basic level of knowledge without wasting time is the right step.

In corporate environments, Windows is still known as the most used operating system, which leads cyber attackers to target Windows systems. The need for analysts with sufficient analysis knowledge is increasing day by day. Focused attendees will gain high-level, easy-to-use knowledge of Windows forensics topics.

Course benefits:

FTK Imager, ANJP, EZ Tools, SIFT, RegRipper, Windows Event Log Explorer, Volatility, Plaso, DensityScout, SigCheck, etc.

What skills will you gain?

Acquiring system images, creating triage data, analyzing Windows execution artifacts, analyzing Windows Registry records, the ability to create a super-timeline and analyze it, the ability to analyze memory images, etc.

What will you learn about?

In addition to important information such as the file system and persistence mechanisms in Windows systems, the course covers the analysis approaches required during cyber incident response. Sample approaches: least frequency of occurrence, Occam’s razor, Locard’s exchange theory, and the ability to select the right questions to get answers about technical problems.

Course general information:

DURATION: 18 hours

CPE POINTS: On completion you get a certificate granting you 18 CPE points.


Course format:

  • Self-paced
  • Pre-recorded
  • Accessible even after you finish the course
  • No preset deadlines
  • Materials are video, labs, and text
  • All videos captioned


  • All tools will be open source 
  • Midrange computer with Windows 10 Operating System
  • SIFT Workstation


  • Able to use the command prompt on Windows 
  • Fundamental knowledge about Windows operating system 
  • General cybersecurity knowledge


Kaan KAYA - Computer Engineering (BS). Has been working in the DFIR area for more than 3 years.

His main responsibilities are conducting forensics on digital evidence and enterprise incident response projects.


Module 1

Windows System Processes & Live System Analysis

In this module, attendees will learn about Windows system processes and live system analysis techniques. Knowing the system processes makes it easier to find abnormal and malicious processes.

Live analysis of Windows 10 systems with native Windows tools is also important as the first contact with the evidence.

  • Windows System Processes (Windows 10)
  • Details about system processes: image path, name, number of instances
  • Live system analysis for computers running Windows 10 with tools such as Sysinternals, PowerShell, WMI
  • Collecting triage data and parsing methods with KAPE


  • System Processes Case: Attendees try to find malicious processes on the live Windows system
  • Live Analysis Case: Attendees try to collect evidence about a compromised host using native commands and KAPE

Module 2

Acquiring Evidence & Memory Analysis

This module covers the image acquisition process, which is the basis of forensic science. It studies the details of image acquisition that are necessary for the examination phase to give correct results. Different image acquisition methods, image acquisition applications, and image formats are among the other topics covered.

  • Windows NTFS File System Details 
  • Image Types 
  • Image File Formats 
  • Verification of Successful Imaging Process 
  • Physical Imaging with FTK Imager 
  • Logical Imaging with FTK Imager 
  • Memory Imaging with FTK Imager, DumpIt, WinPmem
  • BitLocker Encryption


  • Acquiring physical image of Windows 10 system 
  • Acquiring logical image of Windows 10 system 
  • Acquiring custom content image of Windows 10 system 
  • Acquiring memory image of Windows 10 system
  • Analyzing acquired memory image sample
  • Analyzing sample compromised memory image
  • Quiz (15 Questions about module) - Correct answers will be given and explained

Module 3

File System Forensics & SuperTimeline

This module covers file system analysis of an image of a Windows 10 computer with the NTFS file system. It discusses obtaining and analyzing the MFT, LogFile, and UsnJournal files, which are important for forensic experts. After this module, attendees will be able to detect anomalous file operations on Windows systems with the NTFS file system.

The SuperTimeline is the second important subject. Attendees will be able to create and analyze a SuperTimeline with Plaso.

  • Windows NTFS Timestamps (MACB)
  • Analyzing Physical Image with FTK Imager
  • Acquisition and Analysis of MFT, LogFile, and UsnJournal Files
  • Creating & Analyzing SuperTimeline (pinfo, psort, log2timeline)


  • Anomaly detection with Windows timestamps values 
  • Analysis of MFT, LogFile, UsnJournal 
  • Forensic Case - detection of malicious file creations 
  • Creating SuperTimeline with Plaso
  • Forensic Case - writing a forensic report analyzing a Windows system image 
  • Quiz (15 Questions about module) - Correct answers will be given and explained

Module 4

Windows 10 Execution Artifacts & Compromised Host Identification

Because of the way they work, Windows systems leave behind many residual artifacts. These artifacts become evidence of great importance during forensic examinations. This module discusses the important artifacts that should be collected during a Windows system analysis and how to analyze them.

Windows 10 - Artifacts:

  • Amcache 
  • Shimcache 
  • Prefetch 
  • Objects.Data 
  • Jumplist 
  • Shortcuts (LNK Files) 
  • Task Bar 
  • RecycleBin 
  • Thumbnails 
  • SRUM 
  • Registry 
  • Event Logs
  • Browser Artifacts (Chrome-Firefox)


This module includes case studies for all of the artifact areas, which participants need to solve. Once all of these cases are resolved, a general image file related to the simulated attack will be analyzed.

  • Lateral Movement Detection with Event Logs
  • Anti-Forensics Detection: Event Log Clearing
  • Windows 10 Persistence Point Detection
  • Compromised Host Analysis Case (with all topics covered by this course)

Final Exam

All the topics will be covered in this exam. The exam will consist of two parts:

  • Hands-On Lab Questions (practical)
  • Multiple Choice Questions (theoretical)


If you have any questions, please contact us at [email protected].



© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023