FAT File System Forensics

Explore FAT32 & VFAT file system internals in this hands‑on forensic lab. Learn to parse directory and allocation structures, recover deleted files, and uncover FAT‑specific artifacts. Lab-based training ideal for DFIR professionals.

Static Malware Analysis 102 - Ghidra

This course walk you through the most common techniques used by malware and how to use Ghidra to reverse engineer malware samples and identify their capabilities.

Static Malware Analysis 102 - IDA Pro

This course walk you through the most common techniques used by malware and how to use IDA Pro to reverse engineer malware samples and identify their capabilities.

Introduction to Malware Analysis

This course will introduce you to the basics of malware analysis, how build your environment and how to use malware sandboxing services.

Static Malware Analysis 101

This course will teach you the internals of PE files, what the Win32 API is and the basic of x86 and x64 Assembly language.

Dynamic Malware Analysis 101

This course will teach you the basics of Windows architecture and how to monitor malware behavior and network traffic on the system.

Prepare Your Forensic Environment

This course will help you prepare your DFIR environment and will be continuously updated with new tutorials. The topics will include but not limited to installing Virtual machines, software, etc.

Working with Virtual Hard Disk

In this course, you will learn how to attach, detach, and create a virtual hard disk in Windows OS.

Introduction to Evidence Acquisition

This course covers the basic concepts of digital evidence acquisition.

Evidence Acquisition under Windows

In this course, you will learn how to wipe a disk drive, how to acquire digital evidence, and how to mount forensic images.

Working with FTK Imager

In this course, you will learn how to install and use FTK Imager to acquire, analyze, and mount digital evidence.

Computer Data Representation

In this course, you will learn how data is represented in a computer system and understand the most commonly used numbering systems. Understanding concepts in this course is key to understand the digital evidence you are dealing with.

Introduction to File Systems and Data Carving

This course covers the basics of file system forensic analysis. In addition, it covers the concepts and skills needed to extract files from storage devices and recover deleted files to be used as evidence.

Working with Files

This course covers the required digital forensic skills to work with files and identify the different file types (e.g. txt, exe, jpg, etc). You will also learn how to use a hexadecimal editor to inspect and analyze different files.

Writing Forensics Reports

This course for beginners who want to learn about the Digital Forensics and Investigations track, and how to write the forensics report after completing the investigation

Time Zone Conversions

This course covers the required digital forensic skills to inspect and understand the different timestamps that could be seen during an investigation and learn how to convert between timezones.

Investigating Windows Recycle Bin

Investigate Windows Recycle Bin artifacts in this hands-on course. Learn to parse $R and $I files, decode timestamps, and use tools like RBCmd.exe and Rifiuti2 to recover or analyze permanently deleted items. Ideal for entry-level DFIR learners.

Investigating Windows LNK Files and JumpLists

Investigate Windows LNK and JumpList artifacts in hands‑on labs. Learn to parse .lnk files and JumpLists, trace file usage, determine storage paths, even for deleted files. Essential training in user activity forensic analysis.

Investigating Windows Thumb Caches

Dive into Windows thumbnail cache forensics using hands‑on labs. Learn to analyze Thumbs.db and thumbcache_xxx.db, uncover hidden file previews, and reconstruct user activity. Ideal for DFIR analysts and forensic investigators.

Windows Event Logs

Learn how to extract, analyze, and interpret Windows Event Logs using real-world forensic techniques. Dive into Event Viewer artifacts, log types, policy auditing, and extraction methods through guided virtual labs. Ideal for DFIR and SOC analysts.

Investigating Windows Program Executions

Investigate Windows execution artifacts like Prefetch, AmCache, ShimCache, UserAssist & BAM in hands-on labs. Learn tool-based analysis and forensic significance of each artifact. Ideal for DFIR analysts.

Investigating Windows System Registry Artifacts

Explore key Windows system registry artifacts using hands‑on virtual labs. Learn how to extract SYSTEM hive files from live systems or disk images, analyze AppCompatCache, Autoruns, network and user data, and uncover critical forensic evidence.

Investigating Windows User Registry Artifacts

Dive into Windows user registry forensics. Extract and analyze NTUSER.DAT and USRCLASS.DAT to trace application usage, browsing, search queries, and more, via hands-on labs that help you build accurate user activity timelines.

Investigating Windows Shellbags

Explore Windows Shellbag artifacts to reconstruct folder view history. Learn to parse BagMRU and Bags registry keys, analyze timestamp metadata, and infer accessed directories, even deleted ones, through practical forensic labs.

Investigating USB Thumb Drives

Analyze Windows USB forensic artifacts in hands-on labs. Learn to identify device IDs, connection timestamps, drive letters, and registry entries (e.g. MountPoints and SetupAPI logs). Ideal for DFIR analysts and USB investigations.

Volume Shadow Copies (VSC)

Learn how Windows Volume Shadow Copies (VSS) work and how to use them in forensic investigations. Gain skills to detect, mount, and analyze shadow snapshots to recover previous file versions. Hands-on labs ideal for DFIR analysts.

Investigating Windows Scheduled Tasks

Learn how to parse Windows Scheduled Tasks artifacts using hands-on virtual labs. Understand task formats, registry and XML artifacts, and how to uncover forensic evidence from scheduled jobs. Free foundational training for DFIR investigators.

Disk Forensic Analysis

Learn how to analyze disk structures, identify and recover digital evidence, repair corrupted disks, and interpret metadata, all through hands‑on virtual labs designed for DFIR practitioners.

Investigating File Systems

Understand Windows file systems in detail, including FAT32 and NTFS. Learn to parse, analyze partitions and metadata, recover files, and investigate corrupted disks. Hands-on labs reinforce core forensics skills.

Linux Forensics Distributions

This course will help you to determine which distribution you want to deal with based on your requirement, where this course will give you a brief description of the best digital forensics distributions.

Evidence Acquisition under Linux

This course teaches you how to acquire a disk image from a Linux device. The course will also teach you how to format and mount disks in Linux, how to deal with E01 images, how to use bootable media, and how to perform remote acquisition.

Intro to Linux from a Forensics Perspective - Ubuntu Version

This course covers the basics of how to deal with Linux operating systems. The used Linux distribution is Ubuntu.

Intro to Linux from a Forensics Perspective - Tsurugi Version

This course covers the basics of how to deal with Linux operating systems. The used Linux distribution is Tsurugi.

Launching Attacks from Alternate Data Streams Case #4

This case study presents an in-depth analysis of the use of Alternate Data Streams (ADS) in Windows environments for concealing executable files, a technique commonly employed by sophisticated cyber attackers.