This pathway includes the following courses:

01 Introduction to Windows Forensics
- Windows Basics
02 Recycle Bin
- Recycle Bin
- Tools Requirements
- File Formats
- Check-in Quiz
- Check-in Quiz (Hands-on)
- Using Recycle Bin Tools
- Recovering Permanently Deleted Files
- Required Files
- Lab 01 - Recycle Bin
- Lab 01 - Recycle Bin - Solutions
03 Thumbnails
- Thumbnail Caches - Intro
- Lab 01 - Thumbnails
- Required Files
- Lab 01 - Thumbnails Lab Solution
- Lab 02 - Thumbnails
- Lab 02 - Thumbnails Lab Solution
- Lab 03 - Thumbnails (self-study)
- Lab 03 - Thumbnails Lab Solution
04 LNK Files and Jump Lists
- Introduction
- Required Files
- Lab 01 - LNK Files
- Lab 01 - LNK Files Lab Solution
- Lab 02 - LNK Files
- Lab 02 - LNK Files Lab Solution
- Lab 03 - LNK Files
- Lab 03 - LNK Files Lab Solution
- LNK Files, Zone Identifiers, and New Findings
- Jump Lists
- Lab 01 - Jump Lists
- Lab 01 - Jump Lists Lab Solution
- Required Files
- Extra Reading
05 System and User Program Execution
- Welcome to "Investigating Windows Program Executions"!
- The Definition of Prefetch
- Analyze Prefetch
- PECmd
- WinPrefetchView
- Prefetch Lab
- Prefetch Lab Solutions
- The Definition of AmCache
- Analyze AmCache
- Registry Explorer
- AmCacheParser
- AmCache Lab
- AmCache Lab Solutions
- The Definition of AppCompatCache (Shimcache)
- AppCompatCacheParser
- RegRipper
- AppCompatCache (Shimcache) Lab
- AppCompatCache (Shimcache) Lab Solutions
- The Definition of UserAssist
- Analyze UserAssist
- UserAssist Lab
- UserAssist Lab Solutions
- The Definition of Background Activity Moderator (BAM)
- Analyze BAM
- Summary
- Required Files
06 Investigating Windows System Registry Artifacts
- Required Files
- Welcome to Windows Registry
- Windows Registry
- The Structure of Windows Registry
- Check Your Knowledge
- Extract Hives through Command Line - Live System
- Extract Hives through Registry Editor - Live System
- Extract Hives through FTK Imager - Live System
- Extract Hives through FTK Imager - Disk Image
- Registry Explorer
- RegRipper
- Using the RegRipper GUI
- RegRipper Command Line Tool
- Autoruns
- Download and Live System Analysis
- Saved Hive / Offline Analysis
- Investigating Windows Registry Hives: System Artifacts
- Basic System Information
- Basic System Information (cont.)
- Check Your Knowledge
- TimeZone
- Check Your Knowledge
- User Information
- Security Identifier (SID)
- Login Information
- Internet Network Information
- Check Your Knowledge
- AppCompatCache or ShimCache
- Other System Information
- Malware
- Exercises
- Solutions
- Summary
07 Investigating Windows User Registry Artifacts
- Required Files
- Before We Start
- Windows Registry User Artifacts Introduction
- NTUSER.DAT and USRCLASS.DAT File Extraction
- View Files Through RegEdit - Live System
- Extract Files Through RegEdit - Live System
- Extract Files Through FTK Imager - Live System
- Extract Files Through FTK Imager - Disk Image
- Last Write Timestamps
- Check Your Knowledge
- Application Usage - Part 1
- Application Usage - Part 2
- Application Usage - Part 3
- Application Usage - Part 4
- Check Your Knowledge
- Internet Browsing
- Search Queries
- Other Artifacts
- Check Your Knowledge
- Exercises 1 and 2
- Exercises 1 and 2 Solutions
08 Investigating USB Thumb Drives
- Required Files
- Introduction to USB Forensics
- How USBs Work
- USB Registry Artifacts
- USB Basic Information
- Mounted Devices
- MountPoints
- Volume Serial Number
- USB Timestamps
- Check Your Knowledge
- RegRipper USB Plugin
- Use Case: USB Artifacts in Windows Registry
- Introduction to USB Artifacts in Shellbags
- Use Case: USB Artifacts in Windows Shellbags
- USB Windows Event Viewer Artifacts
- Using Windows Event Viewer
- Extracting Logs from a Disk Image
- USB Artifacts in the Setupapi.dev.log File
- Parsing the Setupapi Log
- Other USB Analysis Tools
- Installing & Using USB Detective
- NirSoft USBDeview
- USB Artifacts Cheat Sheet
- Check Your Knowledge
- USB Forensics Hands-On
- USB Forensics Hands-On Solution
09 Analyzing Shellbags
- Introduction
- Forensic Importance of Shellbags
- ShellBags Explorer - GUI
- ShellBags Explorer - Command Line
- ShellBagsView
- RegRipper
- Introduction to Decoding Shellbags
- BAGS
- LastWrite Timestamp
- LastWrite Timestamps Caveat
- BAGMRU
- Conclusion
- Exercise 1
- Exercise 2
10 Volume Shadow Copies
- Volume Shadow Copies
- Introduction
- How VSS Works
- Forensic Importance
- Managing Volume Shadow Copies
- Volume Shadow Copy Registry Management
- VssAdmin
- Knowledge Check
- Accessing Live Volume Shadow Copies
- Shadow Explorer
- Extracting Files From a Volume Shadow Copy
- Extracting Files From a Volume Shadow Copy - Exercise
- Investigating VSC Registries
- Accessing Forensic Image Volume Shadow Copies
- Arsenal Image Mounter
- VSCMount
- VSC Binary Format
- Catalog
- Store
- Knowledge Check
- Conclusion
- References
11 Windows Events
- Windows Event Viewer Forensics
- Navigating Windows Event Viewer
- Searching For Events
- Types of Events
- Enabling Logs & Changing Log Settings
- Enable Auditing Through Group Policy
- Enable Logging Through Event Viewer
- Event Log Settings
- Extracting and Importing Event Logs
- Extracting an Event Log from a Disk Image
- Importing an Event Log File
- Check Your Knowledge
- Event Log Artifacts
- System Log
- Security Log #1
- Security Log #2
- Security Log #3
- Security Log #4
- Security Log #5
- Security Log #6
- Security Log #7
- Check Your Knowledge
- Application Log
- Applications & Services Log #1
- Applications & Services Log #2
- Other Tools: Event Log Parser
- Investigation Lab
- Investigation Lab - Solutions
- Conclusion
- References
12 Windows Scheduled Tasks
- Introduction to Scheduled Tasks
- File Format
- Scheduled Task Tools
- Required Files
- Lab 01 - Scheduled Tasks
- Lab 01 - Scheduled Tasks Solutions
- Extra Reading Resources
13 Windows Search
- Fixing Windows.edb
- Loading a Dirty vs. Clean Windows.edb
- Extra Reading Resources
Learning Outcomes
After completing this course, you will be able to:
- Investigate basic Windows artifacts
- Understand timestamps and time zone conversions
- Investigate Windows program execution artifacts
- Investigate the Windows Registry and Windows Shellbags
- Investigate USB thumb drives
- Work with Volume Shadow Copies and File History
- Work with Windows event logs
- Investigate Windows Scheduled Tasks
Technical Requirements
To complete the hands-on labs of this track, you need:
- Basic knowledge of using a virtual machine
- Basic knowledge of digital forensics
- Windows 10 operating system (recommended)