C5W-200 WINDOWS FORENSICS

C5W-200
WINDOWS FORENSICS

C5W-200 WINDOWS FORENSICS

This pathway will prepare you to investigate Windows operating systems. You will learn how to locate artifacts on a Windows System, how to track user, system activity, and many many more.

Get Started Now

Enroll Now $350

This pathway includes the following courses

1. Windows Basics
1. Recycle Bin
2. Tools Requirements
3. File Formats
4. Check-in Quiz
5. Check-in Quiz (Hands-on)
6. Using Recycle Bin Tools
7. Recovering Permanently Deleted Files
8. Required Files
9. Lab 01 - Recycle Bin
10. Lab 01 - Recycle Bin - Solutions
1. Thumbnail Caches - Intro
2. Lab 01 - Thumbnails
3. Required Files
4. Lab 01 - Thumbnails Lab Solution
5. Lab 02 - Thumbnails
6. Lab 02 - Thumbnails Lab Solution
7. Lab 03 - Thumbnails (self-study)
8. Lab 03 - Thumbnails Lab Solution
1. Introduction
2. Required Files
3. Lab 01 - LNK Files
4. Lab 01 - LNK Files Lab Solution
5. Lab 02 - LNK Files
6. Lab 02 - LNK Files Lab Solution
7. Lab 03 - LNK Files
8. Lab 03 - LNK Files Lab Solution
9. LNK Files, Zone Identifiers, and New Findings
10. Jump Lists
11. Lab 01 - Jump Lists
12. Lab 01 - Jump Lists Lab Solution
13. Required Files
14. Extra Reading
1. Welcome to "Investigating Windows Program Executions"!
2. The Definition of Prefetch
3. Analyze Prefetch
4. PECmd
5. WinPrefetchView
6. Prefetch Lab
7. Prefetch Lab Solutions
8. The Definition of AmCache
9. Analyze AmCache
10. Registry Explorer
11. AmCacheParser
12. AmCache Lab
13. AmCache Lab Solutions
14. The Definition of AppCompatCache (Shimcache)
15. AppCompatCacheParser
16. RegRipper
17. AppCompatCache (Shimcache) Lab
18. AppCompatCache (Shimcache) Lab Solutions
19. The Definition of UserAssist
20. Analyze the UserAssist
21. UserAssist Lab
22. UserAssist Lab Solutions
23. The Definition of Background Activity Moderator (BAM)
24. Analyze BAM
25. Summary
26. Required Files
1. Required Files
2. Welcome to Windows Registry
3. Windows Registry
4. The Structure of Windows Registry
5. Check Your Knowledge
6. Extract Hives through Command Line - Live System
7. Extract Hives through Registry Editor - Live System
8. Extract Hives through FTK Imager - Live System
9. Extract Hives through FTK Imager - Disk Image
10. Registry Explorer
11. RegRipper
12. Using the RegRipper GUI
13. RegRipper Command Line Tool
14. Autoruns
15. Download and Live System Analysis
16. Saved Hive / Offline Analysis
17. Investigating Windows Registry Hives: System Artifacts
18. Basic System Information
19. Basic System Information - Cont..
20. Check Your Knowledge
21. TimeZone
22. Check Your Knowledge
23. User Information
24. Security Identifier (SID)
25. Login Information
26. Internet Network Information
27. Check Your Knowledge
28. AppCompatCache or ShimCache
29. Other System Information
30. Malware
31. Exercises
32. Solutions
33. Summary
1. Required Files
2. Before We Start
3. Windows Registry User Artifacts Introduction
4. NTUSER.DAT and USRCLASS.DAT File Extraction
5. View Files Through RegEdit – Live System
6. Extract Files Through RegEdit – Live System
7. Extract Files Through FTK Imager – Live System
8. Extract Files Through FTK Imager – Disk Image
9. Last Write Timestamps
10. Check Your Knowledge
11. Application Usage - Part 1
12. Application Usage - Part 2
13. Application Usage - Part 3
14. Application Usage - Part 4
15. Check Your Knowledge
16. Internet Browsing
17. Search Queries
18. Other Artifacts
19. Check Your Knowledge
20. Exercises 1 and 2
21. Exercises 1 and 2 Solutions
1. Required Files
2. Introduction to USB Forensics
3. How USBS Work
4. USB Registry Artifacts
5. USB Basic Information
6. Mounted Devices
7. MountPoints
8. Volume Serial Number
9. USB Timestamps
10. Check Your Knowledge
11. RegRipper USB Plugin
12. Use Case: USB Artifacts in Windows Registry
13. Introduction to USB Artifacts in Shellbags
14. Use Case: USB Artifacts in Windows Shellbags
15. USB Windows Event Viewer Artifacts
16. Using Windows Event Viewer
17. Extracting Logs from a Disk Image
18. USB Artifacts in the Setupapi.dev.log File
19. Parsing the Setupapi Log
20. Other USB Analysis Tools
21. Installing & Using USB Detective
22. NirSoft USBDeview
23. USB Artifacts Cheat Sheet
24. Check Your Knowledge
25. USB Forensics Hands-On
26. USB Forensics Hands-On Solution
1. Introduction
2. Forensic Importance of Shellbags
3. ShellBags Explorer - GUI
4. ShellBags Explorer - Command Line
5. ShellBagsView
6. RegRipper
7. Introduction to Decoding Shellbags
8. BAGS
9. Lastwrite Timestamp
10. Lastwrite Timestamps Caveat
11. BAGMRU
12. Conclusion
13. Exercise 1
14. Exercise 2
1. Volume Shadow Copies
2. Introduction
3. How VSS Works
4. Forensic Importance
5. Managing Volume Shadow Copies
6. Volume Shadow Copy Registry Management
7. VssAdmin
8. Knowledge Check
9. Accessing Live Volume Shadow Copies
10. Shadow Explorer
11. Extracting Files From A Volume Shadow Copy
12. Extracting Files From A Volume Shadow Copy - Exercise
13. Investigating VSC Registries
14. Accessing Forensic Image Volume Shadow Copies
15. Arsenal Image Mounter
16. VSCMount
17. VSC Binary Format
18. Catalog
19. Store
20. Knowledge Check
21. Conclusion
22. References
1. Windows Event Viewer Forensics
2. Navigating Windows Event Viewer
3. Searching For Events
4. Types of Events
5. Enabling Logs & Changing Log Settings
6. Enable Auditing Through Group Policy
7. Enable Logging through Event Viewer
8. Event Log Settings
9. Extracting and Importing Event Logs
10. Extracting an Event Log from a Disk Image
11. Importing an Event Log File
12. Check Your Knowledge
13. Event Logs Artifacts
14. System Log
15. Security Log #1
16. Security Log #2
17. Security Logs #3
18. Security Logs #4
19. Security Logs #5
20. Security Logs #6
21. Security Logs #7
22. Check your Knowledge
23. Application Log
24. Applications & Services Log #1
25. Applications & Services Log #2
26. Other Tools: Event Log Parser
27. Investigation Lab
28. Investigation Lab - Solutions
29. Conclusion
30. References
1. Introduction to Scheduled Task
2. File Format
3. Scheduled Task Tools
4. Required Files
5. Lab 01 - Scheduled Tasks
6. Lab 01 - Scheduled Tasks Solutions
7. Extra Reading Resources
1. Fixing Windows.edb
2. Loading a Dirty vs Clean Windows.edb
3. Extra Reading Resources

About this course

$300.00
215 lessons
0.5 hours of video content

Course Type: Theory & Hands-on

Get Started Now

Your first steps to Windows Forensic Analysis

Enroll Now $350

Pricing Options

Kindly choose the enrollment pricing option that suits you best. If you're enrolling as a group or need a custom plan, please contact us. We're here to help!

C5W-200 WINDOWS FORENSICS

Includes 40 hours of virtual lab access

$350.00
Buy Now
C5W-200 WINDOWS FORENSICS

No virtual lab access

$300.00
Buy Now

Learning Outcomes

After completing this course, you will learn the following.

Ability to investigate Windows Basic Artifacts
Understand Timestamps & Timezone Conversions
Investigating Windows Program Execution Artifacts
Investigating Windows Registry and Windows Shellbags
Investigating USB Thumb Drives
Volume Shadow Copies & File History
Working with Windows Events Logs
Investigating Windows Scheduled Tasks

Technical Requirements

To complete the hands-on labs of this track

Basic knowledge of using a Virtual Machine
Basic Knowledge in Digital Forensic
Windows 10 operating system (recommended)

What is next at Cyber 5W?

Add your email to receive updates on new courses.