This bundle includes the following courses

  • 01

    Introduction to Windows Forensics

    • Introduction to Windows Forensics

  • 02

    Recycle Bin

    • Recycle Bin

    • Tools Requirements

    • File Formats

    • Check-in Quiz

    • Check-in Quiz (Hands-on)

    • Using Recycle Bin Tools

    • Recovering Permanently Deleted Files

    • Required Files

    • Lab 01 - Recycle Bin

    • Lab 01 - Recycle Bin - Solutions

  • 03

    Thumbnails

    • Thumbnails

  • 04

    LNK Files and Jump Lists

    • LNK Files and Jump Lists

  • 05

    System and User Program Execution

    • Welcome to "Investigating Windows Program Executions"!

    • The Definition of Prefetch

    • Analyze Prefetch

    • PECmd

    • WinPrefetchView

    • Prefetch Lab

    • Prefetch Lab Solutions

    • The Definition of AmCache

    • Analyze AmCache

    • Registry Explorer

    • AmCacheParser

    • AmCache Lab

    • AmCache Lab Solutions

    • The Definition of AppCompatCache (Shimcache)

    • AppCompatCacheParser

    • RegRipper

    • AppCompatCache (Shimcache) Lab

    • AppCompatCache (Shimcache) Lab Solutions

    • The Definition of UserAssist

    • Analyze the UserAssist

    • UserAssist Lab

    • UserAssist Lab Solutions

    • The Definition of Background Activity Moderator (BAM)

    • Analyze BAM

    • Summary

  • 06

    Investigating Windows System Registry Artifacts

    • Welcome to Windows Registry

    • Windows Registry

    • The Structure of Windows Registry

    • Check Your Knowledge

    • Extract Hives through Command Line - Live System

    • Extract Hives through Registry Editor - Live System

    • Extract Hives through FTK Imager - Live System

    • Extract Hives through FTK Imager - Disk Image

    • Registry Explorer

    • RegRipper

    • Using the RegRipper GUI

    • RegRipper Command Line Tool

    • Autoruns

    • Download and Live System Analysis

    • Saved Hive / Offline Analysis

    • Investigating Windows Registry Hives: System Artifacts

    • Basic System Information

    • Basic System Information - Cont.

    • Check Your Knowledge

    • TimeZone

    • Check Your Knowledge

    • User Information

    • Security Identifier (SID)

    • Login Information

    • Internet Network Information

    • Check Your Knowledge

    • AppCompatCache or ShimCache

    • Other System Information

    • Malware

    • Exercises

    • Solutions

    • Summary

  • 07

    Investigating Windows User Registry Artifacts

    • Before We Start

    • Windows Registry User Artifacts Introduction

    • NTUSER.DAT and USRCLASS.DAT File Extraction

    • View Files Through RegEdit – Live System

    • Extract Files Through RegEdit – Live System

    • Extract Files Through FTK Imager – Live System

    • Extract Files Through FTK Imager – Disk Image

    • Last Write Timestamps

    • Check Your Knowledge

    • Application Usage - Part 1

    • Application Usage - Part 2

    • Application Usage - Part 3

    • Application Usage - Part 4

    • Check Your Knowledge

    • Internet Browsing

    • Search Queries

    • Other Artifacts

    • Check Your Knowledge

    • Exercises 1 and 2

    • Exercises 1 and 2 Solutions

  • 08

    Investigating USB Thumb Drives

    • Investigating USB Thumb Drives

  • 09

    Analyzing Shellbags

    • Introduction

    • Forensic Importance of Shellbags

    • ShellBags Explorer - GUI

    • ShellBags Explorer - Command Line

    • ShellBagsView

    • RegRipper

    • Introduction to Decoding Shellbags

    • BAGS

    • Lastwrite Timestamp

    • Lastwrite Timestamps Caveat

    • BAGMRU

    • Conclusion

    • Exercise 1

    • Exercise 2

  • 10

    Volume Shadow Copies & File History

    • Volume Shadow Copies & File History

  • 11

    Windows Events

    • Windows Events

  • 12

    Windows Scheduled Tasks

    • Windows Scheduled Tasks

  • 13

    NTFS Forensic Analysis

    • NTFS Forensic Analysis - Part 1


Your first steps to Windows forensic analysis

Learning Outcomes

By completing this course, you will:

  • Understand the concepts of digital forensics and investigation

  • Understand evidence acquisition and how to acquire evidence on Windows

  • Master FTK Imager usage

  • Learn how data is represented on computers

  • Understand files and headers

  • Become familiar with the basics of file systems and learn how to carve data

  • Master time zones and date analysis

  • Learn how to write forensic reports

Technical Requirements

To complete the hands-on labs of this track, you need:

  • Basic knowledge of using a Virtual Machine

  • Windows 10 operating system (recommended)

What is next at Cyber 5W?

Add your email to receive updates on new courses.