C5W DIGITAL FORENSIC ANALYSIS

On-Demand Course

On-Demand Course Includes:
Course Material | Labs | Certification Exam

Description

The number of incidents being reported is rapidly increasing every year. Organizations need to respond to these incidents and investigate what, when, why, where, who, and how they happened. This requires special skills and knowledge in systems and how they operate. This is not a simple task that can be handled by an IT professional, but only those trained to acquire and analyze information in a forensically sound manner.

Cyber 5W Digital Forensic Analysis course will guide students on how to conduct digital investigations and write investigative forensic reports. This course uses an experiential learning process for training students, where students learn digital forensics by doing investigative tasks on real-world cases. Students will learn how to perform evidence acquisition and how to deal with disks and file systems, and then explore the forensic artifacts one may encounter when working with the Windows operating system.

Learners who complete the course and pass the exam will earn the C5W Certified Digital Forensic Analyst (CCDFA).

Course & Certificate Fees

Training Delivery Details

On Demand: Material | Certification of Completion | Exam Certification

The course material includes over 55 Hands-on Labs and 50 Videos

Pricing Options

Kindly choose the enrollment pricing option that suits you best. Please note that the fees include the Course Material and Two Exam attempts. If you're enrolling as a group or need a custom plan, please contact us. We're here to help!

C5W DIGITAL FORENSIC ANALYSIS - On-Demand Course

Course Material + 40 hours of virtual lab access

$650.00
Buy Now
C5W DIGITAL FORENSIC ANALYSIS - On-Demand Course

Course Material - No virtual lab access

$600.00
Buy Now

Course curriculum

1. Welcome & Lab Access
2. Before You Start (Beginning of the Course)
3. Downloads
4. Release Notes
5. Want to Build Your Own Environment?
1. What is Digital Forensics
2. Digital Forensics Investigation
3. Check Your Knowledge #1
4. What is the Digital Evidence
5. Digital Devices
6. Legal Aspects
7. Types of Digital Forensic Investigation
8. Challenges of Digital Forensics
9. Alternative Windows VM for Labs
10. Lab #1 - Importing VMWare Virtual Machine
11. Importing Virtual Machine to VMWare
12. Configuring VMWare and VMTools
13. Configuring a Shared Directory between the Host and VM
14. Coping and Mounting CCDFA VHD Tools Drive
15. Adding Extra Drive to VM
16. Lab #2 - Importing VirtualBox Virtual Machine
17. Working with Virtual Hard Disk
1. Evidence Acquisition - Slides
2. Data Acquisition Concepts
3. Data Validation
4. Acquisition Methods
5. Forensic Image File formats
6. Check Your Knowledge #1
7. Why Evidence Acquisition Is Important?
8. Must-Know First Response actions
9. Sanitization
10. Hardwipe Tool
11. Cygwin Tools (dd command in Windows)
12. Check Your Knowledge #2
13. Required Files
14. Lab #1 - Sanitizing the Target Media
15. Lab #1 - Sanitizing the Target Media (Solution)
16. Evidence Data Acquisition
17. Memory Dump
18. Memory Dump using WinPmem
19. Tools for Memory Dump
20. Disk Drive Imaging
21. Other Forensic Tools
22. Required Files
23. Lab #2 - Creating Forensic Images
24. Lab #2 - Creating Forensic Images (Solution)
25. Examples of Hardware Acquisition Tools
26. Using UltraDock Write-Blocker
27. Resources
1. Introduction to Image Mounting
2. Arsenal Image Mounter
3. OSFMount
4. Other Forensic Image Mounting Tools
5. Check Your Knowledge #1
6. Required Files
7. Lab #1 - Mounting using AIM
8. Lab #1 - Mounting using AIM (Solution)
9. Resources
1. Working with FTK Imager - Slides
2. Forensic Toolkit Imager
3. Required Files
4. Install FTK Locally
5. Install FTK on a Portable Device (USB)
6. Required Files
7. Digital Evidence Acquisition
8. Memory Acquisition
9. Disk Acquisition
10. Check Your Knowledge #1
11. Lab #1 - Creating an E01 Image
12. Lab #1 - Creating an E01 Image (Solutions)
13. Lab #2 - Image Format
14. Lab #2 - Image Format (Solutions)
15. Lab #3 - Logical & Physical Image
16. Lab #3 - Logical & Physical Image (Solutions)
17. Required Files
18. Add Evidence Item to FTK Imager
19. Create and verify a multi-part disk images
20. Loading a multi-part disk image
21. Check Your Knowledge #2
22. Required Files
23. Evidence Analysis
24. Exporting Data using FTK Imager
25. Detect EFS Encryption
26. Lab #4 - Exporting Evidence
27. Lab #4 - Exporting Evidence (Solutions)
28. Acquiring Protected Registry Files
29. Copying Registry Files
30. Required Files
31. Interpreter
32. Lab #5 - Interpreting Evidence
33. Lab #5 - Interpreting Evidence (Solutions)
34. Required Files
35. Custom Content Images
36. AD Encryption
37. Lab #6 - Creating Custom Images
38. Lab #6 - Creating Custom Images (Solutions)
39. Required Files
40. Image Mounting
41. Steps of Image Mounting
42. Mount Multi-Part Raw Disk Image with FTK
1. Data Representation
2. Introduction to Numbering System
3. Decimal Number System (Base 10)
4. Binary System (Base 2)
5. Hexadecimal (Base 16)
6. Octal (Base 8)
7. Byte Ordering
8. Introduction to Text Code
9. ASCII Code
10. Unicode
11. Lab #1 - Numbering System
12. Lab #1 - Numbering System (Solutions)
13. Introduction to File Identification
14. Installation of HxD Editor
15. Working with HxD Editor
16. Installation of 010 Editor
17. Working with 010 Editor
18. 010 Editor Course
19. Introduction to File Signature
20. Required Files
21. Text Files
22. Microsoft Word Files
23. PDF Files
24. TAR Files
25. Zip Files
26. PNG Files
27. JPEG Files
28. EXE Files
29. MP3 Files
30. MP4 Files
31. System Metadata
32. Embedded Metadata
33. Required Files
34. Lab #1 - Metadata & Hex-Editor Case 1
35. Lab #2 - Metadata & Hex-Editor Case 2
36. Lab #3 - Metadata & Hex-Editor Case 3
37. Lab - Metadata & Hex-Editor (Solutions)
38. Resources
39. Required Files
40. File Metadata Lab
41. File Metadata Lab solutions
1. Time Zones Conversion - Slides
2. Timezone and Timezone Conversion
3. Introduction
4. Converting Times
5. Converting Dates
6. Lab #1 - Timezone Conversion
7. Lab #1 - Timezone Conversion (Solutions)
8. Check Your Knowledge
9. Resources
1. What is the Forensics Report ?
2. Preparing For Forensics Report
3. The Importance of the Forensics Report
4. Why Documenting is Important?
5. Forensics Report Sections
6. Reporting Standards And Guidelines
7. Report Template
8. Before Writing the Forensics Report
1. Hard Disk
2. Required Files (Disk Analysis)
3. Disks Layout - MBR - Slides
4. Lab #1 - Working with MBR Partitions
5. Lab #1 - Working with MBR Partitions (Solution using 010 Editor)
6. Lab #1 - Working with MBR Partitions (Solution using WinHex)
7. Disks Layout - GPT - Slides
8. Lab #2 - Working with GPT Partitions
9. Lab #2 - Working with GPT Partitions (Solution)
10. Disks Layout - Extended MBR - Slides
11. Lab #3 - Working with Extended Disk Partitions
12. Required Files (Fixing Corrupted Disks)
13. Attaching VHDs to Your System
14. Lab #4 - Fixing Corrupted Disks (MBR Disk)
15. Lab #4 - Fixing Corrupted Disks (MBR Disk Solution)
16. Lab #5 - Fixing Corrupted Disks (GPT Disk)
17. Lab #5 - Fixing Corrupted Disks (GPT Disk Solution)
18. Lab #6 - Fixing GPT Disk Drives
19. Lab #6a - Fixing Corrupted GPT Drive - Case #1
  FREE PREVIEW
20. Lab #6b - Fixing Corrupted GPT Drive - Case #2
  FREE PREVIEW
21. Lab #6c - Fixing Corrupted GPT Drive - Case #3
  FREE PREVIEW
22. Lab #7 - Fixing MBR Disk Drives
23. Lab #7a - Fixing Corrupted MBR Drive - Case #1
  FREE PREVIEW
24. Resources - Extra Reading
1. What is File System
2. Required Files (FAT Analysis)
3. FAT File System - Basics - Slides
4. Intro to FAT File System
5. Lab #1 - Analyzing FAT Structure
6. FAT File System - Directory Entry - Slides
7. FAT File System - Timestamps - Slides
8. Lab #2 - Analyzing FAT File System
9. Lab #2 - Analyzing FAT File System (Solution)
10. Lab #3 - Analyzing FAT File System
11. Lab #3 - Analyzing FAT File System (Solution using 010 Editor)
12. Lab #3 - Analyzing FAT File System (Solution using WinHex)
13. NTFS
14. Required Files (NTFS Analysis)
15. NTFS Basics - Slides
16. NTFS MFT - Slides
17. Lab #6 - Analyzing the MFT File
18. Lab #6 - Analyzing the MFT File (Solution)
19. Lab #7 - Analyzing the MFT File
20. Lab #8 - Working with Data Attributes
21. Lab #8 - Working with Data Attributes (Solution)
22. MFT Slack Space
23. NTFS Dataruns and Fragmented Files
24. NTFS Fixups - Slides
25. Lab #9 - Working with Links
26. Lab #9 - Working with Links using MFT Browser (Solution)
27. Lab #9 - Working with Links using MFTECmd (Solution)
28. NTFS Journaling - Slides
29. Lab #10 - Working with UsnJrnl
30. NTFS INDX Buffers - Slides
31. Lab #11 - Working with Journals and Indexes
32. Lab #12 - NTFS Challenge
33. Lab #12 - NTFS Challenge (Solution A)
34. Lab #12 - NTFS Challenge (Solution B)
35. Ext4
36. NTFS vs EXT4
37. Timestamps and File Operations
38. Required Files
39. Lab #13 - Inspecting Timestamps
40. Quick Intro to .ad1 Files
41. Howto Load .ad1 Images using FTK Imager
42. Lab #13 - Inspecting Timestamps (Solution)
43. Extra Reading Resources
1. Required Files
2. Introduction to File Carving - Slides
3. Introduction to Data Carving
4. Manual Data Carving - Using Hex Editor
5. Manual Data Carving - Carving an Image from a Doc File
6. Automatic Data Carving - Photorec
7. Automatic Data Carving - Foremost
8. Required Files
9. Lab #1 - Manual File Carving
10. Lab #1 - Manual File Carving (Solution)
11. Lab #2 - File Carving using PhotoRec
12. Lab #2 - File Carving using PhotoRec (Solution)
13. Lab #3 - File Carving using Foremost
14. Lab #3 - File Carving using Foremost (Solution)
15. Extra Reading Resources
1. Windows Basics - Slides
2. Windows Basics
3. Recycle Bin
4. Tools Requirements
5. File Formats
6. Check Your Knowledge #1
7. Lab #1 - Hands-on
8. Lab #1 - Hands-on (Solution)
9. Using Recycle Bin Tools
10. Recovering Permanently Deleted Files
11. Required Files
12. Lab #2 - Recycle Bin
13. Lab #2 - Recycle Bin (Solution)
14. Lab #2 - Parsing Recycle Bin Artifacts using RBCmd (Solution)
15. Thumbnail Caches - Slides
16. Thumbnail Caches - Intro
17. Howto Fix the Windows.edb Database
18. Required Files
19. Lab #3 - Thumbnails
20. Lab #3 - Thumbnails (Solution)
21. Lab #4 - Thumbnails
22. Lab #4 - Thumbnails (Solution)
23. Lab #5 - Thumbnails Case Study (self-study)
24. Lab #5 - Thumbnails Case Study (Solution)
25. Lab #5 - Thumbnails Case Study (Solution)
1. LNK Files - Slides
2. LNK Files - Intro
3. Required Files
4. Lab #1 - LNK Files
5. Lab #1 - LNK Files (Solution)
6. Lab #2 - LNK Files
7. Lab #2 - LNK Files (Solution)
8. Lab #3 - LNK Files
9. Lab #3 - LNK Files (Solution)
10. LNK Files, Zone Identifiers, and New Findings
11. JumpList - Slides
12. Jump Lists
13. Required Files
14. Lab #4 - Jump Lists
15. Lab #4 - Jump Lists (Solution)
16. Extra Reading
1. Welcome to "Investigating Windows Program Executions"!
2. Prefetch - Slides
3. Intro. to Prefetch Files
4. Analyzing Prefetch Files
5. PECmd
6. WinPrefetchView
7. Lab #1 - Prefetch
8. Lab #1 - Prefetch (Solution)
9. Intro. to AmCache
10. Analyzing AmCache
11. Analyzing with Registry Explorer
12. Analyzing with AmCacheParser
13. Lab #2 - AmCache
14. Lab #2 - AmCache (Solution)
15. Intro. to AppCompatCache (Shimcache)
16. Analyzing with AppCompatCacheParser
17. Analyzing using RegRipper
18. Lab #3 - AppCompatCache (Shimcache)
19. Lab #3 - AppCompatCache (Solution)
20. Intro. to UserAssist
21. Analyzing UserAssist
22. Lab #4 - UserAssist
23. Lab #4 - UserAssist (Solution)
24. Intro. to Background Activity Moderator (BAM)
25. Analyzing BAM
26. Analyzing SRUM using Chainsaw
27. Extra Reading
28. Required Files
1. Welcome to Windows Registry
2. Windows Registry - Slides 1
3. Windows Registry - Slides 2
4. The Structure of Windows Registry
5. Check Your Knowledge #1
6. Extract Hives through Command Line - Live System
7. Extract Hives through Registry Editor - Live System
8. Extract Hives through FTK Imager - Live System
9. Extract Hives through FTK Imager - Disk Image
10. Registry Explorer
11. RegRipper
12. Using the RegRipper GUI
13. RegRipper Command Line Tool
14. Autoruns
15. Download and Live System Analysis
16. Saved Hive / Offline Analysis
17. Investigating Windows Registry Hives: System Artifacts
18. Basic System Information
19. Basic System Information - Cont..
20. Check Your Knowledge #2
21. TimeZone
22. Check Your Knowledge #3
23. User Information
24. Security Identifier (SID)
25. Login Information
26. Internet Network Information
27. Check Your Knowledge #4
28. AppCompatCache or ShimCache
29. Other System Information
30. Malware
31. Lab #1 - Windows Registry
32. Lab #1 - Windows Registry (Solution)
33. Windows Registry User Artifacts Introduction
34. NTUSER.DAT and USRCLASS.DAT File Extraction
35. View Files Through RegEdit – Live System
36. Extract Files Through RegEdit – Live System
37. Extract Files Through FTK Imager – Live System
38. Extract Files Through FTK Imager – Disk Image
39. Last Write Timestamps
40. Check Your Knowledge #5
41. Application Usage - Part 1
42. Application Usage - Part 2
43. Application Usage - Part 3
44. Application Usage - Part 4
45. Check Your Knowledge #6
46. Internet Browsing
47. Search Queries
48. Other Artifacts
49. Check Your Knowledge #7
50. Check Your Knowledge #8
51. Lab #2 - Windows Registry
52. Lab #2 - Windows Registry (Solutions)
53. Parsing Windows Registry Run Keys using RegRipper
54. The Windows Registry Run Key Mystery
55. Extra Reading
1. USB Artifacts - Slides
2. Introduction to USB Forensics
3. How USBS Work
4. USB Registry Artifacts
5. USB Basic Information
6. Mounted Devices
7. MountPoints
8. Volume Serial Number
9. USB Timestamps
10. Check Your Knowledge #1
11. RegRipper USB Plugin
12. Use Case: USB Artifacts in Windows Registry
13. Introduction to USB Artifacts in Shellbags
14. Use Case: USB Artifacts in Windows Shellbags
15. USB Windows Event Viewer Artifacts
16. Using Windows Event Viewer
17. Extracting Logs from a Disk Image
18. USB Artifacts in the Setupapi.dev.log File
19. Parsing the Setupapi Log
20. Other USB Analysis Tools
21. Installing & Using USB Detective
22. NirSoft USBDeview
23. USB Artifacts Cheat Sheet
24. Check Your Knowledge #2
25. Lab #1 - USB Forensics
26. Lab #1 - USB Forensics (Solution)
27. Extra Reading
1. ShellBags - Slides
2. Introduction to Shellbags
3. Forensic Importance of Shellbags
4. Check your Knowledge #1
5. Shellbags Explorer - GUI
6. Shellbags Explorer – Command-line
7. ShellBagsView
8. RegRipper
9. Decoding Shellbag Artifacts
10. BagMRU
11. Bags
12. LastWrite Timestamp
13. LastWrite Timestamps Caveat
14. Required Files
15. Check Your Knowledge #2
16. Lab #1 - Windows Shellbags
17. Lab #1 - Windows Shellbags (Solutions)
18. Conclusion
1. Volume Shadow Copy - Slides
2. Volume Shadow Copies
3. Introduction
4. How VSS Works
5. Forensic Importance
6. Managing Volume Shadow Copies
7. Volume Shadow Copy Registry Management
8. VssAdmin
9. Check your Knowledge #1
10. Accessing Live Volume Shadow Copies
11. Shadow Explorer
12. Extracting Files From A Volume Shadow Copy
13. Extracting Files From A Volume Shadow Copy - Exercise
14. Investigating VSC Registries
15. Accessing Forensic Image Volume Shadow Copies
16. Arsenal Image Mounter
17. VSCMount
18. VSC Binary Format
19. Catalog
20. Store
21. Check your Knowledge #2
22. Conclusion
23. Required Files
24. Lab #1 - Investigating Volume Shadow Copies
25. Lab #2 - More Volume Shadow Copy
26. Using VSC Toolset with RegRipper
27. References
1. Windows Event Logs - Slides
2. Windows Event Viewer Forensics
3. Navigating Windows Event Viewer
4. Searching For Events
5. Types of Events
6. Enabling Logs & Changing Log Settings
7. Enable Auditing Through Group Policy
8. Enable Logging through Event Viewer
9. Event Log Settings
10. Extracting and Importing Event Logs
11. Extracting an Event Log from a Disk Image
12. Importing an Event Log File
13. Check Your Knowledge #1
14. Event Logs Artifacts
15. System Log
16. Security Log #1
17. Security Log #2
18. Security Logs #3
19. Security Logs #4
20. Security Logs #5
21. Security Logs #6
22. Security Logs #7
23. Check your Knowledge #2
24. Application Log
25. Applications & Services Log #1
26. Applications & Services Log #2
27. Other Tools: Event Log Parser
28. Required Files
29. Lab #1 - Investigating Windows Events
30. Lab #1 - Investigating Windows Events (Solution)
31. Lab #2
32. Lab #2 - Solutions
33. Lab #3
34. Lab #3 - Solutions
35. Conclusion
36. References
37. Extra Reading Resources
1. Scheduled Tasks - Slides
2. Introduction to Scheduled Task
3. File Format
4. Scheduled Task Tools
5. Required Files
6. Lab #1 - Scheduled Tasks
7. Lab #1 - Scheduled Tasks (Solution)
8. Extra Reading Resources
1. Search Artifacts - Slides
2. Fixing Windows.edb
3. Loading a Dirty vs Clean Windows.edb
4. Extra Reading Resources
1. Required Files
2. Lab #1 - Working with Autopsy
3. Lab #1 - Working with Autopsy (Solution)
4. Extra Reading Resources
1. Required Files
2. The Joker
1. Kroll Artifact Parser and Extractor or KAPE
2. Intro to KAPE
3. Where to use KAPE?
4. KAPE Targets
5. KAPE Targets (Acquiring Evidence)
6. KAPE Modules
7. KAPE Modules (Processing Acquired Evidence)
1. CCDFA Exam
2. Required Skills
3. Howto Start the Exam?
4. FAQ
1. Before You Go (End of the Course)
1. Books, Papers, and other Resources

About this course

$650.00
504 lessons
7 hours of video content

🔍 Case Studies

Throughout the training, you’ll investigate and analyze real-world inspired scenarios designed to build your skills across diverse forensic challenges and attacker techniques. Some of the case studies include:

🕵🏻 No Prefetch? No Problem.
Learn how to trace malware or suspicious program execution even when traditional evidence like Prefetch files is missing. This case study walks you through advanced artifact correlation to build a timeline of attacker activity.

💣 Hunting Wipers: Uncovering sdelete and Beyond
Not all deletions are innocent. Dive into a case study where a threat actor uses sdelete to wipe their tracks and how forensic traces in NTFS, registry, and logs still tell the story.

🗑️ Deleted Doesn't Mean Gone.
Explore how deleted files, shortcuts, and shellbags can be recovered and interpreted to reconstruct user activity and attacker behavior in a compromised system.

🧪 Suspicious Installer or Admin Mistake?
Investigate a case where legitimate software was used as a LOLBin. You'll learn how to differentiate between administrator behavior and post-exploitation tactics.

📎 Malicious LNK Files: A Shortcut to Trouble
Learn how attackers use Windows shortcut files (.lnk) to execute malware silently. In this case study, you’ll recover and analyze LNK files to trace back user activity and uncover hidden execution paths.

👻 GhostTask Investigations: The Scheduled Jobs That Disappear
Uncover the mystery of Scheduled Tasks that leave minimal forensic traces. You’ll learn how attackers abuse Task Scheduler and how to recover or reconstruct their activity, even when tasks are deleted.

🔌 Execution from USB Devices: Following the Plug-in Trail
Explore a scenario where malware was launched from a removable device. You’ll trace USB insertions, mounted paths, and execution history using SetupAPI logs, registry entries, and forensic images.

🧹 Detecting Anti-Forensics: Timestomping and Log Tampering
Attackers may alter timestamps and clear logs to evade detection. This case study shows how to detect timestomping and use alternate forensic artifacts like $MFT, $LogFile, and $UsnJrnl to reconstruct the truth.

Instructor

Dr. Ali Hadi is a highly accomplished and experienced Senior Cybersecurity Specialist with 14+ years of professional experience in Information Technology. He is currently working as a full-time professor and researcher at the Computer and Digital Forensics and Cybersecurity Departments of Champlain College, USA. Ali is a Co-Founder and the Chief Technology Officer of Cyber 5W. He holds a PhD and MSc degree in Computer Information Systems, as well as a BSc degree in Computer Science. Throughout his professional career, Ali has earned more than 20 professional certifications. Ali is a sought-after consultant in the field of cybersecurity, offering expertise in areas such as digital forensics, incident response, adversary simulation, offensive security, and malware analysis. He is also an established author, speaker, and freelance instructor, having provided technical training to government and private firms as well as other organizations. Ali continues to be an influential figure in the digital forensics community and is dedicated to promoting forensics education and research. More details could be found here or contact him directly through twitter here.

CCDFA Certificate

Why you should get the CCDFA certificate?

Professional Certificate

CCDFA is the only certification that will truly assess your skills in multiple domains, all using a single certification-process.
Experiential Learning

CCDFA includes more than 35 hands-on labs that cover skills related to the basic of digital forensic, disks, file systems, and Windows.
Evaluated by Experts

CCDFA requires students to take a practical assessment and submit a report for the expert committee to evaluate.

Learning Objectives

After completing this course, you are expected to:

Understand the fundamentals of digital forensic investigations
Demonstrate correct methods of evidence gathering
Learn how to extract file metadata and analyze files using a hex-editor
Summarize the analysis results and write investigative reports
Ability to analyze and fix corrupted disks
Ability to analyze FAT32 and NTFS file systems, plus recover and carve files from raw data
Ability to investigate Windows System Artifacts
Investigating Windows Program Execution Artifacts
Investigating Windows Registry and Windows Shellbags
Ability to analyze Windows Events Logs, Scheduled Tasks, and different Windows Applications (e.g. Skype, One Drive, etc)

Testimonials

“Breadcrumbs and Footprints... Affirmative .LNKs (pun intended) and Trace Evidence ... A ton of information, intelligence, and investigative leads are packed into Prefetch, Jumplist, LNK, and Thumbnail files.
"To a great mind nothing is little" -- S. Holmes.
Solid applicable Windows Forensics foundation from Dr. Ali Hadi and the Cyber5W Team. Here ”

“This was a great day one! Really dived into it and wasn’t just a broad overview. Already working in VM’s and it is very hands on. Ali takes the time to answer all questions thoroughly. Here ”

Prerequisites

This course assumes no prior experience in digital forensics or incident response. However, a foundational understanding of computer science, operating systems, file systems, or a related field is highly recommended.

Important: Learners should have experience installing software and working with virtual machines using a hypervisor. Please ensure you are comfortable setting up and managing virtual environments independently before starting the course.

The Value of the Training

Unlock the skills needed to identify, investigate, and understand digital incidents in a hands-on, guided environment. This training bridges the gap between theory and practice by walking you through real-world case scenarios, forensic imaging, artifact analysis, timeline reconstruction, and report writing.

Whether you're pursuing a career in digital forensics, incident response, or security operations, this course provides the core foundation and investigative techniques required to uncover evidence, trace attacker activity, and respond effectively in today's evolving threat landscape.

Who is this Certificate For?

This training is ideal for cybersecurity professionals, digital forensics analysts, SOC analysts, blue teamers, and anyone looking to build or strengthen their digital investigation skills.

Whether you're just entering the DFIR field or you're an experienced analyst looking to refine your techniques, this course offers a structured, hands-on approach to evidence acquisition, artifact analysis, and incident response, preparing you to investigate and respond to real-world security incidents with confidence.

System Requirements:

what you need to for the course

To ensure an optimal learning experience, participants should have access to a computer capable of running virtualization software such as VMware Workstation or VirtualBox, with at least 8 GB of RAM and 40 GB of free disk space.

We highly recommend using our hosted virtual lab environment, provided as part of the course. This eliminates the need to configure local virtual machines and allows you to seamlessly follow along with all hands-on exercises in a secure, controlled environment.

Refund Policy:

Refund requests for In-person and Online Virtual Training are accepted before the refund deadline and as long as the online course has not been accessed. To initiate a refund, please submit your request to [email protected]. The registration fee will be refunded, minus a $50 refund processing fee, to the original payment method. Please be advised that CYBER 5W OnDemand Courses are non-refundable and non-transferable once payment has been completed and course material has been accessed.

C5W DIGITAL FORENSIC ANALYSIS - On-Demand Course

Course Material + 40 hours of virtual lab access

C5W DIGITAL FORENSIC ANALYSIS - On-Demand Course

Course Material - No virtual lab access

Welcome & Lab Access

Introduction to Digital Forensics

Evidence and Evidence Acquisition

Mounting Your Evidence

Working with FTK Imager

Data Representation and File Analysis

Time Zones and Dates (Timestamps)

Writing a Report

Disk Analysis (MBR & GPT)

Analyzing File Systems

File and Data Carving

Windows Forensics Basics

LNK Files and Jump Lists

Prefetch Files and User Execution

Windows Registry

Investigating USB Thumb Drives

Analyzing Shellbags

Investigating Volume Shadow Copies & File History

Windows Events

Windows Scheduled Tasks

Windows Search

Autopsy

Case Study - Challenge

Working with KAPE

Getting Certified

Before You Go (End of the Course)

Extra Reading

About this course

Professional Certificate

Experiential Learning

Evaluated by Experts