Bootcamp Format

The bootcamp consists of 20 hours delivered over 4 sessions (5 hours per session). This schedule is designed to give students ample time to absorb the content and complete the hands-on labs at a comfortable pace.

  • 4 Live Sessions

  • 5 Hours Per Session

  • 50+ Hands-On Lab Exercises

  • 24 Credit Hours of Virtual Lab Access

  • 1 CCDFA Certification Exam Attempt

  • Access to Session Recordings

Upcoming Live Bootcamps

🎉 This is our new training format, running over 4 weeks and offering live, instructor-led sessions combined with hands-on labs, allowing you to learn real-world digital forensics at your own pace and on your own schedule.

  • $100 off if you register before August 1st! Use code ccdfabootcamp at checkout to claim your discount.
    • C5W DIGITAL FORENSIC ANALYST - BOOTCAMP

    • August Bootcamp

    • August 9th, 2025
    • August 16th, 2025
    • August 23rd, 2025
    • August 30th, 2025

    • $650.00

    • C5W DIGITAL FORENSIC ANALYST - BOOTCAMP

    • October Bootcamp

    • October 4th, 2025
    • October 11th, 2025
    • October 18th, 2025
    • October 25th, 2025

    • $650.00


    Why CCDFA?

    The Certified Cyber 5W Digital Forensics Analyst (CCDFA) is a scenario-driven certification focused on practical, real-world analysis. Instead of memorizing definitions or command syntax, you’ll learn how to approach digital investigations with confidence and solve complex forensic challenges using industry-standard tools and methodologies.

    Bootcamp Syllabus

    The bootcamp is split into four modules across four weeks. For a detailed syllabus of what CCDFA includes, please check the CCDFA course webpage.

    Introduction to Digital Forensics

    • Evidence and Evidence Acquisition
    • Hashing and Validation
    • Mounting Your Evidence
    • File Analysis: Hex Editors, Signatures, File Extensions, and Metadata
    • Time Zones and Dates (Timestamps)
    • Writing a Report

    Windows Forensic Analysis - Part 1

    • Users and Groups
    • Recycle Bin
    • Thumbnails
    • LNK Files and Jump Lists
    • System and User Program Activity: Prefetch Files, UserAssist, BAM, SRUM, etc.
    • Windows Registry: System Artifacts and User Artifacts
    • Investigating USB Thumb Drives

    Windows Forensic Analysis - Part 2

    • Analyzing Shellbags
    • Volume Shadow Copies & File History
    • Windows Events
    • Windows Scheduled Tasks
    • Working with KAPE

    Working with Disks, Volumes, and File Systems

    • Disk Analysis (MBR & GPT)
    • File Systems: Storage Units (Sectors and Clusters) and Slack Space
    • Analyzing FAT32 File Systems: Volume Structures, Directory Entries, SFN/LFN, and Cluster Chains
    • Analyzing NTFS File Systems: $MFT, Attributes, NTFS Files, Dataruns, Fixup Arrays, Soft/Hard Links, ADS, USN Journals, and Timestamps
    • Data and File Carving: Manual and Automated
    • Detecting Anti-Forensics: Timestomping and Wipers

    Note: Additional topics may be covered as time allows.

    🔍 Case Studies

    Throughout the training, you’ll investigate and analyze real-world inspired scenarios designed to build your skills across diverse forensic challenges and attacker techniques. Some of the case studies include:

    🕵🏻 No Prefetch? No Problem.
    Learn how to trace malware or suspicious program execution even when traditional evidence like Prefetch files is missing. This case study walks you through advanced artifact correlation to build a timeline of attacker activity.

    💣 Hunting Wipers: Uncovering sdelete and Beyond
    Not all deletions are innocent. Dive into a case study where a threat actor uses sdelete to wipe their tracks and how forensic traces in NTFS, registry, and logs still tell the story.

    🗑️ Deleted Doesn't Mean Gone.
    Explore how deleted files, shortcuts, and shellbags can be recovered and interpreted to reconstruct user activity and attacker behavior in a compromised system.

    🧪 Suspicious Installer or Admin Mistake?
    Investigate a case where legitimate software was used as a LOLBin. You'll learn how to differentiate between administrator behavior and post-exploitation tactics.

    📎 Malicious LNK Files: A Shortcut to Trouble
    Learn how attackers use Windows shortcut files (.lnk) to execute malware silently. In this case study, you’ll recover and analyze LNK files to trace back user activity and uncover hidden execution paths.

    👻 GhostTask Investigations: The Scheduled Jobs That Disappear
    Uncover the mystery of Scheduled Tasks that leave minimal forensic traces. You’ll learn how attackers abuse Task Scheduler and how to recover or reconstruct their activity, even when tasks are deleted.

    🔌 Execution from USB Devices: Following the Plug-in Trail
    Explore a scenario where malware was launched from a removable device. You’ll trace USB insertions, mounted paths, and execution history using SetupAPI logs, registry entries, and forensic images.

    🧹 Detecting Anti-Forensics: Timestomping and Log Tampering
    Attackers may alter timestamps and clear logs to evade detection. This case study shows how to detect timestomping and use alternate forensic artifacts like $MFT, $LogFile, and $UsnJrnl to reconstruct the truth.

    Learning Objectives

    After completing this course, you are expected to:

    • Understand the fundamentals of digital forensic investigations

    • Demonstrate correct methods of evidence gathering

    • Extract file metadata and analyze files using a hex editor

    • Summarize the analysis results and write investigative reports

    • Investigate Windows system artifacts

    • Investigate Windows program execution artifacts

    • Investigate the Windows Registry and Windows Shellbags

    • Analyze Windows Event Logs and Scheduled Tasks

    • Analyze Windows file systems, and recover and carve files from raw data

    What You’ll Get


    • Access to a private student lab environment

    • Live instruction from DFIR practitioners

    • Practical investigative scenarios

    • A CCDFA exam attempt

    • Support from instructors during and after the course

    Prerequisites

    This course assumes no prior experience in digital forensics or incident response. However, a foundational understanding of computer science, operating systems, file systems, or a related field is highly recommended.

    Important: Learners should have experience installing software and working with virtual machines using a hypervisor. Please ensure you are comfortable setting up and managing virtual environments independently before starting the course.

    The Value of the Training

    Unlock the skills needed to identify, investigate, and understand digital incidents in a hands-on, guided environment. This training bridges the gap between theory and practice by walking you through real-world case scenarios, forensic imaging, artifact analysis, timeline reconstruction, and report writing.

    Whether you're pursuing a career in digital forensics, incident response, or security operations, this course provides the core foundation and investigative techniques required to uncover evidence, trace attacker activity, and respond effectively in today's evolving threat landscape.

    Who is this Certificate For?

    This training is ideal for cybersecurity professionals, digital forensics analysts, SOC analysts, blue teamers, and anyone looking to build or strengthen their digital investigation skills.

    Whether you're just entering the DFIR field or you're an experienced analyst looking to refine your techniques, this course offers a structured, hands-on approach to evidence acquisition, artifact analysis, and incident response, preparing you to investigate and respond to real-world security incidents with confidence.

    System Requirements:

    What you need for the course

    To ensure an optimal learning experience, you will have access to our hosted virtual lab environment with 24 credit hours of lab access. Learners can purchase more credit hours if needed. This eliminates the need to configure local virtual machines and allows you to seamlessly follow along with all hands-on exercises in a secure, controlled environment.

    Refund Policy:

    Refund requests for In-person and Online Virtual Training are accepted before the refund deadline and as long as the online course has not been accessed. To initiate a refund, please submit your request to [email protected]. The registration fee will be refunded, minus a $50 refund processing fee, to the original payment method. Please be advised that CYBER 5W OnDemand Courses are non-refundable and non-transferable once payment has been completed and course material has been accessed.

    Instructor

    Dr. Ali Hadi is a highly accomplished and experienced Senior Cybersecurity Specialist with 14+ years of professional experience in Information Technology. He is currently working as a full-time professor and researcher at the Computer and Digital Forensics and Cybersecurity Departments of Champlain College, USA. Ali is a Co-Founder and the Chief Technology Officer of Cyber 5W. He holds a PhD and MSc degree in Computer Information Systems, as well as a BSc degree in Computer Science. Throughout his professional career, Ali has earned more than 20 professional certifications. Ali is a sought-after consultant in the field of cybersecurity, offering expertise in areas such as digital forensics, incident response, adversary simulation, offensive security, and malware analysis. He is also an established author, speaker, and freelance instructor, having provided technical training to government and private firms as well as other organizations. Ali continues to be an influential figure in the digital forensics community and is dedicated to promoting forensics education and research. More details can be found here, or contact him directly through Twitter here.