Bootcamp Format

The bootcamp consists of 16 hours delivered over 4 sessions (4 hours per session). This schedule is designed to give students ample time to absorb the content and complete the hands-on labs at a comfortable pace.

  • 4 Live Sessions

  • 4 Hours Per Session

  • 50+ Hands-On Lab Exercises

  • 20 Credit Hours of Virtual Lab Access

  • 1 CCDFA Certification Exam Attempt

  • Access to Session Recordings

Upcoming Live Bootcamps

🎉 This is our new training format, running over 4 weeks and offering live, instructor-led sessions combined with hands-on labs, allowing you to learn real-world digital forensics at your own pace and on your own schedule.

  • Groups for group discounts, registration, or other schedules, please contact us at [email protected].

    • $650.00

      February 2026
      February 3rd, 2026
      February 4th, 2026
      February 6th, 2026
      February 7th, 2026
      Buy Now

    • $650.00

      March 2026
      March 3rd, 2026
      March 4th, 2026
      March 6th, 2026
      March 7th, 2026
      Buy Now

    • $650.00

      March 2026
      March 31st, 2026
      April 1st, 2026
      April 3rd, 2026
      April 4th, 2026
      Buy Now

    • $650.00

      Custom Schedule

      Looking for a custom bootcamp schedule for your team?
      We offer flexible options, including weekend-only bootcamps, to fit your team’s availability.
      Please reach out to us at [email protected] , and we’ll be happy to arrange a schedule that works best for your team.
      Buy Now

    Bootcamp Syllabus

    The bootcamp is split into four modules across four weeks. For a detailed syllabus of what CCDFA includes, please check the CCDFA course webpage.

    Introduction to Digital Forensics

    • Evidence and Evidence Acquisition
    • Hashing and Validation
    • Mounting Your Evidence
    • File Analysis: Hexeditors, Signatures, File Extensions, and Metadata
    • Time Zones and Dates (Timestamps)
    • Writing a Report

    Windows Forensic Analysis - Part 1

    • Users and Groups
    • Recycle Bin
    • Thumbnails
    • LNK Files and Jump Lists
    • System and User Program Activity: Prefetch Files, UserAssist, BAM, SRUM, etc
    • Windows Registry: System Artifacts and User Artifacts
    • Investigating USB Thumb Drives

    Windows Forensic Analysis - Part 2

    • Analyzing Shellbags
    • Volume Shadow Copies & File History
    • Windows Events
    • Windows Scheduled Tasks
    • Working with KAPE

    Working with Disks, Volumes, and File Systems

    • Disk Analysis (MBR & GPT)
    • File Systems: Storage Units (Sectors and Clusters) and Slack Space
    • Analyzing FAT32 File Systems: Volume Structures, Directory Entries, SFN/LFN, and Cluster Chains
    • Analyzing NTFS File Systems: $MFT, Attributes, NTFS Files, Dataruns, Fixup Arrays, Soft/Hard Links, ADS, USN Journals, and Timestamps
    • Data and File Carving: Manual and Automated
    • Detecting Anti-Forensics: Timestomping and Wipers
    Note: Additional topics may be covered as time allows.

    🔍 Case Studies

    Throughout the training, you’ll investigate and analyze real-world inspired scenarios designed to build your skills across diverse forensic challenges and attacker techniques. Some of the case studies include:

    🕵🏻 No Prefetch? No Problem.
    Learn how to trace malware or suspicious program execution even when traditional evidence like Prefetch files is missing. This case study walks you through advanced artifact correlation to build a timeline of attacker activity.

    💣 Hunting Wipers: Uncovering sdelete and Beyond
    Not all deletions are innocent. Dive into a case study where a threat actor uses sdelete to wipe their tracks and how forensic traces in NTFS, registry, and logs still tell the story.

    🗑️ Deleted Doesn't Mean Gone.
    Explore how deleted files, shortcuts, and shellbags can be recovered and interpreted to reconstruct user activity and attacker behavior in a compromised system.

    🧪 Suspicious Installer or Admin Mistake?
    Investigate a case where legitimate software was used as a LOLBin. You'll learn how to differentiate between administrator behavior and post-exploitation tactics.

    📎 Malicious LNK Files: A Shortcut to Trouble
    Learn how attackers use Windows shortcut files (.lnk) to execute malware silently. In this case study, you’ll recover and analyze LNK files to trace back user activity and uncover hidden execution paths.

    👻 GhostTask Investigations: The Scheduled Jobs That Disappear
    Uncover the mystery of Scheduled Tasks that leave minimal forensic traces. You’ll learn how attackers abuse Task Scheduler and how to recover or reconstruct their activity, even when tasks are deleted.

    🔌 Execution from USB Devices: Following the Plug-in Trail
    Explore a scenario where malware was launched from a removable device. You’ll trace USB insertions, mounted paths, and execution history using SetupAPI logs, registry entries, and forensic images.

    🧹 Detecting Anti-Forensics: Timestomping and Log Tampering
    Attackers may alter timestamps and clear logs to evade detection. This case study shows how to detect timestomping and use alternate forensic artifacts like $MFT, $LogFile, and $UsnJrnl to reconstruct the truth.

    Learning Objectives

    After completing this course, you are expected to:

    • Understand the fundamentals of digital forensic investigations

    • Demonstrate correct methods of evidence gathering

    • Learn how to extract file metadata and analyze files using a hex-editor

    • Summarize the analysis results and write investigative reports

    • Ability to investigate Windows System Artifacts

    • Investigating Windows Program Execution Artifacts

    • Investigating Windows Registry and Windows Shellbags

    • Ability to analyze Windows Events Logs, and Scheduled Tasks

    • Ability to analyze Windows file systems, plus recover and carve files from raw data

    What You’ll Get

    Buying this bootcamp will grant you all of the following:

    • Access to a private student lab environment

    • Live instruction from DFIR practitioners

    • Practical investigative scenarios

    • A CCDFA exam attempt

    • Support from instructors during and after the course

    Prerequisites

    This course assumes no prior experience in digital forensics or incident response. However, a foundational understanding of computer science, operating systems, file systems, or a related field is highly recommended.

    Important: Learners should have experience installing software and working with virtual machines using a hypervisor. Please ensure you are comfortable setting up and managing virtual environments independently before starting the course.

    The Value of the Training

    Unlock the skills needed to identify, investigate, and understand digital incidents in a hands-on, guided environment. This training bridges the gap between theory and practice by walking you through real-world case scenarios, forensic imaging, artifact analysis, timeline reconstruction, and report writing.

    Whether you're pursuing a career in digital forensics, incident response, or security operations, this course provides the core foundation and investigative techniques required to uncover evidence, trace attacker activity, and respond effectively in today's evolving threat landscape.

    Who is this Certificate For?

    This training is ideal for cybersecurity professionals, digital forensics analysts, SOC analysts, blue teamers, and anyone looking to build or strengthen their digital investigation skills.

    Whether you're just entering the DFIR field or you're an experienced analyst looking to refine your techniques, this course offers a structured, hands-on approach to evidence acquisition, artifact analysis, and incident response, preparing you to investigate and respond to real-world security incidents with confidence.

    System Requirements

    What you need for the course

    To ensure an optimal learning experience, you will have access to our hosted virtual lab environment with 24 credit hours of lab access. Learners can purchase more credit hours if they need. This eliminates the need to configure local virtual machines and allows you to seamlessly follow along with all hands-on exercises in a secure, controlled environment.

    Refund Policy

    Refund requests for In-person and Online Virtual Training are accepted before the refund deadline and as long as the online course has not been accessed. To initiate a refund, please submit your request to [email protected]. The registration fee will be refunded, minus a $50 refund processing fee, to the original payment method. Please be advised that CYBER 5W OnDemand Courses are non-refundable and non-transferable once payment has been completed and course material has been accessed.

    Frequently asked questions

    • How do I purchase a course?

      You can enroll in any course directly through our platform using secure online payment via Stripe.

    • How do I access my course after enrollment?

      Once payment is complete, you will be redirected to the course and receive a confirmation email. You may also log in at any time to access your content via the My Dashboard section.

    • How long will I have access to the course material?

      Lifetime access while the course remains available, with a guaranteed minimum of 1 year, even if it is updated or retired.

    • What are the general technical requirements?

      Our platform is accessible from any device with internet access. For hands-on labs, we recommend:

      • A modern operating system capable of running virtual machines
      • 8 GB RAM (minimum)
      • 500 GB disk space
      • Hypervisor software: Virtualbox, VMWare, HyperV, etc


      Alternatively, we offer fully hosted Virtual Labs that allow you to complete technical exercises via the cloud. Please check our labs at: labs.cyber5w.com.


    • Can I ask for help if I don't understand something?

      Of course! Reach out by email anytime.

    • What is the expected time commitment for each course?

      Each course is self-paced and designed to accommodate different learning speeds. The time you'll need depends on your current knowledge, experience, and how deeply you choose to engage with the materials and hands-on labs.

    • Do you offer student discounts?

      Yes, we offer a 25% discount to verified university or college students (must register with a valid academic email). Please contact us at [email protected] after registering and before purchasing.

    • Do you offer law enforcement and military professionals discounts?

      Yes, we offer a 25% discount to active law enforcement and military professionals (official verification required). Please contact us at [email protected] after registering and before purchasing.

    • Do you offer corporate training or customized training solutions?

      Absolutely. We provide customized training solutions for teams, security operations centers, and government entities, including on-site workshops, simulations, and private lab access. Please contact us at [email protected] for arrangement.

    • Do your courses include Certificate of Completion?

      All of our courses include a Certificate of Completion, awarded upon successful completion of lessons, labs, or a final exam (where applicable). These certificates are designed to support your professional development in the DFIR and cybersecurity fields.

    Still have questions?

    Can't find the answer you're looking for? Please chat to our friendly team.

    Get in touch

    Stay ahead in DFIR!

    Sign up for the latest findings, field advancements, and updates on upcoming webinars, conferences, seminars, and free courses.

    Get updates!

    Thank You