Description

The number of incidents being reported is rapidly increasing every year. Organizations need to respond to these incidents and investigate what, when, why, where, who, and how they happened. This requires special skills and knowledge in systems and how they operate. This is not a simple task that can be handled by an IT professional, but only those trained to acquire and analyze information in a forensically sound manner.

Cyber 5W Digital Forensic Analyst training will guide students on how to conduct digital investigations and write investigative forensic reports. This training uses an experiential learning process for training students, where students learn digital forensics by doing investigative tasks on real-world cases. Students will learn how to perform evidence acquisition and how to deal with disks and file systems, and then explore the forensic artifacts one may encounter when working with the Windows operating system. By completing this training, students are prepared to take the exam that leads to the Cyber 5W Certified Digital Forensic Analyst (CCDFA) certificate.

The full course contents has been published and new extra content is being added.

Training Delivery Details

Live Training: Instructor (40 hour) | Materials | Certification Exam

The course material includes over 55+ Hands-on Labs and 50+ Videos

All sessions starts from 9 AM to 1 PM (Eastern Time) or upon a mutual agreement

Pricing Options

🎉 Early Bird Discount: Special pricing available for early registrants each training!
Use the discount codes below and receive 40% off while seats last.

  • C5W DIGITAL FORENSIC ANALYST - VIRTUAL LIVE TRAINING

  • September 1st, 2025

  • 40% Off If You Register Before August 1st! Use code earlyccdfa0925 at checkout to claim your discount.

    • $2,250.00

    Buy Now

  • C5W DIGITAL FORENSIC ANALYST - VIRTUAL LIVE TRAINING

  • November 3rd, 2025

  • 40% Off If You Register Before October 1st! Use code earlyccdfa1125 at checkout to claim your discount.

    • $2,250.00

    Buy Now

  • C5W DIGITAL FORENSIC ANALYST - VIRTUAL LIVE TRAINING

  • January 19th, 2026

  • 40% Off If You Register Before December 1st! Use code earlyccdfa0126 at checkout to claim your discount.

    • $2,250.00

    Buy Now

Syllabus

After completing this course, students will be able to demonstrate how to acquire forensically sound evidence, check evidence integrity, analyze and fix corrupted drives, analyze FAT32 and NTFS file systems, analyze different Windows artifacts, and finally write a report about their analysis.

Introduction to Digital Forensics

  • Evidence and Evidence Acquisition
  • Hashing and Validation
  • Mounting Your Evidence
  • File Analysis
    • Hexeditors
    • Signatures
    • Extension
    • Metadata
    • and Others
  • Time Zones and Dates (Timestamps)
  • Autopsy and other Tools
  • Writing a Report

Windows Forensic Analysis

  • Windows Basics
    • Users and Groups
    • Parsing SID Manually
    • Recycle Bin
    • Thumbnails
  • LNK Files and Jump Lists
  • System and User Program Activity
    • Prefetch Files
    • UserAssist
    • Background Activity Moderator (BAM)
    • System Resource Usage Monitor (SRUM)
    • and Other Subjects
  • Windows Registry
    • Structure of Windows Registry
    • System Artifacts
    • User Artifacts
  • Investigating USB Thumb Drives
  • Analyzing Shellbags
  • Volume Shadow Copies & File History
  • Windows Events
  • Windows Scheduled Tasks
  • Windows Search
  • Working with KAPE

Working with Disks, Volumes, and File Systems

  • Disk Analysis (MBR & GPT)
  • Fixing Corrupted Disks
  • File Systems
    • Storage Units: Sectors and Clusters
    • Slack Space
    • and Other Subjects
  • Analyzing FAT32 File Systems
    • Volume Data Structures
    • Parsing Directory Entries
    • Parsing SFN and LFN Structures
    • Parsing Cluster Chains Manually
    • FAT32 Timestamps
  • Analyzing NTFS File Systems
    • Understanding the MFT File & Main NTFS Files
    • Parsing MFT Entries
    • Parsing Different Attribute Data Structures
    • Parsing Cluster Dataruns Manually
    • Fixup Arrays
    • Alternate Data Streams (ADS)
    • Soft Links, Hard Links, and Junctions
    • Working with USN Journals
    • NTFS Timestamps
  • Data and File Carving: Manual and Automated
Note: Additional topics may be covered as time allows.

🔍 Case Studies

Throughout the training, you’ll investigate and analyze real-world inspired scenarios designed to build your skills across diverse forensic challenges and attacker techniques. Some of the case studies include:

🕵🏻 No Prefetch? No Problem.
Learn how to trace malware or suspicious program execution even when traditional evidence like Prefetch files is missing. This case study walks you through advanced artifact correlation to build a timeline of attacker activity.

💣 Hunting Wipers: Uncovering sdelete and Beyond
Not all deletions are innocent. Dive into a case study where a threat actor uses sdelete to wipe their tracks and how forensic traces in NTFS, registry, and logs still tell the story.

🗑️ Deleted Doesn't Mean Gone.
Explore how deleted files, shortcuts, and shellbags can be recovered and interpreted to reconstruct user activity and attacker behavior in a compromised system.

🧪 Suspicious Installer or Admin Mistake?
Investigate a case where legitimate software was used as a LOLBin. You'll learn how to differentiate between administrator behavior and post-exploitation tactics.

📎 Malicious LNK Files: A Shortcut to Trouble
Learn how attackers use Windows shortcut files (.lnk) to execute malware silently. In this case study, you’ll recover and analyze LNK files to trace back user activity and uncover hidden execution paths.

👻 GhostTask Investigations: The Scheduled Jobs That Disappear
Uncover the mystery of Scheduled Tasks that leave minimal forensic traces. You’ll learn how attackers abuse Task Scheduler and how to recover or reconstruct their activity, even when tasks are deleted.

🔌 Execution from USB Devices: Following the Plug-in Trail
Explore a scenario where malware was launched from a removable device. You’ll trace USB insertions, mounted paths, and execution history using SetupAPI logs, registry entries, and forensic images.

🧹 Detecting Anti-Forensics: Timestomping and Log Tampering
Attackers may alter timestamps and clear logs to evade detection. This case study shows how to detect timestomping and use alternate forensic artifacts like $MFT, $LogFile, and $UsnJrnl to reconstruct the truth.

Instructor

Dr. Ali Hadi is a highly accomplished and experienced Senior Cybersecurity Specialist with 14+ years of professional experience in Information Technology. He is currently working as a full-time professor and researcher at the Computer and Digital Forensics and Cybersecurity Departments of Champlain College, USA. Ali is a Co-Founder and the Chief Technology Officer of Cyber 5W. He holds a PhD and MSc degree in Computer Information Systems, as well as a BSc degree in Computer Science. Throughout his professional career, Ali has earned more than 20 professional certifications. Ali is a sought-after consultant in the field of cybersecurity, offering expertise in areas such as digital forensics, incident response, adversary simulation, offensive security, and malware analysis. He is also an established author, speaker, and freelance instructor, having provided technical training to government and private firms as well as other organizations. Ali continues to be an influential figure in the digital forensics community and is dedicated to promoting forensics education and research. More details could be found here or contact him directly through twitter here.


CCDFA Certificate

Why you should get the CCDFA certificate?

  • Professional Certificate

    CCDFA is the only certification that will truly assess your skills in multiple domains, all using a single certification-process.

  • Experiential Learning

    CCDFA includes more than 35 hands-on labs that cover skills related to the basic of digital forensic, disks, file systems, and Windows.

  • Evaluated by Experts

    CCDFA requires students to take a practical assessment and submit a report for the expert committee to evaluate.

Learning Objectives

After completing this course, you are expected to:

  • Understand the fundamentals of digital forensic investigations

  • Demonstrate correct methods of evidence gathering

  • Learn how to extract file metadata and analyze files using a hex-editor

  • Summarize the analysis results and write investigative reports

  • Ability to analyze and fix corrupted disks

  • Ability to analyze FAT32 and NTFS file systems, plus recover and carve files from raw data

  • Ability to investigate Windows System Artifacts

  • Investigating Windows Program Execution Artifacts

  • Investigating Windows Registry and Windows Shellbags

  • Ability to analyze Windows Events Logs, Scheduled Tasks, and different Windows Applications (e.g. Skype, One Drive, etc)

Prerequisites

This course assumes no prior experience in digital forensics or incident response. However, a foundational understanding of computer science, operating systems, file systems, or a related field is highly recommended.

Important: Learners should have experience installing software and working with virtual machines using a hypervisor. Please ensure you are comfortable setting up and managing virtual environments independently before starting the course.

The Value of the Training

Unlock the skills needed to identify, investigate, and understand digital incidents in a hands-on, guided environment. This training bridges the gap between theory and practice by walking you through real-world case scenarios, forensic imaging, artifact analysis, timeline reconstruction, and report writing.

Whether you're pursuing a career in digital forensics, incident response, or security operations, this course provides the core foundation and investigative techniques required to uncover evidence, trace attacker activity, and respond effectively in today's evolving threat landscape.

Who is this Certificate For?

This training is ideal for cybersecurity professionals, digital forensics analysts, SOC analysts, blue teamers, and anyone looking to build or strengthen their digital investigation skills.

Whether you're just entering the DFIR field or you're an experienced analyst looking to refine your techniques, this course offers a structured, hands-on approach to evidence acquisition, artifact analysis, and incident response, preparing you to investigate and respond to real-world security incidents with confidence.

System Requirements:

what you need to for the course

To ensure an optimal learning experience, participants should have access to a computer capable of running virtualization software such as VMware Workstation or VirtualBox, with at least 8 GB of RAM and 40 GB of free disk space.

We highly recommend using our hosted virtual lab environment, provided as part of the course. This eliminates the need to configure local virtual machines and allows you to seamlessly follow along with all hands-on exercises in a secure, controlled environment.

Refund Policy:

Refund requests for In-person and Online Virtual Training are accepted before the refund deadline and as long as the online course has not been accessed. To initiate a refund, please submit your request to [email protected]. The registration fee will be refunded, minus a $50 refund processing fee, to the original payment method. Please be advised that CYBER 5W OnDemand Courses are non-refundable and non-transferable once payment has been completed and course material has been accessed.

Testimonials

“Breadcrumbs and Footprints... Affirmative .LNKs (pun intended) and Trace Evidence ... A ton of information, intelligence, and investigative leads are packed into Prefetch, Jumplist, LNK, and Thumbnail files.
"To a great mind nothing is little" -- S. Holmes.
Solid applicable Windows Forensics foundation from Dr. Ali Hadi and the Cyber5W Team. Here

Private Investigations | Digital Forensics

Eli W. Wilkerson

“This was a great day one! Really dived into it and wasn’t just a broad overview. Already working in VM’s and it is very hands on. Ali takes the time to answer all questions thoroughly. Here

Sarah