Course Curriculum

  • 01

    Introduction

    • Welcome to "Investigating Windows Program Executions"!

  • 02

    Prefetch

    • The Definition of Prefetch

    • Analyze Prefetch

    • PECmd

    • WinPrefetchView

    • Prefetch Lab

    • Prefetch Lab Solutions

  • 03

    AmCache

    • The Definition of AmCache

    • Analyze AmCache

    • Registry Explorer

    • AmCacheParser

    • AmCache Lab

    • AmCache Lab Solutions

  • 04

    AppCompat (Shimcache)

    • The Definition of AppCompatCache (Shimcache)

    • AppCompatCacheParser

    • RegRipper

    • AppCompatCache (Shimcache) Lab

    • AppCompatCache (Shimcache) Lab Solutions

  • 05

    UserAssist

    • The Definition of UserAssist

    • Analyze the UserAssist

    • UserAssist Lab

    • UserAssist Lab Solutions

  • 06

    Background Activity Moderator (BAM)

    • The Definition of Background Activity Moderator (BAM)

    • Analyze BAM

  • 07

    Summary

    • Summary

Learning Outcomes

After completing this course, you will learn the following.

  • You will be able to effectively locate and analyze execution artifacts.

  • You will be able to answer questions related to the significance and meaning of said artifacts.

  • You will be able use forensic tools introduced in relation to analyzing and extracting execution artifacts.

Technical Requirements

For the hands-on labs in this course

  • Windows machine (recommended Windows 10)

  • “Working with FTK Imager” or equivalent background

  • FTK Imager

What is next at Cyber 5W?

Add your email to the mailing list to get the latest updates