Aligned to the NIST NICE Framework (IN-WRL-002, PD-WRL-002)
Investigate Windows Recycle Bin artifacts in this hands-on course. Learn to parse $R and $I files, decode timestamps, and use tools like RBCmd.exe and Rifiuti2 to recover or analyze permanently deleted items. Ideal for entry-level DFIR learners.
This hands-on course introduces the forensic value of the Windows Recycle Bin and how it can be used to uncover evidence of deleted file activity. You will learn how Windows stores deleted items and how to analyze key artifacts, including $R and $I files, to extract information such as original file paths, sizes, and deletion timestamps.
The course covers essential tools and techniques used to parse and interpret Recycle Bin data, including practical usage of tools like RBCmd.exe and Rifiuti2. You will also explore the difference between recovered and permanently deleted files, and how to extract useful evidence even when files are no longer accessible.
Through hands-on exercises and a guided lab, you will apply these techniques in real scenarios, reinforcing your ability to investigate and analyze Recycle Bin artifacts effectively.
This course is strategically aligned to the NIST NICE Workforce Framework for Cybersecurity, supporting key DFIR job roles and competencies:
This alignment ensures the course reflects real-world cybersecurity workforce requirements and develops practical skills in digital forensic investigation and evidence interpretation.
How do I purchase a course?
You can enroll in any course directly through our platform using secure online payment.
How do I access my course after enrollment?
Once payment is complete, you will be redirected to the course and receive a confirmation email. You may also log in at any time to access your content via the My Dashboard section.
How long will I have access to the course material?
Lifetime access while the course remains available, with a guaranteed minimum of 1 year, even if it is updated or retired.
What are the general technical requirements?
Our platform is accessible from any device with internet access. For hands-on labs, we recommend:
Alternatively, we offer fully hosted Virtual Labs that allow you to complete technical exercises via the cloud. Please check our labs at: labs.cyber5w.com.
Can I ask for help if I don't understand something?
Of course! Reach out by email anytime.
What is the expected time commitment for each course?
Each course is self-paced and designed to accommodate different learning speeds. The time you'll need depends on your current knowledge, experience, and how deeply you choose to engage with the materials and hands-on labs.
Do you offer student discounts?
Yes, we offer a 25% discount to verified university or college students (must register with a valid academic email). Please contact us at [email protected] after registering and before purchasing.
Do you offer law enforcement and military professionals discounts?
Yes, we offer a 25% discount to active law enforcement and military professionals (official verification required). Please contact us at [email protected] after registering and before purchasing.
Do you offer corporate training or customized training solutions?
Absolutely. We provide customized training solutions for teams, security operations centers, and government entities, including on-site workshops, simulations, and private lab access. Please contact us at [email protected] for arrangement.
Do your courses include Certificate of Completion?
All of our courses include a Certificate of Completion, awarded upon successful completion of lessons, labs, or a final exam (where applicable). These certificates are designed to support your professional development in the DFIR and cybersecurity fields.
Can't find the answer you're looking for? Please chat to our friendly team.
Get in touchSign up for the latest findings, field advancements, and updates on upcoming webinars, conferences, seminars, and free courses.
