Windows Forensics Analysis Training

What You Will Learn

Master Windows Forensics - "You Can't Protect What You Don't Know About."

All organizations must prepare for cyber-crime occurring on their computer systems and within their networks. Demand has never been greater for analysts who can investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Government agencies increasingly require trained media exploitation specialists to recover vital intelligence from Windows systems. To help solve these cases, SANS is training a new cadre of the world's best digital forensic professionals, incident responders, and media exploitation experts capable of piecing together what happened on computer systems second by second.

FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of Microsoft Windows operating systems. You can't protect what you don't know about, and understanding forensic capabilities and artifacts is a core component of information security. You will learn how to recover, analyze, and authenticate forensic data on Windows systems, track particular user activity on your network, and organize findings for use in incident response, internal investigations, and civil/criminal litigation. You will be able to use your new skills to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unbelievable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data.

Proper analysis requires real data for students to examine. The completely updated FOR500 course trains digital forensic analysts through a series of new hands-on laboratory exercises that incorporate evidence found on the latest Microsoft technologies (Windows 7, Windows 8/8.1, Windows 10, Office and Office365, Cloud Storage, SharePoint, Exchange, Outlook). Students leave the course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out - attendees learn to analyze everything from legacy Windows 7 systems to just-discovered Windows 10 artifacts.

FOR500: Windows Forensic Analysis will teach you to:

Conduct in-depth forensic analysis of Windows operating systems and media exploitation focusing on Windows 7, Windows 8/8.1, Windows 10, and Windows Server 2008/2012/2016
Identify artifact and evidence locations to answer critical questions, including application execution, file access, data theft, external device usage, cloud services, geolocation, file download, anti-forensics, and detailed system usage
Focus your capabilities on analysis instead of on how to use a particular tool
Extract critical answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation

FOR500 is continually updated. The course starts with an intellectual property theft and corporate espionage case that took over six months to create. You work in the real world, so your training should include real-world practice data. Our instructor development team used incidents from their own investigations and experiences to create an incredibly rich and detailed scenario designed to immerse students in an actual investigation. The case demonstrates the latest artifacts and technologies an investigator might encounter while analyzing Windows systems. The detailed workbook shows step-by-step the tools and techniques that each investigator should employ to solve a forensic case.

Windows Forensics Course Topics:

Windows Operating Systems Focus (Windows 7, Windows 8/8.1, Windows 10, Server 2008/2012/2016)
Windows File Systems (NTFS, FAT, exFAT)
Advanced Evidence Acquisition Tools and Techniques
Registry Forensics
Shell Item Forensics

Shortcut Files (LNK) - Evidence of File Opening
Shellbags - Evidence of Folder Opening
JumpLists - Evidence of File Opening/Program Exec

Windows Artifact Analysis

Facebook, Gmail, Hotmail, Yahoo Chat, and Webmail Analysis
Microsoft Office Document Analysis
System Resource Usage Database
Windows 10 Timeline Database
Windows Recycle Bin Analysis
File and Picture Metadata Tracking and Examination
Ten Different Application Execution Artifacts Including Several New to Windows 10

Cloud Storage File and Metadata Examinations
- OneDrive, Dropbox, G Drive, G Suite File Stream, Box
Email Forensics (Host, Server, Web), Including Office 365 and G Suite
Event Log File Analysis
Firefox, Chrome, Edge, and Internet Explorer Browser Forensics
Deleted Registry Key and File Recovery
Recovering Missing Data From Registry and ESE Database .Log Files
String Searching and File Carving
Examination of Cases Involving Windows 7, Windows 8/8.1, and Windows 10
Media Analysis and Exploitation Involving:

Tracking User Communications Using a Windows PC (Email, Chat, IM, Webmail)
Identifying If and How a Suspect Downloaded a Specific File to the PC
Determining the Exact Time and Number of Times a Suspect Executed a Program
Showing When Any File Was First and Last Opened by a Suspect
Determining If a Suspect Had Knowledge of a Specific File
Showing the Exact Physical Location of the System
Tracking and Analyzing External and USB Devices
Showing How the Suspect Logged on to the Machine via the Console, RDP, or Network
Recovering and Examining Browser Artifacts, Even Those Used in a Private Browsing Mode
Discovering Utilization of Anti-Forensics, Including File Wiping, Time Manipulation, and Program Removal

The Course Is Fully Updated to Include Latest Windows 7, 8, 8.1, 10, and Server 2008/2012/2016 Techniques

You Will Be Able To

Perform proper Windows forensic analysis by applying key techniques focusing on Windows 7, Windows 8/8.1, and Windows10
Use full-scale forensic tools and analysis methods to detail nearly every action a suspect accomplished on a Windows system, including who placed an artifact on the system and how, program execution, file/folder opening, geo-location, browser history, profile USB device usage, and more
Uncover the exact time that a specific user last executed a program through Registry and Windows artifact analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker-breached systems, and traditional crimes
Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), email analysis, and Windows Registry parsing
Audit cloud storage usage, including detailed user activity, identifying deleted files, and even documenting files available only in the cloud
Identify keywords searched by a specific user on a Windows system to pinpoint the data and information that the suspect was interested in finding and accomplish detailed damage assessments
Use Windows Shellbag analysis tools to articulate every folder and directory that a user or attacker opened up while browsing local, removable, and network drives
Determine each time a unique and specific USB device was attached to the Windows system, the files and folders that were accessed on it, and who plugged it in by parsing Windows artifacts such as the Registry and Event Log files
Learn Event Log analysis techniques and use them to determine when and how users logged into a Windows system, whether via a remote session, at the keyboard, or simply by unlocking a screensaver
Determine where a crime was committed using Registry data to pinpoint the geo-location of a system by examining connected networks and wireless access points
Use browser forensic tools to perform detailed web browser analysis, parse raw SQLite and ESE databases, and leverage session recovery artifacts database carving to identify the web activity of suspects, even if privacy cleaners and in-private browsing are used
Specifically determine how individuals used a system, who they communicated with, and files that were downloaded, modified, and deleted

What Will You Receive

Windows 10 Enterprise version of the SIFT Workstation Virtual Machine with over 200 commercial, open-source, and freeware Digital Forensics and Incident Response tools prebuilt into the environment
Full version licenses for 120 days:

Electronic Download package containing real-world cases to examine during and after class
FOR500 detailed electronic exercise workbook with nearly 500 pages in length with detailed step-by-step instructions
MP3 audio files of the complete course lecture
Complete course lecture

Syllabus (36 CPEs)

Download PDF

Overview
The Windows Forensic Analysis course starts with an examination of digital forensics in today's interconnected environments and discusses challenges associated with mobile devices, tablets, cloud storage, and modern Windows operating systems. Hard drive sizes are increasingly difficult to handle appropriately in digital cases. Being able to acquire data in an efficient and forensically sound manner is crucial to every investigator today. Most fundamental analysts can easily image a hard drive using a write blocker. In this course, we will review the core techniques while introducing new triage-based acquisition and extraction capabilities that will increase the speed and efficiency of the acquisition process. We will demonstrate how to acquire memory, the NTFS MFT, Windows logs, Registry, and critical files that will take minutes to acquire instead of the hours or days currently spent on acquisition.
We will also begin processing our collected evidence using stream-based and file-carving-based extraction capabilities that employ both commercial and open-source tools and techniques. Seasoned investigators will need to know how to target the specific data that they need to begin to answer fundamental questions in their cases.
Exercises
- Install the Windows SIFT Workstation and get an orientation about its operations
- Undertake advanced triage-based acquisition and imaging - rapid acquisition
- Mount acquired disk images and evidence
- Carve important files from free space
- Recover critical user data from the pagefile, hibernation file, memory images, and unallocated space
- Recover chat sessions, web-based email, social networking, and private browsing
Topics
- Windows Operating System Components
- Core Forensic Principles
- Live Response and Triage-Based Acquisition Techniques
- Windows Image Mounting and Examination
- NTFS File System Overview
- Document and File Metadata
- File Carving
- Memory, Pagefile, and Unallocated Space Analysis
Overview
Our journey continues with the Windows Registry, where the digital forensic investigator will learn how to discover critical user and system information pertinent to almost any investigation. Each examiner will learn how to navigate and examine the Registry to obtain user profile data and system data. The course teaches forensic investigators how to prove that a specific user performed keyword searches, executed specific programs, opened and saved files, perused folders, and used removable devices.
Data is moving rapidly to the cloud, constituting a significant challenge and risk to the modern enterprise. Cloud storage applications are nearly ubiquitous on both consumer and business systems, causing interesting security and forensic challenges. In a world where some of the most important data is only present on third-party systems, how do we effectively accomplish our investigations? In this section we will dissect OneDrive, Google Drive, G Suite, Dropbox, and Box applications, deriving artifacts present in application logs and left behind on the endpoint. Detailed user activity, history of deleted files and discovery of cloud contents are all possible. Solutions to the very real challenges of forensic acquisition are also discussed. Understanding what can be gained through analysis of these popular applications will make investigations of less common cloud storage solutions easier when encountered.
Throughout the section, investigators will use their skills in a real hands-on case, exploring the evidence and analyzing evidence.
Exercises
- Profile a computer system using evidence found in the Registry
- Conduct a detailed profile of user activity using Registry evidence
- Examine which programs a user recently executed by examining Registry-based UserAssist, AppCompability, Amcache, RecentApps, BAM/DAM, and others
- Determine which files a user recently opened via the RecentDocs keys in the Registry
- Examine recently opened Office 365 files and determine first/last open times
- Find folders recently accessed by a user via the Open/Save keys in the Registry
- Perform cloud storage forensics, recovering information in logs, metadata, and files
Topics
Registry Forensics In-Depth
- Registry Core
- Profile Users and Groups
- Core System Information
- User Forensic Data
- Cloud Storage Forensics
- Tools Used
Overview
Being able to show the first and last time a file or folder was opened is a critical analysis skill. Utilizing shortcut (LNK), jump list, and Shellbag databases through the examination of SHELL ITEMS, we can quickly pinpoint which file or folder was opened and when. The knowledge obtained by examining SHELL ITEMS is crucial in tracking user activity in intellectual property theft cases internally or in tracking hackers.
Removable storage device investigations are often an essential part of performing digital forensics. We will show you how to perform in-depth USB device examinations on Windows 7, 8/8.1, and 10. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, and even the unique serial number of the device used.
Exercises
- Track USB and BYOD devices that were connected to the system via the Registry and file system
- Determine first and last connected times of USB devices that are plugged into your system
- Determine last removal time of USB devices that are plugged into your system
- Use Shortcut (LNK) file analysis to determine first/last times a file was opened
- Use Shellbag Registry Key Analysis to determine when a folder was accessed
- Use a jump list examination to determine when files were accessed by specific programs
- Unlock BitLocker-To-Go encrypted USB devices
Topics
- Shell Item Forensics
- USB and Bring Your Own Device (BYOD) Forensic Examinations
Overview
Depending on the type of investigation and authorization, a wealth of evidence can be unearthed through the analysis of email files. Recovered email can bring excellent corroborating information to an investigation, and its informality often provides very incriminating evidence. It is common for users to have an email that exists locally on their workstation, on their company email server, in a private cloud, and in multiple webmail accounts.
Additional artifacts such as Windows Prefetch are paramount to proving evidence of execution. The exciting Windows 10 Timeline database shows great promise in recording detailed user activity. Similarly, the System Resource Usage Monitor (SRUM), one of our most exciting digital artifacts, can help determine several important user actions, including network usage by cloud storage and backdoors, even after execution of counter-forensic programs.
Finally, Windows event log analysis has solved more cases than possibly any other type of analysis. Understanding the locations and content of these files is crucial to the success of any investigator. Many researchers overlook these records because they do not have adequate knowledge or tools to get the job done efficiently. This section arms each investigator with the core knowledge and capability to maintain this crucial skill for many years to come.
Exercises
- Employ best-of-breed forensic tools to search for relevant email and file attachments in large data sets
- Analyze message headers and gauge email authenticity using SPF and DKIM
- Understand how Extended MAPI Headers can be used in an investigation
- Effectively collect evidence from Exchange and Office365
- Learn the latest on Unified Audit Logs in Office365
- Search for Webmail and Mobile Email remnants
- Understand key concepts like email object filtering, de-duplication, and message similarity
- Use forensic software to recover deleted objects from email archives
- Gain experience with a commercial email forensics and e-discovery tool
- Perform data visualization and timeline analysis
- Analyze document metadata present in email archives
- Analyze the various versions of the Windows Recycle Bin
- Analyze Windows Prefetch files to determine thousands of application execution times
- Use the System Resource Usage Monitor (SRUM) to answer questions never before available in Windows forensics
- Merge event logs and perform advanced filtering
- Profile account usage and determine logon session length
- Audit file and folder access
- Identify evidence of time manipulation on a system
- Supplement registry analysis with BYOD device auditing, including new Windows 10 events
- Analyze historical records of wireless network associations and geolocate a device
Topics
- Email Forensics
- Forensicating Additional Windows OS Artifacts
- Windows Event Log Analysis
Overview
With the increasing use of the web and the shift toward web-based applications and cloud computing, browser forensic analysis is a critical skill. During this section, the investigator will comprehensively explore web browser evidence created during the use of Internet Explorer, Edge, Firefox, and Google Chrome. The hands-on skills taught here, such as SQLite and ESE database parsing, allow investigators to extend these methods to nearly any browser they encounter. The analyst will learn how to examine every significant artifact stored by the browser, including cookies, visit and download history, Internet cache files, browser extensions, and form data. We will show you how to find these records and identify the common mistakes investigators make when interpreting browser artifacts. You will also learn how to analyze some of the more obscure (and powerful) browser artifacts, such as session restore, tracking cookies, zoom levels, predictive site prefetching, and private browsing remnants. Finally, browser synchronization is explored, providing investigative artifacts derived from other devices.
Throughout the section, investigators will use their skills in real hands-on cases, exploring evidence created by Chrome, Firefox, Edge, Internet Explorer, and Tor correlated with other Windows operating system artifacts.
Exercises
- Track a suspect's activity in browser history and cache files and identify local file access
- Analyze artifacts found within the Extensible Storage Engine (ESE) database format
- Examine which files a suspect downloaded
- Determine URLs that suspects typed, clicked on, bookmarked, or merely popped up while they were browsing
- Parse automatic crash recovery files to reconstruct previous browser sessions
- Leverage Google Analytics cookies to profile user behaviors
- Learn to manually parse SQLite databases from Firefox and Chrome
- Identify anti-forensics activity and re-construct private browsing sessions
- Investigate browser auto-complete data
Topics
- Browser Forensics
Overview
Nothing will prepare you more as an investigator than a full hands-on challenge that requires you to use the skills and knowledge presented throughout the week. In the morning, you will have the option to work in teams on a real forensic case. Students will be provided new evidence to analyze, and the exercise will step you through the entire case flow, including proper acquisition, analysis, and reporting in preparation for a possible trial. Teams will work on the case with the objective of profiling computer usage and discovering the most critical pieces of evidence to present.
This complex case will involve an investigation into one of the most recent versions of the Windows Operating System. The evidence is real and provides the most realistic training opportunity currently available. Solving the case will require that students use all of the skills gained from each of the previous sections.
The section will conclude with a mock trial involving presentations of the evidence collected. The team with the best in-class presentation and short write-up wins the challenge...and the case!
Exercises
- Windows 10 Forensic Challenge
- Two Additional Full-Length Take Home Exercises to Hone Your Skills!
Topics
- Digital Forensic Case
- Presentation

GIAC Certified Forensic Examiner

The GIAC Certified Forensic Examiner (GCFE) certification validates a practitioner’s knowledge of computer forensic analysis, with an emphasis on core skills required to collect and analyze data from Windows computer systems. GCFE certification holders have the knowledge, skills, and ability to conduct typical incident investigations including e-Discovery, forensic analysis and reporting, evidence acquisition, browser forensics and tracing user and application activities on Windows systems.

Windows Forensics and Data Triage
Windows Registry Forensics, USB Devices, Shell Items, Key Word Searching, Email and Event Logs
Web Browser Forensics (Firefox, IE and Chrome) and Tools (Nirsoft, Woanware, SQLite, ESEDatabaseView and Hindsight)

Prerequisites

FOR500: Windows Forensic Analysis focuses on in-depth analysis of the Microsoft Windows Operating System and artifacts. There are no prerequisite courses required to take this course. The artifacts and tool-agnostic techniques you will learn will lead to the successful analysis of any cyber incident and crime involving a Windows Operating System. Please note that this is an analysis-focused course; FOR500 does not cover the basics of evidentiary handling, the "chain of custody," or introductory drive acquisition. Our authors update FOR500 aggressively to stay current with the latest artifacts and techniques discovered. This course is perfect for you if you are interested in in-depth and current Microsoft Windows Operating System forensics and analysis for any incident that occurs. If you have not updated your Windows forensic analysis skills in the past three years or more, this course is essential.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system that also can install and run VMware virtualization products. You also must have a minimum of 8 GB of RAM or higher for the VM to function properly in the class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.

MANDATORY FOR500 SYSTEM HARDWARE REQUIREMENTS:

CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
BIOS settings must be set to enable virtualization technology, such as "Intel-VT".
Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
16 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 16 GB of RAM or higher of RAM is mandatory and minimum.)
USB 3.0 Type-A port is required. At least one open and working USB 3.0 Type-A port is required. (A Type-C to Type-A adapter may be necessary for newer laptops.) (Note: Some endpoint protection software prevents the use of USB devices - test your system with a USB drive before class to ensure you can load the course data.)
200 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical to host the VMs we distribute
Local Administrator Access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
Wireless 802.11 Capability

MANDATORY FOR500 SYSTEM SOFTWARE REQUIREMENTS:

Host Operating System: Latest version of Windows 10 or macOS 10.15.x or a recent version of Linux operating system (released 2016 or later) that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player). Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.

PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:

Microsoft Office (any version) w/Excel or OpenOffice w/Calc installed on your host - Note you can download Office Trial Software online (free for 30 days)
Install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
Download and isntall 7Zip (for Windows Hosts) or Keka (macOS).

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

"After 30 years in law enforcement, three capabilities immediately rise to the top of my list when I think of what makes a great digital forensic analyst: superior technical skill, sound investigative methodology, and the ability to overcome obstacles. SANS FOR500: Windows Forensic Analysis was designed to impart these critical skills to students. Unlike many other training courses that focus on teaching a single tool, FOR500 provides training on many tools. While there are some exceptional tools available, we feel that all forensic analysts need a variety of tools in their arsenal to be able to pick and choose the best tool for each task. However, we also understand that forensic analysts are not great because of the tools they use, but because they artfully apply the right investigative methodology to each analysis. A carpenter can be a master with all his tools and still not know how to build a house. FOR500 teaches students to apply digital forensic methodologies to a variety of case types and situations, enabling them to apply the right methodology to achieve the best outcome in the real world. Finally, the course teaches and demonstrates the problem-solving skills necessary to be a truly successful forensic analyst. Almost immediately after starting your forensic career, you will learn that each forensic analysis presents its own unique challenges. A technique that worked flawlessly for previous examinations may not work for the next one. A good forensic analyst must be able to overcome obstacles through advanced troubleshooting and problem-solving. FOR500 gives students the foundation to solve future problems, overcome obstacles, and become great forensic analysts. No matter if you are new to the forensic community or have been doing forensics for years, FOR500 is a must-have course." - Ovie Carroll

"Former students have contacted me regularly about how they were able to use their digital forensic skills in very real situations that were part of the nightly news cycle. The skills you learn in this class are used directly to stop evil. Graduates of SANS FOR500: Windows Forensic Analysis are the front-line troops deployed when you need accurate digital forensic, incident response, and media exploitation analysis. From analyzing terrorist laptops, data breaches, to investigating insider intellectual property theft and fraud, SANS digital forensic graduates are battling and winning the war on crime and terror. Graduates have directly contributed to solving some of the toughest cases out there because they learn how to conduct analysis and run investigations properly. It brings me great comfort knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign attacks. Graduates are doing just that on a daily basis. I am proud that the SANS FOR500 course helped prepare them to fight and solve crime." - Rob Lee

"Digital forensics has never been more in demand than it is today. Zettabytes of data are created yearly, and forensic examiners will increasingly be called in to separate the wheat from the chaff. For better or worse, digital artifacts are recorded for almost every action, and the bar has been raised for investigators working to repel computer intrusions, stop intellectual property theft, and put bad actors in jail. We wrote this course as the forensics training we wish would have been available early in our careers. Keeping up with the cutting edge of forensics is daunting, but with frequent updates I am confident this course provides the most up-to-date training available, whether you are just starting out or are looking to add new skills to your forensic arsenal." - Chad Tilbury

"Ovie has been great as an instructor for this course. His knowledge and passion to share his insight with us has excited me in learning and reviewing the case materials again even after lessons. I stayed back to spend extra time to read and learn so that I could prepare in anticipation of what he is offering us the next morning. He conducts start-of-the-day recaps and end-of-the-day pop quizzes to tie in knowledge that would have otherwise been just "another artifact" that was taught. He showed us how to think critically, to tell the story, and to always ask questions." - Yao Guang Tan

Ways to Learn

OnDemand

Study and prepare for GIAC Certification with four months of online access to SANS OnDemand courses. Includes labs and exercises, and SME support.

Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

In Person (6 days)

Training events and topical summits feature presentations and courses in classrooms around the world.

Who Should Attend FOR500?

Information security professionals who want to learn the in-depth concepts of Windows digital forensics investigations
Incident response team members who need to use deep-dive digital forensics to help solve their Windows data breach and intrusion cases and perform damage assessments
Law enforcement officers, federal agents, and detectives who want to become deep subject-matter experts on digital forensics for Windows-based operating systems
Media exploitation analysts who need to master tactical exploitation and Document and Media Exploitation (DOMEX)
Anyone interested in a deep understanding of Windows forensics who has a background in information systems, information security, and computers

"I have been in IT infrastructure for over 20 years and my mind is blown by how much could be learned in this training. I recommend this class for everyone." - Nick Condos, ACADIA

See prerequisites

Need to justify a training request to your manager?

Use this justification letter template to share the key details of this training and certification opportunity with your boss.

Download the Letter

Reviews

Best forensics class I have had yet (and pretty much the only one that gives you some sort of framework on HOW to attack an exam).

Juan M.

This is a very high-intensity course with extremely current course material that is not available anywhere else in my experience.

Alexander Applegate

Auburn University

As a member of the IR team, this course will aid in investing compromised hosts.

Mike Piclher

URS Corp.

FOR500: Windows Forensic Analysis

GIAC Certified Forensic Examiner (GCFE)

Course Authors:

Ovie Carroll

Rob Lee

Chad Tilbury

What You Will Learn

Syllabus (36 CPEs)

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

GIAC Certified Forensic Examiner

Prerequisites

Laptop Requirements

Author Statement

Ways to Learn

Who Should Attend FOR500?

Need to justify a training request to your manager?

Reviews

Find ways to take this course

FOR500: Windows Forensic Analysis

GIAC Certified Forensic Examiner (GCFE)

Course Authors:

Ovie Carroll

Rob Lee

Chad Tilbury

What You Will Learn

Syllabus (36 CPEs)

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

GIAC Certified Forensic Examiner

Prerequisites

Laptop Requirements

Author Statement

Ways to Learn

Who Should Attend FOR500?

Need to justify a training request to your manager?

Related Programs

Reviews

Find ways to take this course