homepage
Open menu

FOR500: Windows Forensic Analysis

GIAC Certified Forensic Examiner (GCFE)
GIAC Certified Forensic Examiner (GCFE)
Register Now Course Demo
  • In Person (6 days)
  • Online
36 CPEs

FOR500 builds comprehensive digital forensics knowledge of Microsoft Windows operating systems providing the means to recover, analyze, and authenticate forensic data, track user activity on the network, and organize findings for use in incident response, internal investigations, intellectual property theft inquiries, and civil or criminal litigation. Use this knowledge to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Detailed and real-world exercises teach the tools and techniques that every investigator should employ step-by-step to solve a forensic case. Newly updated to cover all Windows versions through Windows 11!

Course Authors:
Chad Tilbury
Chad Tilbury
Fellow
Rob Lee
Rob Lee
Fellow
Ovie Carroll
Ovie Carroll
Principal Instructor
What You Will LearnSyllabusCertificationPrerequisitesLaptop RequirementsAuthor StatementReviewsTraining & Pricing

What You Will Learn

Master Windows Forensics - "You Can't Protect the Unknown."

All organizations must prepare for cybercrime occurring on computer systems and within corporate networks. Demand has never been greater for analysts who can investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Corporations, governments, and law enforcement agencies increasingly require trained forensics specialists to perform investigations, recover vital intelligence from Windows systems, and ultimately get to the root cause of the crime. To help solve these cases, SANS is training a new cadre of the world's best digital forensic professionals, incident responders, and media exploitation experts capable of piecing together what happened on computer systems second by second.

FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of Microsoft Windows operating systems. You can't protect what you don't know about, and understanding forensic capabilities and available artifacts is a core component of information security. You will learn how to recover, analyze, and authenticate forensic data on Windows systems, track individual user activity on your network, and organize findings for use in incident response, internal investigations, intellectual property theft inquiries, and civil or criminal litigation. You'll be able to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unbelievable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data and use it to your advantage.

Proper analysis requires real data for students to examine. This continually updated course trains digital forensic analysts through a series of new hands-on laboratory exercises that incorporate evidence found on the latest technologies, including Microsoft Windows versions 10 and 11, Office and Microsoft 365, Google Workspace (G Suite), cloud storage providers, SharePoint, Exchange, and Outlook. Students will leave the course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out - attendees learn to analyze everything from legacy Windows 7 systems to just-discovered Windows 11 artifacts.

FOR500: Windows Forensic Analysis will teach you to:

  • Conduct in-depth forensic analysis of Windows operating systems and media exploitation on Windows XP, Windows 7, Windows 8/8.1, Windows 10, Windows 11 and Windows Server products.
  • Identify artifact and evidence locations to answer crucial questions, including application execution, file access, data theft, external device usage, cloud services, device geolocation, file download, anti-forensics, and detailed system and user activity.
  • Become tool-agnostic by focusing your capabilities on analysis instead of how to use a particular tool.
  • Extract critical findings and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation.

FOR500 starts with an intellectual property theft and corporate espionage case that took over six months to create. You work in the real world, so your training should include real-world practice data. Our instructor course development team used incidents from their own investigations and experiences to create an incredibly rich and detailed scenario designed to immerse students in an actual investigation. The case demonstrates the latest artifacts and technologies an investigator might encounter while analyzing Windows systems. The detailed workbook teaches the tools and techniques that every investigator should employ step by step to solve a forensic case. The tools provided can be used long after the end of class.

Please note that this is an analysis-focused course; FOR500 does not cover the basics of evidentiary handling, the "chain of custody," or introductory drive acquisition. The course authors update FOR500 aggressively to stay current with the latest artifacts and techniques discovered. This course is perfect for you if you are interested in in-depth and current Microsoft Windows Operating System forensics and analysis for any incident that occurs. If you have not updated your Windows forensic analysis skills in the past three years or more, this course is essential.

Buiness Takeaways

  • Build the skills necessary to conduct in-depth forensic analysis of all Windows operating systems, including on Windows XP through Windows 11, and Windows Server products
  • Develop in-house capabilities to investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions
  • Identify forensic artifact and evidence locations to answer crucial questions, including application execution, file access, data theft, external device usage, cloud services, device geolocation, file downloads, anti-forensics, and detailed system and user activity
  • Receive a pre-built forensic lab setup via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation
  • Build tool-agnostic investigative capabilities by focusing on analysis techniques instead of how to use a particular tool. Deeper understanding of core forensic artifacts and stronger analysis skills make any available tool more effective for attendees.

You Will Be Able To

  • Perform proper Windows forensic analysis by applying peer-reviewed techniques focusing on Windows 7, Windows 8/8.1, Windows 10, Windows 11, and Windows Server products
  • Use state-of-the-art forensic tools and analysis methods to detail nearly every action a suspect accomplished on a Windows system, including who placed an artifact on the system and how, program execution, file/folder opening, geolocation, browser history, profile USB device usage, cloud storage usage, and more
  • Uncover the exact time that a specific user last executed a program through Registry and Windows artifact analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker-breached systems, and traditional crimes
  • Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), email analysis, and Windows Registry parsing
  • Audit cloud storage usage, including detailed user activity, identifying deleted files, signs of data exfiltration, and even documenting files available only in the cloud
  • Identify items searched by a specific user on a Windows system to pinpoint the data and information that the suspect was interested in finding, and accomplish detailed damage assessments
  • Use Windows Shell Bag analysis tools to articulate every folder and directory a user or attacker interacted with while accessing local, removable, and network drives
  • Determine each time a unique and specific USB device was attached to the Windows system, the files and folders accessed on it, and what user plugged it in by parsing Windows artifacts such as Registry hives and Event Log files
  • Learn Event Log analysis techniques and use them to determine when and how users logged into a Windows system, whether via a remote session, at the keyboard, or simply by unlocking a screensaver
  • Determine where a crime was committed using Registry data and pinpoint the geolocation of a system by examining connected networks and wireless access points
  • Use browser forensic tools to perform detailed web browser analysis, parse raw SQLite and ESE databases, and leverage session recovery artifacts to identify web activity, even if privacy cleaners and in-private browsing software are used
  • Specifically determine how individuals used a system, who they communicated with, and files that were downloaded, modified, and deleted

Windows Forensics Course Topics:

  • Windows Operating Systems Focus: Windows 7, Windows 8/8.1, Windows 10, Windows 11, Server 2008/2012/2016/2019/2022
  • Windows File Systems (NTFS, FAT, exFAT)
  • Advanced Evidence Acquisition Tools and Techniques
  • Registry Forensics
  • Shell Item Forensics
    • Shortcut Files (LNK) - Evidence of File Opening
    • ShellBags - Evidence of Folder Opening
    • JumpLists - Evidence of File Opening and Program Execution
  • Windows Artifact Analysis
    • Browser and Webmail Analysis
    • Microsoft Office Document Analysis
    • System Resource Usage Database
    • Windows Search Index Forensics
    • Windows 10 Timeline Database
    • Windows Recycle Bin Analysis
    • File and Picture Metadata Tracking and Examination
    • Myriad Application Execution Artifacts, including Several New to Windows 10 and 11

  • Cloud Storage File and Metadata Examinations

    • OneDrive and OneDrive for Business, Dropbox, Google Drive, Google Workspace, and Box
  • Email Forensics (Host, Server, Web), including Microsoft 365 and G Workspace (G Suite)
  • Microsoft Unified Audit Logging
  • Event Log Analysis
  • Chrome, Edge, Internet Explorer, and Firefox Browser Forensics
  • Microsoft 365 SharePoint, OneDrive, Teams, and Email
  • Google Workspace (G Suite) Applications and Logging
  • Deleted Registry Key and File Recovery
  • Recovering Missing Data from Registry and ESE Database .log Files
  • String Searching and File Carving
  • Examination of Cases Involving Windows 7 through Windows 11
  • Media Analysis and Exploitation to:
    • Track User Communications Using a Windows Device (Email, Chat, Webmail)
    • Identify If and How a Suspect Downloaded Specific Files to or from a Device
    • Determine the Exact Time and Number of Times a Suspect Executed a Program
    • Show When Any File Was First and Last Opened by a Suspect
    • Prove How Long an Application was Running and How Much Network Data was Sent and Received
    • Determine If a Suspect Had Knowledge of a Specific File
    • Show the Exact Physical Location of the System
    • Track and Analyze Removable Media and USB Mass Storage Class Devices
    • Show How the Suspect Logged on to the Machine via the Console, RDP, or Network
    • Recover and Examine Browser Artifacts, including Those from Private Browsing Mode
    • Discover the Use of Anti-Forensics, including File Wiping, Time Manipulation, and Application Removal
  • The Course Is Fully Updated to Include the Latest Windows XP, 7, 8, 8.1, 10, 11 and Server 2008/2012/2016/2019/2022 Artifacts, Tools, and Techniques

Hands-on Labs

SANS labs provide hands-on experience that reinforces course concepts and learning objectives. This course includes lab instructions with a step-by-step electronic workbook that's directly tied to the material to develop skills in an hands-on environment.

  • lab 1.1 - Mounting Disk Images
  • lab 1.2 - Triage Imaging with KAPE
  • lab 1.3 - Mounting Triage VHDX Evidence
  • lab 1.4 - Memory Carving with AXIOM
  • lab 2.1 - User Account Profiling
  • lab 2.2 - System Profiling
  • lab 2.3 - NTUSER.DAT Analysis
  • lab 2.4 - Application Execution Analysis
  • lab 2.5 - Cloud Storage Forensics - Onedrive
  • lab 2.6 - Cloud Storage Forensics - Google
  • lab 3.2 - LNK Shell Item Analysis
  • lab 3.3 - Jumplist and Shellbags Shell Item Analysis
  • lab 3.4 - USB Analysis
  • lab 4.1 - Email Forensics
  • lab 4.2 - Windows Timeline and Recycle Bin Analysis
  • lab 4.3 - SRUM Analysis
  • lab 4.4 - Event Log Analysis
  • lab 5.1 - Automating Artifact Processing with KAPE
  • lab 5.2 - Chrome Browser Forensics
  • lab 5.3 - Edge and Internet Explorer Analysis
  • lab 5.4 - Firefox Forensics
  • lab 6.1 - FOR500 Forensic Challenge

NICE Roles

FOR500 maps to these NICE Roles

  • IN-FOR-001: Law Enforcement /Counter Intelligence Forensics Analyst
  • IN-FOR0002: Cyber Defense Forensics Analyst
  • IN-INV-001: Cyber Crime Investigator

What You Will Receive

  • Windows 10 Enterprise version of the SIFT Workstation Virtual Machine with over 200 commercial, open-source, and freeware Digital Forensics and Incident Response (DFIR) tools prebuilt into the environment
  • Trial licenses for the following commercial tool suites:
  • ISO images filled with real-world cases and artifacts to examine during and after class
  • FOR500 exercise workbook with 550 pages of detailed step-by-step instructions
  • MP3 audio files of the complete course lecture

Syllabus (36 CPEs)

Download PDF
  • Overview

    The Windows Forensic Analysis course starts with an examination of digital forensics in today's interconnected environments and discusses challenges associated with mobile devices, tablets, cloud storage, and modern Windows operating systems. Hard drive and digital media sizes are increasingly difficult and time-consuming to handle appropriately in digital cases. Being able to acquire data in an efficient and forensically sound manner is crucial to every investigator today. In this course section, we review the core techniques while introducing new triage-based acquisition and extraction capabilities that will increase the speed and efficiency of the acquisition process. We demonstrate how to acquire memory, the NTFS MFT, Windows logs, Registry, and critical files in minutes instead of the hours or days currently spent on acquisition.

    We also begin processing our collected evidence using stream-based and file-carving-based extraction capabilities employing both commercial and open-source tools and techniques. Students come away with the knowledge necessary to target the specific data needed to rapidly answer fundamental questions in their cases.

    Exercises
    • Install the Windows SIFT Workstation and get oriented with its capabilities
    • Undertake advanced triage-based acquisition and imaging resulting in rapid acquisition
    • Mount acquired disk images and evidence
    • Carve important files from free space
    • Recover critical user data from the pagefile, hibernation file, memory images, and unallocated space
    • Recover chat sessions, web-based email, social networking, and private browsing artifacts
    Topics

    • Windows Operating System Components

      • Key Differences in Modern Windows Operating Systems
    • Core Forensic Principles
      • Analysis Focus
      • Determining Your Scope
      • Creating and Investigative Plan
    • Live Response and Triage-Based Acquisition Techniques
      • RAM Acquisition and Following the Order of Volatility
      • Triage-Based Forensics and Fast Forensic Acquisition
      • Encryption Detection
      • Registry and Locked File Extraction
      • Leveraging the Volume Shadow Service
      • KAPE Triage Collection
    • Windows Image Mounting and Examination
    • NTFS File System Overview
    • Document and File Metadata
    • File and Stream Carving
      • Principles of Data Carving
      • Recovering File System Metadata
      • File and Stream Carving Tools
      • Custom Carving Signatures
    • Memory, Pagefile, and Unallocated Space Analysis
      • Artifact Recovery and Examination
      • Chat Application Analysis
      • Internet Explorer, Edge, Firefox, Chrome, and InPrivate Browser Recovery
      • Email and Webmail, including Yahoo, Outlook.com, and Gmail
  • Overview

    Our journey continues with the Windows Registry, where the digital forensic investigator will learn how to discover critical user and system information pertinent to almost any investigation. You'll learn how to navigate and analyze the Registry to obtain user profile and system data. During this course section, we will demonstrate investigative methods to prove that a specific user performed keyword searches, executed specific programs, opened and saved files, perused folders, and used removable devices.

    Data is moving rapidly to the cloud, constituting a significant challenge and risk to the modern enterprise. Cloud storage applications are nearly ubiquitous on both consumer and business systems, causing interesting security and forensic challenges. In a world where some of the most important data is only present on third-party systems, how do we effectively accomplish our investigations? In this section we will dissect OneDrive and OneDrive for Business, Google Drive, Google Workspace (G Suite), Dropbox, and Box applications, deriving artifacts present in application logs and left behind on the endpoint. We'll demonstrate how to discover detailed user activity, the history of deleted files, content in the cloud, and content cached locally. Solutions to the very real challenges of forensic acquisition and proper logging are all discussed. Understanding what can be gained through analysis of these popular applications will also make investigations of less common cloud storage solutions easier.

    Throughout this course section, students will use their skills in a real hands-on case, exploring and analyzing a rich set of evidence.

    Exercises
    • Profile a computer system using evidence found in the Windows Registry
    • Conduct a detailed profile of user activity using Registry evidence
    • Examine which applications a user executed by examining Registry-based UserAssist, Prefetch, Capability/AccessManager, FeatureUsage, Background Activity Monitor data, and others
    • Determine which files and folders a user opened and interacted with via multiple Registry keys tracking user interactions
    • Examine recently opened Microsoft 365 and SharePoint files and determine first and last open times
    • Identify critical folders accessed by a user via the Common Dialog and Open/Save keys in the Registry
    • Perform cloud storage forensics, recovering information on local files, cloud-only files, and deleted items available in logs, application metadata databases, and host-based artifacts.
    Topics
    • Registry Forensics In-Depth
    • Registry Core
      • Hives, Keys, and Values
      • Registry Last Write Time
      • MRU Lists
      • Deleted Registry Key Recovery
      • Identify Dirty Registry Hives and Recover Missing Data
      • Rapidly Search and Timeline Multiple Registry Hives
    • Profile Users and Groups
      • Discover Usernames and Relevant Security Identifiers
      • Last Login
      • Last Failed Login
      • Login Count
      • Password Policy
      • Local versus Domain Account Profiling
    • Core System Information
      • Identify the Current Control Set
      • System Name and Version
      • Document the System Time Zone
      • Wireless, Wired, VPN, and Broadband Network Auditing
      • Perform Device Geolocation via Network Profiling
      • Identify System Updates and Last Shutdown Time
      • Registry-Based Malware Persistence Mechanisms
      • Identify Webcam and Microphone Usage by Illicit Applications
    • User Forensic Data
      • Evidence of File Downloads
      • Office and Microsoft 365 File History Analysis
      • Windows 7, Windows 8/8.1, Windows 10/11 Search History
      • Typed Paths and Directories
      • Recent Documents
      • Search for Documents with Malicious Macros Enabled
      • Open Save/Run Dialog Evidence
      • Application Execution History via UserAssist, Prefetch, Windows 10 Timeline, System Resource Usage Monitor (SRUM), FeatureUsage, and BAM/DAM
    • Cloud Storage Forensics
      • Microsoft OneDrive
      • OneDrive Files on Demand
      • Microsoft OneDrive for Business
      • OneDrive Unified Audit Logs
      • Google Drive for Desktop
      • Google Workspace (G Suite) File Stream
      • Google Workspace (G Suite) Logging
      • Google Protobuf Data Format
      • Dropbox
      • Dropbox Decryption
      • Dropbox Logging
      • Box Drive
      • Box Backup and Sync
      • Synchronization and Timestamps
      • Forensic Acquisition Challenges
      • User Activity Enumeration
      • Automating SQLite Database Parsing
  • Overview

    Being able to show the first and last time a file or folder was opened is a critical analysis skill. Shell item analysis, including shortcut (LNK), Jump List, and ShellBag artifacts, allows investigators to quickly pinpoint the times of file and folder usage per user. The knowledge obtained by examining shell items is crucial to perform damage assessments, track user activity in intellectual property theft cases, and track where hackers spent time in the network.

    Removable storage device investigations are an essential part of performing digital forensics. In this course section, students will learn how to perform in-depth USB device examinations on all modern Windows versions. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, drive capacity, and even the unique serial number of the device used.

    Exercises
    • Understand the difference between mass storage class (MSC), human interface devices (HID), and media transfer protocol (MTP) devices
    • Track USB devices and BYOD devices connected to the system using the Registry, event logs, and file system artifacts.
    • Determine first and last connected times of USB devices
    • Determine last removal time of USB devices
    • Explore the new removable device auditing features introduced in Windows 8 and Windows 10
    • Use shortcut (LNK) file analysis to determine first/last times a file was opened, and track files and folders present on removable media and across network shares
    • Use Shell Bag Registry Key Analysis to audit accessed folders
    • Use Jump List examination to determine when files were accessed by specific programs.
    Topics
    • Shell Item Forensics
      • Shortcut Files (LNK) - Evidence of File Opening
      • Windows 7-10 Jump Lists - Evidence of File Opening and Program Execution
      • ShellBag Analysis - Evidence of Folder Access
    • USB and BYOD Forensic Examinations
      • Vendor/Make/Version
      • Unique Serial Number
      • Last Drive Letter
      • MountPoints2 and Drive Mapping Per User (Including Mapped Shares)
      • Volume Name and Serial Number
      • Username that Used the USB Device
      • Time of First USB Device Connection
      • Time of Last USB Device Connection
      • Time of Last USB Device Removal
      • Drive Capacity
      • Auditing BYOD Devices at Scale
      • Identify Malicious HID USB Devices
  • Overview

    Depending on the type of investigation and authorization, a wealth of evidence can be unearthed through the analysis of email files. Recovered email can bring excellent corroborating information to an investigation, and its informality often provides very incriminating evidence. Finding and collecting email is often one of our biggest challenges as it is common for users to have email existing simultaneously on their workstation, on the company email server, on a mobile device, and in multiple cloud or webmail accounts.

    The Windows Search Index can index up to a million items on the file system, including file content, email, and over 600 kinds of metadata per file. It is an under-utlized resource providing profound forensic capabilities. The Windows 10 (and now Windows 11) Timeline database shows great promise in recording detailed user activity, including additional application execution artifacts, mapping file usage to specific programs and users, and additional device identification via synchronized artifacts. Similarly, the System Resource Usage Monitor (SRUM), one of our most exciting digital artifacts, can help determine many important user actions, including network usage per application and historical VPN and wireless network usage. Imagine the ability to audit network usage by cloud storage and identify excessive usage by remote access tools even after execution of counter-forensic programs

    Finally, Windows event log analysis has solved more cases than possibly any other type of analysis. Windows 11 now includes over 340 logs, and understanding the locations and content of the available log files is crucial to the success of any investigator. Many researchers overlook these records because they do not have adequate knowledge or tools to get the job done efficiently. This section arms investigators with the core knowledge and capability to maintain and build upon this crucial skill for many years to come.

    Exercises
    • Employ best-of-breed forensic tools to search for relevant email and file attachments in large data sets
    • Analyze message headers and gauge email authenticity using SPF and DKIM
    • Understand how Extended MAPI Headers can be used in an investigation
    • Effectively collect evidence from Exchange, Microsoft 365, and Google Workspace (G Suite)
    • Learn the latest on Unified Audit Logs in Microsoft 365
    • Search for webmail and mobile email remnants
    • Use forensic software to recover deleted objects from email archives
    • Gain experience with a commercial email forensics and e-discovery suite
    • Extract and review document metadata present in email archives
    • Understand the tools and logs necessary to respond to business email compromise events
    • Analyze the various versions of the Windows Recycle Bin
    • Use the System Resource Usage Monitor (SRUM) to answer questions with data never before available in Windows forensics
    • Track cloud storage usage hour by hour on a target system
    • Parse the Windows Search Index and take advantage of extended metadata collection
    • Merge event logs and perform advanced filtering to easily get through millions of events
    • Profile account usage and determine logon session length
    • Identify evidence of time manipulation on a system
    • Supplement registry analysis with BYOD device auditing
    • Analyze historical records of wireless network associations and geolocate a device
    Topics
    • Email Forensics
      • Evidence of User Communication
      • How Email Works
      • Email Header Examination
      • Email Authenticity
      • Determining a Sender's Geographic Location
      • Extended MAPI Headers
      • Host-Based Email Forensics
      • Exchange Recoverable Items
      • Exchange and M365 Evidence Acquisition and Mail Export
      • Exchange and M365 Compliance Search and eDiscovery
      • Unified Audit Logs in Microsoft 365
      • Google Workspace (G Suite) Logging
      • Recovering Data from Google Workspace Users
      • Web and Cloud-Based Email
      • Webmail Acquisition
      • Email Searching and Examination
      • Mobile Email Remnants
      • Business Email Compromise Investigations
    • Forensicating Additional Windows OS Artifacts
      • Windows Search Index Forensics
      • Extensible Storage Engine (ESE) Database Recovery and Repair
      • Windows Thumbcache Analysis
      • Windows Recycle Bin Analysis (XP, Windows 7-10)
      • Windows Timeline Activities Database
      • System Resource Usage Monitor (SRUM)
        • Connected Networks, Duration, and Bandwidth Usage
        • Applications Run and Bytes Sent/Received Per Application
        • Application Push Notifications
        • Energy Usage
    • Windows Event Log Analysis
      • Event Logs that Matter to a Digital Forensic Investigator
      • EVTX and EVT Log Files
        • Track Account Usage, including RDP, Brute Force Password Attacks, and Rogue Local Account Usage
        • Prove System Time Manipulation
        • Track BYOD and External Devices
        • Microsoft Office Alert Logging
        • Geo-locate a Device via Event Logs
  • Overview

    With the increasing use of the web and the shift toward web-based applications and cloud computing, browser forensic analysis is a critical skill. During this section, students will comprehensively explore web browser evidence created during the use of Internet Explorer, Microsoft Edge, Firefox, and Google Chrome. The hands-on skills taught here, such as SQLite and ESE database parsing, allow investigators to extend these methods to nearly any browser they encounter. Students will learn how to examine every significant artifact stored by the browser, including cookies, visit and download history, Internet cache files, browser extensions, and form data. We will show you how to find these records and identify the common mistakes investigators make when interpreting browser artifacts. You will also learn how to analyze some of the more obscure (and powerful) browser artifacts, such as session restore, HTML5 web storage, zoom levels, predictive site prefetching, and private browsing remnants. Finally, we'll explore browser synchronization, providing investigative artifacts derived from other devices in use by the subject of the investigation.

    Throughout the section, students will use their skills in real hands-on cases, exploring evidence created by Chrome, Firefox, Microsoft Edge, Internet Explorer, and Tor correlated with other Windows operating system artifacts.

    Exercises
    • Learn to manually parse SQLite databases from Firefox and Chrome
    • Explore the similarities and differences between Google Chrome and Microsoft Edge
    • Track a suspect's activity in browser history and cache files and identify local file access
    • Analyze artifacts found within the Extensible Storage Engine (ESE) database format
    • Examine which files a suspect downloaded
    • Determine URLs that suspects typed, clicked on, bookmarked, or were merely re-directed to while web browsing
    • Parse automatic crash recovery files to reconstruct multiple previous browser sessions
    • Identify anti-forensics activity and re-construct private browsing sessions
    • Investigate browser auto-complete and form data, bringing the investigation closer to a "hands-on keyboard"
    • Learn how each browser synchronizes data with other devices and how to leverage synchronized data to audit activity occurring on previously unknown user devices like mobile phones, tablets, and other workstations.
    Topics
    • Browser Forensics
      • History
      • Cache
      • Searches
      • Downloads
      • Understanding Browser Timestamps
      • Chrome
        • Chrome File Locations
        • Correlating URLs and Visits Tables for Historical Context
        • History and Page Transition Types
        • Chrome Preferences File
        • Web Data, Shortcuts, and Network Action Predictor Databases
        • Chrome Timestamps
        • Cache Examinations
        • Download History
        • Media History
        • Web Storage, IndexDB, and the HTML5 File System
        • Chrome Session Recovery
        • Chrome Profiles Feature
        • Identifying Cross-Device Chrome Synchronization
      • Edge
        • Chromium Edge vs. Google Chrome
        • History, Cache, Cookies, Download History, and Session Recovery
        • Microsoft Edge Collections
        • Edge Internet Explorer Mode
        • Chrome and Edge Extensions
        • Edge Artifact Synchronization and Tracking Multiple Profiles
        • Edge HTML and the Spartan.edb Database
        • Reading List, WebNotes, Top Sites, and SweptTabs
      • Internet Explorer
        • IE Forensic File Locations
        • WebCache.dat History Files
        • Cache Recovery and Timestamps
        • Microsoft Universal Application Artifacts
        • Gaining Access to Credentials Stored in the Windows Vault
        • Internet Explorer Tab Recovery Analysis
        • Cross-Device Synchronization, Including Tabs, History, Favorites, and Passwords
      • Firefox
        • Firefox Artifact Locations
        • SQLite Files and Firefox Quantum Updates
        • Download History
        • Firefox Cache2 Examinations
        • Detailed Visit Type Data
        • Form History
        • Session Recovery
        • Firefox Extensions
        • Firefox Cross-Device Synchronization
      • Private Browsing and Browser Artifact Recovery
        • IE and EdgeHTML InPrivate Browsing
        • Chrome, Edge, and Firefox Private Browsing
        • Investigating the Tor Browser
        • Identifying Selective Database Deletion
      • SQLite and ESE Database Carving and Examination of Additional Browser Artifacts
        • DOM and Web Storage Objects
        • Rebuilding Cached Web Pages
        • Browser Ancestry
  • Overview

    Nothing will prepare you more as an investigator than a full hands-on challenge that requires you to use the skills and knowledge presented throughout the course. With the option to work individually or in teams, students will be provided new evidence to analyze, and the exercise will step them through the entire case flow, including proper acquisition, analysis, and reporting of investigative findings. Fast forensics techniques will be used in order to rapidly profile computer usage and discover the most critical pieces of evidence to answer investigative questions.

    This complex case involves an investigation into one of the most recent versions of the Windows operating system. The evidence is from real devices and provides the most realistic training opportunity currently available. Solving the case requires students to use all of the skills gained from each of the previous course sections.

    The section concludes with a mock trial involving presentations of the evidence collected. The team with the best in-class presentation and documentation wins the challenge - and solves the case!

    Exercises
    • Full-length Windows 10 forensic challenge
    • Bonus: One additional complete take home exercise to continue honing your skills!
    Topics
    • Digital Forensics Capstone
      • Analysis
        • Process and Triage a New Full Set of Evidence
        • Find Critical Evidence Following the Evidence Analysis Methods Discussed Throughout the Week
        • Examine Memory, Registry, Chat, Browser, Recovered Files, Synchronized Artifacts, Installed Malware, and More
      • Reporting
        • Build an Investigative Timeline
        • Answer Critical Investigative Questions with Factual Evidence
        • Practice Executive Summary and Report Generation
        • Present Technical Case Findings

GIAC Certified Forensic Examiner

The GIAC Certified Forensic Examiner (GCFE) certification validates a practitioner’s knowledge of computer forensic analysis, with an emphasis on core skills required to collect and analyze data from Windows computer systems. GCFE certification holders have the knowledge, skills, and ability to conduct typical incident investigations including e-Discovery, forensic analysis and reporting, evidence acquisition, browser forensics and tracing user and application activities on Windows systems.

  • Windows Forensics and Data Triage
  • Windows Registry Forensics, USB Devices, Shell Items, Email Forensics and Log Analysis
  • Advanced Web Browser Forensics (Chrome, Edge, Firefox)
More Certification Details

Prerequisites

There are no prerequisite courses required to take this course. The artifacts and tool-agnostic techniques you will learn will lead to the successful analysis of any cyber incident and crime involving a Windows Operating System.

Laptop Requirements

!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system provided you can install and run VMware virtualization products. Students are provided with a digital forensic lab built into a VMware Virtual Machine. You must have a minimum of 8 gigabytes (GB) of RAM or higher for the class virtual machine to function, but 16 GB of RAM is highly recommended for the best experience.

It is critical that your CPU and operating system support 64-bit applications so that our 64-bit guest virtual machine can run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation, VMware Fusion, or VMware Player on your system prior to the start of the class. Your version of VMware cannot be more than one version behind the latest available version of the software. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware.

MANDATORY FOR500 SYSTEM HARDWARE REQUIREMENTS:

  • CPU: 64-bit Intel i5/i7 (4th generation+) x64 bit 2.0+ GHz processor or more recent processor is mandatory for this class (Important a 64-bit system processor is MANDATORY.)
  • 8 GB of RAM or higher is mandatory for this class (Important - 8 GB of RAM or higher of RAM is mandatory and minimum. For the best experience, 16GB of RAM is recommended.)
  • USB 3.0
  • 300+ GB host system hard drive minimum
  • 200 GB minimum of free space on your host hard drive: Free space is absolutely critical to host the virtual machines and evidence files provided with the class
  • Students must have Local Administrator access within their host operating system and access to the BIOS settings

OPTIONAL FOR500 SYSTEM HARDWARE REQUIREMENTS:

A USB removable storage device is necessary to complete one optional exercise in the course. The storage size of the USB media should be larger than the RAM size of the student laptop.

MANDATORY FOR500 SYSTEM SOFTWARE REQUIREMENTS:

Host Operating System: Fully patched and updated Windows, Mac OSX (10.10+), or a recent version of the Linux operating system (released 2016 or later) that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player). Please note: It is necessary to fully update your host operating system prior to the class to ensure that you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE module

CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.

PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:

  1. Microsoft Office (any version) with Excel or LiberOffice with Calc installed on your host. You can download Office Trial Software online (free for 30 days)
  2. Install VMware Workstation, VMware Fusion, or VMware Player (your version should be no more than one version behind the latest available from VMware)
  3. Download and install 7Zip on your host (Mac users should ensure they have a capable unarchiving tool such as Keka)

IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:

  1. Bring the proper system hardware (64bit/8+GB Ram) and operating system configuration
  2. Install VMware (Workstation, Player, or Fusion), MS Office, and 7zip and make sure everything works before class.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Author Statement

"After 30 years in law enforcement, three capabilities immediately rise to the top of my list when I think of what makes a great digital forensic analyst: superior technical skill, sound investigative methodology, and the ability to overcome obstacles. This course was designed to impart these critical skills to students. Unlike many other training courses that focus on teaching a single tool, FOR500 provides training on many tools. While there are some exceptional tools available, forensic analysts need a variety of tools in their arsenal to be able to pick and choose the best one for each task. However, forensic analysts are not great because of the tools they use, but because they artfully apply the right investigative methodology to each analysis. A carpenter can be a master with all his tools and still not know how to build a house. FOR500 teaches analysts to apply digital forensic methodologies to a variety of case types and situations, enabling them to apply the right methodology to achieve the best outcome in the real world. Finally, the course presents the problem-solving skills necessary to be a truly successful forensic analyst. Almost immediately after starting your forensic career, you will learn that each forensic analysis presents its own unique challenges. A technique that worked flawlessly for previous examinations may not work for the next one. A good forensic analyst must be able to overcome obstacles through advanced troubleshooting and problem-solving. FOR500 gives students the foundation to solve future problems, overcome obstacles, and become great forensic analysts. No matter if you are new to the forensic community or have been doing forensics for years, FOR500 is a must-have course." - Ovie Carroll

"Former students have contacted me regularly about how they were able to use their digital forensic skills in very real situations that were part of the nightly news cycle. The skills you learn in this class are used directly to stop evil. Graduates of FOR500 are the front-line troops deployed when you need accurate digital forensic, incident response, and media exploitation analysis. From analyzing terrorist laptops and data breaches to investigating insider intellectual property theft and fraud, SANS digital forensic graduates are battling and winning the war on crime and terror. Graduates have directly contributed to solving some of the toughest cases out there because they have learned how to properly conduct analyses and run investigations. It brings me great comfort knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign attacks. Graduates are doing just that on a daily basis. I am proud that FOR500 helped prepare them to solve cases and fight crime." - Rob Lee

"Digital forensics has never been more in demand than it is today. Zettabytes of data are created yearly, and forensic examiners will increasingly be called in to separate the wheat from the chaff. For better or worse, digital artifacts are recorded for almost every action, and the bar has been raised for investigators working to repel computer intrusions, stop intellectual property theft, and put bad actors in jail. We wrote this course as the forensics training we wish would have been available early in our careers. Keeping up with the cutting edge of forensics is daunting, but with frequent updates I am confident this course provides the most up-to-date training available, whether you are just starting out or are looking to add new skills to your forensic arsenal." - Chad Tilbury

"Ovie has been great as an instructor for this course. His knowledge and passion to share his insight with us has excited me in learning and reviewing the case materials again even after lessons. I stayed back to spend extra time to read and learn so that I could prepare in anticipation of what he is offering us the next morning. He conducts start-of-the-day recaps and end-of-the-day pop quizzes to tie in knowledge that would have otherwise been just 'another artifact' that was taught. He showed us how to think critically, to tell the story, and to always ask questions." - Yao Guang Tan

Ways to Learn

  • OnDemand

Cybersecurity learning – at YOUR pace! OnDemand provides unlimited access to your training wherever, whenever. All labs, exercises, and live support from SANS subject matter experts included.

  • Live Online

The full SANS experience live at home! Get the ultimate in virtual, interactive SANS courses with leading SANS instructors via live stream. Following class, plan to kick back and enjoy a keynote from the couch.

  • In Person (6 days)

Did someone say ALL-ACCESS? On-site immersion via in-classroom course sessions led by world-class SANS instructors fill your day, while bonus receptions and workshops fill your evenings.

Who Should Attend FOR500?

  • Information security professionals who want to learn the in-depth concepts of Windows digital forensics investigations
  • Incident response team members who need to use deep-dive digital forensics to help solve their Windows data breach and intrusion cases, perform damage assessments, and develop indicators of compromise.
  • Law enforcement officers, federal agents, and detectives who want to become deep subject-matter experts on digital forensics for Windows-based operating systems
  • Media exploitation analysts who need to master tactical exploitation and Document and Media Exploitation (DOMEX)
  • Anyone interested in a deep understanding of Windows forensics who has a background in information systems, information security, and computers

NICE Framework Work Roles

  • Cyber Crime Investigator (OPM 221)
  • Cyber Defense Forensics Analyst (OPM 212)

See prerequisites

Need to justify a training request to your manager?

Use this justification letter template to share the key details of this training and certification opportunity with your boss.

Download the Letter

Related Programs

DoDD 8140
DoDD 8140 (0)
See how this and other SANS Courses and GIAC Certifications align with the Department of Defense Directive 8140.
Masters Program
Masters Program
This course and certification can be applied to a master's degree program at the SANS Technology Institute.

Reviews

Best forensics class I have had yet (and pretty much the only one that gives you some sort of framework on HOW to attack an exam).
Juan M.
This is a very high-intensity course with extremely current course material that is not available anywhere else in my experience.
Alexander Applegate
Auburn University
As a member of the IR team, this course will aid in investing compromised hosts.
Mike Piclher
URS Corp.
    Africa/Abidjan
    Africa/Accra
    Africa/Addis Ababa
    Africa/Algiers
    Africa/Asmara
    Africa/Asmera
    Africa/Bamako
    Africa/Bangui
    Africa/Banjul
    Africa/Bissau
    Africa/Blantyre
    Africa/Brazzaville
    Africa/Bujumbura
    Africa/Cairo
    Africa/Casablanca
    Africa/Ceuta
    Africa/Conakry
    Africa/Dakar
    Africa/Dar es Salaam
    Africa/Djibouti
    Africa/Douala
    Africa/El Aaiun
    Africa/Freetown
    Africa/Gaborone
    Africa/Harare
    Africa/Johannesburg
    Africa/Juba
    Africa/Kampala
    Africa/Khartoum
    Africa/Kigali
    Africa/Kinshasa
    Africa/Lagos
    Africa/Libreville
    Africa/Lome
    Africa/Luanda
    Africa/Lubumbashi
    Africa/Lusaka
    Africa/Malabo
    Africa/Maputo
    Africa/Maseru
    Africa/Mbabane
    Africa/Mogadishu
    Africa/Monrovia
    Africa/Nairobi
    Africa/Ndjamena
    Africa/Niamey
    Africa/Nouakchott
    Africa/Ouagadougou
    Africa/Porto-Novo
    Africa/Sao Tome
    Africa/Timbuktu
    Africa/Tripoli
    Africa/Tunis
    Africa/Windhoek
    America/Adak
    America/Anchorage
    America/Anguilla
    America/Antigua
    America/Araguaina
    America/Argentina/Buenos Aires
    America/Argentina/Catamarca
    America/Argentina/ComodRivadavia
    America/Argentina/Cordoba
    America/Argentina/Jujuy
    America/Argentina/La Rioja
    America/Argentina/Mendoza
    America/Argentina/Rio Gallegos
    America/Argentina/Salta
    America/Argentina/San Juan
    America/Argentina/San Luis
    America/Argentina/Tucuman
    America/Argentina/Ushuaia
    America/Aruba
    America/Asuncion
    America/Atikokan
    America/Atka
    America/Bahia
    America/Bahia Banderas
    America/Barbados
    America/Belem
    America/Belize
    America/Blanc-Sablon
    America/Boa Vista
    America/Bogota
    America/Boise
    America/Buenos Aires
    America/Cambridge Bay
    America/Campo Grande
    America/Cancun
    America/Caracas
    America/Catamarca
    America/Cayenne
    America/Cayman
    America/Chicago
    America/Chihuahua
    America/Coral Harbour
    America/Cordoba
    America/Costa Rica
    America/Creston
    America/Cuiaba
    America/Curacao
    America/Danmarkshavn
    America/Dawson
    America/Dawson Creek
    America/Denver
    America/Detroit
    America/Dominica
    America/Edmonton
    America/Eirunepe
    America/El Salvador
    America/Ensenada
    America/Fort Nelson
    America/Fort Wayne
    America/Fortaleza
    America/Glace Bay
    America/Godthab
    America/Goose Bay
    America/Grand Turk
    America/Grenada
    America/Guadeloupe
    America/Guatemala
    America/Guayaquil
    America/Guyana
    America/Halifax
    America/Havana
    America/Hermosillo
    America/Indiana/Indianapolis
    America/Indiana/Knox
    America/Indiana/Marengo
    America/Indiana/Petersburg
    America/Indiana/Tell City
    America/Indiana/Vevay
    America/Indiana/Vincennes
    America/Indiana/Winamac
    America/Indianapolis
    America/Inuvik
    America/Iqaluit
    America/Jamaica
    America/Jujuy
    America/Juneau
    America/Kentucky/Louisville
    America/Kentucky/Monticello
    America/Knox IN
    America/Kralendijk
    America/La Paz
    America/Lima
    America/Los Angeles
    America/Louisville
    America/Lower Princes
    America/Maceio
    America/Managua
    America/Manaus
    America/Marigot
    America/Martinique
    America/Matamoros
    America/Mazatlan
    America/Mendoza
    America/Menominee
    America/Merida
    America/Metlakatla
    America/Mexico City
    America/Miquelon
    America/Moncton
    America/Monterrey
    America/Montevideo
    America/Montreal
    America/Montserrat
    America/Nassau
    America/New York
    America/Nipigon
    America/Nome
    America/Noronha
    America/North Dakota/Beulah
    America/North Dakota/Center
    America/North Dakota/New Salem
    America/Nuuk
    America/Ojinaga
    America/Panama
    America/Pangnirtung
    America/Paramaribo
    America/Phoenix
    America/Port-au-Prince
    America/Port of Spain
    America/Porto Acre
    America/Porto Velho
    America/Puerto Rico
    America/Punta Arenas
    America/Rainy River
    America/Rankin Inlet
    America/Recife
    America/Regina
    America/Resolute
    America/Rio Branco
    America/Rosario
    America/Santa Isabel
    America/Santarem
    America/Santiago
    America/Santo Domingo
    America/Sao Paulo
    America/Scoresbysund
    America/Shiprock
    America/Sitka
    America/St Barthelemy
    America/St Johns
    America/St Kitts
    America/St Lucia
    America/St Thomas
    America/St Vincent
    America/Swift Current
    America/Tegucigalpa
    America/Thule
    America/Thunder Bay
    America/Tijuana
    America/Toronto
    America/Tortola
    America/Vancouver
    America/Virgin
    America/Whitehorse
    America/Winnipeg
    America/Yakutat
    America/Yellowknife
    Antarctica/Casey
    Antarctica/Davis
    Antarctica/DumontDUrville
    Antarctica/Macquarie
    Antarctica/Mawson
    Antarctica/McMurdo
    Antarctica/Palmer
    Antarctica/Rothera
    Antarctica/South Pole
    Antarctica/Syowa
    Antarctica/Troll
    Antarctica/Vostok
    Arctic/Longyearbyen
    Asia/Aden
    Asia/Almaty
    Asia/Amman
    Asia/Anadyr
    Asia/Aqtau
    Asia/Aqtobe
    Asia/Ashgabat
    Asia/Ashkhabad
    Asia/Atyrau
    Asia/Baghdad
    Asia/Bahrain
    Asia/Baku
    Asia/Bangkok
    Asia/Barnaul
    Asia/Beirut
    Asia/Bishkek
    Asia/Brunei
    Asia/Calcutta
    Asia/Chita
    Asia/Choibalsan
    Asia/Chongqing
    Asia/Chungking
    Asia/Colombo
    Asia/Dacca
    Asia/Damascus
    Asia/Dhaka
    Asia/Dili
    Asia/Dubai
    Asia/Dushanbe
    Asia/Famagusta
    Asia/Gaza
    Asia/Harbin
    Asia/Hebron
    Asia/Ho Chi Minh
    Asia/Hong Kong
    Asia/Hovd
    Asia/Irkutsk
    Asia/Istanbul
    Asia/Jakarta
    Asia/Jayapura
    Asia/Jerusalem
    Asia/Kabul
    Asia/Kamchatka
    Asia/Karachi
    Asia/Kashgar
    Asia/Kathmandu
    Asia/Katmandu
    Asia/Khandyga
    Asia/Kolkata
    Asia/Krasnoyarsk
    Asia/Kuala Lumpur
    Asia/Kuching
    Asia/Kuwait
    Asia/Macao
    Asia/Macau
    Asia/Magadan
    Asia/Makassar
    Asia/Manila
    Asia/Muscat
    Asia/Nicosia
    Asia/Novokuznetsk
    Asia/Novosibirsk
    Asia/Omsk
    Asia/Oral
    Asia/Phnom Penh
    Asia/Pontianak
    Asia/Pyongyang
    Asia/Qatar
    Asia/Qostanay
    Asia/Qyzylorda
    Asia/Rangoon
    Asia/Riyadh
    Asia/Saigon
    Asia/Sakhalin
    Asia/Samarkand
    Asia/Seoul
    Asia/Shanghai
    Asia/Singapore
    Asia/Srednekolymsk
    Asia/Taipei
    Asia/Tashkent
    Asia/Tbilisi
    Asia/Tehran
    Asia/Tel Aviv
    Asia/Thimbu
    Asia/Thimphu
    Asia/Tokyo
    Asia/Tomsk
    Asia/Ujung Pandang
    Asia/Ulaanbaatar
    Asia/Ulan Bator
    Asia/Urumqi
    Asia/Ust-Nera
    Asia/Vientiane
    Asia/Vladivostok
    Asia/Yakutsk
    Asia/Yangon
    Asia/Yekaterinburg
    Asia/Yerevan
    Atlantic/Azores
    Atlantic/Bermuda
    Atlantic/Canary
    Atlantic/Cape Verde
    Atlantic/Faeroe
    Atlantic/Faroe
    Atlantic/Jan Mayen
    Atlantic/Madeira
    Atlantic/Reykjavik
    Atlantic/South Georgia
    Atlantic/St Helena
    Atlantic/Stanley
    Australia/ACT
    Australia/Adelaide
    Australia/Brisbane
    Australia/Broken Hill
    Australia/Canberra
    Australia/Currie
    Australia/Darwin
    Australia/Eucla
    Australia/Hobart
    Australia/LHI
    Australia/Lindeman
    Australia/Lord Howe
    Australia/Melbourne
    Australia/NSW
    Australia/North
    Australia/Perth
    Australia/Queensland
    Australia/South
    Australia/Sydney
    Australia/Tasmania
    Australia/Victoria
    Australia/West
    Australia/Yancowinna
    Brazil/Acre
    Brazil/DeNoronha
    Brazil/East
    Brazil/West
    CET
    CST6CDT
    Canada/Atlantic
    Canada/Central
    Canada/Eastern
    Canada/Mountain
    Canada/Newfoundland
    Canada/Pacific
    Canada/Saskatchewan
    Canada/Yukon
    Chile/Continental
    Chile/EasterIsland
    Cuba
    EET
    EST
    EST5EDT
    Egypt
    Eire
    Etc/GMT
    Etc/GMT+0
    Etc/GMT+1
    Etc/GMT+10
    Etc/GMT+11
    Etc/GMT+12
    Etc/GMT+2
    Etc/GMT+3
    Etc/GMT+4
    Etc/GMT+5
    Etc/GMT+6
    Etc/GMT+7
    Etc/GMT+8
    Etc/GMT+9
    Etc/GMT-0
    Etc/GMT-1
    Etc/GMT-10
    Etc/GMT-11
    Etc/GMT-12
    Etc/GMT-13
    Etc/GMT-14
    Etc/GMT-2
    Etc/GMT-3
    Etc/GMT-4
    Etc/GMT-5
    Etc/GMT-6
    Etc/GMT-7
    Etc/GMT-8
    Etc/GMT-9
    Etc/GMT0
    Etc/Greenwich
    Etc/UCT
    Etc/UTC
    Etc/Universal
    Etc/Zulu
    Europe/Amsterdam
    Europe/Andorra
    Europe/Astrakhan
    Europe/Athens
    Europe/Belfast
    Europe/Belgrade
    Europe/Berlin
    Europe/Bratislava
    Europe/Brussels
    Europe/Bucharest
    Europe/Budapest
    Europe/Busingen
    Europe/Chisinau
    Europe/Copenhagen
    Europe/Dublin
    Europe/Gibraltar
    Europe/Guernsey
    Europe/Helsinki
    Europe/Isle of Man
    Europe/Istanbul
    Europe/Jersey
    Europe/Kaliningrad
    Europe/Kiev
    Europe/Kirov
    Europe/Lisbon
    Europe/Ljubljana
    Europe/London
    Europe/Luxembourg
    Europe/Madrid
    Europe/Malta
    Europe/Mariehamn
    Europe/Minsk
    Europe/Monaco
    Europe/Moscow
    Europe/Nicosia
    Europe/Oslo
    Europe/Paris
    Europe/Podgorica
    Europe/Prague
    Europe/Riga
    Europe/Rome
    Europe/Samara
    Europe/San Marino
    Europe/Sarajevo
    Europe/Saratov
    Europe/Simferopol
    Europe/Skopje
    Europe/Sofia
    Europe/Stockholm
    Europe/Tallinn
    Europe/Tirane
    Europe/Tiraspol
    Europe/Ulyanovsk
    Europe/Uzhgorod
    Europe/Vaduz
    Europe/Vatican
    Europe/Vienna
    Europe/Vilnius
    Europe/Volgograd
    Europe/Warsaw
    Europe/Zagreb
    Europe/Zaporozhye
    Europe/Zurich
    GB
    GB-Eire
    GMT
    GMT+0
    GMT-0
    GMT0
    Greenwich
    HST
    Hongkong
    Iceland
    Indian/Antananarivo
    Indian/Chagos
    Indian/Christmas
    Indian/Cocos
    Indian/Comoro
    Indian/Kerguelen
    Indian/Mahe
    Indian/Maldives
    Indian/Mauritius
    Indian/Mayotte
    Indian/Reunion
    Iran
    Israel
    Jamaica
    Japan
    Kwajalein
    Libya
    MET
    MST
    MST7MDT
    Mexico/BajaNorte
    Mexico/BajaSur
    Mexico/General
    NZ
    NZ-CHAT
    Navajo
    PRC
    PST8PDT
    Pacific/Apia
    Pacific/Auckland
    Pacific/Bougainville
    Pacific/Chatham
    Pacific/Chuuk
    Pacific/Easter
    Pacific/Efate
    Pacific/Enderbury
    Pacific/Fakaofo
    Pacific/Fiji
    Pacific/Funafuti
    Pacific/Galapagos
    Pacific/Gambier
    Pacific/Guadalcanal
    Pacific/Guam
    Pacific/Honolulu
    Pacific/Johnston
    Pacific/Kiritimati
    Pacific/Kosrae
    Pacific/Kwajalein
    Pacific/Majuro
    Pacific/Marquesas
    Pacific/Midway
    Pacific/Nauru
    Pacific/Niue
    Pacific/Norfolk
    Pacific/Noumea
    Pacific/Pago Pago
    Pacific/Palau
    Pacific/Pitcairn
    Pacific/Pohnpei
    Pacific/Ponape
    Pacific/Port Moresby
    Pacific/Rarotonga
    Pacific/Saipan
    Pacific/Samoa
    Pacific/Tahiti
    Pacific/Tarawa
    Pacific/Tongatapu
    Pacific/Truk
    Pacific/Wake
    Pacific/Wallis
    Pacific/Yap
    Poland
    Portugal
    ROC
    ROK
    Singapore
    Turkey
    UCT
    US/Alaska
    US/Aleutian
    US/Arizona
    US/Central
    US/East-Indiana
    US/Eastern
    US/Hawaii
    US/Indiana-Starke
    US/Michigan
    US/Mountain
    US/Pacific
    US/Samoa
    UTC
    Universal
    W-SU
    WET
    Zulu
    Filters:
    Training Formats
          Location
          Dates

          Register for FOR500

          Loading...