What You Will Learn

Master Windows Forensics - "You Can't Protect the Unknown."

All organizations must prepare for cybercrime occurring on computer systems and within corporate networks. Demand has never been greater for analysts who can investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Corporations, governments, and law enforcement agencies increasingly require trained forensics specialists to perform investigations, recover vital intelligence from Windows systems, and ultimately get to the root cause of the crime. To help solve these cases, SANS is training a new cadre of the world's best digital forensic professionals, incident responders, and media exploitation experts capable of piecing together what happened on computer systems second by second.

FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of Microsoft Windows operating systems. You can't protect what you don't know about, and understanding forensic capabilities and available artifacts is a core component of information security. You will learn how to recover, analyze, and authenticate forensic data on Windows systems, track individual user activity on your network, and organize findings for use in incident response, internal investigations, intellectual property theft inquiries, and civil or criminal litigation. You'll be able to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unbelievable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data and use it to your advantage.

Proper analysis requires real data for students to examine. This continually updated course trains digital forensic analysts through a series of hands-on laboratory exercises incorporating evidence found on the latest technologies, including Microsoft Windows versions 10 and 11, Office and Microsoft 365, Google Workspace (G Suite), cloud storage providers, Microsoft Teams, SharePoint, Exchange, and Outlook. Students will leave the course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out - attendees learn to analyze everything from legacy Windows 7 systems to just-discovered Windows 11 artifacts.

FOR500 starts with an intellectual property theft and corporate espionage case taking over six months to create. You work in the real world, so your training should include real-world practice data. Our instructor course development team used incidents from their own investigations and experiences to create an incredibly rich and detailed scenario designed to immerse students in an actual investigation. Example cases demonstrate the latest artifacts and technologies an investigator might encounter while analyzing Windows systems in the enterprise. The detailed workbook teaches the tools and techniques that every investigator should employ step by step to solve a forensic case. The tools provided form a complete forensic lab that can be used long after the end of class.

Please note that this is an analysis-focused course; FOR500 does not cover the basics of evidentiary handling, the "chain of custody," or introductory drive acquisition. The course authors update FOR500 aggressively to stay current with the latest artifacts and techniques discovered. This course is perfect for you if you are interested in in-depth and current Microsoft Windows Operating System forensics and analysis for any incident that occurs. If you have not updated your Windows forensic analysis skills in the past three years or more, this course is essential.

Through practical exercises and real-life case studies, students in FOR500: Windows Forensic Analysis will gain hands-on experience and develop the skills to:

Perform in-depth Windows forensic analysis by applying peer-reviewed techniques focusing on Windows 7, Windows 8/8.1, Windows 10, Windows 11, and Windows Server products
Use state-of-the-art forensic tools and analysis methods to detail nearly every action a suspect accomplished on a Windows system, including who placed an artifact on the system and how, program execution, file/folder opening, geolocation, browser history, profile USB device usage, cloud storage usage, and more
Perform "fast forensics" to rapidly assess and triage systems to provide quick answers and facilitate informed business decisions
Uncover the exact time that a specific user last executed a program through Registry and Windows artifact analysis, and understand how this information can be used to prove intent in cases such as intellectual property theft, hacker-breached systems, and traditional crimes
Determine the number of times files have been opened by a suspect through browser forensics, shortcut file analysis (LNK), email analysis, and Windows Registry parsing
Learning about USN Journal to uncover file activity and deletion by the user
Audit cloud storage usage, including detailed user activity, identifying deleted files, signs of data exfiltration, and even uncovering detailed information and hash values on files available only in the cloud
Identify items searched by a specific user on a Windows system to pinpoint the data and information that the suspect was interested in finding, and accomplish detailed damage assessments
Use Windows ShellBag analysis tools to articulate every folder and directory a user or attacker interacted with while accessing local, removable, and network drives
Determine each time a unique and specific USB device was attached to the Windows system, the files and folders accessed on it, and what user plugged it in by parsing Windows artifacts such as Registry hives and Event Log files
Learn Event Log analysis techniques and use them to determine when and how users logged into a Windows system, whether via a remote session, at the keyboard, or simply by unlocking a screensaver
Mine the Windows Search Database to uncover a massive collection of file metadata and even file content from local drives, removable media, and applications like Microsoft Outlook, OneNote, SharePoint, and OneDrive
Determine where a crime was committed using Registry data and pinpoint the geolocation of a system by examining connected networks and wireless access points
Use browser forensic tools to perform detailed web browser analysis, parse raw SQLite, LevelDB, and ESE databases, and leverage memory forensics and session recovery artifacts to identify web activity, even if privacy cleaners and in-private browsing software are used
Parse Electron and WebView2 application LevelDB databases allowing the investigation of hundreds of third-party applications including most chat clients
Specifically determine how individuals used a system, who they communicated with, and files that were downloaded, modified, and deleted

FOR500 Windows Forensic Analysis Course Topics

The Course Is Updated to Include the Latest Microsoft Windows Artifacts, Tools, and Techniques
Windows Operating Systems Focus: Windows 7, Windows 8/8.1, Windows 10, Windows 11, and Server 2008/2012/2016/2019/2022
Windows File Systems (NTFS, FAT, exFAT)
- NTFS Master File Table
- NTFS Alternate Data Streams
- NTFS USN Journal Analysis
Live and volatile evidence Acquisition Tools and Techniques
Registry Forensics
- Shell Item Forensics
- Shortcut Files (LNK) - Evidence of File Opening
- ShellBags - Evidence of Folder Opening
Jump Lists - Evidence of File Opening and Program Execution
Windows Artifact Analysis
- Browser and Webmail Analysis
- Microsoft Office Document Analysis
- System Resource Usage Database
- Windows Search Index Forensics
- Windows Recycle Bin Analysis
- File and Picture Metadata Tracking and Examination
- Myriad Application Execution Artifacts, including Several New to Windows 10 and 11
- Universal Windows Platform and Electron/WebView2 applications
Cloud Storage File and Metadata Examinations
- OneDrive and OneDrive for Business, Dropbox, Google Drive, and iCloud
Email Forensics (Host, Server, Web), including Microsoft 365 and Google Workspace (G Suite)
Microsoft Unified Audit Logging
Event Log Analysis
Chrome, Edge, Internet Explorer, and Firefox Browser Forensics
Chat clients, including Microsoft Teams and Skype, based on the Electron framework.
Window third-party applications including ChatGPT
Microsoft 365 SharePoint, OneDrive, Teams, and Email
Google Workspace (G Suite) Applications and Logging
Deleted Registry Key and File Recovery
Recovering Missing Data from Registry and ESE Database .log Files
Data Recovery, String Searching and File Carving
Examination of Cases Involving Windows 7 through Windows 11
Media Analysis and Exploitation to:
- Track User Communications Using a Windows Device (Email, Chat, Webmail)
- Identify Files Transferred To or Present on a Removable Device
- Determine the Exact Time and Number of Times a Suspect Executed a Program
- Show When Any File Was First and Last Opened by a Suspect
- Prove How Long an Application was Running and How Much Network Data was Sent and Received
- Determine If a Suspect Had Knowledge of a Specific File
- Show the Exact Physical Location of the System
- Track and Analyze Removable Media and USB Mass Storage Class Devices
- Track and Analyze Bluetooth and Audio devices and Printers
- Show How the Suspect Logged on to the Machine via the Console, RDP, or Network
- Recover and Examine Browser Artifacts, including Those from Private Browsing Mode
- Extract Chat Messages from a Variety of Chat Clients
- Recover Email from Servers, Cloud Instances, and Endpoint Residue Like Local Archives and the Windows Search Database
- Discover the Use of Anti-Forensics, including File Wiping, Time Manipulation, and Application Removal

What is Windows Forensics, And Why Is It Important?

Windows forensics is the recovery, analysis and authentication of electronically stored information on systems running the Microsoft Windows operating system. This field is crucial for cybersecurity (identifying breaches, malware, and unauthorized access), legal investigations (prosecuting cybercriminals), corporate security (detecting insider threats and ensuring compliance), and data recovery (retrieving lost files and reconstructing user actions).

Key forensic artifacts include the Windows Registry (system and user activity data), event logs (security and system events), prefetch files (recently executed programs), Master File Table (MFT) (file metadata), pagefile & hibernation files (RAM remnants), and jump lists (frequently accessed files).

When forensic experts analyze these elements, they can reconstruct user actions, detect malicious activities, and support legal proceedings, making Windows forensics a vital field in digital security and law enforcement.

Business Takeaways

Build an in-house digital forensic capability that can rapidly answer important business questions and investigate crimes
Use deep-dive digital forensics to help solve Windows data breach cases
Understand the wealth of telemetry available in the Windows Enterprise
Identify forensic artifact and evidence locations to answer crucial questions
Receive a pre-built forensic lab setup via a variety of free, open-source, and commercial tools
Build tool-agnostic investigative capabilities by focusing on analysis techniques

Skills Learned

Conduct in-depth forensic analysis of Windows operating systems and media exploitation
Identify artifact and evidence locations to answer crucial questions
Become tool-agnostic by focusing your capabilities on analysis
Extract critical findings and build an in-house forensic capability
Establish structured analytical techniques to be successful in any security role

What You Will Receive

Windows 10 Enterprise version of the SIFT Workstation Virtual Machine
Trial licenses for the following commercial tool suites:
ISO images filled with real-world cases and artifacts to examine during and after the course
FOR500 exercise workbook with almost 600 pages of detailed step-by-step instructions
MP3 audio files of the complete course lecture

What Comes Next?

FOR500: Windows Forensic Analysis™ will enhance your career by equipping you with specialized skills in digital investigations, cybersecurity, and incident response. As cyber threats grow, organizations increasingly need professionals who can analyze Windows-based systems, detect breaches, and recover critical evidence.

This course will teach you to investigate Windows artifacts (registry, logs, memory, and file system), detect malware, trace unauthorized access, and recover lost data. These skills are valuable for careers in cybersecurity, law enforcement, corporate security, and IT auditing.

Certification in Windows forensics can set you apart in roles like digital forensic analyst, cybersecurity investigator, SOC analyst, or IT security consultant, increasing job opportunities and salary potential.

With businesses and law enforcement relying heavily on Windows environments, mastering forensic techniques ensures career growth in high-demand fields such as ethical hacking, compliance, and threat intelligence, making you a valuable asset in any security-focused organization.

Syllabus (36 CPEs)

Download PDF

Digital Forensics and Advanced Data Triage
Overview
Section 1 examines digital forensics in today’s interconnected environments and discusses challenges associated with mobile devices, tablets, cloud storage, and modern Windows operating systems. Hard drive and digital media sizes are increasingly difficult and time-consuming to handle appropriately in digital cases. Being able to acquire data in an efficient and forensically sound manner is crucial to every investigator today. In this course section, we review the core techniques while introducing new triage-based acquisition and extraction capabilities that will increase the speed and efficiency of the acquisition process.
Exercises
- Windows SIFT Workstation Orientation
- BONUS - Triage-Based Acquisition and Imaging
- Mounting Acquired Disk Images and Evidence
- Carving Important Files from Free Space
- Recovering Critical User Data
- Parse Metadata Information in NTFS Master File Table and USN Journal
Topics
- Windows Operating System Components
  Key Differences in Modern Windows Operating Systems
- Core Forensic Principles
  Analysis Focus
  Determining Your Scope
  Creating and Investigative Plan
- Live Response and Triage-Based Acquisition Techniques
  RAM Acquisition and Following the Order of Volatility
  Triage-Based Forensics and Fast Forensic Acquisition
  Encryption Detection
  Registry and Locked File Extraction
  Leveraging the Volume Shadow Service
  KAPE Triage Collection
- Windows Image Mounting and Examination
- NTFS File System Overview
- Document and File Metadata
- Volume Shadow Copies
  File and Stream Carving
  Principles of Data Carving
  Recovering File System Metadata
  File and Stream Carving Tools
  Custom Carving Signatures
- Memory, Pagefile, and Unallocated Space Analysis
  Artifact Recovery and Examination
  Chat Application Analysis
  Internet Explorer, Edge, Firefox, Chrome, and InPrivate Browser Recovery
  Email and Webmail, including Yahoo, Outlook.com, and Gmail
Registry Analysis, Application Execution, and Cloud Storage Forensics
Overview
Our journey continues with the Windows Registry, where the digital forensic investigator will learn how to discover critical user and system information pertinent to almost any investigation. You'll learn how to navigate and analyze the Registry to obtain user profile and system data. During this course section, we will demonstrate investigative methods to prove that a specific user performed keyword searches, executed specific programs, opened and saved files, perused folders, and used removable devices.
Data is moving rapidly to the cloud, constituting a significant challenge and risk to the modern enterprise. Cloud storage applications are nearly ubiquitous on both consumer and business systems, causing interesting security and forensic challenges. In a world where some of the most important data is only present on third-party systems, how do we effectively accomplish our investigations? In this section we will dissect OneDrive and OneDrive for Business, Google Drive, Dropbox, and iCloud, deriving artifacts present in application logs and left behind on the endpoint. We'll demonstrate how to discover detailed user activity, the history of deleted files, content in the cloud, and content cached locally. Solutions to the very real challenges of forensic acquisition and proper logging are all discussed. Understanding what can be gained through analysis of these popular applications will also make investigations of less common cloud storage solutions easier.
Throughout this course section, students will use their skills in a real hands-on case, exploring and analyzing a rich set of evidence.
Exercises
- Profiling a Computer System Using Windows Registry
- Conducting a Detailed Profile of User Activity
- Examining Which Applications a User Executed
- Examining Recently Opened Files
- Perform Cloud Storage Forensics
Topics
- Registry Forensics In-Depth
- Registry Core
  Hives, Keys, and Values
  Registry Last Write Time
  MRU Lists
  Deleted Registry Key Recovery
  Identify Dirty Registry Hives and Recover Missing Data
  Rapidly Search and Timeline Multiple Registry Hives
- Profile Users and Groups
  Discover Usernames and Relevant Security Identifiers
  Last Login
  Last Failed Login
  Login Count
  Password Policy
  Local versus Domain Account Profiling
- Core System Information
  Identify the Current Control Set
  System Name and Version
  Document the System Time Zone
  Audit Installed Applications
  Wireless, Wired, VPN, and Broadband Network Auditing
  Perform Device Geolocation via Network Profiling
  Identify System Updates and Last Shutdown Time
  Registry-Based Malware Persistence Mechanisms
  Identify Webcam and Microphone Usage by Illicit Applications
- User Forensic Data
  Evidence of File Downloads
  Office and Microsoft 365 File History Analysis
  Windows 7, Windows 8/8.1, Windows 10/11 Search History
  Typed Paths and Directories
  Recent Documents
  Search for Documents with Malicious Macros Enabled
  Open Save/Run Dialog Evidence
  Application Execution History via UserAssist, Prefetch, System Resource Usage Monitor (SRUM), FeatureUsage, and BAM/DAM
  Universal Windows Platform (UWP) and MSIX registry hives
- Cloud Storage Forensics
  Microsoft OneDrive
  OneDrive Files on Demand
  Microsoft OneDrive for Business
  OneDrive Unified Audit Logs
  Google Drive for Desktop
  Google Workspace (G Suite) Logging
  Google Protobuf Data Format
  Dropbox
  Dropbox Decryption
  Dropbox Logging
  iCloud
  Synchronization and Timestamps
  Forensic Acquisition Challenges
  User Activity Enumeration
  Automating SQLite Database Parsing
Shell Items and Removable Device Profiling
Overview
Removable storage device investigations are an essential part of performing digital forensics. In this course section, students will learn how to perform in-depth USB device examinations on all modern Windows versions. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, drive capacity, and even the unique serial number of the device used.
Being able to show the first and last time a file or folder was opened is a critical analysis skill. Shell item analysis, including shortcut (LNK), Jump List, and ShellBag artifacts, allows investigators to quickly pinpoint the times of file and folder usage per user. The knowledge obtained by examining shell items is crucial to perform damage assessments, track user activity in intellectual property theft cases, and track where hackers spent time in the network.
Exercises
- Understand MSC, HID, and MTP Device Differences
- Track USB and BYOD Device Data
- Track Bluetooth and Printers
- Explore Removable Device Auditing Features in Windows
- Use ShellBag Registry Key Analysis to Audit Accessed Folders
Topics
- Shell Item Forensics
  Shortcut Files (LNK) - Evidence of File Opening
  Windows 7-10 Jump Lists - Evidence of File Opening and Program Execution
  ShellBag Analysis - Evidence of Folder Access
- USB and BYOD Forensic Examinations
  Vendor/Make/Version
  Unique Serial Number
  Last Drive Letter
  MountPoints2 and Drive Mapping Per User (Including Mapped Shares)
  Volume Name and Serial Number
  Username that Used the USB Device
  Time of First USB Device Connection
  Time of Last USB Device Connection
  Time of Last USB Device Removal
  Drive Capacity
  Auditing BYOD Devices at Scale
  Identify Malicious HID USB Devices
Email Analysis, Windows Search, SRUM, and Event Logs
Overview
Depending on the type of investigation and authorization, a wealth of evidence can be unearthed through the analysis of email files. Recovered email can bring excellent corroborating information to an investigation, and its informality often provides very incriminating evidence. Finding and collecting email is often one of our biggest challenges as it is common for users to have email existing simultaneously on their workstation, on the company email server, on a mobile device, and in multiple cloud or webmail accounts. Section 4 arms investigators with the core knowledge and capability to maintain and build upon this crucial skill for many years to come.
The Windows Search Index can index up to a million items on the file system, including file content, email, and over 600 kinds of metadata per file. It is an under-utilized resource providing profound forensic capabilities. Similarly, the System Resource Usage Monitor (SRUM), one of our most exciting digital artifacts, can help determine many important user actions, including network usage per application and historical VPN and wireless network usage. Imagine the ability to audit network usage by cloud storage and identify 60 days of remote access tool usage even after execution of counter-forensic programs.
Finally, Windows event log analysis has solved more cases than possibly any other type of analysis. Windows 11 now includes over 300 logs, and understanding the locations and content of the available log files is crucial to the success of any investigator. Many researchers overlook these records because they do not have adequate knowledge or tools to get the job done efficiently.
Exercises
- Search for Email and File Attachments with Forensic Tools
- Analyze Message Headers and Gauge Email Authenticity
- Collect Evidence from Microsoft and Google Tools
- Use Forensic Software to Recover Deleted Objects
- Perform Advanced Filtering and Analyze Historical Records
Topics
- Email Forensics
  Evidence of User Communication
  How Email Works
  Email Header Examination
  Email Authenticity
  Determining a Sender's Geographic Location
  Extended MAPI Headers
  Host-Based Email Forensics
  Exchange Recoverable Items
  Exchange and M365 Evidence Acquisition and Mail Export
  Exchange and M365 Compliance Search and eDiscovery
  Unified Audit Logs in Microsoft 365
  Google Workspace (G Suite) Logging
  Google Vault Analysis
  Recovering Data from Google Workspace Users
  Web and Cloud-Based Email
  Webmail Acquisition
  Email Searching and Examination
  Mobile Email Remnants
  Business Email Compromise Investigations
- Forensicating Additional Windows OS Artifacts
  Windows Search Index Database Forensics
  Extensible Storage Engine (ESE) Database Recovery and Repair
  Windows Thumbcache Analysis
  Windows Recycle Bin Analysis (XP, Windows 7-10)
  System Resource Usage Monitor (SRUM)
  Connected Networks, Duration, and Bandwidth Usage
  Applications Run and Bytes Sent/Received Per Application
  Application Push Notifications
  Energy Usage
- Windows Event Log Analysis
  Event Logs of Importance to a Digital Forensic Investigator
  EVTX and EVT Log Files
  Track Account Usage, including RDP, Brute Force Password Attacks, and Rogue Local Account Usage
  Prove System Time Manipulation
  Track BYOD and External Devices
  Microsoft Office Alert Logging
  Geo-locate a Device via Event Logs
Web Browser Forensics
Overview
With the increasing use of the web and the shift toward web-based applications and cloud computing, browser forensic analysis is a critical skill. During this section, students will comprehensively explore web browser evidence created during the use of Google Chrome, Microsoft Edge, Internet Explorer, and Firefox. The hands-on skills taught here, such as SQLite, LevelDB, and ESE database parsing, allow investigators to extend these methods to nearly any browser they encounter.
Students will learn how to examine every significant artifact stored by the browser, including web storage, cookies, visit and download history, Internet cache files, browser extensions, and form data. We will show you how to find these records and identify the common mistakes investigators make when interpreting browser artifacts. You will also learn how to analyze some of the more obscure (and powerful) browser artifacts, such as session restore, HTML5 web storage, zoom levels, predictive site prefetching, and private browsing remnants. Browser synchronization is explained, providing investigative artifacts derived from other devices in use by the subject of the investigation. Finally, skills to investigate Chromium-based Electron\Webview2 Applications are introduced, opening capabilities to investigate hundreds of third-party Windows applications using this framework, including chat clients like Discord, Signal, Skype, Microsoft Teams, Slack, WhatsApp, Yammer, Asana, and more. ChatGPT usage is becoming common nature. Skills to parse activity within the application are explained and methods to analyze are provided.
Throughout the section, students will use their skills in real hands-on cases, exploring evidence created by Chrome, Firefox, Microsoft Edge, and Internet Explorer correlated with other Windows operating system artifacts.
Exercises
- Manually Parse SQLite Databases
- Track Suspect’s Activity in Browser History and Cache
- Parse Automatic Crash Recovery Files
- Identify Anti-Forensics Activity
- Recover Microsoft Teams and Slack Chats
Topics
- Browser Forensics
  History
  Cache
  Searches
  Downloads
  Understanding Browser Timestamps
- Chrome
  Chrome File Locations
  Correlating URLs and Visits Tables for Historical Context
  History and Page Transition Types
  Chrome Preferences File
  Web Data, Shortcuts, and Network Action Predictor Databases
  Chrome Timestamps
  Cache Examinations
  Download History
  Web Storage: IndexedDB, Local Storage, Session Storage, and Origin Private File System
  Chrome Session Recovery
  Chrome Profiles Feature
  Chromium Snapshots folder
  Identifying Cross-Device Chrome Synchronization
- Edge
  Chromium Edge vs. Google Chrome
  History, Cache, Web Storage, Cookies, Download History, and Session Recovery
  Microsoft Edge Collections
  Edge Internet Explorer Mode
  Chrome and Edge Extensions
  Edge Artifact Synchronization and Tracking Multiple Profiles
- Internet Explorer
  Internet Explorer Essentials and the Browser That Will Not Die
  WebCache.dat Database Examination
  Internet Explorer and Local File Access
- Electron and WebView2 Applications and Chat Client Forensics
  Electron Application Structure
  Electron Chromium Cache
  LevelDB Structure and Tools
  Manual Parsing of LevelDB
  Specialized LevelDB parsers and tools
- Firefox
  Firefox Artifact Locations
  SQLite Files and Firefox Quantum Updates
  Download History
  Firefox Cache2 Examinations
  Detailed Visit Type Data
  Form History
  Session Recovery
  Firefox Extensions
  Firefox Cross-Device Synchronization
- Private Browsing and Browser Artifact Recovery
  Chrome, Edge, and Firefox Private Browsing
  Investigating the Tor Browser
  Identifying Selective Database Deletion
- SQLite and ESE Database Carving and Examination of Additional Browser Artifacts
  Deleted database record recovery
  DOM and Web Storage Objects
  Rebuilding Cached Web Pages
  Browser Ancestry
  Capturing Stored Browser Credentials
Windows Forensic Challenge
Overview
Nothing will prepare you more as an investigator than a complete hands-on challenge requiring you to use all the skills and knowledge presented throughout the course. With the option to work individually or in teams, students are provided new case evidence to analyze. Fast forensics techniques will be used to rapidly profile computer usage and discover the most critical pieces of evidence to answer investigative questions. The skills you learn in the class will prepare you for this ultimate CTF!
This complex case involves an investigation into the Windows operating system. The evidence is from real devices and provides the most realistic training opportunity currently available. Solving the case requires students to use all the skills gained from each of the previous course sections.
This section has been gamified into a CTF allowing everyone to participate easily, whether in person or online.
Exercises
- Full-length Windows 10 forensic challenge
- Bonus: One additional complete take home exercise to continue honing your skills!
Topics
- Digital Forensics Capstone
  Analysis
  Process and Triage a New Full Set of Evidence
  Find Critical Evidence Following the Evidence Analysis Methods Discussed Throughout the Week
  Examine Memory, Registry, Chat, Browser, Recovered Files, Synchronized Artifacts, Installed Malware, and More
- Solving
  Build an Investigative Timeline
  Piece Artifacts Together to Make Sense of the Crime
  Answer Critical Investigative Questions with Factual Evidence

GIAC Certified Forensic Examiner

The GIAC Certified Forensic Examiner (GCFE) certification validates a practitioner’s knowledge of computer forensic analysis, with an emphasis on core skills required to collect and analyze data from Windows computer systems. GCFE certification holders have the knowledge, skills, and ability to conduct typical incident investigations including e-Discovery, forensic analysis and reporting, evidence acquisition, browser forensics and tracing user and application activities on Windows systems.

Windows Forensics and Data Triage
Windows Registry Forensics, USB Devices, Shell Items, Email Forensics and Log Analysis
Advanced Web Browser Forensics (Chrome, Edge, Firefox)

More Certification Details

Prerequisites

There are no prerequisite courses required to take this course. The artifacts and tool-agnostic techniques you will learn will lead to the successful analysis of any cyber incident and crime involving a Windows Operating System.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY FOR500 SYSTEM HARDWARE REQUIREMENTS

CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
16GB of RAM or more is required.
300GB of free storage space or more is required.
At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

Additional optional components for this course:

A USB storage device is necessary to complete one optional lab step in the course. The storage size of the USB media should be larger than the amount of RAM in the laptop.

MANDATORY FOR500 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
Microsoft Office (any version) or OpenOffice installed on your host. Note that you can download Office Trial Software online (free for 30 days).
Download and install VMware Workstation Pro 17+ (for Windows hosts), or VMWare Fusion Pro 13+ (for macOS hosts) prior to class beginning. Workstation Pro and Fusion Pro are now available free for personal use from the VMware website. Licensed commercial subscriptions to these products can also be used.
On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact customer service.

Author Statement

“Digital forensics is booming and the need for skilled practitioners is more prevalent than ever before. Every action a user makes on a Windows PC is tracked, whether they like it or not. No matter the crime, it is likely a PC is involved. Understanding how to repel computer intrusions, stop intellectual property theft, trace the legitimacy of a file, understand how data ended up on a PC, and to find the truth behind the artifact is the goal of this course. This course should be mandatory for anyone in digital forensics who has the goal of letting the data tell the truth. This course is current, relevant and will be helpful to those just starting out and the seasoned DFIR veterans who need a refreshing reality check on what is possible now more so than ever before in digital forensics.”

– Heather Barnhart

"My first forensic case was on a Windows 95 machine — and today, with Windows 11, the journey continues. Computer forensics remains a fertile and highly relevant field because modern Windows systems are at the crossroads of local activity, cloud integration, and mobile convergence. The same apps and data that live in the cloud or on a smartphone often leave traces on the PC. Understanding how these elements interact — and how system behavior evolves with each new feature — is essential for any thorough investigation. With over two decades of experience in digital forensics, I’ve seen firsthand how the Windows platform continues to offer critical insight into user activity, system compromise, and cross-platform correlations. Far from being obsolete, the analysis of computers is more important than ever in today’s complex, hybrid digital ecosystem."

– Mattia Epifani

"After 30 years in law enforcement, three capabilities immediately rise to the top of my list when I think of what makes a great digital forensic analyst: superior technical skill, sound investigative methodology, and the ability to overcome obstacles. This course was designed to impart these critical skills to students. Unlike many other training courses that focus on teaching a single tool, FOR500 provides training on many tools. While there are some exceptional tools available, forensic analysts need a variety of tools in their arsenal to be able to pick and choose the best one for each task. However, forensic analysts are not great because of the tools they use, but because they artfully apply the right investigative methodology to each analysis. A carpenter can be a master with all his tools and still not know how to build a house. FOR500 teaches analysts to apply digital forensic methodologies to a variety of case types and situations, enabling them to apply the right methodology to achieve the best outcome in the real world. Finally, the course presents the problem-solving skills necessary to be a truly successful forensic analyst. Almost immediately after starting your forensic career, you will learn that each forensic analysis presents its own unique challenges. A technique that worked flawlessly for previous examinations may not work for the next one. A good forensic analyst must be able to overcome obstacles through advanced troubleshooting and problem-solving. FOR500 gives students the foundation to solve future problems, overcome obstacles, and become great forensic analysts. No matter if you are new to the forensic community or have been doing forensics for years, FOR500 is a must-have course."

– Ovie Carroll

"Former students have contacted me regularly about how they were able to use their digital forensic skills in very real situations that were part of the nightly news cycle. The skills you learn in this class are used directly to stop evil. Graduates of FOR500 are the front-line troops deployed when you need accurate digital forensic, incident response, and media exploitation analysis. From analyzing terrorist laptops and data breaches to investigating insider intellectual property theft and fraud, SANS digital forensic graduates are battling and winning the war on crime and terror. Graduates have directly contributed to solving some of the toughest cases out there because they have learned how to properly conduct analyses and run investigations. It brings me great comfort knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign attacks. Graduates are doing just that on a daily basis. I am proud that FOR500 helped prepare them to solve cases and fight crime."

– Rob Lee

Ways to Learn

OnDemand

Cybersecurity learning – at YOUR pace! OnDemand provides unlimited access to your training wherever, whenever. All labs, exercises, and live support from SANS subject matter experts included.

Live Online

The full SANS experience live at home! Get the ultimate in virtual, interactive SANS courses with leading SANS instructors via live stream. Following class, plan to kick back and enjoy a keynote from the couch.

View Available Dates & Time Zones

In Person (6 days)

Did someone say ALL-ACCESS? On-site immersion via in-classroom course sessions led by world-class SANS instructors fill your day, while bonus receptions and workshops fill your evenings.

View Available Dates & Locations

Who Should Attend FOR500?

Information security professionals who want to learn the in-depth concepts of Windows digital forensics investigations
Incident response team members who need to use deep-dive digital forensics to help solve their Windows data breach and intrusion cases, perform damage assessments, and develop indicators of compromise
Law enforcement officers, federal agents, and detectives who want to become deep subject-matter experts on digital forensics for Windows-based operating systems
Media exploitation analysts who need to master tactical exploitation and Document and Media Exploitation (DOMEX)
Anyone interested in a deep understanding of Windows forensics who has a background in information systems, information security, and computers

NICE Framework Work Roles

Cyber Crime Investigator (OPM 221)
Cyber Defense Forensics Analyst (OPM 212)
Law Enforcement/Counter Intelligence Forensics Analyst (OPM211)

See prerequisites

Need to justify a training request to your manager?

Use this justification letter template to share the key details of this training and certification opportunity with your boss.

Download the Letter

Courses

Hands-On Simulations

Certifications

Ways to Train

Training Events & Summits

Free Training Events

Security Awareness

By Focus Area

By NICE Framework

DoDD 8140 Work Roles

By European Skills Framework

By Skills Roadmap

New to Cyber

Leadership

Degree and Certificate Programs

Watch & Listen

Read

Download

SANS Community Benefits

CISO Network

Team Development

Leadership Development

Security Awareness

Public Sector Partnerships

Sponsorship Opportunities

FOR500: Windows Forensic Analysis

GIAC Certified Forensic Examiner (GCFE)

Course Authors:

Rob Lee

Ovie Carroll

Heather Barnhart

Mattia Epifani

What You Will Learn

Master Windows Forensics - "You Can't Protect the Unknown."

Through practical exercises and real-life case studies, students in FOR500: Windows Forensic Analysis will gain hands-on experience and develop the skills to:

FOR500 Windows Forensic Analysis Course Topics

What is Windows Forensics, And Why Is It Important?

Business Takeaways

Skills Learned

What You Will Receive

What Comes Next?

Syllabus (36 CPEs)

Digital Forensics and Advanced Data Triage

Overview

Exercises

Topics

Registry Analysis, Application Execution, and Cloud Storage Forensics

Overview

Exercises

Topics

Shell Items and Removable Device Profiling

Overview

Exercises

Topics

Email Analysis, Windows Search, SRUM, and Event Logs

Overview

Exercises

Topics

Web Browser Forensics

Overview

Exercises

Topics

Windows Forensic Challenge

Overview

Exercises

Topics

GIAC Certified Forensic Examiner

Prerequisites

Laptop Requirements

MANDATORY FOR500 SYSTEM HARDWARE REQUIREMENTS

MANDATORY FOR500 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

Author Statement

Ways to Learn

Who Should Attend FOR500?

Need to justify a training request to your manager?

Related Programs

Reviews

Filters:

Register for FOR500

Loading...