
FOR500: Windows Forensic Analysis

FOR500 | Digital Forensics and Incident Response
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course created by:
Heather Barnhart, Ovie Carroll, Mattia Epifani & Rob Lee
  • GIAC Certified Forensic Examiner (GCFE)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 22 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Gain an essential understanding of Windows artifacts and learn to perform digital forensics in Microsoft Windows operating systems to recover, analyze, and authenticate data and solve a forensic case.

Course Overview

FOR500 builds comprehensive Microsoft Windows forensics knowledge, providing the means to recover, analyze, and authenticate forensic data, track user activity on the network, and organize findings for use in incident response, internal investigations, intellectual property theft inquiries, and civil or criminal litigation. Use this knowledge to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Detailed, real-world exercises teach the tools and techniques that every investigator should employ, step by step, to solve a forensic case. Newly updated to cover all Windows versions through Windows 11! It is also the foundational course for those pursuing the GCFE certification (GIAC Certified Forensic Examiner), one of the most respected credentials in the digital forensics community.

What You’ll Learn

  • Conduct in-depth forensic analysis of Windows operating systems and media exploitation
  • Identify artifact and evidence locations to answer crucial questions
  • Become tool-agnostic by focusing your capabilities on analysis
  • Extract critical findings and build an in-house forensic capability
  • Establish structured analytical techniques to be successful in any security role

Business Takeaways

  • Build an in-house digital forensic capability that can rapidly answer important business questions and investigate crimes
  • Use deep-dive digital forensics to help solve Windows data breach cases
  • Understand the wealth of telemetry available in the Windows Enterprise
  • Identify forensic artifact and evidence locations to answer crucial questions
  • Receive a pre-built forensic lab setup via a variety of free, open-source, and commercial tools
  • Build tool-agnostic investigative capabilities by focusing on analysis techniques

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in FOR500: Windows Forensic Analysis.

Section 1: Digital Forensics and Advanced Data Triage

Section 1 examines digital forensics in today’s interconnected environments and discusses challenges associated with mobile devices, tablets, cloud storage, and modern Windows operating systems.

Topics covered

  • Windows Operating System Components
  • Core Forensic Principles
  • Live Response and Triage-Based Acquisition Techniques

Labs

  • Carving Important Files from Free Space
  • Recovering Critical User Data
  • Parse Metadata Information in NTFS Master File Table and USN Journal

Section 2: Registry Analysis, Application Execution, and Cloud Storage Forensics

In this section, digital forensic investigators will learn how to discover critical user and system information in the Windows Registry that is pertinent to almost any investigation.

Topics covered

  • Registry Core and Forensics In-Depth
  • Profile Users and Groups
  • Core System Information

Labs

  • Examining Which Applications a User Executed
  • Examining Recently Opened Files
  • Perform Cloud Storage Forensics

Section 3: Shell Items and Removable Device Profiling

In this section, students will learn how to perform in-depth USB device examinations on all modern Windows versions. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, drive capacity, and even the unique serial number of the device used.

Topics covered

  • Shell Item Forensics
  • ShellBag Analysis
  • USB and BYOD Forensic Exams

Labs

  • Understand MSC, HID, and MTP Device Differences
  • Track USB and BYOD Device Data
  • Track Bluetooth and Printers

Section 4: Email Analysis, Windows Search, SRUM, and Event Logs

Section four arms investigators with the core email analysis knowledge and capabilities to maintain and build upon this skill for many years to come.

Topics covered

  • Email Forensics
  • Forensicating Additional Windows OS Artifacts
  • Windows Event Log Analysis

Labs

  • Search for Email and File Attachments with Forensic Tools
  • Analyze Message Headers and Gauge Email Authenticity
  • Collect Evidence from Microsoft and Google Tools

Section 5: Web Browser Forensics

During this section, students will comprehensively explore web browser evidence created during the use of Google Chrome, Microsoft Edge, Internet Explorer, and Firefox. The hands-on skills taught here, such as SQLite, LevelDB, and ESE database parsing, allow investigators to extend these methods to nearly any browser they encounter.

Topics covered

  • Browser Forensics
  • Private Browsing and Browser Artifact Recovery
  • SQLite and ESE Database Carving

Labs

  • Parse Automatic Crash Recovery Files
  • Identify Anti-Forensics Activity
  • Recover Microsoft Teams and Slack Chats

Section 6: Windows Forensic Challenge

Nothing will prepare you more as an investigator than a complete hands-on challenge requiring you to use all the skills and knowledge presented throughout the course.

Things You Need To Know

Relevant Job Roles

Forensics Analyst (DCWF 211)

DoD 8140: Cyber Enablers

Investigates cybercrimes, analyzing digital media and logs to establish documentary or physical evidence in support of cyber intrusion cases.


Digital Forensics Analyst

Digital Forensics and Incident Response

This expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.


Cyber Defense Forensics Analyst (DCWF 212)

DoD 8140: Cybersecurity

Analyzes digital evidence to investigate computer security incidents and support mitigation of vulnerabilities and ongoing threat response.


Course Schedule & Pricing

Prices exclude applicable local taxes.

  • Virtual (OnDemand), instructed by Heather Barnhart. OnDemand (Anytime), self-paced, 4 months access. $8,780 USD.
  • Salt Lake City, UT, US & Virtual (live), instructed by Mari DeGrazia. $8,780 USD.
  • Boston, MA, US & Virtual (live), instructed by Ovie Carroll. $8,780 USD.
  • Virtual (live), instructed by Kathryn Hedley. €8,230 EUR.
  • Tokyo, JP & Virtual (live), instructed by Phill Moore. $8,900 USD.
  • Malaga, ES, instructed by Jess Garcia. €8,230 EUR.
  • Las Vegas, NV, US & Virtual (live), instructed by Heather Barnhart. $8,780 USD.
  • Prague, CZ & Virtual (live), instructed by Jess Garcia. €8,230 EUR.

Benefits of Learning with SANS


Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources