Training
Featured CourseView All Courses
Get a free hour of SANS training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
Cloud Security Training
Can't find what you are looking for?

Let us help.

Contact us
Community Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

Solutions for Emerging Risks

Discover tailored resources that translate emerging threats into actionable strategies

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk With an Expert
Talk With an Expert

FOR500: Windows Forensic Analysis

FOR500Digital Forensics and Incident Response
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course created by:
Heather BarnhartOvie CarrollMattia EpifaniRob Lee
Heather Barnhart, Ovie Carroll, Mattia Epifani & Rob Lee
Register NowCourse Preview
FOR500: Windows Forensic Analysis
Course created by:
Heather BarnhartOvie CarrollMattia EpifaniRob Lee
Heather Barnhart, Ovie Carroll, Mattia Epifani & Rob Lee
Register NowCourse Preview
  • GIAC Certified Forensic Examiner (GCFE)

    Learn about certification

  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 22 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Jump to:

Gain an essential understanding of Windows artifacts and learn to perform digital forensics in Microsoft Windows operating systems to recover, analyze, and authenticate data and solve a forensic case.

Featured Quote

This is a very high-intensity course with extremely current course material that is not available anywhere else in my experience.
Alexander ApplegateAuburn University

Course Overview

FOR500 builds comprehensive Microsoft Windows forensics knowledge of , providing the means to recover, analyze, and authenticate forensic data, track user activity on the network, and organize findings for use in incident response, internal investigations, intellectual property theft inquiries, and civil or criminal litigation. Use this knowledge to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Detailed and real-world exercises teach the tools and techniques that every investigator should employ step-by-step to solve a forensic case. Newly updated to cover all Windows versions through Windows 11! It’s also the foundational course for those pursuing the GCFE certification (GIAC Certified Forensic Examiner), one of the most respected credentials in the digital forensics community.

What You’ll Learn

  • Conduct in-depth forensic analysis of Windows operating systems and media exploitation
  • Identify artifact and evidence locations to answer crucial questions
  • Become tool-agnostic by focusing your capabilities on analysis
  • Extract critical findings and build an in-house forensic capability
  • Establish structured analytical techniques to be successful in any security role

Business Takeaways

  • Build an in-house digital forensic capability that can rapidly answer important business questions and investigate crimes
  • Use deep-dive digital forensics to help solve Windows data breach cases
  • Understand the wealth of telemetry available in the Windows Enterprise
  • Identify forensic artifact and evidence locations to answer crucial questions
  • Receive a pre-built forensic lab setup via a variety of free, open-source, and commercial tools
  • Build tool-agnostic investigative capabilities by focusing on analysis techniques

Meet Your Authors

  • Slide 1 of 4
    Heather Barnhart
    Heather Barnhart

    Heather Barnhart

    Fellow

    Heather has 20+ years of experience working with government agencies, defense contractors, law enforcement, and Fortune 500 companies. Her case experience ranges from fraud, crimes against children, counter-terrorism, and homicide investigations.

    Read more about Heather Barnhart
  • Slide 2 of 4
    Ovie Carroll
    Ovie Carroll

    Ovie Carroll

    Principal Instructor

    For Ovie Carroll, digital forensics is all about the hunt for evidence in digital places that are hiding critical clues, followed by deep analysis to prove something that the evidence was never intended to prove.

    Read more about Ovie Carroll
  • Slide 3 of 4
    Mattia Epifani
    Mattia Epifani

    Mattia Epifani

    Certified Instructor

    Mattia Epifani pioneered methodologies for extracting critical evidence from encrypted mobile ecosystems, including iOS and Apple Watch. His groundbreaking work has become foundational for law enforcement and forensic analysts worldwide.

    Read more about Mattia Epifani
  • Slide 4 of 4
    Rob Lee
    Rob Lee

    Rob Lee

    Fellow

    Rob Lee is the Chief of Research and Head of Faculty at SANS Institute and runs his own consulting business specializing in information security, incident response, threat hunting, and digital forensics.

    Read more about Rob Lee
Slide 1 of 0

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in FOR500: Windows Forensic Analysis.

Section 1Digital Forensics and Advanced Data Triage

Section 1 examines digital forensics in today’s interconnected environments and discusses challenges associated with mobile devices, tablets, cloud storage, and modern Windows operating systems.

Topics covered

  • Windows Operating System Components
  • Core Forensic Principles
  • Live Response and Triage-Based Acquisition Techniques

Labs

  • Carving Important Files from Free Space
  • Recovering Critical User Data
  • Parse Metadata Information in NTFS Master File Table and USN Journal

Section 2Registry Analysis, Application Execution, and Cloud Storage Forensics

In this section, digital forensic investigators will learn how to discover critical user and system information in Windows Registry that’s pertinent to almost any investigation.

Topics covered

  • Registry Core and Forensics In-Depth
  • Profile Users and Groups
  • Core System Information

Labs

  • Examining Which Applications a User Executed
  • Examining Recently Opened Files
  • Perform Cloud Storage Forensics

Section 3Shell Items and Removable Device Profiling

In this section, students will learn how to perform in-depth USB device examinations on all modern Windows versions. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, drive capacity, and even the unique serial number of the device used.

Topics covered

  • Shell Item Forensics
  • ShellBag Analysis
  • USB and BYOD Forensic Exams

Labs

  • Understand MSC, HID, and MTP Device Differences
  • Track USB and BYOD Device Data
  • Track Bluetooth and Printers

Section 4Email Analysis, Windows Search, SRUM, and Event Logs

Section four arms investigators with the core email analysis knowledge and capabilities to maintain and build upon this skill for many years to come.

Topics covered

  • Email Forensics
  • Forensicating Additional Windows OS Artifacts
  • Windows Event Log Analysis

Labs

  • Search for Email and File Attachments with Forensic Tools
  • Analyze Message Headers and Gauge Email Authenticity
  • Collect Evidence from Microsoft and Google Tools

Section 5Web Browser Forensics

During this section, students will comprehensively explore web browser evidence created during the use of Google Chrome, Microsoft Edge, Internet Explorer, and Firefox. The hands-on skills taught here, such as SQLite, LevelDB, and ESE database parsing, allow investigators to extend these methods to nearly any browser they encounter. 

Topics covered

  • Browser Forensics
  • Private Browsing and Browser Artifact Recovery
  • SQLite and ESE Database Carving

Labs

  • Parse Automatic Crash Recovery Files
  • Identify Anti-Forensics Activity
  • Recover Microsoft Teams and Slack Chats

Section 6Windows Forensic Challenge

Nothing will prepare you more as an investigator than a complete hands-on challenge requiring you to use all the skills and knowledge presented throughout the course.

Things You Need To Know

Relevant Job Roles

Forensics Analyst (DCWF 211)

DoD 8140: Cyber Enablers

Investigates cybercrimes, analyzing digital media and logs to establish documentary or physical evidence in support of cyber intrusion cases.

Explore learning path

Digital Forensics Analyst

Digital Forensics and Incident Response

This expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.

Explore learning path

Cyber Defense Forensics Analyst (DCWF 212)

DoD 8140: Cybersecurity

Analyzes digital evidence to investigate computer security incidents and support mitigation of vulnerabilities and ongoing threat response.

Explore learning path

Course Schedule & Pricing

Looking for Group Purchase Options?Contact Us

GIAC Certification Attempt

Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.

OnDemand Course Access

When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.

Filter by:
  • Location & instructor

    Virtual (OnDemand)

    Instructed by Heather Barnhart
    Date & Time
    OnDemand (Anytime)Self-Paced, 4 months access
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
    Self-Paced
  • Location & instructor

    Salt Lake City, UT, US & Virtual (live)

    Instructed by Mari DeGrazia
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
  • Location & instructor

    Boston, MA, US & Virtual (live)

    Instructed by Ovie Carroll
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
  • Location & instructor

    Virtual (live)

    Instructed by Kathryn Hedley
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,230 EUR*Prices exclude applicable local taxes
    Registration Options
    Virtual
  • Location & instructor

    Tokyo, JP & Virtual (live)

    Instructed by Phill Moore
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,900 USD*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
  • Location & instructor

    Malaga, ES

    Instructed by Jess Garcia
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,230 EUR*Prices exclude applicable local taxes
    Registration Options
    In-Person
  • Location & instructor

    Las Vegas, NV, US & Virtual (live)

    Instructed by Heather Barnhart
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
  • Location & instructor

    Prague, CZ & Virtual (live)

    Instructed by Jess Garcia
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,230 EUR*Prices exclude applicable local taxes
    Registration Options
    In-Person
Showing 8 of 21

Learn Alongside Leading Cybersecurity Professionals From Around The World

  • Slide 1 of 2
    As a member of the IR team, this course will aid in investigating compromised hosts.
    Mike Piclher URS Corp.
  • Slide 2 of 2
    Best forensics class I have had yet (and pretty much the only one that gives you some sort of framework on HOW to attack an exam).
    Juan M.
Slide 1 of 0

Benefits of Learning with SANS

Instructor teaching to a class

Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources