Last Day to Save $400 on 4-6 Day Courses at SANS Security West 2018 in San Diego!


To attend this webcast, login to your SANS Account or create your Account.

A glimpse into NEW FOR500: Windows Forensics Course: Windows 10 and beyond - what is your digital forensics investigation missing?

  • Friday, July 21st, 2017 at 1:00 PM EDT (17:00:00 UTC)
  • Rob Lee
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast.

You can now attend the webcast using your mobile device!


Windows Forensic Analysis is constantly progressing. If you have been doing digital forensics for the past few years and haven't been able to keep your skills up to date, FOR500 Windows Forensic Analysis will bring your skills up to date. Do you know what a shell item is and why it is important to proper windows digital artifact analysis? Have you ever heard of the SRUM database and what it could mean in attempting to track individuals stealing data from your organizations? The latest evidence of execution artifacts such as ShimCache and AmCache registry hive files are critical to proving certain programs are executed. Even more so, Windows operating systems synchronize a lot of the data stored on the OS across multiple devices without you knowing about it. Completely updated through Windows 10 the new FOR500: Windows Forensics course is not an introduction to forensics class but focuses completely on artifacts that will help you solve the most complex investigations.

For more information about FOR500 or to see the next course runs visit:

Speaker Bio

Rob Lee

Rob Lee is the curriculum lead and author for digital forensic and incident response at the SANS Institute. With more than 19 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention and incident response, he provides consulting services via HARBINGERS LLC. in the Boston, MA. area. Before directing services at HARBINGERS, Rob worked with government agencies in law enforcement, defense, and intelligence communities as a lead for vulnerability discovery and exploit development teams supporting Title10/50 cyber operations. Following his work in the intel community, he worked at the incident response firm MANDIANT for 5 years. Notably, he co-authored MANDIANT's first detail threat intelligence reports on Chinese APT activity titled "M-Trends: The Advanced Persistent Threat."

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.