Windows Forensics


Windows Forensics is an essential skill in the cybersecurity world. This course covers a broad spectrum of the forensic investigation process as performed on the Windows OS. Participants will learn how different computer components work and how to investigate after a cyber-incident. The training focuses on developing the hands-on capabilities of forensics teams or individual practitioners in these areas:

  • Searching the hard drive for evidence
  • Processing hidden, invisible or inaccessible files that contain past-usage information
  • Performing a forensic analysis of a computer to reveal usage details, recover data, and accomplish a full inspection after the machine has been defragmented or formatted

Duration: 40 hours

Target Audience
This course targets participants with basic knowledge of IT or networking who wish to gain a deeper understanding of cyber investigations and the forensic process.

  • Law enforcement officers & intelligence corps
  • Incident responders
  • Computer investigators
  • IT/network administrators


  • ThinkCyber Level-1 Courses


  • Accessing concealed files on the system and extracting relevant information
  • Mastering the steps of incident response
  • Analyzing relevant case studies


Module 1: Computer Hardware

The first module covers the different components of computer hardware. Students will learn the main components of storage disks and the structure of the Windows OS, and finally the students will install their first virtual forensics workstation.

  • Drives and Disks
    o The Anatomy of a Drive
    o Data Sizes
    o Data Representation
      ▪ Hexadecimal
      ▪ Binary
    o Volumes & Partitions
    o Disk Partitioning and the Disk Management Tool
      ▪ MBR vs. GPT
      ▪ Understanding UEFI
      ▪ The HPA
    o Solid State Drive (SSD) Features
  • Understanding Windows OS Structure
    o The Filesystem
    o FAT
      ▪ FAT Structure
      ▪ File Allocation and Deletion
    o NTFS
      ▪ NTFS Structure
      ▪ Volume Boot Record
      ▪ Master File Table
    o The EFS Encryption
    o Windows Directory Structure
  • Virtualizing a Forensics Workstation
    o Setting up a Virtual Machine
    o Installing and Configuring the VM
    o Preparing the Environment

Module 2: Forensic Fundamentals

This module exposes students to the internal components of the Windows OS. Students will learn about tools that help them with the forensic investigation process.

  • Understanding Hashes and Encodings
    o Hash as a Digital Signature
    o The Use of Hashes in Forensics
    o Base Encodings
  • Windows Artifacts
    o Startup Files
    o Jump Lists
    o Thumbnail Cache
    o Shadow Copies
    o Prefetch and Temp Directories
    o RecentApps
    o Registry Hives
  • Windows Passwords – Bypassing Windows Protection
    o Encryption in the Windows OS
      ▪ BitLocker
      ▪ NTLM
      ▪ Kerberos
    o Cracking Windows Passwords
    o Cracking RAR/ZIP Passwords
  • Data and File Structure
    o Hexadecimal Editing Tools
      ▪ WinHex
      ▪ HxD
    o File Structure
      ▪ Headers and Trailers
      ▪ Magic Numbers
    o Embedded Metadata
    o Working with Clusters
      ▪ Slack Space
      ▪ Unallocated and Allocated Space

Module 3: Collecting Evidence

During this module, students will master techniques for collecting evidence and for accessing and retrieving volatile and non-volatile information.

  • Forensic Data Carving
    o Using HxD for Forensic Carving
      ▪ Carving Files from an Existing File
    o Automatic File Carving Tools
      ▪ Foremost
      ▪ Scalpel
      ▪ Bulk Extractor
  • Collecting Information
    o Identifying Evidence of Program Execution
      ▪ Extracting Registry Artifacts
      ▪ Event Viewer
      ▪ The Audit Policy
      ▪ Windows System Metadata
    o Detecting Hidden Files using ADS
    o Self-Extracting Archives (SFX)
    o Collecting Network Information
      ▪ Network Information
      ▪ Network Connections
    o Sysinternals Suite Forensic Tools
    o Extracting Credentials using NirSoft
  • Drive Data Acquisition
    o Introduction to FTK Imager
      ▪ Exploring System Files
      ▪ Creating an Image
      ▪ DD as an Alternative Image Capture Tool
    o Capturing Volatile Memory
      ▪ Capturing a Memory File
      ▪ Capture Methods and Techniques
      ▪ Pagefile
      ▪ Hiberfil.sys

Module 4: Analyzing Forensic Findings

In this module, students will learn how to uncover hidden information, detect tampered files, work with memory images, and analyze RAM.

  • Analyzing Captured Images
    o Features of FTK
      ▪ Extracting Protected Files
      ▪ Mounting an Image as a Drive
      ▪ Volatile Memory Capturing
    o MFT Dump
      ▪ Identifying Potential Threats
      ▪ Visualizing an MFT Reconstruction using DMDE
    o Analyzing Prefetch Files
    o Reconstructing Explorer with ShellBags
  • Working with Volatile Memory
    o Extracting Data from RAM
    o Identifying Network Connections
    o Dumping Processes from Memory
  • Registry Analysis
    o Using AccessData Registry Viewer to Analyze Registry Dumps
    o Finding User Information using NTUSER.DAT and UsrClass.dat
    o Using the CLI to Access the Registry
    o Extracting Data from the Registry
    o Forensic Findings in the Registry
  • Anti-Forensics Techniques
    o Wiping Drives
    o Advanced Steganographic Methods
    o File Obfuscation Techniques
    o Data Forgery
    o Drive and File Encryption
    o Artifact Removal

Module 5: Data Labelling and Report Writing

Participants will study different forensic reports prepared by investigators following past incidents and learn how to write a professional report, including which points to consider when documenting the findings of an event.

  • Introduction to report writing
    o Device Identification
    o Preservation of Data
    o Collecting Evidence
    o Examination and Analysis
    o Documentation
    o Evidence Presentation