Free
DFIR Operator Series: Windows Forensics 101
Created for learners to analyze and triage Windows systems (including artifacts and indicators of compromise) and review operating systems at a detailed level. Allows learners to apply critical thinking to various steps of forensics investigations (of Windows-based systems) and communicate those findings to stakeholders and executive leadership.

Time: 4 H 6 M
Difficulty: intermediate
CEU/CPE: 4
Course Content
DFIR Overview: Analysis (Video) | Analysis
Windows EVTX Overview (Text) | Windows Artifacts
Windows Registry, Shellbags & Amcache (Text) | Windows Artifacts
DFIR: Reporting & Wrapping Up | Capstone
Windows NTFS & FAT Filesystem (Video) | Windows Artifacts
Lab #3: $MFT Parsing (Overview Video) | Windows Artifacts
Windows NTFS: $MFT (Video) | Windows Artifacts
Final Capstone Lab | Capstone
Lab #8: Memory Forensics | Memory
Lab #7: EVTX Analysis | Analysis
Lab #6: MFT Analysis | Analysis
Lab #5: Registry Analysis | Analysis
Lab #4: Parsing Registry Files | Windows Artifacts
Lab #3: $MFT Parsing | Windows Artifacts
Lab #3: $MFT Parsing (Overview Video) | Examination
Lab #2: Artifact Collection | Examination
Lab #1: Disk Acquisition | Data Collection
Lab #1: Disk Acquisition (Overview Video) | Data Collection
Lab Test | Capstone
Capstone Summary Video | Capstone
Capstone Lab Activity | Capstone
Course Description
Created for learners to be able to analyze and triage Windows systems (including specific artifacts and indicators of compromise) and review operating systems at a detailed level. This course allows learners a chance to apply critical thinking to various steps of forensics investigations (of Windows-based systems) and communicate those findings to stakeholders and executive leadership.