Windows Forensics
What about this course?
This course will familiarize students with all aspects of Windows forensics. By the end of this course, students will be able to perform live analysis, capture volatile data, make images of media, analyze filesystems, analyze network traffic, analyze files, perform memory analysis, and analyze malware for a Windows subject on a Linux system with readily available free and open-source tools. Students will also gain an in-depth understanding of how Windows works under the covers.
Instructor for this course
Dr. Philip Polstra
This course is composed of the following modules
Course Introduction
Forensic Basics: Background
Forensic Basics: First Steps
Starting an Investigation
Using Netcat
Automating the Netcat Server
Automating the Netcat Client
Collecting Volatile Data Part 1
Collecting Volatile Data Part 2
Collecting Volatile Data Part 3
Collecting Volatile Data Part 4
Collecting Volatile Data Part 5
Creating Filesystem Images Part 1
Creating Filesystem Images Part 2
Creating Filesystem Images Part 3
Software Write Blocking using udev Rules
Making Images from a Physical Disk
Mounting Images Part 1: MBR Basics
Mounting Images Part 2: Mounting MBR Partitions on Linux
Mounting Images Part 3: Mounting Extended Partitions on Linux
Automating Image Mounting with Python: Part 1A - MBR Partitions
Automating Image Mounting with Python: Part 1B - MBR Partitions
Automating Image Mounting with Python: Part 2 - Extended Partitions
Automating Image Mounting with Python: Part 3: GPT Basics
Automating Image Mounting with Python: Part 4: Mounting GPT Partitions
File Allocation Table Part 1: FAT Basics
File Allocation Table Part 2: Using Active Disk Editor to View Images
File Allocation Table Part 3: Volume Boot Records
File Allocation Table Part 4: Using Active Disk Editor to View VBR
File Allocation Table Part 5: Using Python to Examine the VBR
File Allocation Table Part 6: Active Disk Editor to Examine FAT
File Allocation Table Part 7: Using Python to Interpret the FAT
File Allocation Table Part 8: Directory Entries
File Allocation Table Part 9: Examining Directories using Active Disk Editor
File Allocation Table Part 10A: Using Python to Interpret Directories
File Allocation Table Part 10B: Using Python to Interpret Directories
File Allocation Table Part 11: Introduction to The Sleuth Kit
File Allocation Table Part 12A: Intro to Autopsy
File Allocation Table Part 12B: Intro to Autopsy
File Allocation Table Part 13: Deleted File Basics
File Allocation Table Part 14: Deleted Files and Active Disk Editor
File Allocation Table Part 15A: Deleted Files and Python
File Allocation Table Part 15B: Deleted Files and Python
File Forensics Part 1
File Forensics Part 2A: Active Disk Editor
File Forensics Part 2B: Active Disk Editor
File Forensics Part 3: Using the File Utility
File Forensics Part 4: Finding Mismatched Files with Shell Scripts
File Forensics Part 5: Finding Files with Python
File Forensics Part 6: Using Scalpel to Carve Files
NTFS Part 1: The Basics
NTFS Part 2: Volume Boot Record
NTFS Part 3: MFT Entry Basics
NTFS Part 4: MFT Attributes 10 and 30
NTFS Part 5: Data Attribute for a Small File
NTFS Part 6: Data Attribute for a Medium File
NTFS Part 7: Data Attribute with Negative Offsets
NTFS Part 8: Large Files
NTFS Part 9: Directory Basics
NTFS Part 10: Small Directory Demo
NTFS Part 11A: Medium-sized Directories
NTFS Part 11B: Medium-sized Directories
NTFS Part 12A: Large Directories
NTFS Part 12B: Large Directories
NTFS Part 13A: Deleted Files
NTFS Part 13B: Deleted Files
Python and NTFS Part 1
Python and NTFS Part 2: MFT Headers
Python and NTFS Part 3: Attribute Headers
Python and NTFS Part 4: Standard Info
Python and NTFS Part 5: Filename Attribute
Python and NTFS Part 6: Data Attribute
Python and NTFS Part 7: Index Root
Python and NTFS Part 8: Index Allocations
Python and NTFS Part 9: Index Allocations
Python and NTFS Part 10: Attribute Lists
Python and NTFS Part 11A: Extracting Files & Directories
Python and NTFS Part 11B: Extracting Files & Directories
Python and NTFS Part 12: Enhancing the Extract Script
Creating Timelines Part 1: Extracting Timeline Information
Creating Timelines Part 2: Importing Timeline Information into a Spreadsheet
Creating Timelines Part 3: Importing Timeline Information into a Database
Creating Timelines Part 4: Creating a Timeline Table and running Queries
Creating Timelines Part 5: Bash Script to Create Timelines
Creating Timelines Part 6: Understanding NTFS Timestamps
Creating Timelines Part 7: Printing Timelines File by File
Registry Part 1: The Basics
Registry Part 2: Extracting Hives
Registry Part 3: Examining the Registry
Registry Part 4: The System Hive
Registry Part 5: The Software Hive
Registry Part 6: The User Hive
Registry Part 7A: RegRipper
Registry Part 7B: RegRipper
Registry Part 7C: RegRipper
Windows Artifacts Part 1: Recycle Bin
Windows Artifacts Part 2: Event Logs
Windows Artifacts Part 3: Prefetch Files
Windows Artifacts Part 4: User App Data Directories
Windows Artifacts Part 5: Misc Artifacts
Windows Artifacts Part 6: Web Browser History
Memory Forensics Part 1: Introduction to Volatility
Memory Forensics Part 2: Volatility Basics
Memory Forensics Part 3: Volatility Process Commands
Memory Forensics Part 4: Looking for a Single Process
Memory Forensics Part 5: Looking Deeper at a Single Process
Memory Forensics Part 6: Finding Malware
Memory Forensics Part 7A: More Volatility Commands
Memory Forensics Part 7B: More Volatility Commands
Suspicious Files Part 1: Is It in a Database?
Suspicious Files Part 2: Is It Not in a Database?
Suspicious Files Part 3: Packers
Suspicious Files Part 4: Setting up a Sandbox
Suspicious Files Part 5: Setting up a 32-bit Debugger
Suspicious Files Part 6: Examining a 32-bit Executable
Suspicious Files Part 7: Examining a 64-bit Executable
Finishing the Job
The Road Ahead
Common Course Questions
If you have a question you don’t see on this list, please visit our Frequently Asked Questions page by clicking the button below.
If you’d prefer getting in touch with one of our experts, we encourage you to call one of the numbers above or fill out our contact form.
Do you offer training for all student levels?