Analyst I: Practical Windows Forensics Track
This course is included in the Analyst I – PWFA Training Track and Hero Bundle Training. Enroll to access the course.
Overview:
- Format: Browser-based labs, fully pre-configured, no downloads required
- Lab Time: 150 hours total access across all scenarios
- Access Period: 6 months
- Tool Stack: Industry-standard and famous tools for performing Windows disk and memory analysis.
- Case files: Includes memory dumps, disk images, and event logs.
- Reporting templates: Structured templates to help you document timelines, findings, and incident summaries clearly and professionally.
Recommended Experience
This course is designed for learners who:
- Have a foundational understanding of Windows forensic analysis
- Have completed 201 Practical Windows Forensics, or possess equivalent experience
System Requirements
- A modern browser (Google Chrome recommended)
- Stable internet connection
- No additional software or installations required
What’s Included:
You’ll get instant access to four realistic investigations, each modeled after real-world security incidents at our fictional company: Terra Nova Technology (TNT).
- FOR001: Disgruntled Manager’s Exodus – Intermediate
- FOR002: Suspicious Network Connection – Intermediate
- FOR003: Unauthorized Access – Advanced
- FOR004: Suspicious Logons – Beginner
Inside each case, you’ll:
- Analyze memory, disk, log artifacts
- Use enterprise-grade forensic tools in a fully pre-configured browser-based lab
- Build structured reports and timelines based on your findings
- Complete a scenario-end quiz to assess your understanding
Support & FAQs
Please use our Support & FAQ page to find more information and reach out to us and join our Discord community for general conversation topics and networking.
200FOR Investigation Scenario Bundle
This bundle includes four browser-based scenarios, each modeled after real-world enterprise incidents:
- FOR001: Disgruntled Manager’s Exodus – Intermediate
- FOR002: Suspicious Network Connection – Intermediate
- FOR003: Unauthorized Access to Confidential Share Drive – Advanced
- FOR004: Suspicious Logons to CTO Workstation – Beginner
Each scenario is fully self-contained and delivered in a cloud-based forensic lab—no downloads or setup required.
Learn, Practice, and Validate Your Skills
These scenarios are part of the “Practice” phase of our Learn → Practice → Validate framework. You’ll get to:
- Apply investigative techniques in realistic settings
- Analyze memory, disk, log, and network artifacts
- Build confidence with guided objectives and forensic tools
- Practice storytelling through reporting and evidence correlation
Certificate of Completion
Once you finish the course you will earn:
- A Certificate of Completion for finishing the full course
- Individual certificates for each scenario upon completing the end-of-scenario quiz
- An Achievement Badge after completing each investigation scenario
- A Forensic Excellence Badge for any scenario where you score 80% or higher on the quiz
🏆 Both badges qualify you for future leaderboard features and special recognition opportunities.
You must log in and have started this course to submit a review.
I have already taken the Practical Windows Forensics course, which contains many valuable tips on how to use Kape and the Zimmermann tools. With the four scenarios here from 200, I was able to apply what I had learned in four realistic scenarios. I can say that the scenarios are realistic because I have been working in the DFIR area and have had to deal with more or less similar incidents there. A valuable addition to the scenarios is the analysis of memory images, which is often neglected. The scenarios are feasible for everyone, whether beginner (with knowledge of FOR201) or advanced.