Skip to content

Training Tracks
Analyst Defense Labs
Free Training
Events
Log In

Training Tracks
Analyst Defense Labs
Free Training
Events
Log In

Practical Windows Forensics

Current Status

Not Enrolled

Enroll in this course to get access

Price

Closed

Get Started

Take this Course

This course is included in the Analyst I – PWFA Training Track and Hero Bundle Training. Enroll to access the course.

> View Course Syllabus

Support & FAQs

Please use our Support & FAQ page to find more information and reach out to us and join our Discord community for general conversation topics and networking.

Important: Virtual Labs

Your labs are real virtual machines in the cloud. This means it may take a few minutes until they are started up and available.
Whenever you have less than 15 minutes remaining, you will have the option to extend your lab by 1 hour.
When a VM shuts down, it will not store your files and data.
For the best experience, it’s recommended to use Google Chrome where you will have copy and paste functionality.

Tools Used

Arsenal Image Mounter, Kroll Artifact Browser (KAPE), Eric Zimmerman Tools (Timeline Explorer, Registry Explorer, MFTECmd, AppCompatCacheParser, AmcacheParser, PECmd, EvtxECmd), Event Log Explorer, RegRipper, Sysinternals Autoruns, Sysmon, Volatility3, QEMU, Plaso Tools, Log2Timeline

Certificate of Completion

Once you finish the course you will receive your Certificate of Completion!

Average Review Score:

★★★★★

Excellent Learning Resource

By cmk on 27 December, 2024 at 10:37

★★★★★

It is essential to learn about cybersecurity continuously. The PWF course is an invaluable resource for this purpose. Markus shares his expertise and always responds on Discord when you contact him. Throughout the course, you will be guided through an investigation and learn various techniques. Markus presents his framework for a Digital Forensics and Incident Response (DFIR) investigation. I highly recommend this course.

You must log in and have started this course to submit a review.

Username or Email Address

Password

Remember Me

Course Content

1) Welcome to Practical Windows Forensics! 2 Topics Sample Lesson

Lesson Content

0% Complete 0/2 Steps

Welcome and course introduction

PWF course roadmap

2) Online Lab Instructions 1 Topic

You don't currently have access to this content

Lesson Content

0% Complete 0/1 Steps

Lab Instructions and Overview

3) Data Collection Process 3 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/3 Steps

Forensic process overview

Data collection options

Target system data collection

4) Examination of the Forensic Data 5 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/5 Steps

Lab Instructions – Windows Forensic VM

Data examination process overview

Mounting the disk image with Arsenal Image Mounter

Overview of Windows files and forensic artifacts

Creating a triage data collection with KAPE

5) Disk Analysis Introduction 2 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/2 Steps

Sources of evidence and disk analysis process overview

Notes taking and course materials

5.1) Windows Registry Analysis 7 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/7 Steps

Windows registry overview

Exploring the registry with Registry Explorer

Gathering system information with RegRipper

RegRipper analysis continued

Parsing registry hives in bulk with RegRipper

User accounts and SIDs Overview

Analysis of user accounts, groups and profiles

5.2) User Behavior Analysis 4 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/4 Steps

User behavior analysis overview

UserAssist analysis

RecentDocs analysis

ShellBags analysis

5.3) Overview of Disk Structures, Partitions and File Systems 2 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/2 Steps

What is a file system

Exploring disk structures and the NTFS

5.4) Analysis of the Master File Table (MFT) 5 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/5 Steps

Overview of MFT Records

Analysis of MFT Records with MFTECmd

MFT parsing and in-depth analysis with MFTECmd

File timestamps and the MACB timestamp format

Investigating file timestomping

5.5) Finding Evidence of Deleted Files with USN Journal Analysis 2 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/2 Steps

How can we find evidence of deleted files?

Analyzing the USN Journal for deleted files

5.6) Analyzing Evidence of Program Execution 8 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/8 Steps

Execution artifacts introduction

Analyzing the Background Activity Moderator (BAM)

Analysis of the Application Compatibility Cache (ShimCache)

Overview of the Amcache

Analyzing the Amcache with AmcacheParser

BONUS: Amcache in-depth analysis and why scheduled tasks matter

Windows Prefetch analysis with PECmd

Windows Prefetch timeline analysis

5.7) Finding Evidence of Persistence Mechanisms 5 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/5 Steps

Analyzing Windows run keys with Registry Explorer and RegRipper

How to find evidence of persistence in startup folders

Windows Services overview and analysis

Detecting and analyzing malicious scheduled tasks

Persistence mechanisms analysis with Sysinternals Autoruns

5.8) Uncover Malicious Activity with Windows Event Log Analysis 10 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/10 Steps

Windows event logs overview

Analyzing Windows event logs with EventLogExplorer and EvtxECmd

Windows Defender event log analysis

Analyzing service installs using the System event log

Security event log and authentication events

Authentication events and logon IDs

PowerShell event logs overview

Analyzing malicious PowerShell events

Overview of the Sysmon event log and relevant event IDs

Detecting malicious events in Sysmon event logs

6) Windows Memory Analysis 8 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/8 Steps

Important files for memory analysis

Lab instructions – Linux Forensic VM

Gathering Windows system information with Volatility3

Detecting suspicious Windows processes

Dumping processes from the memory

Detecting and analyzing injected DLLs

Identifying process owners and associated SIDs

Detecting and analyzing malicious registry key entries from memory

7) Kitchen-Sink Analysis with Super Timelines 3 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/3 Steps

Super timeline analysis process and important requirements

Super Timeline overview with Timeline Explorer

Analyzing malicious activity using the Super Timeline

8) Reporting 1 Topic

You don't currently have access to this content

Lesson Content

0% Complete 0/1 Steps

Considerations and reporting types

9) Final! 1 Topic

You don't currently have access to this content

Lesson Content

0% Complete 0/1 Steps

Wrap up and next steps

Training

Training Tracks Analyst Defense Labs Hero Bundle Events

Company

About Us Contact & Support Imprint Terms & Conditions Privacy Policy

Community

Blog Join Discord Affiliate Program Career FAQs Subscribe to Newsletter →

Manage Consent

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Functional Functional Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

Manage options
Manage services
Manage {vendor_count} vendors
Read more about these purposes

Preferences

{title}
{title}
{title}

Scroll to Top

Training Waitlist

Join our waitlist and get notified when training becomes available.

Contact Information

First Name

Last Name

Country

email

Professional Experience

role

linkedin

I'm interested in

training

Personal Training Group Training Workshops Corporate Training

*By submitting this form, you’re agreeing that we will contact you and to receive our free email newsletter. (You’ll never be spammed and you can unsubscribe at any time.) We do not share your information with third-parties.