Windows Forensics


Table of Contents


Windows forensics is an essential skill in the cybersecurity world. This course covers a broad spectrum of aspects of the forensic investigation process performed on Windows OS. Participants will learn how different computer components work and how to investigate after a cyber-incident. The training will focus on developing hands-on capabilities of forensics teams or individual practitioners in these areas:

  • Searching the hard drive for evidence
  • Processing hidden files that are invisible or inaccessible containing past-usage information
  • Performing a forensic analysis on a computer to reveal usage details, recover data, and accomplish a full inspection after the machine has been defragged or formatted

How to make the most of this course?

In order to succeed in the course, the following requirements must be met:

  • Participation in all practical laboratories
  • Self-work at home between lessons
  • Repetition of materials, self-learning, performing tasks, etc…

In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.
A personal computer suitable for running virtual machines, with an Internet connection
Transition of the scenarios in the Cyberium Arena.

Target audience

This course targets participants with basic knowledge in IT or networking, who wish to have a deeper understanding of cyber investigations and the forensic proces

  • Law enforcement officers & intelligence corps
  • Incident responders
  • Computer investigators
  • IT/network administrators


  • Accessing concealed files on the system and extracting relevant information
  • Mastering the steps of incident response
  • Analyzing relevant case studies


ThinkCyber Level-1 Courses



The first module will cover different components of computer hardware. Participants will learn the main components of Storage-Disks, the structure of the Windows OS, and finally, the participants will install their first virtual forensics stations.

Technical content

  • Drives and Disks
    o The Anatomy of a Drive
    o Data Sizes
    ▪ Data Representation
    ▪ Hexadecimal
    ▪ ASCII
    ▪ Binary
    o Volumes & Partitions
    o Disk Partitioning and the Disk Management Tool
    ▪ MBR vs. GPT
    ▪ Understanding UEFI
    ▪ The HPA
    o Solid State Drive (SSD) Features
  • Understanding Windows OS structure
    o The filesystem
    o FAT
    ▪ FAT Structure
    ▪ File Allocation and Deletion
    o NTFS
    ▪ NTFS Structure
    ▪ Volume Boot Record
    ▪ Master File Table
    o The EFS Encryption
    o Windows Directory Structure
  • Virtualizing a Forensics Workstation
    o Setting up a Virtual Machine
    o Installing and Configuring the VM
    o Preparing the Environment


This module will expose participants to the internal components of the Windows OS. Participants will learn about tools that will help them with the forensics investigation process.

Technical content

  • Understanding Hashes and Encodings
    o Hash as a Digital Signature
    o The Use of Hash for Forensics
    o Base Encodings
  • Windows Artifacts
    o Startup Files
    o Jump List
    o Thumbnail Cache
    o Shadow Copy
    o Prefetch and Temp Directories
    o RecentApps
    o Registry Hives
  • Windows Passwords – Bypassing Windows Protection
    o Encryptions in the Windows OS
    ▪ Bit locker
    ▪ NTLM
    ▪ Kerberos
    o Cracking Windows Passwords
    o Cracking RAR/ZIP Passwords
  • Data and Files structure
    o Hexadecimal Editing Tools
    ▪ WinHex
    ▪ HxD
    o File Structure
    ▪ Headers and Trailer
    ▪ Magic Number
    o Embedded Metadata
    o Working with Clusters
    ▪ Slack Space
    ▪ Unallocated and Allocated Spaces


During this module, participants will master techniques for collecting evidence, accessing, and retrieving volatile and non-volatile information.

Technical content

  • Forensic Data Carving
    o Using HxD for Forensics Carving
    ▪ Carving Files from an Existing File
    o Automatic File Carving Tools
    ▪ Foremost
    ▪ Scalpel
    ▪ Bulk-Extractor
  • Collecting Information
    o Indenting Evidence of Program Execution
    ▪ Extracting Registry Artifacts
    ▪ Event Viewer
    ▪ The Audition Policy
    ▪ Windows System Metadata
    o Detecting Hidden Files using ADS
    o Self-Extracting Archives (SFX)
    o Collecting Network Information
    ▪ Network Information
    ▪ Network Connections
    o Sysinternals-Suite Forensic Tools
    o Extracting Credentials using NirSoft
  • Drive Data Acquisition
    o Introduction to FTK-Imager
    ▪ Exploring System Files
    ▪ Creating an Image
    ▪ DD as an Alternative Image Capture Tool
    o Capturing Volatile-Memory
    ▪ Capturing a Memory-File
    ▪ Capture Methods and Technics
    ▪ Pagefile
    ▪ Hiberfil.sys


In this module, participants will understand how to uncover hidden information, detect tampered files, work with memory, and analyze the RAM.

Technical content

  • Analyzing captured images
    o Features of FTK
    ▪ Extracting Protected Files
    ▪ Mounting an Image as a Drive
    ▪ Volatile Memory Capturing
    o MFT Dump
    ▪ Identifying Potential Threats
    ▪ Visualizing an MFT Reconstruction using DMDE
    o Analyzing Prefetch Files
    o Reconstructing Explorer with ShellBags
  • Working with Volatile-Memory
    o Extracting Data from RAM
    o Identifying Network Connections
    o Dumping Processes from Memory
  • Registry analysis
    o Using AccessData Registry Viewer to analyze Registry dumps
    o Finding user Information using Ntuser.dat and usrclass.dat
    o Using CLI to Access the Registry
    o Extracting Data from Registry
    o Forensics Findings in the Registry
  • Anti-Forensics Techniques
    o Wiping Drives
    o Advanced Stenographic Methods
    o File Obfuscation Techniques
    o Data Forgery
    o Drive and File Encryption
    o Artifact Removing


Participants will study different forensics reports prepared by investigators following past incidents and learn how to write a professional report, including which points to consider when addressing the documentation of findings of an event.

Technical content

  • Introduction to report writing
    o Device Identification
    o Preservation of Data
    o Collecting Evidence
    o Examination and Analysis
    o Documentation
    o Evidence Presentation
    o Final Guidelines


The following labs are part of the actual BT210 course:
  • Lab 1 Virtualization Forensics Workstation
  • Lab 2 Understanding Hashes and Encryption
  • Lab 3 Using Artifacts
  • Lab 4 Understanding Windows Authentications
  • Lab 5 Data and Files Structure
  • Lab 6 Forensic Data Carving
  • Lab 7 Collecting Windows Information
  • Lab 8 Drive Data Acquisition
  • Lab 9 Analyzing Captured Images
  • Lab 10 Working with Volatile-Memory
  • Lab 11 Registry Analyzes
  • Lab 12 Forensics Report

Real Cases Studies

Case Study #1 (WF001)
A small finance company named Bitsafe has suffered from a collision attack. The incidents caused the loss of $130,000, by exploiting and forging the digital signature of a transaction between clients, allowing the attacker to break the communication encoded with the SHA-1 algorithm.
Case Study #2 (WF002)
Cellebrite, a company that provides digital forensics tools and software, was hacked. The hacker managed to extract 100 GB of photos containing law enforcement investigations evidence. The hacker has not yet publicly released anything from the stolen data archive, which includes customers' information, databases, and other technical data.

 Course type

This course is delivered in the following ways:

  • Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
  • In situe classroom with proctored labs and scenarios executed in our Cyberium Arena

All sessions are recorded and attendees can replay them  during 30 days. All course material is electronically made available to the participant.

 Course Group:


 Hands-on / Theory MiX

The following course incorporates a high level of hands-on labs exercises, as well as real life case studies.

1 %
Case Studies


This course prepares the participant to the following certification:

  • CHFI (EC|Council)

Required EqUIPMENT

Network connection

As this course extensively uses a cloud based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.

BYOD – Bring Your Own Device

As it is a very practical course, and in order for the participants to make the most of the course, they need a laptop with the following capabilities:

  • Audio and Video
  • 8 GB RAM
  • 200 GB Disk Space
  • Virtualization capabilities ( supporting latest version of Virtualbox or similar virtual machine application)

And also a Good Headset with Mic

More Details