Did you know Windows is actually silently recording an unbelievable amount of data about you and your users? Windows Forensic Analysis (FOR500) teaches you how to mine this mountain of data. Focused on building in-depth digital forensics knowledge of Microsoft Windows operating systems, this course will help you understand that forensic capabilities and artefacts are a core component of information security, covering areas such as how to:

  • Recover, analyse, and authenticate forensic data on Windows systems
  • Track particular user activity on your network and organise findings for use in incident response
  • Conduct internal investigations
  • Support civil/criminal litigation

You will be able to use your new skills to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. 


Learning Outcome

The artefacts and tool-agnostic techniques you will learn will lead to the successful analysis of any cyber incident and crime involving a Windows Operating System. This includes:

  • Conduct in-depth forensic analysis of Windows operating systems and media exploitation focusing on Windows 7, Windows 8/8.1, Windows 10, and Windows Server 2008/2012/2016
  • Identify artefact and evidence locations to answer critical questions, including application execution, file access, data theft, external device usage, cloud services, geolocation, file download, anti-forensics, and detailed system usage
  • Focus your capabilities on analysis instead of how to use a particular tool
  • Extract critical answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation

Who Should Attend?

  • Information security professionals: learn the in-depth concepts of Windows digital forensics investigations
  • Incident response team members: use deep-dive digital forensics to help solve their Windows data breach and intrusion cases and perform damage assessments
  • Law enforcement officers, federal agents, and detectives: become deep subject-matter experts on digital forensics for Windows-based operating systems
  • Media exploitation analysts: master tactical exploitation and Document and Media Exploitation (DOMEX)
  • Anyone who has a background in information systems, information security, and computers and is interested in understanding Windows forensics in-depth

This course is perfect for you if you are interested in in-depth and current Microsoft Windows Operating System forensics and analysis for any incident that occurs. If you have not updated your Windows forensic analysis skills in the past three years or more, this course is essential.


Eligibility Criteria

There are no prerequisite courses required to take this course.

Please note that this is an analysis-focused course; FOR500 does not cover the basics of evidentiary handling, the "chain of custody," or introductory drive acquisition. Our authors update FOR500 aggressively to stay current with the latest artefacts and techniques discovered. 


This course is endorsed under Critical Infocomm Technology Resource Programme Plus (CITREP+) Programme.
To find out more about CITREP+ funding, please refer to Programme Support under the CITREP+ page.

Information is accurate as of 30 December 2019