Course Overview

The objective of this course is to show students how to perform a full digital forensic investigation of a Windows system in a complete DIY setup.

The course covers a full digital forensic investigation of a Windows system. It begins with the simple preparation of our lab, which consists of setting up a "victim" VM and a forensic workstation. We'll then run an attack simulation script on the victim VM that simulates attack patterns as commonly observed by threat actors in the industry to create a realistic setting for our investigation. From there, we’ll kick off the forensic process, beginning with the data collection, examination and extraction before diving deeper into the analysis of the information at hand.

The data analysis section consists of a comprehensive investigation, including various tools and many different forensic artifacts with which every analyst should be familiar. We will not only analyze artifacts, but also discuss their behavior to learn when, why and how to interpret the data contained within these artifacts. The investigation covers Windows disk and memory artifacts and ends with the analysis of the timelines generated from both.

This course also covers many important artifacts and concepts relating to Windows forensic analysis. We'll use several freely available tools for the analysis that are well known and recognized in the industry. The student will leave the course with a comprehensive understanding of the forensic process, important Windows artifacts and forensic tools and a forensic workstation available and ready to go for future investigations.


System Requirements

•  Basic IT knowledge

•  Familiarity with Windows operating systems and virtualization

•  Basic knowledge of command line utilities (Windows CMD, PowerShell, Ubuntu)

•  Critical thinking, curiosity, passion for investigations and solving cases

•  Min. 4GB RAM and 60 GB storage; Ideally, 8GB RAM, 2+ CPUs and 150GB storage (specifically for the last section "Super timelines")

 

Q&As

* Where can I find support? You can find support through the Discord channel: https://discord.gg/WKsaGE2CV3 Please be patient, self-determined and willing to learn. That's the only way to gain the skills you want!

* Will you be able to provide any of the VM's? Due to licensing restrictions, unfortunately not.

* Where is the course material hosted? The course material is hosted on Github: https://github.com/bluecapesecurity/PWF

Who Should Take Practical Windows Forensics?

•  Beginners wanting to break into cyber security
•  SOC Analysts, Junior and senior IT security staff
•  Current DFIR and security analysts
•  Blue Teamers / Red Teamers / Penetration Testers
•  Lawyers and compliance staff


"Everything I wish I knew when I started analyzing Windows systems as a DFIR consultant."

Hacker Stealing Information Example

Practical Windows Forensics Course Curriculum - 11 Hours

  1) Welcome to Practical Windows Forensics (PWF)
Available in days
days after you enroll
  2) Lab Requirements
Available in days
days after you enroll
  3) Setting up your forensic workstation
Available in days
days after you enroll
  4) Prepare your target system
Available in days
days after you enroll
  5) Data collection process
Available in days
days after you enroll
  6) Examination of the forensic data
Available in days
days after you enroll
  7) Disk analysis introduction
Available in days
days after you enroll
  7.1) Windows registry analysis
Available in days
days after you enroll
  7.2) User behavior analysis
Available in days
days after you enroll
  7.3) Overview of disk structures, partitions and file systems
Available in days
days after you enroll
  7.4) Analysis of the Master File Table (MFT)
Available in days
days after you enroll
  7.5) Finding evidence of deleted files with USN Journal analysis
Available in days
days after you enroll
  7.6) Analyzing evidence of program execution on Windows systems
Available in days
days after you enroll
  7.7) Finding evidence of persistence mechanisms
Available in days
days after you enroll
  7.8) Uncover malicious activity with Windows event log analysis
Available in days
days after you enroll
  8) Windows memory forensic analysis
Available in days
days after you enroll
  9) Kitchen-Sink analysis with Super Timelines
Available in days
days after you enroll
  10) Reporting
Available in days
days after you enroll
  11) Final
Available in days
days after you enroll
Markus Schober - Course Instructor

About the Instructor: Markus Schober

Markus Schober is the founder of Blue Cape Security, where he offers defensive cyber security training and career development services. Prior to founding the company, Markus worked in the incident response and digital forensics (DFIR) industry for over 7 years as a Principal Consultant and manager at IBM X-Force. There, he led numerous engagements responding to cyber attacks as well as trained and mentored cyber security professionals. He also has many years of software engineering experience in both the United States and Europe.

Markus has a Masters in Information Technology and currently holds or has held certifications such as the CISSP, GCFA and GCIH, amongst others.

Markus’ mission is to help close the gap between professionals and organizations in the cyber security industry by democratizing training and disrupting hiring processes. When not working, he enjoys spending time with his family, traveling and following various sport events.

 

Social media links

Website - https://www.bluecapesecurity.com

LinkedIn - https://www.linkedin.com/in/markusschober123/

Twitter - https://twitter.com/mascho

Discord - https://discord.gg/WKsaGE2CV3

all-access membership wolf logo

This course is included in our
All-Access Membership
starting at $29.99/month

Get full access to the Practical Windows Forensics course and our full course catalog when you enroll in our All-Access Membership.

Frequently Asked Questions


Can I get a refund if I'm unhappy with my purchase?

Yes. All courses come with a 24-hour money-back guarantee.


Will I receive a certificate of completion when I finish a course?

Yes. All courses come with a certificate of completion.


Do the courses count as Continuing Education Units (CEUs)?

Yes. Every certificate of completion comes with the total CEUs earned listed on the certificate.

What is the All-Access Pass?

As of July 1st, 2023 TCM Academy transitioned to a monthly subscription model, where you now receive full access to all of the courses on our platform for as long as your subscription remains active.


What if you already own courses on TCM Academy?

If you already own a course on our platform, you will continue to own that course forever. Previously owned courses will not be affected by this change.


I can see the course, but it won’t load or play. What should I do?

We use Cloudflare to protect our course platform and unfortunately, it does not play nice with VPNs. If you are experiencing issues, turn off your VPN and try again. If that does not solve the issue, please contact our support team at [email protected] and we will help you out.