Windows Forensics Fundamentals is the first step into the world of computer forensics, covering a wide spectrum of aspects of the forensic investigation process performed on Windows OS. Participants will learn how different computer components work and how they can be inspected after a cyber-incident. The training will focus on developing hands-on capabilities of forensics teams or individual practitioners in these areas:

  • Searching the hard drive for evidence.
  • Processing hidden files that are invisible or inaccessible containing past-usage information.
  • Tracing Windows artifacts left behind by the operating system for clues of what the computer was used for.
  • Performing a forensics analysis on a computer to reveal usage details, recover data, and accomplish a full inspection even after the computer has been defragged or formatted.

The course targets participants with basic knowledge in IT or networking, who wish to have a deeper understanding of cyber investigations and the forensic process. Primarily:

  • Law enforcement officers & intelligence corps
  • Incident responders
  • Computer investigators
  • IT/network administrators
  • IT security personnel
  • Basic knowledge in IT or networking.
  • Participants should be familiar with the following concepts:
    • Computer components
    • Operating Systems
    • OSI model
  • CS001 provides a solid foundation of preliminary knowledge required for this course.

    40 Hours

    Cyber Security


    Certificate: No

    Price: contact us for more details

    Leave your details

    Course Outline


    • Understanding how computer hardware is utilized for forensic processes.
    • Accessing concealed files on the system and extracting relevant information from them.
    • Mastering the first steps of incident response by exercising different practices of a forensics investigation, such as uncovering hidden files, Windows Registry monitoring, using a forensics toolkit and more.
    • Acquiring basic knowledge in steganography techniques and its uses in forensics.
    • Analyzing relevant case studies and exercising the learnt topics hands-on.


    Course Outline

    Module 1: Examining Computer Hardware – 2 hours

    The first module will cover different components of computer hardware and explain how it is used by forensics investigators for extracting or retrieving information. It is also critical to understand how some characteristics of hardware are manipulated by hackers to store information on the computer, steal data or implant malware, for the investigation process of a cyber-crime. Participants will receive a deep understanding of how hardware works, accompanied by practical demos shown live during the class.

    • Hard-Disk Drive (HDD)
      • How it works
      • How data is stored
      • Deleted information
    • Memory
      • RAM – demo: extracting sensitive information
      • Cache memory
      • Memory files – what are they and where they are stored?
    • USB
      • Types of USB
      • How it works
      • Demo: USB data sniffing

    Module 2: Hacking into Windows Systems – 4 hours

    In this module participants will learn how to access protected or locked systems during the investigation process, and how to penetrate into encrypted machines. They will cover the differences between Windows versions and learn how to bypass the protections of each system to reach the data stored on the computer.

    • Differences between Windows operating systems
    • FAT vs. NTFS
    • Introduction to EFS
    • Bypassing Windows protection
      • “Loud” penetration
      • “Silent” penetration
      • Lab: penetrating an encrypted OS

    Module 3: Basics of Windows Forensics – 16 hours

    This module will immerse participants into processes of the actual forensic investigation. Starting with providing a solid base to the world of forensics and familiarization with fundamentals concepts and tools for every forensic investigator, up to advanced methods of restoring information, all including practical hands-on exercises. 

    • Hash – digital signature
      • The use of hash for forensics
      • Different kinds of hash
      • Case study: how the Israeli defense forces use hash for protection against trojans
    • Startup files
      • Msconfig
      • Autostart
      • Task manager
    • Mastering windows tools
      • Chkdsk
      • Defragment
      • Task list
    • Formatting vs. wiping
      • Different methods and tools
      • Demo: drive formatting on a closer look


      Restoring files

      • Hard disk
        • Deleted files
        • Fragmented files
        • Hidden files
      • Memory
        • Extracting data from RAM
        • Pagefile
        • Swap file
        • Registry files

      Module 4: Steganography Basics – 4 hours

      Steganography is the art of hiding secret messages or files within an ordinary file; it is used by cyber criminals to conceal sensitive information on the OS, under the disguise of existing files or folders. During this module students will explore some of the basic approaches of steganography in the world of forensics, and understand how to uncover information on the OS that the user tried to hide. Participants will receive a clear understanding of how files look from within the OS, and learn how incident response teams can detect tempered files.

      • Commands to the OS
      • Hiding files on Windows
      • Hiding files using ADS
      • Hexadecimal base
      • Viewing hexadecimal files


      Module 5: Windows Registry – 6 hours

      Windows Registry stores a large number of sensitive information and is the primary source of data extraction. During this module, participants will get to know the different locations where information can be found and extracted. They will perform the extraction and point out the data that is critical for the investigation, as well as become familiar with different monitoring processes. 

      • Registry hives
        • HKEY_USERS
      • Finding information
        • dat
        • Sam
        • System
      • Registry monitoring and analyzing tools
      • Labs:
        • Extracting data from registry
        • Forensics findings in the registry
        • Using registry commercial tools for investigating

      Module 6: Using Forensic Toolkit (FTK) – 8 hours

      FTK is a free tool used by most practitioners in the forensics industry. It allows the user to perform most processes of data extraction during a forensics investigation of Windows OS. During this module, students will learn the different capabilities of this tool, and exercise using some of its relevant functions, summarizing all the topics that were covered during this course.

      • Features of FTK
        • Making an image
        • Memory capturing
        • Extracting protected files
        • Mounting an image
      • Acquiring data
      • Using and managing filters
      • Decrypting EFS and other encrypted files
      • TestDisk
      • Event logs
      • Basics of writing a forensics report
      • Final lab – exercising the forensics process:
        • Bypassing an encrypted machine
        • Extracting information from the machine (users, logs, events, network status, running programs, etc.)
        • Writing a report