Effort: 4-8 weeks (40h trainer-led)
Format: Self-paced or instructor-led
Certifies: City & Guilds Assured
Prerequisites: Basic knowledge of Windows OS
For teams & organizations: volume pricing, instructor-led delivery, custom scenarios.
1,600
NX212 – Windows Forensics
Valid for 6 months
// NX DEFENSE · LEVEL 3 · NX212
Windows Forensics
Investigate Windows system incidents
Master professional forensics techniques to analyze system artifacts, collect digital evidence, and conduct thorough investigations in Windows environments.
Overview
This course provides comprehensive training in Windows digital forensics, covering evidence collection, analysis, and incident reconstruction on Windows systems. Students learn to examine file systems, memory, network traffic, and malware using industry-standard forensic tools and techniques. The curriculum progresses from fundamental data structures through advanced artifact analysis, preparing investigators to conduct thorough forensic examinations during and after cyber incidents. Content emphasizes hands-on investigation skills using tools like FTK, Volatility, and hex editors across eleven focused modules.
Learning Objectives
By the end of this course, students will be able to:
- Analyze file and disk structures using hex editors to examine binary data, offsets, and encoding systems
- Recover deleted or fragmented files through automated carving techniques
- Extract and interpret metadata from Windows system files for forensic evidence
- Identify and extract hidden data using steganography detection and analysis tools
- Examine Master File Table (MFT) entries and disk structures using the Forensic Toolkit (FTK)
- Analyze Windows Registry hives including NTUSER.DAT to uncover user activities and system configurations
- Reconstruct user activity timelines from digital artifacts including browser history, shadow copies, and cached data
- Create and analyze memory images using Volatility to extract volatile system and process data
- Interpret Windows Event Logs and configure audit policies for comprehensive forensic logging
- Investigate network connections and traffic patterns to identify suspicious communications and darknet activity
- Perform static and dynamic malware analysis to identify malicious software behavior and signatures
Course Modules
- Files and Disks
  This module establishes the foundation for Windows forensics by covering digital data fundamentals, encoding systems, and number systems essential for investigations. Students explore binary and hexadecimal formats, digital sizes, and the unique characteristics of Solid State Drives, while gaining practical experience with hex editors to view and manipulate file and disk data at the binary level.
- Automatic Carving
  Students learn advanced techniques for recovering deleted or fragmented files from disk images and unallocated space. The module covers automated carving tools and methodologies that identify file signatures and reconstruct complete files without relying on file system metadata, a critical skill when investigating systems where data has been deliberately deleted or corrupted.
- Metadata
  This module focuses on extracting and analyzing metadata embedded in Windows system files, including file creation times, modification dates, access records, and ownership information. Students learn how metadata provides crucial timeline evidence and context for forensic investigations, and practice using tools to preserve and interpret this information across various file types and system artifacts.
- Steganography
  Students gain hands-on experience detecting, extracting, and analyzing hidden data concealed within other files through steganographic techniques. The module covers visual analysis, automated detection tools, and specialized forensic software for recovering hidden information from images, documents, and other file types, while also teaching students how steganography works to better identify its use in investigations.
- File System Analysis
  This module provides in-depth training on Windows file system structures, focusing on NTFS architecture, the Master File Table (MFT), and system file analysis. Students learn to use the Forensic Toolkit (FTK) to examine disk images, navigate complex file system metadata, recover deleted files, and reconstruct file activities from MFT entries and other file system artifacts.
- Registry Analysis
  Students explore the Windows Registry structure, learning to extract and interpret data from registry hives that contain critical evidence of user activities, system configurations, and installed software. The module emphasizes analysis of NTUSER.DAT and other hives using specialized registry viewers, teaching techniques for conducting targeted searches and correlating registry data with other forensic evidence.
- Artifacts
  This module trains students to identify, extract, and correlate digital artifacts left by user activities across the Windows system. Coverage includes browser forensics (history, cache, downloads), Volume Shadow Copies, temporary files, and application artifacts, with emphasis on building comprehensive activity timelines by connecting diverse evidence sources into coherent investigative narratives.
- Memory Analysis
  Students master techniques for capturing RAM images and analyzing volatile system memory using Volatility and other specialized tools. The module covers memory structure fundamentals, process analysis, network connection enumeration, and data carving from memory dumps, providing skills to extract evidence of running processes, malware, passwords, and system state that exists only in volatile memory.
- Windows Events
  This module focuses on leveraging Windows Event Logs for forensic reconstruction, teaching students to navigate System, Security, Application, and custom logs using Event Viewer. Students learn to configure audit policies for comprehensive logging, conduct targeted searches within logs, and interpret events to detect unauthorized access, policy violations, system changes, and anomalous activities during investigations.
- Network Analysis
  Students learn to investigate network activities on Windows systems by analyzing network protocols, services, and traffic patterns. The module covers packet capture and analysis, network connection mapping, suspicious connection identification, and darknet activity detection, equipping students to reconstruct network events and trace potential attack origins through network forensic evidence.
- Malware Analysis
  This final module covers both static and dynamic malware analysis techniques essential for identifying and understanding malicious software on Windows systems. Students learn to examine malware without execution through static analysis, observe behavior in controlled environments through dynamic analysis, identify malware through signature detection, and understand advanced protection mechanisms like NX (No Execute) to defend against evolving threats.
// Where you'll do all of this
You won't watch this. You'll run it live.
Every module above is executed inside Cyberium Arena — real tools on real nodes, deployed on the live internet, with live threat intelligence running from your first login. Not a sandbox. Not a VM. Not a video.
Delivery and Assessment
The course emphasizes hands-on learning through practical exercises with forensic tools including FTK, Volatility, hex editors, and registry viewers. Students work through realistic investigation scenarios analyzing actual disk images, memory dumps, and system artifacts, progressing from basic file analysis through complex malware and network forensics investigations.
Certification
Certificate of completion. This course prepares students for the ThinkCyber Windows Forensics certification, accredited by City & Guilds.
Trusted since 2016 — national police, military cyber units & Fortune 500 teams · City & Guilds Assured