FOR500: Windows Forensic Analysis

FOR500 | Digital Forensics and Incident Response
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course created by:
Heather Barnhart, Ovie Carroll, Mattia Epifani & Rob Lee
  • GIAC Certified Forensic Examiner (GCFE)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • Essential Skill Level

    Course material is for individuals with an understanding of IT or cyber security concepts

  • 22 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Gain an essential understanding of Windows artifacts and learn to perform digital forensics in Microsoft Windows operating systems to recover, analyze, and authenticate data and solve a forensic case.

Course Overview

FOR500 builds comprehensive Microsoft Windows forensics knowledge, providing the means to recover, analyze, and authenticate forensic data, track user activity on the network, and organize findings for use in incident response, internal investigations, intellectual property theft inquiries, and civil or criminal litigation. Use this knowledge to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Detailed, real-world exercises teach the tools and techniques that every investigator should employ, step by step, to solve a forensic case. Newly updated to cover all Windows versions through Windows 11! It is also the foundational course for those pursuing the GCFE certification (GIAC Certified Forensic Examiner), one of the most respected credentials in the digital forensics community.

What You’ll Learn

  • Conduct in-depth forensic analysis of Windows operating systems and media exploitation
  • Identify artifact and evidence locations to answer crucial questions
  • Become tool-agnostic by focusing your capabilities on analysis
  • Extract critical findings and build an in-house forensic capability
  • Establish structured analytical techniques to be successful in any security role

Business Takeaways

  • Build an in-house digital forensic capability that can rapidly answer important business questions and investigate crimes
  • Use deep-dive digital forensics to help solve Windows data breach cases
  • Understand the wealth of telemetry available in the Windows Enterprise
  • Identify forensic artifact and evidence locations to answer crucial questions
  • Receive a pre-built forensic lab setup via a variety of free, open-source, and commercial tools
  • Build tool-agnostic investigative capabilities by focusing on analysis techniques

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in FOR500: Windows Forensic Analysis.

Section 1: Digital Forensics and Advanced Data Triage

Section 1 examines digital forensics in today’s interconnected environments and discusses challenges associated with mobile devices, tablets, cloud storage, and modern Windows operating systems.

Topics covered

  • Windows Operating System Components
  • Core Forensic Principles
  • Live Response and Triage-Based Acquisition Techniques

Labs

  • Carving Important Files from Free Space
  • Recovering Critical User Data
  • Parse Metadata Information in NTFS Master File Table and USN Journal

Section 2: Registry Analysis, Application Execution, and Cloud Storage Forensics

In this section, digital forensic investigators will learn how to discover critical user and system information in the Windows Registry that is pertinent to almost any investigation.

Topics covered

  • Registry Core and Forensics In-Depth
  • Profile Users and Groups
  • Core System Information

Labs

  • Examining Which Applications a User Executed
  • Examining Recently Opened Files
  • Perform Cloud Storage Forensics

Section 3: Shell Items and Removable Device Profiling

In this section, students will learn how to perform in-depth USB device examinations on all modern Windows versions. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, drive capacity, and even the unique serial number of the device used.

Topics covered

  • Shell Item Forensics
  • ShellBag Analysis
  • USB and BYOD Forensic Exams

Labs

  • Understand MSC, HID, and MTP Device Differences
  • Track USB and BYOD Device Data
  • Track Bluetooth and Printers

Section 4: Email Analysis, Windows Search, SRUM, and Event Logs

Section 4 arms investigators with the core email analysis knowledge and capabilities needed to maintain and build upon this skill for many years to come.

Topics covered

  • Email Forensics
  • Forensicating Additional Windows OS Artifacts
  • Windows Event Log Analysis

Labs

  • Search for Email and File Attachments with Forensic Tools
  • Analyze Message Headers and Gauge Email Authenticity
  • Collect Evidence from Microsoft and Google Tools

Section 5: Web Browser Forensics

During this section, students will comprehensively explore web browser evidence created during the use of Google Chrome, Microsoft Edge, Internet Explorer, and Firefox. The hands-on skills taught here, such as SQLite, LevelDB, and ESE database parsing, allow investigators to extend these methods to nearly any browser they encounter.

Topics covered

  • Browser Forensics
  • Private Browsing and Browser Artifact Recovery
  • SQLite and ESE Database Carving

Labs

  • Parse Automatic Crash Recovery Files
  • Identify Anti-Forensics Activity
  • Recover Microsoft Teams and Slack Chats

Section 6: Windows Forensic Challenge

Nothing will prepare you more as an investigator than a complete hands-on challenge requiring you to use all the skills and knowledge presented throughout the course.

Things You Need To Know

Relevant Job Roles

  • Forensics Analyst (DCWF 211) [DoD 8140: Cyber Enablers]: Investigates cybercrimes, analyzing digital media and logs to establish documentary or physical evidence in support of cyber intrusion cases.
  • Insider Threat Analysis [NICE: Protection and Defense]: Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.
  • Digital Forensics Analyst [Digital Forensics and Incident Response]: This expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.
  • Digital Forensics (OPM 212) [NICE: Protection and Defense]: Responsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
  • Cybercrime Investigation (OPM 221) [NICE: Investigation]: Responsible for investigating cyberspace intrusion incidents and crimes. Applies tactics, techniques, and procedures for a full range of investigative tools and processes and appropriately balances the benefits of prosecution versus intelligence gathering.
  • Military Operations / Law Enforcement Agents [Digital Forensics and Incident Response]: Execute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
  • Cyber Crime Investigator (DCWF 221) [DoD 8140: Cyber Enablers]: Collects and preserves digital evidence using documented techniques to support analytical and investigative objectives in cyber operations.
  • Cyber Defense Incident Responder (DCWF 531) [DoD 8140: Cybersecurity]: Responds to and investigates network cyber incidents, performing analysis to mitigate threats and maintain cybersecurity in enclave environments.
  • Cyber Defense Forensics Analyst (DCWF 212) [DoD 8140: Cybersecurity]: Analyzes digital evidence to investigate computer security incidents and support mitigation of vulnerabilities and ongoing threat response.
  • Cybersecurity Analyst / Engineer [Cyber Defense]: As this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization's data.
  • Digital Evidence Analysis (OPM 211) [NICE: Investigation]: Responsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.

Course Schedule & Pricing

Scheduled offerings (8 of 25 shown; prices exclude applicable local taxes):

  • Virtual (OnDemand), instructed by Heather Barnhart. OnDemand (Anytime), self-paced, 4 months access. $8,780 USD.
  • Singapore, SG & Virtual (live), instructed by Ovie Carroll. $8,900 USD.
  • London, GB & Virtual (live), instructed by Mari DeGrazia. £7,160 GBP (EUR price available during checkout).
  • Riyadh, SA & Virtual (live), instructed by Jason Jordaan. $8,900 USD.
  • Washington, DC, US & Virtual (live), instructed by Ovie Carroll. $8,780 USD.
  • Salt Lake City, UT, US & Virtual (live), instructed by Mari DeGrazia. $8,780 USD.
  • Boston, MA, US & Virtual (live), instructed by Ovie Carroll. $8,780 USD.
  • Virtual (live), instructed by Kathryn Hedley. €8,230 EUR.

Benefits of Learning with SANS

  • Get feedback from the world's best cybersecurity experts and instructors
  • Choose how you want to learn: online, on demand, or at our live in-person training events
  • Get access to our range of industry-leading courses and resources