Introduction to Windows Forensics

Windows systems run enterprises, governments, and critical infrastructure around the world. When something goes wrong, organizations need examiners who can find out what happened, how it happened, and who was responsible.

Introduction to Windows Forensics gives you that foundation. You will learn how Windows systems generate persistent evidence through file structures, registry hives, event logs, caches, and application traces, and how each contributes to reconstructing user actions or malicious activity. You will also build the core investigative habits that every good analyst needs: maintaining forensic integrity, validating sources, following a consistent methodology, and approaching every case with a hypothesis in mind.

This is the first course of the Windows Forensics Learning Path. It assumes no prior forensic experience and is designed as a prerequisite for intermediate/advanced courses that are arriving later this year.

• The Investigative Mindset
• The Digital Forensic Process
• Foundational Principals
• Understanding How Data Is Stored
• Sources of Digital Evidence
• The Windows Operating System
• DFIR Software and Hardware
• Evidence Acquisition

• Computer capable of running a Windows 11 virtual machine
• Recommended: 16 GB RAM, modern multi-core CPU, ~100 GB free disk space
• Virtualization software: VMware Workstation Player, VirtualBox, or Hyper-V
• Note for Apple Silicon users (M1/M2/M3/M4): This course is built around x86/x64 Windows tooling. Apple Silicon Macs run ARM and rely on emulation (via Parallels or VMware Fusion with Windows 11 ARM) to run the lab environment, which can introduce compatibility issues with some forensic tools. An x86/x64 Windows or Linux host is strongly recommended.

• Basic computer literacy and comfort working in Windows
• Familiarity with the Windows command line or PowerShell
• No prior digital forensics experience required. The course is built for aspiring DFIR analysts, SOC analysts, IT professionals moving into security, and career-changers entering the field.
• Familiarity with running a virtual machine

Introduction to Windows Forensics is built for anyone who wants to develop practical, job-ready forensics skills on Windows systems. Whether you are new to DFIR or expanding your existing security skillset, you will leave with the foundational knowledge needed to start examining systems with confidence.

This course is well-suited for:

• Aspiring DFIR analysts
• SOC analysts looking to expand their skill set
• IT professionals moving into security
• Cybersecurity students and career changers looking to build their skills

• Course Introduction
  • Lab Setup
• The Investigative Mindset
  • What is Digital Forensics?
  • Digital Forensics and Incident Response (DFIR)
  • Roles in DFIR
  • The Investigative Mindset
  • The Iterative Investigation Loop
  • Telling the Story
  • Ethics and Objectivity
  • Scope, Authorization, and Handling Sensitive Material
  • Corroboration and Proving Knowledge
  • Professional Discipline
  • Your First Investigation
  • Quiz
• The Digital Forensic Process
  • The Digital Forensic Process
  • System Preservation
  • Live and Dead Forensics
  • Evidence Searching
  • Keyword Searching with Autopsy
  • The PICL Guidelines
  • Event Reconstruction
  • The Incident Response Lifecycle
  • Quiz
• Foundational Principals
  • Hashing & Integrity Verification
  • Maintaining Chain of Custody
  • Quiz
• Understanding How Data is Stored
  • Exploring Data at the Hex Level
  • Quiz
• Sources of Digital Evidence
  • Endpoint Devices
  • VMs, Mobile, and Peripherals
  • RAM, Network, and Cloud Evidence
  • Emerging Evidence Sources
  • Quiz
• The Windows Operating System
  • Windows Artifact Hunting
  • Quiz
• DFIR Software and Hardware
  • Setting Up Your Forensic Workstation
  • Quiz
• Evidence Acquisition
  • Acquiring a Memory Image
  • Checking for Encryption
  • Acquiring a Forensic Image
  • Quiz
  Conclusion
  • Course Wrap Up