FIVE   |   TWELVE   |   92%   |   40

        SCENARIOS                     LABS                            HANDS-ON           DURATION

Windows Forensics is an essential skill in the cybersecurity world. This training covers a broad spectrum of aspects of the forensic investigation process performed on Windows OS. Participants will learn how different computer components work and how they can investigate after a cyber-incident. The training will focus on developing hands-on capabilities of forensics teams or individual practitioners.

LAB 01

Virtualization Forensics Workstation

LAB 02

Understanding Hashes and Encryption

LAB 03

Using Artifacts

LAB 04

Understanding Windows Authentications

LAB 05

Data and Files Structure

LAB 06

Forensic Data Carving

LAB 07

Collecting Windows Information

LAB 08

Drive Data Acquisition

LAB 09

Analyzing Captured Images

LAB 10

Working with Volatile-Memory

LAB 11

Registry Analyzes

LAB 12

Forensics Report

Scenario: WF001

A small finance company named Bitsafe has suffered from a collision attack. The incidents caused the loss of $130,000, by exploiting and forge the digital signature of a transaction between clients, allowing the attacker to break the communication encoded with the SHA-1 algorithm.


Scenario: WF002

Cellebrite company that provides digital forensics tools and software was hacked. The hacker managed to extract 100 GB of photos containing law enforcement investigations evidence. The hacker has not yet publicly released anything from the stolen data archive, which includes customers' information, databases, and other technical data.

Annotation 2020-05-21 193232.jpg

Scenario: WF003

Researchers from the “SciTech” institute have discovered some images taken by criminals from the dark web markets. Digital images come with basic metadata, as well as EXIF data that contains information about the device with which it was taken. The forensics investigator has been asked to reveal the locations of the images for further investigation.


Scenario: WF004

A CTO of a small stocks marketing company claimed that he found suspicious activity on his laptop. He stated that some of his files suddenly moved from one location to another when other files seem to be modified on illogical dates. He asked you as the Forensics expert to check if you can find anomaly indicators that are relevant to his files.


Scenario: WF005

A large transnational company related services and products in Tourism had unauthorized access lately. Some weird cronjobs were created, and there has been some unexpected outgoing traffic. We think someone has gained access to the server and managed to create a backdoor using the website itself.

  • White LinkedIn Icon
  • White Facebook Icon

Ze'ev Jabotinsky St 7,
Ramat Gan, IL.

© 2020 by ThinkCyber