
Windows Endpoint Investigation

Learn to Investigate Windows Systems Like a Professional Investigator

Answer the questions that matter: What ran? Who was here? How did the attacker move? What persistence did they install? What data left the network? What did they try to hide? Work through real forensic artifacts, build timelines across multiple hosts, detect anti-forensics, and complete two full capstone investigations.


What you'll be able to do

Build forensic capabilities, allowing you to reconstruct the critical activities carried out by the adversary
Demonstrate knowledge and expertise to help solve data breaches
Manage incident cases and support stakeholders throughout the investigative process
Defend and validate the case management and investigative process
Develop reporting capabilities and presentation of forensic findings
FOR501 | Specialist tier | 15 modules across 4 phases | 36–40 hours at your own pace | 40 CPE credits | 5 free preview lessons - no account needed | All tools free | Updated June 2026

Course overview

The Windows Endpoint Investigation course gives you the practical, hands-on expertise to forensically collect, analyse, and interpret data from Windows systems - turning raw artefacts into clear evidence for incident response and internal investigations.

Learn how to:

Track user activity across networks and endpoints with precision
Organise and present findings that stand up in real investigations
Validate security tools, strengthen vulnerability assessments, and uncover insider threats
Hunt down hackers and close critical gaps in your security policies

By the end, you'll have the complete skillset of a confident Windows forensics investigator - ready to support breach response, internal probes, and proactive defence.

Who this course is for

You're a SOC analyst, incident responder, security engineer, or IT professional with a sharp investigative mindset and you're ready to specialise in Windows forensics.

This course is designed for you if you want to:

Gain deep, practical mastery of Windows artefacts and how attackers leave traces
Learn to forensically capture, analyse, secure, and present digital evidence that stands up in real investigations
Move from basic log review to conducting full-scope Windows-based cyber investigations
Support incident response, internal probes, insider threat hunts, and proactive defence

In short: if you want to become the go-to expert who can track user activity, uncover hidden evidence, and deliver clear findings across Windows systems, this course is for you.

What you'll learn

By the end of this Windows Endpoint Investigation course you will be able to:

Master Windows artefacts and perform full-scope digital forensics on Microsoft Windows systems
Forensically capture, analyse, secure, and present digital evidence that stands up in real investigations
Conduct deep forensic analysis of Windows systems, media, and endpoints
Rapidly locate critical artefacts and evidence to answer key investigation questions
Apply structured processes and repeatable analytical techniques to build advanced on-the-job forensic capability
Extract actionable findings and turn them into clear, investigative reports or incident response deliverables

Key course takeaways

Build production-ready forensic capabilities that let you rapidly answer critical questions and lead full cyber incident investigations
Develop the real-world expertise to investigate and resolve data breaches and insider threats with confidence
Master the most important Windows artefacts and evidence locations across endpoints, systems, and media
Quickly locate, extract, and present the exact evidence needed to support investigations, legal matters, and business decisions
Set up a complete, ready-to-use forensics lab using free, open-source, and commercial tools
Create repeatable, process-driven investigative workflows that make you highly effective and consistent on the job

Lab Pack - Windows Endpoint Investigation

Two investigation scenarios. Insider exfiltration (INC-NE-2026-0915): a departing employee stages 6.7 GB across USB and cloud storage over 9 days. Ransomware (INC-NE-2026-1022): a phishing email leads to credential theft, lateral movement across 3 hosts, persistence installation, and encryption of 173K files.

Included: 2 PowerShell artifact generators, 10 HTML walkthroughs, 30+ exercises, 10 verification scripts, 4 report templates. All tools free (KAPE, EZ Tools suite, Velociraptor, Plaso, RegRipper, Timeline Explorer).

Windows Endpoint Investigation Lab Pack v1.0
2 scenarios · 10 walkthroughs · 30+ exercises · 4 report templates

Things you need to know

What are the prerequisites for this course?

There are no prerequisites for this course. The techniques and tools used in the course will equip you with the skills to analyse cyber incidents and crimes involving Windows systems.

What are the device requirements?

A device with 16 GB of RAM or more, and adequate storage: at least 10 GB of free space, preferably on an external USB storage device.

How will the course benefit your career?

Windows forensic capabilities will enhance your career and equip you with the skills required to investigate cyber incidents. Cyber threats to organisations are evolving rapidly, so demand is growing for individuals who can analyse systems, detect breaches, and recover critical evidence.

This course teaches how to investigate key artifacts (registry, logs, memory, and file system), detect malware, trace unauthorised access, and recover lost data. These skills are valuable for career growth in cybersecurity.

Forensics is an in-demand skill required in roles such as forensic analyst, cybercrime investigator, SOC analyst, and security consultant, among many others.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may not redistribute course content or share account credentials.

Forensic evidence: All lab evidence files are fictional constructs. Validate forensic procedures against your jurisdiction's legal requirements before use in legal proceedings.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 1.1  |  Last updated: June 2026

June 2026 - v1.1: Course renamed to Windows Endpoint Investigation.

2026 - v1.0: Course launch. 13 content modules organized by investigation question, 2 capstone investigations (insider threat and ransomware), 32 fieldcraft procedures, forensic field manual, and lab pack with artifact generators and walkthroughs.

This course is actively maintained.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70 points out of 100. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.