For IR Practitioners, DFIR Examiners, and Detection Engineers Who Need Artifact-Level Forensic Depth Beyond Tool Output
Windows Forensics
Analyze Windows artifacts at the level that survives cross-examination.
Perform deep forensic analysis of Windows systems — MFT parsing, USN Journal analysis, Prefetch and Amcache interpretation, ShellBags and LNK file examination, registry forensics, event log deep analysis, volume shadow copy recovery, and timeline construction. Every artifact is taught at the structural level: understand the raw data, validate tool output, detect anti-forensics, and produce findings you can defend in court.
The Raw-First Method — every artifact examined at the binary level before tool output, correlated across sources, tested for anti-forensic manipulation.
What you'll be able to do
Who this course is for
“I run KAPE and EZ Tools but I don't understand what the output means at the byte level.” You parse MFT records and Prefetch files with tools, but you can't explain the $SI vs $FN timestamp difference under cross-examination. This course teaches the binary structures behind every artifact so you know what you're looking at, not just what the tool says.
“I can investigate in the cloud but I'm lost when it reaches the endpoint.” IR practitioners who handle sign-in logs and audit trails but struggle when the investigation pivots to a disk image. MFT, USN Journal, registry hives, event logs — you need the artifact analysis skills that complete the cross-domain investigation.
“The attacker timestomped the evidence and I couldn't prove it.” Anti-forensic detection is built into every artifact module. $SI/$FN timestamp mismatches, EventRecordId gaps, selective Prefetch deletion residue — you learn to detect the manipulation that tools alone miss.
“I need my forensic findings to hold up in legal proceedings.” Court-defensible methodology from evidence handling through examination report writing. Chain of custody, confidence assessment, multi-artifact correlation — findings that survive cross-examination because you can explain how you reached them.
“I want to specialize in DFIR but I can't justify expensive forensic tool licenses.” Every tool in this course is free. KAPE, the complete EZ Tools suite (MFTECmd, PECmd, AmcacheParser, SBECmd, EvtxECmd), Arsenal Image Mounter, Timeline Explorer. Professional-depth forensics without vendor lock-in.
“I need to build a timeline across multiple artifact sources, not just read one log.” The capstone investigations require you to correlate MFT entries, Prefetch records, registry timestamps, USN Journal events, and event logs into a single coherent timeline. This is how real investigations reconstruct what happened.
Whatever your background — if the subject interests you and you're willing to put in the work, this course is for you.
Before and after this course
Before:
You run MFTECmd and get output. You don't know what the $SI created timestamp means vs the $FN created timestamp — or why the difference matters for proving timestomping.
Your investigation stops at “the file was on disk.” You can't prove when it was executed, by which user, from which parent process, or what it did after execution.
You write investigation reports that document what you found but can't defend how you reached the conclusion under hostile questioning.
Each artifact source tells you a fragment. You can't combine MFT, Prefetch, ShellBags, and event logs into a single timeline that proves the full attack narrative.
After:
You read MFT records at the binary level. $SI/$FN mismatches jump out as timestomping indicators. You validate tool output against the raw data and catch what the parser missed.
Prefetch proves execution time and frequency. Amcache proves first execution. ShellBags prove folder access. Event 4688 proves the parent process. You chain five artifact sources to prove the complete sequence.
Your examination reports follow the court-defensible format: evidence collected, analysis performed, findings with confidence assessment. You can explain every step from collection to conclusion.
Your super timeline integrates MFT, USN, Prefetch, ShellBags, registry, event logs, and SRUM into one chronological narrative. The insider investigation and ransomware capstone each require this.
How the course works
The Raw-First Method — every artifact examined at the binary level before tool output, correlated across sources, tested for anti-forensic manipulation:
What creates this artifact? What does its presence prove? What does its absence mean?
Raw collection preserving evidence integrity. Chain of custody from the first byte.
Binary structure analysis before tool output. You understand what the parser reads.
Multi-artifact cross-validation. One source suggests; two sources confirm; three sources prove.
Court-defensible findings with confidence assessment. You can explain your methodology under oath.
What the content looks like
This is a real analysis from Module 2. Before you run MFTECmd, you understand what the MFT record looks like in raw hex — so you know exactly what the parser is reading and can detect when the data has been manipulated.
The $SI timestamps say January. The $FN timestamps say March. That 66-day gap is the smoking gun — the attacker timestomped $STANDARD_INFORMATION to match a legitimate file, but $FILE_NAME timestamps are set by the NTFS kernel and can't be modified by user-space tools. Every forensic artifact module teaches this level of structural understanding.
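The $SI/$FN comparison described above, as an added example that is not course material: it constructs a 1024-byte MFT FILE record carrying the dates the page quotes (January in $STANDARD_INFORMATION, March in $FILE_NAME), applies the update sequence fixups, parses both attributes at the byte level and reports the gap. The file name, record number 1234 and all timestamps are constructed sample values.

```python
# Added example (not course material): build a constructed MFT FILE record, parse it raw, compare $SI vs $FN times.
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch, 100 ns ticks
FIELDS = ("created", "modified", "mft_modified", "accessed")
ts = lambda iso: ((datetime.fromisoformat(iso + "+00:00") - EPOCH) // timedelta(microseconds=1)) * 10
from_ft = lambda ft: EPOCH + timedelta(microseconds=ft // 10)

def resident_attr(atype, body):
    """Resident attribute: 24-byte header, content at +0x18, total length rounded up to 8."""
    total = (0x18 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
    return (hdr + body).ljust(total, b"\0")

def build_record(si_times, fn_times, name="invoice.docx"):
    """Constructed 1024-byte record (2 sectors); USN 1 is stamped into both sector tails."""
    si = struct.pack("<4Q", *si_times) + b"\0" * 16                        # flags etc. left zero
    fn = struct.pack("<Q4QQQIIBB", 5, *fn_times, 0, 0, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    body = resident_attr(0x10, si) + resident_attr(0x30, fn) + b"\xff\xff\xff\xff"  # end marker
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body), 1024, 0, 3, 0, 1234)
    rec = bytearray((hdr + struct.pack("<HHH", 1, 0, 0)).ljust(0x38, b"\0") + body).ljust(1024, b"\0")
    rec[510:512] = rec[1022:1024] = b"\x01\x00"                            # originals (0) sit in the USA
    return bytes(rec)

def apply_fixups(rec):
    """Undo the update sequence: each sector's last 2 bytes must equal the USN, then are restored from the USA."""
    rec, (off, cnt) = bytearray(rec), struct.unpack_from("<HH", rec, 4)
    for i in range(1, cnt):
        if rec[i * 512 - 2:i * 512] != rec[off:off + 2]:
            raise ValueError("fixup mismatch in sector %d: torn write or corrupt record" % i)
        rec[i * 512 - 2:i * 512] = rec[off + 2 * i:off + 2 * i + 2]
    return rec

def parse_times(rec):
    """Walk the attributes; return {'$SI': {...}, '$FN': {...}} of UTC datetimes."""
    rec = apply_fixups(rec)
    pos, out = struct.unpack_from("<H", rec, 0x14)[0], {}                  # offset of first attribute
    while struct.unpack_from("<I", rec, pos)[0] != 0xFFFFFFFF:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype in (0x10, 0x30) and rec[pos + 8] == 0:                    # resident only
            base = pos + struct.unpack_from("<H", rec, pos + 0x14)[0] + (8 if atype == 0x30 else 0)
            vals = struct.unpack_from("<4Q", rec, base)                    # $FN: +8 skips the parent ref
            out["$SI" if atype == 0x10 else "$FN"] = dict(zip(FIELDS, map(from_ft, vals)))
        pos += alen
    return out

def timestomp_indicators(times):
    """$FN is kernel-set at create/rename, so $SI created predating $FN created is the red flag."""
    gap = (times["$FN"]["created"] - times["$SI"]["created"]).days
    return ["$SI created predates $FN created by %d days" % gap] if gap > 0 else []
```

An archive extractor or a copy tool that restores the original creation time leaves the same $SI/$FN pattern, so treat the indicator as one source that suggests and corroborate it with USN Journal, Prefetch or event log evidence as the method above requires.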
Lab Pack — Windows Forensic Analysis
Two investigation scenarios: Insider exfiltration (INC-NE-2026-0915) — 6-week data theft by departing engineer, three USB drives, OneDrive personal account, document renaming. Ransomware (INC-NE-2026-1022) — 72-hour attack across three hosts, phishing to encryption, 10 persistence mechanisms.
Included: 2 PowerShell artifact generators, 10 HTML walkthroughs, 30+ exercises, 10 verification scripts, 4 court-defensible report templates. All tools free (KAPE, EZ Tools suite, Arsenal Image Mounter, Timeline Explorer).
Usage rights and disclaimer
Course materials: Licensed for individual professional development. You may not redistribute course content or share account credentials.
Forensic evidence: All lab evidence files are fictional constructs. Validate forensic procedures against your jurisdiction's legal requirements before use in legal proceedings.
Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.
Version and changelog
Current version: 1.0 | Last updated: 2026
2026 — v1.0: Course launch. 15 modules across 4 phases. Complete Windows forensic artifact analysis from MFT binary structures through court-defensible investigation methodology.
This course is actively maintained.
End of Course Exam
Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.
Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.