Windows Field Forensics Course Structure: Investigation Questions, Fieldcraft, Forensic Lab
This section explains the course structure so you know what to expect before you start working through the content.
Estimated time: 15 minutes.
Ten modules, ten investigation questions
Each content module is organized around one question a forensic investigator needs to answer. The modules follow the order you typically work through during an investigation: collect the evidence first, then determine what ran, who was involved, how the attacker moved, what they installed, what they took, what changed on the filesystem, what they tried to hide, and finally assemble the complete picture.
This ordering is deliberate. In a real investigation, you cannot analyse execution artifacts you have not collected. You cannot build a timeline from sources you do not understand individually. You cannot identify anti-forensic cleanup unless you first know what the artifacts should look like when they are intact. Each module assumes the skills from the modules before it.
Module 1: Evidence Acquisition and Triage. How do you collect and preserve the evidence before you can analyse anything? KAPE, Velociraptor, memory acquisition, disk imaging, fleet-wide collection. The decisions you make in the first 30 minutes determine what evidence exists for the rest of the investigation.
Module 2: What Ran on This System? Prefetch, Amcache, Shimcache, BAM, SRUM, process creation events. The execution evidence hierarchy. Identifying attacker tools from artifact patterns even when tools have been renamed or deleted.
Module 3: Who Was Here and What Did They Do? User profile artifacts, SAM accounts, ShellBags, LNK files, Jump Lists, UserAssist. Reconstructing what the user (or attacker using the user's session) did on the system. Distinguishing legitimate user activity from attacker actions in the same session.
Module 4: How Did the Attacker Get In and Move? Logon events, RDP artifacts, PsExec traces, WMI persistence, credential theft indicators, lateral movement reconstruction across hosts. This module frequently requires correlating evidence from multiple systems.
Module 5: What Did They Install to Stay? Registry Run keys, scheduled tasks, services, WMI subscriptions, DLL search order hijacking, startup folder entries. Full persistence enumeration. The attacker's goal is to survive a reboot. Your goal is to find every mechanism they planted.
Module 6: What Data Left the Network? SRUM network usage, USB device history, browser downloads, email artifacts, cloud storage sync databases. Quantifying exfiltration. Often the most critical module for determining the business impact of an incident.
Module 7: What Happened on the Filesystem? MFT analysis, USN Journal, file deletion recovery, timestomping detection, mass rename/encrypt velocity analysis. The filesystem records everything, including the attacker's attempts to cover their tracks.
Module 8: What Did They Try to Hide? Anti-forensic techniques and recovery. Log clearing, timestamp manipulation, Prefetch cleanup, VSS snapshot recovery, record gap analysis. You cannot identify what has been erased unless you know what should have been there.
Module 9: Building the Complete Picture. Super timelines with Plaso. Multi-host timeline correlation. Producing findings with confidence levels. This module assembles everything from Modules 2 through 8 into a single chronological narrative.
Module 10: Communication and Application Forensics. Browser forensics (Chromium and Firefox), Electron application parsing (Teams, Slack, Discord), Windows Search Database, email, cloud storage artifacts. The modern endpoint contains entire databases of user activity inside application data directories.
After the content modules, two investigation scenarios let you apply everything against complete evidence sets: an insider threat case and a ransomware incident. These are full-length investigations, not exercises. You work the case from triage collection through final findings.
How each sub is structured
Every content sub teaches one artifact or technique in the context of the module's investigation question. The structure follows a consistent pattern:
Opening. A one-line statement of what the artifact is and a scenario that sets the investigation context. You know immediately what problem this sub helps you solve.
Evidence location. Where the artifact lives on the filesystem, what tools parse it, and how KAPE collects it. A teal reference card you can return to during casework.
Reading the output. An annotated entry from investigation evidence. You see exactly what the parsed output looks like, with each significant field explained. You learn to read the output before you try to analyse hundreds of entries.
Analysis method. The structured approach to working with the artifact at scale. Filters, triage workflows, cross-referencing techniques. Applied to the scenario evidence so you see the method work on real data.
Edge cases. What breaks the standard approach. Missing artifacts, capacity limits, attacker cleanup, platform differences.
Fieldcraft. Where the sub includes one, this is a step-by-step procedure you execute on your own evidence. The Fieldcraft is the operational output of the sub.
Verification. Questions you answer against your own evidence to confirm you can apply what the sub taught.
Not every sub has every section. Some artifacts don't need an edge cases section. Some subs don't have a Fieldcraft. The structure adapts to the topic.
Fieldcraft cards
Fieldcraft cards are operational procedures. Each one walks you through a specific forensic task: parsing an artifact with a tool, building a triage package, identifying attacker tools from output patterns, constructing a timeline.
There are 31 Fieldcraft cards across the course. They appear inside the sub where the skill is taught, after the teaching content. Each card includes what you need (tools, evidence, prerequisites), numbered steps, and the expected output.
You can use Fieldcraft cards in two ways. During the course, they are hands-on exercises that apply the teaching to your own evidence. After the course, they are reference procedures you return to during casework. The cards are designed to be self-contained. If you need to parse Prefetch on an engagement six months from now, you can open Section 2.2, scroll to the Fieldcraft, and follow the procedure without re-reading the teaching content.
Not every sub has a Fieldcraft. Conceptual subs (like Module 2's execution evidence hierarchy) teach reasoning, not tool procedures. Tool-focused subs (like Prefetch parsing or MFT analysis) have one Fieldcraft each.
Forensic Lab
The Forensic Lab provides investigation cases you can work through after completing the relevant module. Each case presents a scenario and an evidence set. You apply the skills from the module to produce findings.
The cases range from beginner (single artifact, clear indicators) to advanced (multi-host, conflicting evidence, anti-forensic cleanup). Each case has a defined set of findings the evidence supports. You work the case independently, then check your findings against the expected results.
Forensic Lab cases are accessible from the module pages through the Practice and Resources panel. They are not embedded in the content subs. The content teaches the skill. The Forensic Lab tests whether you can apply it independently without the structure of the sub guiding you.
Using this course as a field reference
This course is designed to work as both a learning path and a reference. During your first pass, work through the modules in order. The investigation-question structure builds skills sequentially: you need to collect evidence (Module 1) before you can analyse execution artifacts (Module 2), and you need to understand individual artifact types (Modules 2-8) before you build complete timelines (Module 9).
After your first pass, you will come back to individual subs during casework. The evidence location cards, annotated output blocks, DLL profile references, and Fieldcraft procedures are designed to be useful when you need a specific answer during an investigation. Bookmark the subs you use most frequently.
The Operational Reference module (after Module 10) consolidates every tool command, artifact path, registry key, and event ID from the course into a single reference. During casework, you will often go there first and then back to the relevant content sub if you need the analytical context.
The course exam tests investigation-level reasoning, not artifact memorization. It presents a three-phase investigation scenario (triage, investigation, response) and asks you to produce findings from evidence. The exam is available after completing 80% of the course content. Pass mark is 70%.
Next: Section 0.3 covers the forensic toolstack: every tool you need for this course, where to get it, and which modules use it.