Lesson 1: Timeline construction: timestamp normalization, correlation across sources, timeline tools (PLASO/Timesketch) and methodology

This part teaches a methodical approach to building forensic timelines. Students normalize timestamps, correlate events across sources, and use tools such as PLASO and Timesketch to create, query, and present timelines that support investigative conclusions.

- Collecting timestamped artifacts safely
- Timezone handling and normalization rules
- Building super timelines with PLASO
- Visualizing and querying in Timesketch
- Correlating events across multiple sources
- Using timelines to test case hypotheses

Lesson 2: Windows-specific logs and artifacts: Event Logs (System, Security, Application), Windows Security Audit logs, Prefetch, LNK shortcut files, RecentDocs, UserAssist

This part explores the Windows logs and artifacts that record user and system activity. Learners examine the Security, System, and Application logs, together with Prefetch, LNK, RecentDocs, and UserAssist data, to reconstruct program execution and file access.

- Key Windows Event Log channels and uses
- Security Audit events for logon and access
- Prefetch analysis for program execution
- LNK shortcuts and RecentDocs correlations
- UserAssist entries and GUI-based activity
- Cross-validating logs with file system data

Lesson 3: Application and browser artifacts: webmail access traces (cookies, cached pages, saved credentials), browser history, form autofill, extensions, webmail headers

This part focuses on application and browser artifacts that reveal online activity. Students examine cookies, cache, saved credentials, history, autofill, extensions, and webmail headers to trace webmail use and possible data exfiltration.

- Browser history and visit reconstruction
- Cookie and session artifact analysis
- Cached pages and offline web content
- Saved credentials and password stores
- Form autofill and input reconstruction
- Webmail headers and access indicators

Lesson 4: Network and VPN artifacts: VPN client logs, Windows Networking Logs, routing tables, network captures (if available), DHCP, DNS cache

This part deals with artifacts that reveal network and VPN usage. Learners review VPN logs, Windows networking logs, routing information, DHCP, the DNS cache, and packet captures to identify remote access, exfiltration paths, and command-and-control channels.

- VPN client logs and session timelines
- Windows firewall and networking logs
- DHCP leases and IP address attribution
- DNS cache and name resolution history
- Analyzing routing tables and tunnels
- Using packet captures when available

Lesson 5: File system and storage artifacts: NTFS structures (MFT, $LogFile, $UsnJrnl), file slack, alternate data streams, timestamps (MFT, $STANDARD_INFORMATION, $FILE_NAME)

This part examines the Windows file system artifacts central to investigations. Learners study NTFS structures, including the MFT, $LogFile, and $UsnJrnl, along with file slack and alternate data streams, to reconstruct file history and uncover hidden activity.

- Master File Table structure and entries
- $LogFile and transaction rollback analysis
- $UsnJrnl for change tracking over time
- Interpreting NTFS timestamp triads
- File slack and residual data inspection
- Alternate Data Streams and hidden content

Lesson 6: External media and USB usage artifacts: Windows USBSTOR, SetupAPI, registry MountPoints2, PnP entries, artifacts showing device connection timestamps

This part examines the Windows artifacts that record external media use, with a focus on USB devices. Students analyze USBSTOR, SetupAPI, MountPoints2, and PnP data to identify devices, establish first and last connection times, and infer possible data transfer windows.

- USBSTOR keys and device identification
- SetupAPI logs and installation timelines
- MountPoints2 and volume label correlations
- PnP device entries and connection history
- Correlating USB artifacts with user sessions
- Detecting suspicious removable media activity

Lesson 7: Deleted and unallocated space recovery: carving techniques, file slack analysis, undelete tools, recovering deleted email attachments

This part focuses on recovering evidence from deleted and unallocated space. Students apply carving techniques, analyze file slack, use undelete tools, and work to recover documents and email attachments linked to suspected data exfiltration.

- Understanding deleted and unallocated space
- File carving methods and tool selection
- Analyzing file slack for residual content
- Using undelete tools safely and forensically
- Recovering deleted email attachments
- Validating and documenting recovered data

Lesson 8: Defining investigative goals and hypotheses: proving exfiltration, establishing timeline, identifying user accounts and intent

This part covers translating case questions into concrete forensic objectives, formulating testable hypotheses, and linking them to specific artifacts. Learners plan how to prove exfiltration, establish timelines, and assess user intent rigorously.

- Turning case questions into forensic objectives
- Linking hypotheses to specific artifact sources
- Planning to prove or refute data exfiltration
- Designing methods to establish activity timelines
- Attributing actions to user accounts and devices
- Documenting assumptions, limits, and caveats