Lesson 1
Timeline construction: timestamp normalization, correlation across sources, timeline tools (PLASO/Timesketch) and methodology
This section teaches systematic construction of forensic timelines. Students will normalize timestamps, correlate events across sources, and use tools like PLASO and Timesketch to build, query, and present timelines that support investigative conclusions.
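The normalization and correlation steps in this lesson, as an added worked example (Python written for this page; it is not course material and not Plaso or Timesketch code). It converts the epoch formats an analyst meets most often (Windows FILETIME, Chrome/WebKit microseconds, Unix seconds, and a local wall-clock string whose UTC offset is taken from the evidence) into timezone-aware UTC, refuses to merge anything that is not normalized, sorts the merged events, and pulls every event within a window around a pivot event. All records, hostnames, and the -05:00 offset are constructed.

```python
"""Normalize artifact timestamps to UTC and merge them into one sorted timeline.

Added example for this lesson; it is not course material and not PLASO or
Timesketch code. Every record below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Epoch bases for the artifact formats handled here.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Windows FILETIME and WebKit
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft: int) -> datetime:
    """Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC (EVTX, $MFT, registry)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def from_webkit(us: int) -> datetime:
    """Chrome/WebKit time: microseconds since 1601-01-01 UTC (History, Cookies)."""
    return FILETIME_EPOCH + timedelta(microseconds=us)


def from_unix(seconds: float) -> datetime:
    """Unix epoch seconds (many VPN clients, proxies, CSV exports)."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def from_local_string(text: str, utc_offset_minutes: int) -> datetime:
    """A naive 'YYYY-MM-DD HH:MM:SS' string written in local wall-clock time.

    The offset must come from the evidence (log header, the host's registry
    TimeZoneInformation), never from the analyst's workstation. A fixed offset
    is used here; across a DST change the offset differs per record, so resolve
    it per record rather than once per source.
    """
    naive = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    local = naive.replace(tzinfo=timezone(timedelta(minutes=utc_offset_minutes)))
    return local.astimezone(timezone.utc)


@dataclass(frozen=True)
class Event:
    ts: datetime      # must be timezone-aware UTC
    source: str
    message: str


def build_timeline(events):
    """Reject anything not normalized to UTC, then order by time, then source."""
    for e in events:
        if e.ts.tzinfo is None or e.ts.utcoffset() != timedelta(0):
            raise ValueError(f"event from {e.source!r} is not UTC-normalized: {e.ts!r}")
    return sorted(events, key=lambda e: (e.ts, e.source))


def events_near(timeline, pivot: Event, seconds: int):
    """Cross-source correlation: everything within +/- seconds of a pivot event."""
    lo, hi = pivot.ts - timedelta(seconds=seconds), pivot.ts + timedelta(seconds=seconds)
    return [e for e in timeline if lo <= e.ts <= hi and e is not pivot]


# Constructed sample records, one per source type (offset -300 min = UTC-05:00).
LOGON = Event(from_filetime(133545529310000000), "Security.evtx", "4624 logon jdoe (type 10)")
SAMPLE = [
    Event(from_local_string("2024-03-10 08:40:00", -300), "vpnclient.log", "tunnel down"),
    LOGON,
    Event(from_webkit(13354553020000000), "Chrome History", "visit https://mail.example.net/"),
    Event(from_local_string("2024-03-10 09:05:02", -300), "vpnclient.log", "tunnel up 10.8.0.14"),
    Event(from_unix(1710079531), "proxy.csv", "CONNECT mail.example.net:443"),
]


def correlate():
    """Return (ordered timeline, events within 5 minutes of the logon)."""
    tl = build_timeline(SAMPLE)
    return tl, events_near(tl, LOGON, 300)


if __name__ == "__main__":
    tl, near = correlate()
    for e in tl:
        print(e.ts.isoformat(), e.source, e.message)
    print(f"{len(near)} events within 5 minutes of the logon")
```

The UTC check in build_timeline is the point of the exercise: a single naive timestamp merged into a UTC timeline silently shifts events by hours and breaks every correlation downstream. Plaso performs the same per-parser conversion and takes the host's zone as an argument (log2timeline.py's --timezone option), which is why the zone must be established from the evidence before the super timeline is built.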
- Collecting timestamped artifacts safely
- Timezone handling and normalization rules
- Building super timelines with PLASO
- Visualizing and querying in Timesketch
- Correlating events across multiple sources
- Using timelines to test case hypotheses

Lesson 2
Windows-specific logs and artifacts: Event Logs (System, Security, Application), Windows Security Audit logs, Prefetch, LNK shortcut files, RecentDocs, UserAssist
This section explores Windows logs and supporting artifacts that reveal user and system activity. Learners will analyze Security, System, and Application logs, plus Prefetch, LNK, RecentDocs, and UserAssist to reconstruct program execution and file access.
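UserAssist is the GUI-execution artifact in this lesson, and it is the one most often misread because the value names are ROT13-encoded and the counters sit in a binary blob. The following added example (Python written for this page, not course material and not the output of any named tool) decodes a value name, expands the Known Folder GUID prefix, and parses the 72-byte Windows 7+ value layout (offset 4 run count, 8 focus count, 12 focus time in milliseconds, 60 last-run FILETIME). The sample value names and bytes are constructed; the Known Folder table is an assumed subset.

```python
"""Decode UserAssist entries: ROT13 value names and the 72-byte Windows 7+
value layout (run count, focus count, focus time, last-execution FILETIME).

Added example for this lesson; it is not course material and not the output
of any named tool. The value name and bytes below are constructed to match
the documented layout. Values live under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Known Folder GUIDs that replace path prefixes in UserAssist names (assumed subset).
KNOWN_FOLDERS = {
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
}

# UserAssist subkeys whose Count values hold the interesting counters.
EXECUTABLES_KEY = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
SHORTCUTS_KEY = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"


def decode_name(rot13_name: str) -> str:
    """The whole value name is ROT13, GUID included: decode first, then expand the GUID."""
    name = codecs.decode(rot13_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        name = name.replace(guid, folder)
    return name


def parse_value(rot13_name: str, blob: bytes) -> dict:
    """Parse one Count value (Windows 7 and later, 72 bytes)."""
    if len(blob) != 72:
        raise ValueError(f"expected a 72-byte entry, got {len(blob)} (XP-era entries are 16 bytes)")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", blob, 0)
    (filetime,) = struct.unpack_from("<Q", blob, 60)
    # A zero FILETIME means no execution time was recorded, not 1601-01-01.
    last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10) if filetime else None
    return {
        "path": decode_name(rot13_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run_utc": last_run,
    }


def make_blob(run_count: int, focus_count: int, focus_ms: int, filetime: int) -> bytes:
    """Build a 72-byte value for the constructed samples (same layout parse_value reads)."""
    return struct.pack("<4I10fIQI", 0, run_count, focus_count, focus_ms,
                       *([0.0] * 10), 0, filetime, 0)


# Constructed registry values as they would be read from the Count subkey.
SAMPLES = [
    # ROT13 of {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\7-Zip\7zFM.exe, run 7 times
    (r"{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\7-Mvc\7mSZ.rkr",
     make_blob(7, 3, 45_000, 133545529100000000)),   # 2024-03-10 14:01:50 UTC
    # ROT13 of {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe, no recorded execution
    (r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr", make_blob(0, 0, 0, 0)),
]


def parse_all(samples=SAMPLES) -> list:
    return [parse_value(name, blob) for name, blob in samples]


if __name__ == "__main__":
    for entry in parse_all():
        print(entry)
```

Two caveats carry over to the real artifact: the run count reflects launches through Explorer (Start menu, desktop, taskbar), not command-line or service starts, so a missing entry does not mean a program never ran; and the last-run FILETIME is a single value that is overwritten on each launch, so it is corroborated against Prefetch and the Security log rather than read as a history on its own.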
- Key Windows Event Log channels and uses
- Security Audit events for logon and access
- Prefetch analysis for program execution
- LNK shortcuts and RecentDocs correlations
- UserAssist entries and GUI-based activity
- Cross-validating logs with file system data

Lesson 3
Application and browser artifacts: webmail access traces (cookies, cached pages, saved credentials), browser history, form autofill, extensions, webmail headers
This section focuses on application and browser artifacts that reveal online behavior. Students will analyze cookies, cache, saved credentials, history, autofill, extensions, and webmail headers to trace webmail access and potential data exfiltration.
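Browser history is where the webmail trace usually starts, and the Chrome History file is a SQLite database whose visit times are WebKit microseconds and whose transition column encodes how each page was reached. The following added example (Python written for this page; not course material and not Chrome's own schema) builds a reduced, constructed copy of the urls and visits tables in memory, converts the timestamps inside the SQL, decodes the core transition type (a form submission to a compose page is the exfiltration-relevant case), and walks the from_visit chain back to the page that led the user to webmail. The webmail host and the transition subset are assumptions.

```python
"""Query a Chrome History database for webmail visits, converting WebKit
timestamps inside SQL, decoding the transition type, and walking the
from_visit chain back to the page that led to webmail.

Added example for this lesson; not course material and not Chrome's schema
dump. The in-memory database uses a reduced, constructed copy of the urls and
visits columns needed here. A live History file is locked by Chrome and holds
more columns; work on a copy taken from the image.
"""
import sqlite3

WEBMAIL_HOSTS = ("mail.example.net",)          # assumed; comes from the case

# Low byte of Chrome's transition value is the core type (assumed subset of the enum).
CORE_TRANSITION = {0: "LINK", 1: "TYPED", 7: "FORM_SUBMIT", 8: "RELOAD"}

# WebKit time (microseconds since 1601-01-01 UTC) -> 'YYYY-MM-DD HH:MM:SS' UTC.
WEBKIT_TO_UTC = "datetime(({col} / 1000000) - 11644473600, 'unixepoch')"


def load_sample() -> sqlite3.Connection:
    """Constructed History content: a search, the inbox, then a form post to compose."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    db.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "https://search.example.com/?q=send+large+files", "send large files", 1, 13354553000000000),
        (2, "https://mail.example.net/", "Inbox", 1, 13354553020000000),
        (3, "https://mail.example.net/compose", "New message", 1, 13354553150000000),
    ])
    # 0x30000000 carries the chain start/end flags; the low byte is the core type.
    db.executemany("INSERT INTO visits VALUES (?, ?, ?, ?, ?)", [
        (1, 1, 13354553000000000, 0, 0x30000001),   # TYPED, no referrer
        (2, 2, 13354553020000000, 1, 0x30000000),   # LINK from the search
        (3, 3, 13354553150000000, 2, 0x30000007),   # FORM_SUBMIT from the inbox
    ])
    db.commit()
    return db


def webmail_visits(db) -> list:
    """Visits to the webmail host(s), oldest first, with UTC time and decoded transition."""
    host_filter = " OR ".join("u.url LIKE ?" for _ in WEBMAIL_HOSTS)
    sql = f"""
        SELECT v.id, u.url, {WEBKIT_TO_UTC.format(col='v.visit_time')} AS visited_utc,
               v.transition, v.from_visit
        FROM visits v JOIN urls u ON u.id = v.url
        WHERE {host_filter}
        ORDER BY v.visit_time
    """
    rows = db.execute(sql, [f"https://{h}/%" for h in WEBMAIL_HOSTS]).fetchall()
    return [
        {"visit_id": vid, "url": url, "visited_utc": ts,
         "transition": CORE_TRANSITION.get(tr & 0xFF, f"OTHER({tr & 0xFF})"),
         "from_visit": from_visit}
        for vid, url, ts, tr, from_visit in rows
    ]


def referrer_chain(db, visit_id: int) -> list:
    """Follow from_visit backwards: how did the user arrive at this page?"""
    chain, seen = [], set()
    while visit_id and visit_id not in seen:       # 0 means no referrer; guard against loops
        seen.add(visit_id)
        row = db.execute(
            "SELECT u.url, v.from_visit FROM visits v JOIN urls u ON u.id = v.url WHERE v.id = ?",
            (visit_id,)).fetchone()
        if row is None:
            break
        chain.append(row[0])
        visit_id = row[1]
    return chain


if __name__ == "__main__":
    db = load_sample()
    for v in webmail_visits(db):
        print(v["visited_utc"], v["transition"], v["url"])
        print("   chain:", " <- ".join(referrer_chain(db, v["visit_id"])))
```

The same WebKit conversion applies to the Cookies and Login Data databases, so one expression serves all three; Firefox stores microseconds since the Unix epoch in places.sqlite instead, and mixing the two bases is a common source of timelines that are off by 369 years.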
- Browser history and visit reconstruction
- Cookie and session artifact analysis
- Cached pages and offline web content
- Saved credentials and password stores
- Form autofill and input reconstruction
- Webmail headers and access indicators

Lesson 4
Network and VPN artifacts: VPN client logs, Windows Networking Logs, routing tables, network captures (if available), DHCP, DNS cache
This section addresses artifacts that reveal network and VPN usage. Learners will review VPN client logs, Windows networking logs, routing data, DHCP, DNS cache, and packet captures to identify remote access, exfiltration paths, and command channels.
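The Windows Firewall log (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log) is the Windows networking log most likely to survive on an endpoint, and it records per-connection allow/drop decisions with source and destination. The following added example (Python written for this page, not course material) parses a constructed log in the documented W3C layout, taking the column order from the #Fields: header because it varies between Windows versions, applies the host's UTC offset because the log is written in local time, and summarizes allowed host-originated traffic to destinations outside the internal ranges by destination, port, and protocol with first and last seen. The internal ranges are an assumption (RFC 1918 plus loopback and link-local) and the TEST-NET addresses stand in for external hosts.

```python
"""Parse a Windows Firewall log (pfirewall.log) and summarize allowed outbound
traffic to addresses outside the organization's ranges.

Added example for this lesson; not course material. The log text is
constructed in the documented W3C layout; the column order is read from the
'#Fields:' header rather than hard-coded. The '#Time Format: Local' header
means timestamps need the host's UTC offset from the evidence. INTERNAL_NETS
is an assumption; TEST-NET addresses in the sample stand in for external hosts.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-10 09:05:02 ALLOW UDP 192.168.1.23 203.0.113.5 51234 1194 - - - - - - - - SEND
2024-03-10 09:05:03 ALLOW UDP 192.168.1.23 192.168.1.1 51235 53 - - - - - - - - SEND
2024-03-10 09:06:40 ALLOW TCP 192.168.1.23 198.51.100.20 51240 443 - - - - - - - - SEND
2024-03-10 09:06:41 ALLOW TCP 198.51.100.20 192.168.1.23 443 51240 - - - - - - - - RECEIVE
2024-03-10 09:12:10 DROP TCP 203.0.113.77 192.168.1.23 40000 3389 - - - - - - - - RECEIVE
2024-03-10 09:15:55 ALLOW UDP 192.168.1.23 203.0.113.5 51234 1194 - - - - - - - - SEND
not a log line
"""


def parse_firewall_log(text: str, utc_offset_minutes: int):
    """Return (records, skipped_line_numbers); the header drives the column names."""
    tz = timezone(timedelta(minutes=utc_offset_minutes))
    fields, records, skipped = None, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            skipped.append(lineno)          # keep a record; silent drops hide evidence
            continue
        rec = dict(zip(fields, parts))
        local = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        rec["ts_utc"] = local.replace(tzinfo=tz).astimezone(timezone.utc)
        records.append(rec)
    return records, skipped


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_external(records) -> list:
    """Allowed, host-originated (path SEND) traffic to non-internal destinations,
    grouped by (dst-ip, dst-port, protocol) with first/last seen and source hosts."""
    summary = {}
    for r in records:
        if r["action"] != "ALLOW" or r["path"] != "SEND" or is_internal(r["dst-ip"]):
            continue
        key = (r["dst-ip"], r["dst-port"], r["protocol"])
        s = summary.setdefault(key, {"count": 0, "first_utc": r["ts_utc"],
                                     "last_utc": r["ts_utc"], "sources": set()})
        s["count"] += 1
        s["first_utc"] = min(s["first_utc"], r["ts_utc"])
        s["last_utc"] = max(s["last_utc"], r["ts_utc"])
        s["sources"].add(r["src-ip"])
    return sorted(summary.items(), key=lambda kv: kv[1]["first_utc"])


def analyze(text: str = SAMPLE_LOG, utc_offset_minutes: int = -300):
    records, skipped = parse_firewall_log(text, utc_offset_minutes)
    return outbound_external(records), skipped


if __name__ == "__main__":
    summary, skipped = analyze()
    for (dst, port, proto), s in summary:
        print(f"{proto} {dst}:{port} x{s['count']} {s['first_utc']} .. {s['last_utc']} from {sorted(s['sources'])}")
    print("skipped lines:", skipped)
```

UDP/1194 to a single external host with a long first-to-last span is the shape of a VPN tunnel; the DNS cache and the VPN client's own log then supply the name behind the address and the session boundaries. The source IP column is only as good as the DHCP lease that assigned it, so the attribution step in this lesson pairs this output with the lease table for the same window.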
- VPN client logs and session timelines
- Windows firewall and networking logs
- DHCP leases and IP address attribution
- DNS cache and name resolution history
- Analyzing routing tables and tunnels
- Using packet captures when available

Lesson 5
File system and storage artifacts: NTFS structures (MFT, $LogFile, $UsnJrnl), file slack, alternate data streams, MFT timestamps ($STANDARD_INFORMATION and $FILE_NAME attributes)
This section examines Windows file system artifacts critical to investigations. Learners will analyze NTFS structures, including MFT, $LogFile, and $UsnJrnl, plus file slack and alternate data streams, to reconstruct file history and hidden activity.
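The timestamp and $UsnJrnl topics in this lesson meet in one check: $STANDARD_INFORMATION times can be rewritten from user mode, $FILE_NAME times cannot, and the USN journal records a BASIC_INFO_CHANGE with a kernel-written timestamp whenever that rewrite happens. The following added example (Python written for this page; not course material and not any MFT parser's output) keeps the raw 64-bit FILETIME values of constructed records so the 100-ns fraction survives, flags $SI-before-$FN and whole-second $SI values as timestomping indicators, decodes USN reason masks, and looks for journal records that contradict the claimed $SI times. The reason table is an assumed subset of the documented flags.

```python
"""NTFS timestamp checks: flag likely timestomping by comparing
$STANDARD_INFORMATION ($SI) with $FILE_NAME ($FN) times, and decode $UsnJrnl
reason masks so the journal can confirm what touched the file.

Added example for this lesson; not course material and not the output of any
named MFT parser. Records are constructed and hold raw FILETIME integers so
the 100-ns fraction survives: SetFileTime()-style backdating often writes
whole seconds, which a datetime rounded to seconds would hide.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_dt(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


@dataclass(frozen=True)
class Times:
    """MACB set from one attribute, as raw FILETIME integers."""
    created: int
    modified: int
    mft_modified: int   # entry-modified ('C' in MACB)
    accessed: int


@dataclass(frozen=True)
class MftRecord:
    name: str
    si: Times
    fn: Times


def timestomp_indicators(rec: MftRecord) -> list:
    """Heuristics only; each has benign explanations noted inline."""
    findings = []
    if rec.si.created < rec.fn.created:
        # $FN is written by the kernel at creation/rename and is not reachable from
        # user-mode timestamp APIs, so an earlier $SI means $SI was rewritten.
        findings.append("$SI created predates $FN created")
    if rec.si.modified < rec.fn.modified:
        findings.append("$SI modified predates $FN modified")
    for label, ft in (("created", rec.si.created), ("modified", rec.si.modified)):
        if ft % TICKS_PER_SECOND == 0:
            # Whole-second values: typical of SetFileTime() tools, but also of files
            # copied from FAT media or extracted from archives. Corroborate.
            findings.append(f"$SI {label} has a zero sub-second fraction")
    return findings


# $UsnJrnl reason bits (assumed subset of the documented USN_REASON_* flags).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",   # timestamps or attributes set explicitly
    0x80000000: "CLOSE",
}


def decode_usn_reason(mask: int) -> list:
    names = [name for bit, name in sorted(USN_REASONS.items()) if mask & bit]
    rest = mask & ~sum(USN_REASONS)        # bits outside the table
    if rest:
        names.append(f"UNKNOWN(0x{rest:08x})")
    return names


@dataclass(frozen=True)
class UsnEntry:
    timestamp: int     # FILETIME written by the kernel when the record is appended
    name: str
    reason: int


def journal_corroboration(rec: MftRecord, journal) -> list:
    """USN records that changed this file's basic info *after* its $SI times claim
    it was last touched: the journal timestamp cannot be backdated by SetFileTime()."""
    latest_si = max(rec.si.created, rec.si.modified)
    return [e for e in journal
            if e.name == rec.name and e.reason & 0x8000 and e.timestamp > latest_si]


# Constructed sample values (FILETIME ticks).
T_CREATE = 133545531310000000 + 4_827_163      # 2024-03-10 14:05:31.4827163 UTC
T_STOMP = 133170048000000000                   # 2023-01-01 00:00:00.0000000 UTC
T_USN = 133545531620000000 + 1_190_442         # 2024-03-10 14:06:02.1190442 UTC

SUSPECT = MftRecord("report.docx",
                    si=Times(T_STOMP, T_STOMP, T_USN, T_STOMP),
                    fn=Times(T_CREATE, T_CREATE, T_CREATE, T_CREATE))
CLEAN = MftRecord("notes.txt",
                  si=Times(T_CREATE, T_CREATE + 7_000_123, T_CREATE + 7_000_123, T_CREATE),
                  fn=Times(T_CREATE, T_CREATE, T_CREATE, T_CREATE))
JOURNAL = [
    UsnEntry(T_CREATE, "report.docx", 0x00000100 | 0x00000002 | 0x80000000),
    UsnEntry(T_USN, "report.docx", 0x00008000 | 0x80000000),
    UsnEntry(T_CREATE, "notes.txt", 0x00000100 | 0x00000002 | 0x80000000),
]

if __name__ == "__main__":
    for rec in (SUSPECT, CLEAN):
        print(rec.name, timestomp_indicators(rec))
        for e in journal_corroboration(rec, JOURNAL):
            print("   journal:", filetime_to_dt(e.timestamp).isoformat(), decode_usn_reason(e.reason))
```

The $FN comparison has a known blind spot: a file moved within a volume gets a fresh $FN set from the current $SI values, so a stomp followed by a move leaves consistent $SI and $FN. That is why the journal check sits beside it; $UsnJrnl is circular and short-lived, however, so it only helps for recent activity.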
- Master File Table structure and entries
- $LogFile and transaction rollback analysis
- $UsnJrnl for change tracking over time
- Interpreting NTFS MACB timestamps ($STANDARD_INFORMATION versus $FILE_NAME)
- File slack and residual data inspection
- Alternate Data Streams and hidden content

Lesson 6
External media and USB usage artifacts: Windows USBSTOR, SetupAPI, registry MountPoints2, PnP entries, artifacts showing device connection timestamps
This section examines Windows artifacts that record external media usage, focusing on USB devices. Students will analyze USBSTOR, SetupAPI, MountPoints2, and PnP data to identify devices, first and last use, and potential data transfer windows.
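setupapi.dev.log is the artifact that fixes the first time a USB device was installed on a host, and its device-instance strings are the same identifiers that appear as USBSTOR keys in the SYSTEM hive. The following added example (Python written for this page; not course material and not the output of any named tool) parses a constructed excerpt in the layout Windows writes, pairs each Device Install header with its Section start time, applies the host's UTC offset because the log is local time, splits the instance ID into vendor, product, revision, and serial, flags serials that Windows generated because the device reported none, and matches the USB VID/PID parent entry by serial. The vendor strings and serials are illustrative.

```python
"""Extract USB mass-storage devices and first-install times from
setupapi.dev.log and tie them to USBSTOR instance IDs.

Added example for this lesson; not course material and not any named tool's
output. The log excerpt is constructed; the vendor/product/serial strings are
illustrative. setupapi.dev.log timestamps are local time, so the host's offset
is applied. Only the *first* install of a device lands here; later arrivals
and removals come from the USBSTOR registry properties and event logs.
"""
import re
from datetime import datetime, timedelta, timezone

SETUPAPI_SAMPLE = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5583\4C530001234567890123]
>>>  Section start 2024/03/10 09:04:12.511
      cmd: C:\Windows\System32\svchost.exe -k DcomLaunch -p
<<<  Section end 2024/03/10 09:04:13.102
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Extreme&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2024/03/10 09:04:13.120
      cmd: C:\Windows\System32\svchost.exe -k DcomLaunch -p
<<<  Section end 2024/03/10 09:04:14.003
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a3b4c5d&0]
>>>  Section start 2024/03/10 11:40:55.014
<<<  Section end 2024/03/10 11:40:55.890
<<<  [Exit status: SUCCESS]
"""

INSTALL_RE = re.compile(r"^>>>\s+\[Device Install \([^)]*\) - (?P<id>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def parse_setupapi(text: str, utc_offset_minutes: int) -> list:
    """Pair each Device Install header with the Section start line that follows it."""
    tz = timezone(timedelta(minutes=utc_offset_minutes))
    entries, pending = [], None
    for line in text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            pending = m.group("id")
            continue
        m = START_RE.match(line)
        if m and pending:
            local = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            entries.append({"device_id": pending,
                            "installed_utc": local.replace(tzinfo=tz).astimezone(timezone.utc)})
            pending = None
    return entries


def split_device_id(device_id: str) -> dict:
    r"""'USBSTOR\Disk&Ven_X&Prod_Y&Rev_Z\SERIAL&0' -> enumerator, hardware fields, instance."""
    parts = device_id.split("\\")
    if len(parts) != 3:
        raise ValueError(f"unexpected device instance ID: {device_id!r}")
    enumerator, hardware, instance = parts
    fields = {}
    for part in hardware.split("&"):
        key, _, value = part.partition("_")
        if value:
            fields[key] = value
    return {"enumerator": enumerator, "fields": fields, "instance": instance}


def usbstor_devices(text: str = SETUPAPI_SAMPLE, utc_offset_minutes: int = -300) -> list:
    """One row per USBSTOR device, with the USB VID/PID parent matched by serial."""
    entries = parse_setupapi(text, utc_offset_minutes)
    parents = {}
    for e in entries:
        d = split_device_id(e["device_id"])
        if d["enumerator"].upper() == "USB":
            parents[d["instance"]] = (d["fields"].get("VID"), d["fields"].get("PID"))
    devices = []
    for e in entries:
        d = split_device_id(e["device_id"])
        if d["enumerator"].upper() != "USBSTOR":
            continue
        serial = d["instance"].rsplit("&", 1)[0]      # strip the '&0' interface suffix
        devices.append({
            "vendor": d["fields"].get("Ven"),
            "product": d["fields"].get("Prod"),
            "revision": d["fields"].get("Rev"),
            "serial": serial,
            # Windows writes '&' as the second character when the device reports no
            # unique serial; such IDs change between ports and cannot identify one unit.
            "serial_windows_generated": len(serial) > 1 and serial[1] == "&",
            "vid_pid": parents.get(serial),
            "first_install_utc": e["installed_utc"],
        })
    return devices


if __name__ == "__main__":
    for dev in usbstor_devices():
        print(dev)
```

The first-install time here is a floor, not a usage record: subsequent insertions do not rewrite setupapi.dev.log. The per-device Properties timestamps under the USBSTOR key in SYSTEM and the user-specific MountPoints2 entries in NTUSER.DAT supply later arrivals and the account that mounted the volume, which is the correlation the last two topics of this lesson cover.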
- USBSTOR keys and device identification
- SetupAPI logs and installation timelines
- MountPoints2 and volume label correlations
- PnP device entries and connection history
- Correlating USB artifacts with user sessions
- Detecting suspicious removable media activity

Lesson 7
Deleted and unallocated space recovery: carving techniques, file slack analysis, undelete tools, recovering deleted email attachments
This section focuses on recovering evidence from deleted and unallocated space. Students will apply carving techniques, analyze file slack, use undelete tools, and target recovery of documents and email attachments relevant to suspected exfiltration.
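Header/footer carving is the technique behind every tool in this lesson, and the attachment case in particular turns on the ZIP signature because DOCX and XLSX are ZIP containers. The following added example (Python written for this page; not course material and not the algorithm of any named carver) constructs an "image" of ASCII filler around a small ZIP, a JPEG with an embedded EXIF thumbnail, and a PDF, then carves all three, handling the two edge cases that naive footer matching gets wrong: a JPEG's nested thumbnail ends with its own FFD9, and a ZIP ends after the end-of-central-directory comment, not at the PK\x05\x06 marker. Each recovered object is validated and hashed for the documentation step. The signature table and size limits are assumptions.

```python
"""Header/footer carving over unallocated space with validation and hashing
of each recovered object.

Added example for this lesson; not course material and not the algorithm of
any named carver. The 'image' is constructed: ASCII filler stands in for
unallocated clusters around a small ZIP (the container format of DOCX/XLSX
attachments), a JPEG with an embedded EXIF thumbnail, and a PDF. Signatures
and size limits are assumptions; extend the table per case.
"""
import hashlib
import io
import random
import string
import zipfile

SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
    "zip": (b"PK\x03\x04", b"PK\x05\x06", 100 * 1024 * 1024),
}


def jpeg_end(buf: bytes, start: int, limit: int) -> int:
    """JPEGs nest: an EXIF thumbnail is a complete FFD8..FFD9 inside the outer file.
    Stopping at the first FFD9 would truncate the image, so track nesting depth."""
    pos, depth = start + 3, 1
    while depth:
        nxt_hdr = buf.find(b"\xff\xd8\xff", pos, limit)
        nxt_end = buf.find(b"\xff\xd9", pos, limit)
        if nxt_end < 0:
            return -1
        if 0 <= nxt_hdr < nxt_end:
            depth, pos = depth + 1, nxt_hdr + 3
        else:
            depth, pos = depth - 1, nxt_end + 2
    return pos


def zip_end(buf: bytes, eocd: int) -> int:
    """The end-of-central-directory record is 22 bytes plus a comment whose length
    sits at offset 20; the archive ends after the comment, not at the marker."""
    if eocd + 22 > len(buf):
        return -1
    comment_len = int.from_bytes(buf[eocd + 20:eocd + 22], "little")
    return min(eocd + 22 + comment_len, len(buf))


def validate(kind: str, data: bytes) -> bool:
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return z.testzip() is None
        except zipfile.BadZipFile:
            return False
    if kind == "jpeg":
        return data.startswith(b"\xff\xd8\xff") and data.endswith(b"\xff\xd9")
    # PDFs with incremental updates carry several %%EOF markers; carving to the
    # first one yields an older revision. Record that when documenting.
    return data.startswith(b"%PDF-") and data.endswith(b"%%EOF")


def carve(buf: bytes) -> list:
    """Return carved objects ordered by offset, with hash and validation result."""
    found = []
    for kind, (header, footer, max_size) in SIGNATURES.items():
        pos = 0
        while (start := buf.find(header, pos)) >= 0:
            limit = min(len(buf), start + max_size)
            if kind == "jpeg":
                end = jpeg_end(buf, start, limit)
            else:
                f = buf.find(footer, start + len(header), limit)
                end = -1 if f < 0 else (zip_end(buf, f) if kind == "zip" else f + len(footer))
            if end < 0:
                pos = start + 1          # header without footer: not carved here
                continue
            data = buf[start:end]
            found.append({"type": kind, "offset": start, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest(),
                          "valid": validate(kind, data), "data": data})
            pos = end
    return sorted(found, key=lambda r: r["offset"])


def sample_image():
    """Constructed 'unallocated space' plus the originals for comparison."""
    rnd = random.Random(7)
    filler = lambda n: "".join(rnd.choices(string.ascii_lowercase, k=n)).encode()
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("word/document.xml", "<w:document>quarterly numbers</w:document>")
    docx = zbuf.getvalue()
    jpeg = (b"\xff\xd8\xff\xe1" + b"Exif\x00\x00" + b"\xff\xd8\xff\xdb" + b"thumbnail"
            + b"\xff\xd9" + b"scan lines" + b"\xff\xd9")
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    image = filler(512) + docx + filler(300) + jpeg + filler(200) + pdf + filler(128)
    return image, {"zip": docx, "jpeg": jpeg, "pdf": pdf}


if __name__ == "__main__":
    image, originals = sample_image()
    for obj in carve(image):
        print(obj["type"], obj["offset"], obj["size"], obj["valid"], obj["sha256"][:16])
```

Carving assumes the object is contiguous; a fragmented attachment yields a file that opens partially or fails validation, which is why the "valid" flag and the hash go into the recovery record rather than only the file. For attachments that still have an MFT entry, undelete via the file system comes first, since it preserves the name and timestamps that carving discards.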
- Understanding deleted and unallocated space
- File carving methods and tool selection
- Analyzing file slack for residual content
- Using undelete tools safely and forensically
- Recovering deleted email attachments
- Validating and documenting recovered data

Lesson 8
Defining investigative goals and hypotheses: proving exfiltration, establishing timeline, identifying user accounts and intent
This section covers translating case questions into concrete forensic goals, forming testable hypotheses, and mapping them to specific artifacts. Learners will plan how to prove exfiltration, build timelines, and assess user intent defensibly.
- Turning case questions into forensic objectives
- Linking hypotheses to specific artifact sources
- Planning to prove or refute data exfiltration
- Designing methods to establish activity timelines
- Attributing actions to user accounts and devices
- Documenting assumptions, limits, and caveats