The International Association of Computer Investigative Specialists

AWFE: Windows Forensic Examiner

AWFE Course Overview

The IACIS Advanced Windows Forensic Examiner (“AWFE”) course is a 36-hour course of instruction offered over five (5) consecutive days. It is designed to provide students with a detailed study of the Windows Operating System. Through a variety of lectures and instructor-led and independent hands-on practical exercises, students will study the Windows operating system in far greater detail and with far more specificity regarding critical areas of forensic focus than what can be accomplished in the more generalized perspective of the BCFE Training Program.

In short, this course will focus on how various Windows Operating Systems work “under the hood,” with a focus on the most current/common versions. At the conclusion of this course, students will have a clearer understanding of various operating system artifacts, why they present as they do, and how knowledge of these artifacts can play a significant role in the forensic and investigative process.

The AWFE course champions a forensic tool-independent approach to learning. This approach allows for a deeper exploration of the underlying subject matter than might be afforded in other programs, which are designed to complete a particular task or view/extract a particular artifact.

The AWFE course is designed to build on and expand the students’ existing forensic knowledge and skillset and is not an entry-level course. It is highly recommended that you have received training such as BCFE (or equivalent) prior to attending the WFE Class. Having completed the CFCE would be encouraged.

The AWFE course will assist students in preparing for their CAWFE certification. However, the training program is not taught to the certification. Instead, students are recommended to take notes, participate, and make the most of the classroom environment. The material provided to students may be used as part of the certification process; however, reading outside of the provided material is advisable and will benefit the student in obtaining a deeper understanding. For instance, we may explore in detail the inner workings of an artifact as it relates to Windows 11, but we may not do the same for older versions of Windows other than to potentially call out specific differences. Students are therefore encouraged to explore the current version of Windows and the prior version to ensure maximum exposure and learning is achieved.

  • Virtualization: Concepts, artifacts, and practical usage. We explore the various terminology used to describe virtualization and its associated technologies. This extends to exploring WSL and Hyper-V technologies.
  • Partitioning Schemes: Understanding MBR and GPT partitioning schemes. We explore these common schemes and parse some of the structures at the hex level. Working through them gives a deeper understanding of (and a refresher on) these data structures, which can help to solidify findings in examiners' investigations.
  • File Systems: Overview of the common NTFS file system and its critical use of metadata files such as $MFT, $Logfile, $Volume, $Bitmap, and $Boot, along with MFT records, orphaned files, alternate data streams, and directory indexing.
  • Security Features and Encryption: common to the Windows Operating System, such as BitLocker and EFS
  • Registry: Concepts and structures of common registry files such as SOFTWARE, SAM, SYSTEM, NTUSER.dat. Exploration of Shellbags, Amcache, UserAssist, and AppCompatCache / Shimcache.
  • Artifacts: We will review many Windows artifacts, such as: PowerShell, Clipboard, DoH, Access Control Lists, Thumbcache, Iconcache, PhotosApp, Windows Mail, Timeline, Backup, Event Logs, Link Files, Jump Lists, Prefetch, OneDrive, Notifications, Edge, Cortana, Services, Microsoft Defender Logging.
  • RAM and virtual memory management concepts: We use command line tools to analyze a RAM image and determine application usage and user interaction.

Quick Details

Core Competencies / Details

There are six competency areas addressed in the WFE course.

  1. Windows Virtualization Technologies and Inbuilt Security Mechanisms 
  2. Windows Partitioning Schemes 
  3. Windows File Systems 
  4. Windows Registry 
  5. Windows Artifacts
  6. Live Memory Acquisition and Analysis

Please click here to download the official WFE Core Competencies document, which includes details for each core competency:

Our Windows Forensic Examiner course is guided by industry experts, including a distinguished IACIS Chair, ensuring that participants receive the latest knowledge and techniques relevant to the field of Windows digital forensics.

Apply knowledge towards:

  • CFCE: Certified Forensic Computer Examiner Program
  • ICMDE: Certified Mobile Device Examiner
  • CAWFE: Certified Advanced Windows Forensic Examiner

Where and When is the AWFE Course Offered?

The WFE course is regularly offered in-person and online at various times and locations throughout the year. For the most current schedule and enrollment details, visit our EVENTS page.

How to Register for this Course

Existing IACIS members, simply log in with your IACIS credentials and go to the PURCHASE TRAINING page to purchase and register for the course.

For non-IACIS members, the membership fee is waived with the purchase of the training course; however, to register for the course you must complete a membership application at the time of purchase. Go to the PURCHASE TRAINING page to purchase and register for the course and complete your membership application.