The IACIS Online WFE course is a 36-hour course of instruction; the course is designed to provide students with a detailed study of the Windows Operating System.
Through a variety of lectures, instructor-led and independent hands-on practical exercises students will study the Windows operating system in far greater detail, and with far more specificity regarding critical areas of forensic focus, than what can be accomplished in the more generalized, overview perspective of the BCFE course.
This program will focus on how a variety of Windows Operating Systems work “under the hood”, with a focus on the most current/common versions. At the conclusion of this course, students will have a clearer understanding of various operating system artifacts and why they present as they do, and how knowledge of these artifacts can play a significant role in the forensic and investigative process.
The WFE course champions a forensic tool-independent approach to learning. This approach allows for a deeper exploration of the underlying subject matter than might be afforded in other programs which are designed to complete a particular task or view/extract a particular artifact.
The WFE course is designed to build on and expand the students existing forensic knowledge and skillset and is not an entry level class. Prospective students should reference the “Prerequisites” section elsewhere in this document for additional information about expectations for students.
The WFE course will assist students in preparing for their CAWFE certification, however the training program is not taught to the certification, instead, students are recommended to take notes, participate, and make the most of the classroom environment. The material provided to students will be used as part of certification process, however, reading outside of the provided material is advisable and will benefit the student in obtaining a deeper understanding. As an example, the WFE material includes information about Artifact A, but the trainers focus on Artifacts B, C and D. The certification may include questions on Artifacts A and D.
Online WFE Course topics
- Virtualization: Concepts, artifacts, and practical usage. We explore the various terminology used to describe virtualization and its associated technologies. This extends to exploring WSL and Hyper-V technologies.
- Partitioning Schemes: Understanding MBR and GPT partitioning schemes. We explore these common schemes and parse some of the structures at the hex level. Understanding these structures provides a greater level of understanding (and refresher) on these data structures which can help to solidify findings in examiners investigations.
- File Systems: Overview of the common file-system NTFS and its critical use of metadata files such as $MFT, $Logfile, $Volume, $Bitmap, $Boot, MFT Records, Orphaned files, Alternate Data Streams, Directory Indexing
- Security Features and Encryption: common to the Windows Operating System, such as BitLocker and EFS
- Registry: Concepts and structures of common registry files such as SOFTWARE, SAM, SYSTEM, NTUSER.dat. Exploration of Shellbags, Amcache, UserAssist, AppCompatCache / Shimcache,
- Artifacts: We will review many Windows artifacts, such as: PowerShell, Clipboard, DoH, Access Control Lists, Thumbcache, Iconcache, PhotosApp, Windows Mail, Timeline, Backup, Event Logs, Link Files, Jump Lists, Prefetch, OneDrive, Notifications, Edge, Cortana, Services, Microsoft Defender Logging.
- RAM and virtual memory management concepts: We use command line tools to analyze a RAM image and determine application usage and user interaction.
