DFIR with OSForensics & Digital Intelligence

Course Description:

This 5-day course is designed for Digital Forensic and Incident Response investigators to understand the primary artifacts that should be examined when completing any digital forensics investigation.  The course will provide a foundational understanding of relevant artifacts, their location, capture techniques and how this evidence can be utilized and applied to their investigations.  Using real world scenarios, captured forensic images and memory extractions, this course will utilize PassMark Software’s OSForensics toolkit as we navigate the core criteria of any DFIR investigation:  Acquisitions, Analysis, and Reporting.  This course will instruct students, step-by-step, as we walk through various real-life DFIR case scenarios.  Students will not only learn about important forensic artifacts, specific to DFIR cases, but also how to interpret timestamps, create timelines of user activity, and even learn how to best prepare evidence and artifacts for courtroom presentation.  Additional, 3rd party tools will also be utilized to validate results and offer further insight for the students benefit.  Note: This course will satisfy all requirements to test for the OSForensics Certified Examiner (OSFCE) certification.  The certification test will be administered at the end of the course, at no additional charge, for those students wishing to earn the OSFCE designation.

Course Presentation

The course will follow adult learning principles through training aids such as presentations, diagrams, and practical instructor leadexamples.  Each artifact will be presented in either one or more 50-minute sessions followed by review questions and practical exercises.  Students will be given the opportunity throughout the course to ask questions and discuss objectives covered in moredetail.  Each day, students will have practical exercises to work on to reinforce the topics with a final practical at the culmination of thetraining.


  • Ability to read and understand the English language
  • Have attended a basic digital forensic training
  • Be familiar with the Microsoft Windows environment and data recovery concepts

Introduction and Tools Used During the Course

  • Introductions by the course instructors and students
  • Overview of course topics and goals
  • Overview of the tools that will be used in the course for demonstrations and student practical exercises

Intro to OSForensics

  • Installation of OSForensics (Workstation & USB installs)
  • Overview and functionality of the OSForensics toolkit
  • Creating a Case with OSForensics

File and Folder Structure Review

  • Understanding the Windows file and folder structure
  • File Header and Signature overview using the OSF Raw Disk Viewer

Advanced Forensic Acquisition

  • Overview of the OSForensics Disk Imaging feature
  • Creating E01, RAW, AFF4 and other bit-for-bit disk images
  • Creating customized Logical images
  • Rebuilding RAIDs
  • Restoring an Image to a Disk
  • Logical Acquisition of Android Devices
  • Mounting image files for forensic analysis

Live System Analysis (Triage)

  • Using the “Auto Triage” module in OSF
  • Creating a forensic image (E01) of a live system
  • Cloud Acquisition with OSForensics (Gmail, Dropbox, etc.)
  • Acquiring the Windows Clipboard history
  • Checking for BitLocker & recovering BitLocker keys
  • Rapid, on-scene review of recent user and file activity
  • Memory Acquisition (Full vs. Process-Specific dumps)

Log File Analysis

  • Analyzing Windows Event Logs with OSF’s Event Log Viewer
  • 3rd Party application log files
  • Log file parsing techniques
  • Web server log analysis

Windows Registry Artifacts

  • Overview of the Windows Registry
  • Traditional Registry files
  • Modern Windows 10/11 OS Registry files
  • Application, file and user tracking/linking across multiple Registry artifacts
  • Registry analysis with OSF’s Registry Viewer

Program Artifacts (Pre-Fetch and AmCache)

  • Pre-Fetch/Super Fetch overview
  • PF/SF file analysis
  • Connection to Registry artifacts
  • AmCache artifact analysis

Search Techniques

  • Keyword Searches
  • Regular Expression Searches
  • Creating & Using Hash Sets with OSF
  • Using the OSF File Name Search module
  • Creating & searching an Index
  • Advanced String Extraction with OSF
  • Deleted File Searching and Data Carving Techniques

Identifying User Activity & Creating Timelines

  • Using the User Activity module in OSF
  • MRU Artifacts
  • Clipboard History
  • USB Device History

Link Files, Shellbags and Jump Lists

  • User Link File structure and analysis
  • Shellbag artifacts
  • Jump List overview
    • Custom Destinations
    • Automatic Destinations

Internet Browsers

  • Internet Browser Foundations
    • Cookies
    • Favorites
    • History
    • Cache
  • Examining Browser database files
    • Search Terms
    • Downloads
    • Form History
    • Bookmarks

Email Artifacts

  • Understanding Loose Mail vs. Archive Mail
  • Email content and attachments
  • Email Link Analysis

Memory Forensic Analysis

  • Understanding Memory Structure
    • Handles
    • Threads
    • Processes and Objects
  • Pagefile and Hiberfile Analysis (String Extraction)
  • Extracting files and resources from Memory captures
  • Virtual Machine memory capture
  • Malware identification techniques

Password Extraction & File Decryption

  • Extracting user account information
  • Extracting web-related passwords
  • Extracting WiFi network names & passwords
  • Cracking a Windows User password
  • File Decryption & Dictionary attacks 

Volume Shadow Copies

  • Understanding the VSC process
  • Identification & Collection of VSC
  • Analysis of VSC’s with OSF
  • Comparing VSC’s with OSF

Virtual Disk Creation & Evidence Presentation

  • Creating Virtual Disks from your forensic images
  • Bypassing the Windows password
  • Deeper analysis of application history and user settings
  • Presentation of Virtual disk evidence for courtroom settings

OSForensics Certification

  • Review of OSForensics toolkit and test material
  • Application of OSFCE test

WHEN: May 2 – May 6, 2022
This course is taught by Digital Intelligence & PassMark Software

COST: $1,995 US Dollars

Cancellation of this class may occur if there are insufficient students registered. In the event of a cancellation, personnel will typically be notified by email within 48 hours of the registration closure date. IACIS is not responsible for any individual expenses incurred as a result of a cancellation. The limit of IACIS financial liability is a full refund of the course fee.


Existing IACIS members simply log in with your credentials and go to the Products page to purchase and register for the course.

For non-IACIS members, the membership fee is waived with the purchase of the training course; however, to register for the course you must complete a membership application at the time of purchase. Purchase training course HERE.

****Payment MUST BE RECEIVED at least 45 days prior to the first day of class. Any payment arrangements other than payment through the website or payment via invoice must be approved by the IACIS Treasurer prior to admittance into the course. Please contact the treasurer for questions and approval (treasurer@iacis.com)

Cancellations within 45 days from the start of class to 31 days from the start of class will be subject to a $150 cancellation fee. There will be no refunds within 30 days from the start of class.****

* On-Site Check-in Times (student pickup of equipment, ID card, IACIS info) are:

             Sunday, May 1, 2022 : 1800 – 2100

             Monday, May 2, 2022: 0700 – 0800

* Please make arrangements to arrive in time to check-in so that you may be in class promptly the first day.


Please read the following notes regarding this class:

  1. Classes begin at 8:00 AM ET and conclude at 5:00 PM ET, each day, with a one hour lunch break. Classes will end at 4:00 PM ET on the last day of class. Please do not arrange for departing flights prior to 7:00 PM ET to allow time for travel to the airport and any security clearances.
  2. The dress code for the conference is business casual (collared shirts and slacks).The wearing of shorts, flip flops, tank tops, etc. is not allowed in the classroom. Personal computers are not permitted in the classroom. Students are required to attend all classes to successfully complete the program. Students who fail to meet the attendance requirements will not be issued a certificate at the conclusion of the program.


The course will be taught at the Caribe Royale Hotel, 8101 World Center Drive, Orlando, Florida 32821 (USA).  This hotel is 16 miles from the Orlando International Airport, it has a large pool, spacious workout facility and is close to Disney World and Universal Studios.

Book via the Caribe Royale Hotel site here.

Or book via phone by calling the following numbers:

Reservations Toll Free: 1-800-823-8300/1-888-258-7501 or our local number 407-238-8000.

Availability to book your stay is from now until 4/16/2022 or until hotel is sold out.

Dates of stay the rates are good for now until 5/12/2022 or until hotel is sold out.


If IACIS is unable to hold their 2022 Orlando training event, then all students who have registered and paid, will have the option of a full refund or a reserved seat at the 2023 training event.  IACIS is not responsible for any outside expenses (e.g. travel and accommodation) in the event of the training event being cancelled. Anyone who paid for training will receive complimentary membership through the year that his/her training takes place.