Online WFE : Windows Forensic Examiner

The IACIS Online WFE Training Program is a 36-hour course of instruction; the program is designed to provide students with a detailed study of the Windows Operating System.

Through a variety of lectures, instructor-led and independent hands-on practical exercises students will study the Windows operating system in far greater detail, and with far more specificity regarding critical areas of forensic focus, than what can be accomplished in the more generalized, overview perspective of the BCFE Training Program.

In short, this program will focus on how a variety of Windows Operating Systems work “under the hood”, with a focus on the most current/common versions. At the conclusion of this course, students will have a clearer understanding of various operating system artifacts and why they present as they do, and how knowledge of these artifacts can play a significant role in the forensic and investigative process.

The WFE Training Program champions a forensic tool-independent approach to learning. This approach allows for a deeper exploration of the underlying subject matter than might be afforded in other programs which are designed to complete a particular task or view/extract a particular artifact.

The WFE Training Program is designed to build on and expand the students existing forensic knowledge and skillset and is not an entry level class. Prospective students should reference the “Prerequisites” section elsewhere in this document for additional information about expectations for students.

The WFE Training Program will assist students in preparing for their CAWFE certification, however the training program is not taught to the certification, instead, students are recommended to take notes, participate, and make the most of the classroom environment. The material provided to students will be used as part of certification process, however, reading outside of the provided material is advisable and will benefit the student in obtaining a deeper understanding. As an example, the WFE material includes information about Artifact A, but the trainers focus on Artifacts B, C and D. The certification may include questions on Artifacts A and D.

Topics include but are not limited to:

  • Virtualization: Concepts, artefacts and practical usage. We explore the various terminology used to describe virtualization and its associated technologies. In this topic, we work through a command line approach to virtualize a suspect forensic image and discuss how to bypass user logon passwords.
  • Partitioning schemes: Understanding MBR and GPT partitioning schemes. We explore these common schemes and parse some of the structures at the hex level. Understanding some of these structures enables the examiner in linking devices to Windows artifacts.
  • File Systems: Overview of the common file-systems with a focus on NTFS and its critical use of metadata files and understanding of their structures.
  • Security Features and Encryption common to the Windows Operating System.
  • Registry: Concepts, structures and artefacts common to the Windows Operating System will be covered during the week including; SOFTWARE, SAM, SYSTEM, NTUSER.dat etc
  • Artifacts & More: We will review the concepts, identification and analysis of many Windows artefacts, such as how to determine application usage, user interactions, event logs, volume shadow copies etc. We also cover some of Microsoft Windows defaults in order to assist an examiner in determining user knowledge when things change from the norm.
  • RAM and virtual memory management concepts. We use command line tools to analyze a RAM image and determine application usage and user interaction.

PREREQUISITE: Basic Computer Forensic Examiner [BCFE] course AND completion of the Certified Forensic Computer Examiner [CFCE] certification is highly recommended, but not required.

SYLLABUS: Online WFE Syllabus coming soon

CERTIFICATION: Completion of the online WFE course entitles each member to one attempt at the CAWFE Certification process.  The attempt must be completed within the time frame of your online cycle.  Each online class cycle is three months; a fourth month is allowed for testing.



Existing IACIS members simply log in with your credentials and go to the products page to purchase and register for the course.

For non-IACIS members, the membership fee is waived with the purchase of the training course; however, to register for the course you must complete a membership application at the time of purchase.

Apply for membership and purchase the course on the PRODUCTS PAGE


COST: $995 US Dollars


PAYMENT MUST BE RECEIVED PRIOR TO THE START OF THE ONLINE TRAINING. All online cycles must be started and completed within the active course cycle completion dates. Students who fail to complete course exercises within the specified timeframe will be removed from the process and he/she will forfeit any fees paid. Under certain circumstances students with an identified hardship may request to be transferred to the following online training cycle. To qualify for this request, the student must notify the course administrator ( a minimum of 30 days before the end of the class cycle. This type of request will be granted on a limited basis and only as a one (1) time transfer. There will be no refunds issued to students who fail to start or complete the online training cycle.