WFE: Windows Forensic Examiner

The IACIS Windows Forensic Examiner Training Program is a 36-hour course of instruction offered over five (5) consecutive days. It is designed to provide students with a detailed study of the Windows Operating System. Through a variety of lectures and instructor-led and independent hands-on practical exercises, students will study the Windows operating system in far greater detail and with far more specificity regarding critical areas of forensic focus than what can be accomplished in the more generalized overview perspective of the BCFE Training Program.

In short, this program will focus on how various Windows Operating Systems work “under the hood,” with a focus on the most current/common versions. At the conclusion of this course, students will have a clearer understanding of various operating system artifacts, why they present as they do, and how knowledge of these artifacts can play a significant role in the forensic and investigative process.

The WFE Training Program champions a forensic tool-independent approach to learning. This approach allows for a deeper exploration of the underlying subject matter than might be afforded in other programs, which are designed to complete a particular task or view/extract a particular artifact.

The WFE Training Program is designed to build on and expand the students’ existing forensic knowledge and skillset and is not an entry-level class. It is highly recommended that you have received training such as BCFE (or equivalent) prior to attending the WFE Class. Completion of the CFCE is encouraged.

The WFE Training Program will assist students in preparing for their CAWFE certification. However, the training program is not taught to the certification. Instead, students are advised to take notes, participate, and make the most of the classroom environment. The material provided to students may be used as part of the certification process; however, reading outside of the provided material is advisable and will benefit the student in obtaining a deeper understanding. For instance, we may explore in detail the inner workings of an artifact as it relates to Windows 11, but we may not do the same for older versions of Windows other than to potentially call out specific differences. Students are therefore encouraged to explore the current version of Windows and the prior version to ensure that maximum exposure and learning are achieved.

The course topics will include:

  • Virtualization: Concepts, artifacts, and practical usage. We explore the various terminology used to describe virtualization and its associated technologies. This extends to exploring WSL and Hyper-V technologies.
  • Partitioning Schemes: Understanding MBR and GPT partitioning schemes. We explore these common schemes and parse some of the structures at the hex level. Working through these data structures gives examiners a deeper understanding of them (and a refresher), which can help to solidify findings in their investigations.
  • File Systems: Overview of the common NTFS file system and its critical use of metadata files such as $MFT, $Logfile, $Volume, $Bitmap, and $Boot, as well as MFT Records, Orphaned files, Alternate Data Streams, and Directory Indexing.
  • Security Features and Encryption: Features common to the Windows Operating System, such as BitLocker and EFS.
  • Registry: Concepts and structures of common registry files such as SOFTWARE, SAM, SYSTEM, NTUSER.dat. Exploration of Shellbags, Amcache, UserAssist, and AppCompatCache / Shimcache.
  • Artifacts: We will review many Windows artifacts, such as: PowerShell, Clipboard, DoH, Access Control Lists, Thumbcache, Iconcache, PhotosApp, Windows Mail, Timeline, Backup, Event Logs, Link Files, Jump Lists, Prefetch, OneDrive, Notifications, Edge, Cortana, Services, Microsoft Defender Logging.
  • RAM and virtual memory management concepts: We use command line tools to analyze a RAM image and determine application usage and user interaction.

WHEN:  April 28 – May 2, 2025

COST: $2,695.00 US Dollars

EQUIPMENT: Classroom laptops will be given to the students to take home and keep.

REGISTRATION: NOW OPEN
Existing IACIS members, simply log in with your credentials and go to the Products page to purchase and register for the course. 

For non-IACIS members, the membership fee is waived with the purchase of the training course; however, to register for the course you must complete a membership application at the time of purchase. Purchase training course HERE.

***IMPORTANT*** Regarding IACIS’s upcoming 2025 WFE Training, please note that payment must be received NO LATER than 45 days prior to the first day of class, by March 12th, 2025. Failure to meet this deadline will result in the forfeiture of your reserved seat, which will be made available to other interested registrants. This policy is strictly enforced, with NO EXCEPTIONS.

While we do accept purchase orders, full payment is expected by the March 12th deadline. As IACIS makes advance purchases of all necessary equipment and materials, ensuring that all seats are confirmed is essential to our training courses.

To assist in this process, we kindly request that you inform your finance department of the March 12th payment deadline to prevent any issues that could jeopardize your participation in IACIS’s training. Please make sure you have turned in all the appropriate paperwork in a timely manner to facilitate a smooth and prompt transfer of the payment for your training. If you have any questions or concerns, please contact our Treasurer at treasurer@iacis.com.

Cancellations within 45 days from the start of class to 31 days from the start of class will be subject to a $150 cancellation fee. There will be no refunds within 30 days from the start of class.

* On-Site Check-in Times (student pickup of equipment, ID card, IACIS info) are:

             Sunday, April 27, 2025: 1800 – 2000

             Monday, April 28, 2025: 0700 – 0800

* Please make arrangements to arrive in time to check-in so that you may be in class promptly on the first day.

COURSE NOTES:

Please read the following notes regarding this class:

  1. Classes begin at 8:00 AM ET and conclude at 5:00 PM ET each day, with a one-hour lunch break. Classes will end at 4:00 PM ET on the last day of class. Please do not arrange for departing flights prior to 7:00 PM ET to allow time for travel to the airport and any security clearances.
  2. The dress code for the conference is business casual (collared shirts and slacks). The wearing of shorts, flip-flops, tank tops, etc., is not allowed in the classroom. Personal computers are not permitted in the classroom. Students are required to attend all classes to successfully complete the program. Students who fail to meet the attendance requirements will not be issued a certificate at the conclusion of the program.

HOTEL BOOKING

The course will be taught at the Caribe Royale Orlando, 8101 World Center Drive, Orlando, Florida 32821 (USA). This hotel is 16 miles from the Orlando International Airport. It has a large pool and a spacious workout facility, and is close to Disney World and Universal Studios.

Book via the Caribe Royale Orlando site here. If you choose to stay at a different hotel and commute to the conference, you may be subject to parking fees per conference center policy. 

Or book via phone by calling the following numbers: 

Reservations Toll-Free: 1-800-823-8300/1-888-258-7501 or the local number 407-238-8000.

CANCELLATION INFO: If IACIS is unable to hold the Orlando training event, then all students who have registered and paid will have the option of a full refund or a reserved seat at next year’s training event.  IACIS is not responsible for any outside expenses (e.g., travel and accommodation) in the event of the training event being canceled.  Anyone who paid for training will receive complimentary membership through the year that his/her training takes place.