DFA - Digital Forensics Advanced



This advanced three-day course will familiarize the student with the many artifacts left behind on a Windows NT platform.  Operating systems analyzed include Windows XP, Windows Vista, Windows 7, and Windows 8/10.

This course focuses on the traditional artifacts associated with normal operating system functions and user interactions.  Detailed discussions focusing on operating system processes will lead to analysis of the artifacts left behind after normal user / system interaction.


This course is designed to advance the skill set of forensic examiners by focusing on operating system artifacts analysis and forensic processing. 

Completing this course will enable forensic examiners to:

  • Find and analyze OS and user interaction artifacts
  • Understand Windows directory structures, MBR partition tables, and GUID partition tables (GPT)
  • Learn best practices in dealing with Windows BitLocker encryption
  • Explore and understand advanced topics in operating system data structures including log files
  • Learn proper methods to access and conduct forensic analysis of shadow files and the Windows registry


This hands-on course is geared toward forensic investigators with at least six (6) months experience in forensic casework and with a basic understanding of Microsoft data structures.

Students should meet or exceed the following:

  • Read and understand the English language
  • Have previously attended basic digital forensic training
  • Have prior investigative experience in forensic case work
  • Have familiarity with the Microsoft Windows environment and data recovery concepts


Course Outline

The course will follow adult learning principles through training aids, presentations, diagrams, and instructor-led practical exercises.  Each artifact covered will be presented in one or two 50-minute sessions followed by review questions.  Students will be given the opportunity throughout the course to ask questions and discuss the objectives covered in more detail.  At the conclusion of each course day, students will complete practical exercises that reinforce the topics taught during that day's training.

The course is structured as follows:

Introduction and Tools Used During Training

  • Introductions by students and the course instructor
  • Overview of the tools used during coursework for demonstrations and student practicals.  References may be made to commercial products such as EnCase and Forensic Toolkit (FTK) in addition to tools that are free or in the public domain.

Windows NT Versions and Key Features

As with most operating system upgrades, Microsoft has always carried features and functions forward from previous versions of Windows.  In this module students will compare the features of XP, Vista, and Windows 7/8/10, including the differences between the Home, Media, Professional, and Ultimate editions.

Windows Directory Structures

  • Identify the default locations of user data
  • Identify the default locations of system data
  • Explanation of directory junctions including their identification
  • Forensic implications of directory junctions in Windows

Partition Tables and GUID Partition Tables

  • Explanation of the master boot record (MBR) and the master partition table it contains
  • Explanation of GUID partition tables (GPT), including the protective MBR that precedes them
  • Forensic examination of GPTs
  • Instructor-led labs on parsing partition tables
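As an added worked example of the parsing lab above (this is editor-supplied code, not course material), the following Python parses the four-slot MBR table at offset 446, recognizes the 0xEE protective entry, and then parses the primary GPT header at LBA 1 and its partition entries. The disk image it works on is constructed inline (34 sectors, one EFI System and one Basic Data partition, made-up GUIDs) so the script runs offline; the partition-type GUIDs in KNOWN_TYPES are the documented Microsoft values.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_HEADER = "<8sIIIIQQQQ16sQIII"   # 92-byte primary GPT header at LBA 1
GPT_ENTRY = "<16s16sQQQ72s"         # 128-byte partition entry

# Partition type GUIDs an examiner sees most often on Windows disks.
KNOWN_TYPES = {
    "C12A7328-F81F-11D2-BA4B-00A0C93EC93B": "EFI System",
    "E3C9E316-0B5C-4DB8-817D-F92DF00215AE": "Microsoft Reserved",
    "EBD0A0A2-B9E5-4433-87C0-68B6B72699C7": "Microsoft Basic Data",
    "DE94BBA4-06D1-4D40-A16A-BFD50179D6AC": "Windows Recovery",
}


def parse_mbr(sector0):
    """Return the used entries of the four-slot MBR partition table at offset 446."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: not a valid MBR")
    entries = []
    for slot in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector0, 446 + 16 * slot)
        if ptype == 0:
            continue                                  # empty slot
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def is_protective_mbr(entries):
    """Type 0xEE marks a protective MBR: the real layout lives in the GPT."""
    return any(e["type"] == 0xEE for e in entries)


def _guid(raw16):
    # GPT stores GUIDs in the Windows mixed-endian ("little-endian") form.
    return str(uuid.UUID(bytes_le=raw16)).upper()


def parse_gpt(image):
    """Parse the primary GPT header and its entries.

    CRC mismatches are reported, not fatal: a damaged or edited header is a
    finding in itself, and the backup header at the end of the disk (not
    parsed here) may still be intact.
    """
    hdr = image[SECTOR:SECTOR + struct.calcsize(GPT_HEADER)]
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _bak, first_usable, last_usable,
     disk_guid, ent_lba, n_ent, ent_size, ent_crc) = struct.unpack(GPT_HEADER, hdr)
    if sig != b"EFI PART":
        raise ValueError("no EFI PART signature at LBA 1")
    # The header CRC32 is computed over header_size bytes with the CRC field zeroed.
    zeroed = image[SECTOR:SECTOR + 16] + b"\x00" * 4 + image[SECTOR + 20:SECTOR + hdr_size]
    table = image[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    parts = []
    for i in range(n_ent):
        type_guid, uniq, first, last, attrs, name = struct.unpack_from(GPT_ENTRY, table, i * ent_size)
        if type_guid == b"\x00" * 16:
            continue                                  # unused entry
        t = _guid(type_guid)
        parts.append({"index": i, "type_guid": t, "type_name": KNOWN_TYPES.get(t, "unknown"),
                      "unique_guid": _guid(uniq), "first_lba": first, "last_lba": last,
                      "attributes": attrs,
                      "name": name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]})
    return {"disk_guid": _guid(disk_guid), "first_usable": first_usable,
            "last_usable": last_usable,
            "header_crc_ok": zlib.crc32(zeroed) == hdr_crc,
            "entries_crc_ok": zlib.crc32(table) == ent_crc,
            "partitions": parts}


def build_constructed_gpt_image():
    """Constructed sample image (protective MBR + primary GPT, 34 sectors).

    Not taken from any real disk: GUIDs and LBA ranges are made up for the demo.
    """
    def g(s):
        return uuid.UUID(s).bytes_le

    entries = struct.pack(GPT_ENTRY, g("C12A7328-F81F-11D2-BA4B-00A0C93EC93B"),
                          g("11111111-2222-3333-4444-555555555555"),
                          2048, 206847, 0, "EFI system partition".encode("utf-16-le"))
    entries += struct.pack(GPT_ENTRY, g("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7"),
                           g("66666666-7777-8888-9999-AAAAAAAAAAAA"),
                           206848, 2097118, 0, "Basic data partition".encode("utf-16-le"))
    entries = entries.ljust(128 * 128, b"\x00")       # 128 slots of 128 bytes
    header = struct.pack(GPT_HEADER, b"EFI PART", 0x00010000, 92, 0, 0, 1, 2097151, 34, 2097118,
                         g("DEADBEEF-0000-4000-8000-000000000001"), 2, 128, 128, zlib.crc32(entries))
    header = header[:16] + struct.pack("<I", zlib.crc32(header)) + header[20:]
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3xB3xII", 0, 0xEE, 1, 2097151)   # protective entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + header.ljust(SECTOR, b"\x00") + entries


if __name__ == "__main__":
    img = build_constructed_gpt_image()
    print("MBR:", parse_mbr(img[:SECTOR]))
    print("GPT:", parse_gpt(img))
```

To run it against a real evidence file, read the first 34 sectors of the raw image (`open(path, "rb").read(34 * 512)` covers the protective MBR, the header, and a standard 128-entry table) and pass those bytes to the same functions; compare the reported LBA ranges with what the volumes actually occupy, and treat a failed CRC as something to document, not silently skip.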

BitLocker Encryption

  • Detailed explanation of Windows BitLocker
  • Examination of BitLocker-protected system volumes
  • Detailed examination of Windows 7 BitLocker To Go encryption for removable media
  • Forensic recovery options and examiner's best practices

Windows 7/8/10 - Windows Libraries

  • Examination of Windows libraries
  • Examination of XML files associated with custom libraries
  • Examination of registry artifacts associated with Windows libraries
  • Forensic artifacts associated with Windows libraries

Recycle Bin Functionality Across NT Systems

  • Examination of Windows XP recycle bin functionality and the structure of the RECYCLER folder and its INFO2 record
  • Examination of the Windows Vista and Windows 7/8/10 recycle bin implementation ($Recycle.Bin) and its $I / $R file pairs
  • Parsing of data associated with recycle bin operation
  • Forensic implications of recycled files
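As an added worked example for the Vista/7/8/10 recycle bin module (editor-supplied code, not part of the course), the script below parses the $I metadata record that Windows writes next to each recycled file: the version-1 layout used by Vista through 8 (fixed 260-character path) and the version-2 layout used by Windows 10 (explicit path length), converting the FILETIME deletion timestamp to UTC. It also pairs $I records with their $R content files from a directory listing, flagging orphans. The records and the listing are constructed in the script itself (made-up path, size and timestamp), so it runs with no evidence image.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """Parse a $I record.

    Offsets 0/8/16: version, original file size, deletion FILETIME (all 8 bytes, LE).
    Version 1 (Vista/7/8): original path at 24, 260 UTF-16LE chars, NUL padded.
    Version 2 (Windows 10): path length in chars (incl. NUL) at 24, path at 28.
    """
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted": filetime_to_datetime(ft), "original_path": path}


def pair_recycle_bin_listing(names):
    """Match $I records to $R content files by their shared random suffix.

    The pair is the unit of evidence: $I carries where and when, $R carries the
    content with its original timestamps. An orphan on either side is worth noting.
    """
    i_files = {n[2:]: n for n in names if n.startswith("$I")}
    r_files = {n[2:]: n for n in names if n.startswith("$R")}
    pairs = [(i_files[k], r_files[k]) for k in sorted(i_files) if k in r_files]
    orphan_i = [i_files[k] for k in sorted(i_files) if k not in r_files]
    orphan_r = [r_files[k] for k in sorted(r_files) if k not in i_files]
    return pairs, orphan_i, orphan_r


def build_constructed_dollar_i(version, path, size, deleted):
    """Build a sample $I record (constructed for the demo, not from a real system)."""
    ft = datetime_to_filetime(deleted)
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + path.encode("utf-16-le").ljust(520, b"\x00")
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + encoded


def sample_records():
    """Constructed v1 and v2 records describing the same fictitious deletion."""
    when = datetime(2015, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    path = r"C:\Users\alice\Documents\report.docx"
    return (build_constructed_dollar_i(1, path, 12345, when),
            build_constructed_dollar_i(2, path, 12345, when))


if __name__ == "__main__":
    for rec in sample_records():
        print(parse_dollar_i(rec))
    print(pair_recycle_bin_listing(
        ["$I1A2B3C.docx", "$R1A2B3C.docx", "$IZZ9XY1.pdf", "desktop.ini"]))
```

On a live or mounted volume the records sit under `$Recycle.Bin\<user SID>\`, so the SID of the subfolder ties a deletion to an account; read each `$I*` file in binary and feed it to `parse_dollar_i`, and compare the `deleted` value with the $R file's own timestamps, which are those of the original file rather than of the deletion.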

Link Files and Jump Files

  • Describe the function of Windows shortcut files
  • Identify the data of interest contained in a link file
  • Describe the purpose of jump lists
  • Identify data associated with automatic and custom destinations
  • Examine the forensic implications of link files and jump lists

User Account Control and Internet Explorer Key Artifacts

  • Describe the function of Microsoft's "Defense in Depth" model
  • Describe and identify artifacts left behind by Internet Explorer on Windows systems
  • Identify objects stored in lower privileged locations in the directory structure
  • Discuss the forensic implications of data found within a user profile for internet facing applications

Thumbs.db vs. Thumbcache

  • Identify locations of thumbnails from viewed graphics on an NT system
  • Compare the data structures of Thumbs.db and Thumbcache files
  • Forensic analysis of the data contained in each database file
  • Discussion of the other types of thumbnail databases found on a Windows system

Windows Event Logs

  • Describe the location of event log files across various Windows NT systems
  • Describe the differences between XP (.evt) and Windows 7/8/10 (.evtx) event logs
  • Instruction on using Windows Event Viewer to locate items of interest in event logs
  • Forensic significance of records contained in event logs

Prefetch and Superfetch

  • Description of XP prefetch files and Vista / Windows 7/8/10 prefetch and Superfetch files
  • Locating and viewing data files associated with prefetching
  • Forensic significance of the layout.ini and .pf data files

Volume Shadow Copy

  • Describe the function of volume shadow copies
  • Locating volume shadow copies
  • Examination of volume shadow copy files
  • Forensic implications of data found in shadow files
  • Forensic analysis of shadow files

Windows Registry

  • Identify key locations and forensic importance of Windows registry files
  • Definitions of key registry structures and data
  • Identification of key artifacts associated with registry files
  • Protected storage system provider vs. IntelliForms
  • Hardware device identification and analysis
  • User account activity analysis and reporting



No classes scheduled at this time.
