For IR Practitioners, DFIR Examiners, and Detection Engineers Who Need Artifact-Level Forensic Depth Beyond Tool Output
Advanced Windows Forensic Analysis
Analyze Windows artifacts at the level that survives cross-examination.
Learn to perform deep forensic analysis of Windows systems — MFT parsing, USN Journal analysis, Prefetch and Amcache interpretation, ShellBags and LNK file examination, registry forensics, event log deep analysis, volume shadow copy recovery, and timeline construction. Every artifact is taught at the structural level: understand the raw data, validate tool output, detect anti-forensics, and produce findings you can defend in court.
The Raw-First Method — every artifact examined at the binary level before tool output, correlated across sources, tested for anti-forensic manipulation.
The Artifact Analysis Framework
Every artifact analysis in this course follows three questions:
1. What creates this artifact? The specific Windows component, API call, or user action that generates the record. If you don't know what creates it, you can't assess what its absence means.
2. What does it prove? The specific forensic conclusion the artifact supports. Not "the file existed" but "the file was created at this time by this process with this parent process." Precision matters in testimony.
3. What can the attacker do to it? How the artifact can be manipulated, deleted, or fabricated. Every artifact has an anti-forensic threat model. Knowing it is the difference between evidence and assumption.
Who this course is for
IR practitioners who have completed Practical IR (or equivalent) and want to move from "I can run KAPE and read EZ Tools output" to "I understand what the artifact means at the binary level."
DFIR examiners preparing for court testimony who need to explain artifact provenance and reliability beyond "the tool said so."
Detection engineers who want to understand what artifacts their detections should target and what anti-forensic techniques could evade them.
Security engineers building forensic readiness programs who need to understand which artifacts exist, how long they persist, and what collection preserves them.
Anyone serious about Windows forensics. Whatever your background — whether you're an analyst moving into DFIR, a consultant building forensic capability, or a practitioner deepening your expertise — if the subject interests you and you're willing to put in the work, this course is for you.
Built on Northgate Engineering — not abstract examples
Three investigation scenarios thread through the entire course, each using NE's infrastructure:
INC-NE-2026-0915 — Insider Data Exfiltration. A departing engineer copied proprietary manufacturing specifications to USB and cloud storage over 6 weeks. Legal hold in effect. Evidence must be court-admissible.
INC-NE-2026-1022 — Ransomware Attack. Attacker gained access via phishing, moved laterally over 72 hours before deploying ransomware across 12 hosts.
INC-NE-2026-1130 — Unauthorized Access Dispute. Employee claims they never accessed a restricted file share. HR legal proceeding.
Why take this course
For DFIR practitioners moving from basic triage into deep Windows forensic analysis. You finish able to reconstruct full attacker timelines from NTFS artifacts, registry hives, event logs, and Amcache — the forensic depth that stands up in legal proceedings and employment tribunals, not just incident reports.
What you will be able to do
1. Interpret every forensic artifact at the binary level. MFT record structures, USN Journal entries, ShellBag shell items, Prefetch file headers, EVTX record format, registry hive cells — you understand what the bytes mean, not just what the tool reports.
2. Detect anti-forensic manipulation. Timestomping through $SI/$FN timestamp comparison. Event log clearing through record ID gap analysis. Prefetch deletion through absence pattern analysis. Registry manipulation through transaction log recovery.
3. Build court-defensible forensic timelines. Multi-artifact super timelines with timestamp correlation, clock skew detection, confidence assessment, and evidence attribution that survives cross-examination.
4. Validate and challenge tool output. When MFTECmd, PECmd, or AmcacheParser produces output, you know what it parsed and whether it parsed it correctly.
5. Produce forensic examination reports. Complete reports with methodology documentation, finding attribution, confidence assessment, and limitation acknowledgment — to the standard required for legal proceedings.
Course at a glance
Modules: 15 (WF0–WF14) across 4 phases
Subsections per module: 15
Free content: WF0–WF1 — no account required
Specialist content: WF2–WF14 — Specialist subscription required
Prerequisites: Practical Incident Response (IR0–IR5 minimum)
Typical pace: ~18-22 weeks at 5 hrs/week
MITRE ATT&CK coverage: 22 techniques mapped
Built by Ridgeline Cyber
Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience — including forensic investigations that required artifact-level analysis for legal proceedings, insurance claims, and regulatory notifications.
What this course does NOT cover
Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.
- Memory-resident malware analysis — see Applied Memory Forensics
- Cloud investigation (M365, Entra ID) — see Practical Incident Response: Windows & M365
- Linux artifact analysis — see Practical Incident Response: Linux Systems
Tools covered
KAPE, EZ Tools (MFTECmd, PECmd, AmcacheParser, ShimCacheParser, JLECmd, LECmd, SBECmd, RECmd, EvtxECmd, SrumECmd, RBCmd), Arsenal Image Mounter, FTK Imager, Registry Explorer, Timeline Explorer, HxD, Plaso/Log2Timeline, Velociraptor. All primary tools are free.
Technical requirements
Windows 11 VM: VMware Workstation Pro (free) with Windows 11 Evaluation ISO (free, 90-day).
Lab evidence: Forensic image files and pre-collected artifact packages provided with each module.
KQL: Basic KQL recommended for Event Log correlation modules.
No paid tools required. All forensic tools are free.
Course Syllabus
Four phases. Fifteen modules. WF0–WF1 are free — no account required.
Phase 1 — Foundations (WF0–WF1, free)
Phase 2 — Filesystem and System Artifacts (WF2–WF7)
Phase 3 — Advanced Analysis and Correlation (WF8–WF10)
Phase 4 — Applied Investigation and Capstone (WF11–WF14)
Lab Pack — Hands-On Forensic Analysis Practice
This course includes a production-grade lab pack with two complete forensic scenarios that plant realistic artifacts on your own Windows VM: an insider exfiltration case (INC-NE-2026-0915) and a 72-hour ransomware attack (INC-NE-2026-1022). You capture memory, run KAPE, parse artifacts with the EZ Tools suite, and build court-defensible findings using the same workflow the course teaches. Your VM, your tools, your investigation.
What's included: Two PowerShell artifact generators (Insider and Ransomware), two cleanup scripts, 10 HTML walkthroughs covering MFT through anti-forensics, 30+ practice exercises with hints and expected answers, 10 self-grading verification scripts, 4 court-defensible report templates (examination report, finding documentation, timeline exhibit, QA checklist).
Artifacts planted by the generators: real MFT and USN entries from file copies and mass renames, real Prefetch from implant execution, ShellBags from folder navigation, LNK and Jump Lists from document opens, UserAssist entries, SRUM network telemetry, Event Log entries (4688, 7045, 4104, 1102), USB device registry history, OneDrive personal account configuration, 10 ransomware persistence mechanisms (scheduled tasks, services, Run keys, WMI subscriptions, IFEO hijack), a VSS shadow copy for the WF8 recovery exercises, and hard-mode anti-forensics (timestomping, log clearing, selective Prefetch deletion).
Lab environment (free): Windows 11 VM with 16 GB RAM, PowerShell 5.1+, admin privileges. KAPE and EZ Tools on your analysis workstation. Optional but recommended: Sysmon, Arsenal Image Mounter for VSS work. See the Lab Setup Guide for the complete build.
Forensic workflow covered: Memory acquisition, KAPE triage collection, MFT parsing (MFTECmd), USN Journal analysis, Prefetch (PECmd, including format version 31), Amcache, Shimcache, ShellBags (SBECmd), LNK (LECmd), Jump Lists (JLECmd), UserAssist (RECmd), SRUM (SrumECmd), EVTX parsing (EvtxECmd), registry forensics across SYSTEM/SOFTWARE/NTUSER/UsrClass/Amcache hives, VSS shadow copy mounting and recovery, super timeline construction in Timeline Explorer, anti-forensic detection ($SI/$FN mismatch, EventRecordId gap analysis, Prefetch deletion residue), and court-defensible report production.
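The two anti-forensic checks named above and in the "Detect anti-forensic manipulation" outcome ($SI/$FN comparison and EventRecordID gap analysis) are shown below as an added worked example. It is not course material or lab-pack code: it builds one constructed 1024-byte NTFS FILE record inline (the file name, timestamps, MFT record number and the list of EventRecordIDs are all invented for the demonstration), applies the update-sequence fixups, walks the resident attributes to pull the four timestamps out of $STANDARD_INFORMATION and $FILE_NAME, and flags the classic timestomp indicators, then checks a list of EventRecordIDs for a hole.

```python
"""Added example (not part of the course or its lab pack): parse a raw NTFS
FILE record, apply the $SI/$FN timestomp checks, and run an EventRecordID
gap check. The MFT record and the record IDs are constructed inline."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI, FN, END = 0x10, 0x30, 0xFFFFFFFF           # attribute types / end-of-attributes marker


def filetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(seconds=ft // 10_000_000, microseconds=(ft % 10_000_000) // 10)


def ticks(dt):
    """Inverse of filetime(), used only to build the constructed sample."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def parse_record(rec):
    """Apply update-sequence fixups, then walk the resident attributes of one 1024-byte record."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_cnt):                  # on disk the last 2 bytes of each sector hold the USN
        end = i * 512
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]   # restore the real bytes
    attr_off, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    attrs = {}
    while attr_off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, attr_off)
        if atype == END or alen == 0:
            break
        if rec[attr_off + 8] == 0:               # resident attribute: content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, attr_off + 0x10)
            attrs.setdefault(atype, []).append(bytes(rec[attr_off + coff:attr_off + coff + clen]))
        attr_off += alen
    return {"in_use": bool(flags & 1), "attrs": attrs}


def timestomp_indicators(si_ticks, fn_ticks):
    """Heuristics, not proof: both also occur benignly (archive extraction, copies that preserve
    times), so corroborate against $UsnJrnl and $LogFile before calling it manipulation."""
    hits = []
    if si_ticks[0] < fn_ticks[0]:
        hits.append("$SI created precedes $FN created")
    if any(t % 10_000_000 == 0 for t in si_ticks):
        hits.append("$SI timestamp has zero sub-second ticks (SetFileTime-style tool)")
    return hits


def analyse(rec):
    parsed = parse_record(rec)
    si, fn = parsed["attrs"][SI][0], parsed["attrs"][FN][0]   # first $FN suffices for this check
    si_ticks = struct.unpack_from("<4Q", si, 0)   # created, modified, MFT changed, accessed
    fn_ticks = struct.unpack_from("<4Q", fn, 8)   # same order, after the 8-byte parent reference
    name = fn[0x42:0x42 + 2 * fn[0x40]].decode("utf-16-le")
    return {"name": name, "in_use": parsed["in_use"],
            "si": [filetime(t) for t in si_ticks], "fn": [filetime(t) for t in fn_ticks],
            "indicators": timestomp_indicators(si_ticks, fn_ticks)}


def record_id_gaps(record_ids):
    """EventRecordIDs are contiguous inside one .evtx (rollover drops the oldest chunk, not the
    middle); a hole in the middle means records the file once held are no longer there."""
    ids = sorted(set(record_ids))
    return [(a, b) for a, b in zip(ids, ids[1:]) if b - a > 1]


def build_record(si_ticks, fn_ticks, name="specs_q3.xlsx", record_no=1234):
    """Constructed sample: a minimal in-use FILE record with one $SI and one $FN (hypothetical file)."""
    def attr(atype, attr_id, content):
        total = (0x18 + len(content) + 7) & ~7                # attribute length is 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, attr_id, len(content), 0x18, 0, 0)
        return hdr + content + b"\0" * (total - 0x18 - len(content))
    si = struct.pack("<4Q", *si_ticks) + struct.pack("<4I", 0x20, 0, 0, 0) + b"\0" * 24   # 72-byte $SI
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), *fn_ticks, 4096, 3000, 0x20, 0, len(name), 3)
    fn += name.encode("utf-16-le")                            # parent = root (entry 5), Win32&DOS namespace
    body = attr(SI, 0, si) + attr(FN, 1, fn) + struct.pack("<I", END) + b"\0" * 4
    used = 0x38 + len(body)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, used, 1024, 0, 2, 0, record_no)
    rec = bytearray(hdr + b"\0" * 8 + body)
    rec += b"\0" * (1024 - len(rec))
    usn = b"\x07\x00"                                          # stamp fixups the way NTFS writes them
    rec[0x30:0x32] = usn
    for i in (1, 2):
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = usn
    return bytes(rec)


TRUE_CREATE = ticks(datetime(2026, 9, 3, 14, 22, 7, tzinfo=timezone.utc)) + 1234567  # genuine: sub-second ticks
STOMPED = ticks(datetime(2024, 1, 15, 9, 0, 0, tzinfo=timezone.utc))                  # backdated to a whole second
STOMPED_RECORD = build_record([STOMPED] * 4, [TRUE_CREATE] * 4)
CLEAN_RECORD = build_record([TRUE_CREATE] * 4, [TRUE_CREATE] * 4)
EVENT_RECORD_IDS = [48120, 48121, 48122, 48123, 48130, 48131]   # constructed: 48124-48129 missing

if __name__ == "__main__":
    for label, rec in (("stomped", STOMPED_RECORD), ("clean", CLEAN_RECORD)):
        r = analyse(rec)
        print(label, r["name"], "SI created", r["si"][0], "FN created", r["fn"][0], r["indicators"])
    print("EventRecordID gaps:", record_id_gaps(EVENT_RECORD_IDS))
```

Point the same parse_record() at a 1024-byte slice of a real $MFT export and the only thing that changes is the input; the fixup check is what tells you the slice is a whole, unbroken record rather than a torn one, which is the kind of validation the course asks for before trusting a parser's CSV row. Treat the indicators as a prompt to pull the $UsnJrnl and $LogFile entries for that record number, not as a finding on their own.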
Scenarios: Insider threat — 6-week data exfiltration by departing engineer, three USB drives, OneDrive personal account, document renaming to disguise proprietary data. Ransomware — REDSTONE affiliate attack chain across three hosts (patient zero DESKTOP-NGE-FIN01 to file server SRV-NGE-FS01), phishing-to-encryption in 72 hours, 10 persistence mechanisms, 500-file rename burst.
What you get that you will not find elsewhere
This is not a tool tutorial. Tool tutorials show you how to run KAPE and read EZ Tools output. This course teaches you what the artifact means at the binary level — so when the tool is wrong, you know.
This is not certification preparation. This course teaches the forensic discipline at examiner depth. Certification syllabi are a separate objective; this course is built for the practitioner who needs to produce court-defensible findings, not pass a multiple-choice exam.
This is written, searchable, and self-paced. Fifteen modules you can read at the workstation, re-read during an investigation, and reference when a client asks how you reached a conclusion. No fixed schedule, no instructor dependency, no time-limited access — you subscribe, you learn at your pace, you come back to the reference when you need it.
Every artifact module includes anti-forensic detection. Other training teaches artifact analysis as if evidence is always pristine. This course teaches you to detect when evidence has been tampered with.
You leave with court-defensible methodology, not just analysis skills. Report templates, finding documentation, methodology descriptions, confidence frameworks, and cross-examination preparation guides.
Usage rights and disclaimer
Course materials: Licensed for individual professional development. You may not redistribute course content or share account credentials.
Forensic evidence: All lab evidence files are fictional constructs. Validate forensic procedures against your jurisdiction's legal requirements before use in legal proceedings.
Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental. IP addresses use RFC 5737 documentation ranges.
Version and changelog
Current version: 1.0 | Last updated: 2026
2026 — v1.0: Course launch. 15 modules across 4 phases. Complete Windows forensic artifact analysis from MFT binary structures through court-defensible investigation methodology.
This course is actively maintained. Check this page for version updates.
End of Course Exam
Complete the course, then prove your skills under time pressure. Pass mark: 70. Distinction: 90. Earn your certificate with CPE credits.
Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.