The Forensic Artifact Landscape

Module 0 · Free

What this course is

This is an advanced Windows forensic artifact analysis course — the deep, structure-level understanding of every artifact category that separates an examiner who reads tool output from one who understands what the artifact means at the binary level. Fifteen modules take you from the NTFS architecture that generates forensic evidence through super-timeline construction and complete investigation scenarios.

Every investigation depends on artifacts. The detection rule that fires, the timeline that reconstructs the attack, the report that survives cross-examination — all of it traces back to artifacts the operating system created, modified, or failed to delete. The examiner who understands what created the artifact, what it proves, what it cannot prove, and what the attacker can do to manipulate it produces defensible conclusions. The examiner who reads tool output without understanding the underlying data produces reports that collapse under cross-examination.

This course goes deeper than tool proficiency. You'll examine the MFT at the hex level, understand why $FILE_NAME timestamps are forensically more reliable than $STANDARD_INFORMATION timestamps, trace how Prefetch files record execution counts and loaded DLLs, and reconstruct user activity from ShellBags, LNK files, and Jump Lists. Every artifact is examined at the binary structure level — the bytes, the offsets, the parsing logic — so you can explain not just what the artifact says but how you know it's accurate.

The course uses Northgate Engineering investigation scenarios that thread through every module. Three complete investigations — insider threat (INC-NE-2026-0915), ransomware attack (INC-NE-2026-1022), and a third scenario in the capstone — apply every artifact analysis technique to realistic evidence. If you've completed the Practical IR course, you'll recognize the NE environment and investigate new incidents within it.

What this course teaches

Fifteen modules across four phases. WF0 and WF1 are free — no account required.

Phase 1 — Foundations (WF0, WF1). You are here now. WF0 maps the complete taxonomy of Windows forensic artifacts, the NTFS architecture that generates them, the four NTFS timestamps and their forensic significance, evidence reliability assessment, collection priority order, and the five-step analysis methodology (Identify → Extract → Parse → Correlate → Conclude). WF1 is the Master File Table deep analysis — MFT structure, record layout, attribute types, resident vs. non-resident data, $SI vs. $FN timestamps at the hex level, deleted file MFT entries, and MFTECmd analysis with raw verification.

Phase 2 — Filesystem and System Artifacts (WF2–WF8). Seven modules covering every major artifact category at the binary level. USN Journal — the filesystem changelog that records every file operation, including operations the attacker tried to hide (WF2). Prefetch, Amcache, and Shimcache — three overlapping execution artifacts with different persistence, different timestamps, and different evasion profiles (WF3). ShellBags, LNK files, and Jump Lists — user activity evidence that reconstructs what the user (or attacker using the user's session) accessed, opened, and navigated (WF4). SRUM, network artifacts, and browser forensics — application resource usage, network connection history, and browser evidence (WF5). Windows Event Logs — deep forensic analysis beyond the standard event IDs, including log file structure, carving from unallocated space, and event log manipulation detection (WF6). Windows Registry — deep forensic analysis of hive structure, key forensic keys, last-write timestamps, deleted key recovery, and transaction log reconstruction (WF7). Volume Shadow Copies and deleted data recovery — previous versions, shadow copy mounting, carving techniques, and evidence that survives deletion (WF8).

Phase 3 — Advanced Analysis and Correlation (WF9–WF12). Four modules building the advanced skills. Super timeline construction and multi-artifact correlation — plaso/log2timeline configuration, timeline filtering, pivoting across artifact types, and the timeline analysis methodology that turns thousands of entries into a coherent narrative (WF9). Anti-forensics detection and evidence integrity — timestomping detection ($SI vs. $FN comparison), log clearing indicators, artifact destruction traces, and how to prove the evidence hasn't been tampered with (WF10). Artifact collection at scale — KAPE, Velociraptor, and enterprise collection strategies for fleet-wide forensic triage (WF11). Forensic reporting and court testimony — technical report writing, evidence presentation, Daubert standard, and how to explain binary-level artifact analysis to a non-technical audience (WF12).

Phase 4 — Applied Investigation and Capstone (WF13–WF14). Two complete investigation scenarios applying every technique from the course. Insider threat investigation — a departing employee data exfiltration case with artifacts planted across the full evidence spectrum (WF13, INC-NE-2026-0915). Ransomware attack investigation — a complete ransomware timeline from initial access through encryption, reconstructed entirely from forensic artifacts (WF14, INC-NE-2026-1022).

You can study the course linearly (WF0 → WF14) or selectively once Phase 1 is complete. WF1 (MFT) is foundational — complete it before any Phase 2 module. Phase 2 modules can be reordered based on your investigation focus, but WF2 (USN Journal) pairs tightly with WF1 (MFT) and is best completed second. Phase 3 requires Phase 2 concepts — WF9 (super timeline) references every artifact from Phase 2. Phase 4 requires everything before it.

Who this course is for

This is a specialist course for practitioners who already have forensic investigation experience and want to go deeper — from tool proficiency to artifact understanding.

IR practitioner who has completed Practical IR (or equivalent). You can run KAPE, parse with EZ Tools, and produce an investigation timeline. You want to move from "the tool said so" to "I can explain what the artifact means at the binary level, why it's reliable, and what the attacker could have done to manipulate it." This course provides the depth.

DFIR examiner preparing for court testimony. You need to explain artifact provenance and reliability beyond tool output. When the defense counsel asks how you know the timestamp is accurate, you need to explain $SI vs. $FN timestamps at the attribute level, not cite a tool's output. This course builds that explanatory capability.

Detection engineer who wants to understand target artifacts. You write detection rules for endpoint telemetry. Understanding what artifacts your detections target — and what anti-forensic techniques could evade them — makes your rules more robust. WF10 (anti-forensics) and WF3 (execution evidence) are particularly relevant.

Security engineer building forensic readiness programs. You need to understand which artifacts exist by default, which require configuration to enable, how long they persist, and what collection preserves them. WF11 (collection at scale) and WF0 (evidence reliability) provide the architecture context.

Anyone serious about Windows forensics. Whether you're an analyst moving into DFIR, a consultant building forensic capability, or a practitioner deepening your expertise — if you're willing to examine hex dumps and MFT record structures, this course is for you.

Prerequisites

Two required, one strongly recommended.

Windows forensic investigation experience. You should have completed the Practical IR (Windows) course or have equivalent experience — you can collect evidence with KAPE, parse artifacts with EZ Tools (PECmd, MFTECmd, EvtxECmd), construct a basic timeline, and write an investigation report. This course assumes you can already investigate. It teaches you to investigate at the artifact-structure level.

Comfort with hex and binary data. You'll read hex dumps of MFT records, USN Journal entries, and registry hive structures. You need to be comfortable with hexadecimal notation, byte ordering (little-endian), and offset calculations. If you've examined raw data in a hex editor before, you're ready. If hex is entirely new, spend an evening with HxD (free hex editor) examining a few file headers before starting WF1.

Strongly recommended: Practical IR (Windows) course. The investigation methodology, the NE environment, and the tool proficiency from Practical IR are assumed throughout. Learners who skip Practical IR and start here will spend extra time on tool mechanics that this course treats as background knowledge.

Nothing else is required. No programming, no kernel development, no formal forensic certification. The course teaches the binary-level artifact analysis using the same free tools (EZ Tools, Sleuth Kit, Volatility 3, plaso) you already have from Practical IR.

Lab setup

A Windows forensic workstation with the EZ Tools suite and supporting analysis tools. The same setup from Practical IR works — if you completed that course, your workstation is ready.

Forensic workstation. Windows 11 with administrator access. A dedicated VM is recommended for clean analysis. 16 GB RAM recommended (some modules involve memory images and large timeline files). 100 GB free storage for evidence sets.

EZ Tools suite (free). MFTECmd, PECmd, EvtxECmd, Registry Explorer, RECmd, Timeline Explorer, AmcacheParser, AppCompatCacheParser, ShellBagsExplorer, JLECmd, LECmd. Download from ericzimmerman.github.io. If you completed Practical IR, you already have these installed.

Hex editor. HxD (free) or 010 Editor (commercial, optional). Required for raw artifact examination starting in WF1.

Sleuth Kit (free). For raw filesystem analysis — icat, istat, fls. Used alongside EZ Tools for verification.

plaso/log2timeline (free). For super timeline construction in WF9. Install when you reach that module.

Lab packs (downloaded per module). Each module includes realistic NE forensic evidence — MFT extracts, USN Journal exports, Prefetch files, registry hives, event logs, and memory images with planted attack indicators. Downloaded as you reach each module.

What you can skip: you don't need to install anything before starting WF0. The first module is the artifact taxonomy and methodology. Set up your hex editor and verify your EZ Tools installation when you reach WF1.

How the course is structured

Every module from WF1 onward follows the five-step methodology: Identify → Extract → Parse → Correlate → Conclude.

Objective header. The forensic question the subsection answers, the artifact it examines, and the time estimate.

Diagram. Every subsection has an SVG diagram — the artifact structure at the binary level, the relationship between artifact sources, the timeline correlation, or the analysis decision tree.

Binary analysis. Raw hex examination of artifact structures with annotated field offsets, byte interpretations, and the parsing logic that tools apply. You'll see what MFTECmd does at the byte level — so you can verify its output and explain it under oath.

Tool analysis. The same artifact parsed by EZ Tools or Sleuth Kit, with the output correlated to the binary examination. Every tool output is verified against the raw data.

Decision Point. Forensic judgment calls — is this timestamp reliable? Has this artifact been manipulated? Does this evidence support or contradict the hypothesis?

Try-it. Analyze the artifact yourself. Four components: Setup (the evidence file), Task (find the specific forensic finding), Expected Result (the correct conclusion with supporting evidence), and Debugging Branch (what to check if your analysis differs).

Compliance Myth. Forensic misconceptions — "timestamps are always reliable," "deleted means gone," "if the tool parses it the data is accurate."

Artifact footer. The operational artifact — a hex-level reference card, an analysis checklist, a verification procedure.

Module completion pattern. Each module has content subsections (eight to fourteen), a module summary, and a Check My Knowledge subsection with scenario-based questions. Phase 2 modules are the densest — WF6 (Event Logs) and WF7 (Registry) are the longest.

Time per phase

The course is self-paced. No cohorts, no deadlines, no streaks. This is a Specialist-tier course — expect the pace to be slower than standard courses because the material requires deeper engagement.

Phase 1 (WF0, WF1): Two to three evenings. WF0 is the artifact landscape and methodology. WF1 (MFT deep analysis) is dense — plan a full evening for the hex-level examination.

Phase 2 (WF2–WF8): Five to seven weeks at five to eight hours per week. Seven modules covering every artifact category. WF6 (Event Logs) and WF7 (Registry) are the longest modules.

Phase 3 (WF9–WF12): Three to four weeks. Four modules covering advanced analysis. WF9 (super timeline) is the most intensive — building and filtering a timeline with thousands of entries takes practice.

Phase 4 (WF13–WF14): Two to three weeks. Two complete investigation scenarios. Each requires a full weekend or several evenings — you're applying every technique from the course to a complete evidence set with no guidance.

Full course at five to eight hours per week: twelve to eighteen weeks. This course rewards deliberate practice — examining hex dumps, verifying tool output against raw data, and building the explanatory capability that survives cross-examination.

Start here

Go to WF0.1 next. It maps the complete taxonomy of Windows forensic artifacts — the six categories (filesystem, execution, user activity, system, network, volatile), what each category proves, and where each artifact lives on the system. This taxonomy is the mental map you'll use in every investigation.

After WF0.1, the remaining WF0 subsections cover NTFS architecture, the four timestamps and their forensic significance, evidence reliability assessment, collection priority, the five-step analysis methodology, the three NE investigation scenarios, tool validation (when EZ Tools gets it wrong), anti-forensics overview, lab setup, and a scenario-based knowledge check.

Work through WF0 in order. The artifact taxonomy and analysis methodology are the framework every subsequent module applies.

You've built the foundations of artifact-level forensic analysis.

WF0 gave you the taxonomy, NTFS architecture, and the five-step methodology. WF1 took you inside the MFT at the binary level — every attribute, every timestamp, every edge case. From here, every artifact category gets the same raw-first treatment.

  • WF2–WF10: every major Windows artifact decoded at binary level — USN Journal, Prefetch, Amcache, Shimcache, ShellBags, LNK, Jump Lists, SRUM, Event Logs, and the Registry hives
  • INC-NE-2026-0915 (WF13) — Insider data exfiltration capstone. Work the complete investigation from USB history to OneDrive exfiltration evidence
  • INC-NE-2026-1022 (WF14) — Ransomware capstone. Three-host triage (FIN01 → IT03 → FS01) across the 72-hour attack chain
  • The lab pack — 25+ realistic evidence files in 10 formats, simulated KAPE triage pre-populated, both capstones deployable to your own VM
  • Anti-forensic detection methodology — defeat timestomping, log clearing, and Prefetch deletion with cross-artifact correlation