Investigating Windows Endpoints

  • $795
  • Course
  • 41 Lessons
  • 365-day access

Discover the world of Windows forensic investigation through professional, in-depth training crafted from the expertise behind the 13Cubed YouTube channel. This course delivers affordable and comprehensive content, tailored to help newcomers, experienced professionals looking to sharpen their skills, and anyone fascinated by digital forensics.

Frequently Asked Questions

How long is this course?

Approximately 11 hours for the video content; however, there are three (3) included disk images. The total time required to complete all modules/lessons and perform image analysis is estimated at 20-40 hours.

How long will I have access once I purchase the course?

365-day access is included for all courses. Enjoy a 25% discount if you re-enroll after your initial access period.

🏅 Is there a certification associated with this course?

Yes! You can earn a certification by passing the Knowledge Assessment included with every course purchase. See training.13cubed.com/certifications for details.

Are there any prerequisites?

Just a basic understanding of Windows 10/11, and a willingness to learn!

Isn't this the same as what's on the 13Cubed YouTube Channel?

No! This is entirely new content recorded exclusively for this course. The average 13Cubed Episode is less than 20 minutes, whereas this is a comprehensive ~10 hour syllabus designed to help you master the topics you need to know to be a successful investigator!

I already work in the DFIR field. Why should I take this course?

While this course has been designed to be beginner-friendly, make no mistake: this is a deep dive into Windows forensics. Even if you already think you know a particular topic, I think the chances are very high that you'll learn something new.

What's NOT covered?

This course covers nearly all Windows forensic artifacts used throughout the DFIR community; however, it does NOT cover disk image or memory acquisition, memory forensics, or cloud forensics.

Will new content be added?

Yes! In fact, the "Additional Content" module/section was technically added after the course was announced. New content has already been added there!

Can I suggest new topics for potential inclusion in future modules/lessons?

Yes! Contact us at info@13cubed.com.

Can I obtain a certificate of completion at the end of the course?

Yes! Upon completion of the course, you will automatically receive an email with a link to download your personalized certificate.

🛒 Are bulk purchase discounts available for companies?

Course Contents

Welcome and Introduction
  • Welcome and Introduction

Initial Setup
  • Initial Setup

Windows Event Logs
  • Fundamentals
  • In-depth Analysis
  • Tools and Best Practices

The Registry
  • Fundamentals
  • NTUSER.DAT
  • UsrClass.dat and ShellBags
  • USB Forensics, Networks, and More
  • Scalable Analysis

Evidence of Execution
  • Introduction
  • Prefetch
  • Shimcache/AppCompatCache
  • AmCache
  • PCA
  • MUICache
  • UserAssist
  • SRUM

Persistence, Privilege Escalation, and Lateral Movement
  • Services and Scheduled Tasks
  • LSASS, NTDS.dit, WDigest
  • SMB, RDP, WMI, PsExec, UAL

Anatomy of NTFS
  • Introduction
  • Metafiles, MFT, Journaling, ADS
  • MACB Timestamps
  • Parsing the MFT and USN Journal
  • $I30 Index Attributes

File Deletion and Recovery
  • The Recycle Bin
  • "Permanent" Deletion
  • File Carving with PhotoRec

LNK Files and Jump Lists
  • LNK Files
  • Jump Lists

Timelining
  • The Sleuth Kit (TSK) fls and mactime
  • Plaso/Log2Timeline
  • MFTECmd

Additional Content
  • Web Browser Forensics
  • Thumbs.db and Thumbcache
  • Windows Activity Timeline
  • Windows Search Index
  • Trouble at ACME
  • Continue Your Learning

Knowledge Assessment
  • Knowledge Assessment