Windows Malware Forensics
A practical workshop focusing on the forensic investigation of Windows-based operating systems.
40 Hours
Blue Team


Windows-based operating systems are proving grounds for forensic evidence. They generate vast amounts of information, and their by-products record the actions and events on each system. Every file executed on the system leaves an abundance of traces in various operating system logs and artifacts. Whether a user is browsing the web, filling out a form, opening documents, or deleting files, the activity, down to the exact position of the user interface window, is recorded by the operating system's built-in automated mechanisms.

The course covers the following topics:



Digital forensics in a rapidly changing space
  • Post-mortem (forensics) vs. real time (incident response)
  • What is host forensics?
  • The order of volatility and evidence types
  • The methodology of running an investigation
  • Open source: Yes we can!
  • Building your own examination platform
Disk and filesystem analysis
  • Media analysis concepts
  • The Sleuth Kit (TSK)
  • Partitioning and disk layouts
  • Special containers
  • Hashing
  • File carving
  • Forensic RAW Imaging with dd
  • Converting virtual storage to RAW images
Generating filesystem timelines
  • Filesystem MACB timestamps
  • Generating body files from images and mounted media
  • Timeline generation and analysis with fls and Autopsy
  • Indexing modifications, access, and creation with Linux shell
  • Timeline generation and analysis
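The body-file-to-timeline step above is worth seeing end to end. The following Python script is an added example, not part of the course materials: it parses a TSK body file (the format produced by `fls -r -m C: -o <sector offset> image.dd > body.txt`), expands each entry into one event per distinct timestamp, labels it with the MACB flags the way `mactime` does, and sorts the result. The body file here is a few constructed lines embedded inline so the script runs offline; the paths, inodes and epoch timestamps are made up for illustration.

```python
"""Build a mactime-style MACB timeline from a TSK 3.x body file.

Body-file columns (pipe-separated):
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
Timestamps are epoch seconds; 0 means "not set".
"""
from datetime import datetime, timezone

# Constructed sample body file (not from a real image): made-up paths,
# inodes and timestamps for illustration only. The last line mimics an
# NTFS $FILE_NAME entry with no timestamps, which must yield no events.
SAMPLE_BODY = """\
0|/Users/alice/Downloads/invoice.pdf.exe|51233|r/rrwxrwxrwx|0|0|204800|1700000100|1700000050|1700000050|1700000050
0|/Windows/Prefetch/INVOICE.PDF.EXE-1A2B3C4D.pf|51234|r/rrwxrwxrwx|0|0|8192|1700000300|1700000300|1700000300|1700000120
0|/Windows/System32/config/SYSTEM|8821|r/rrwxrwxrwx|0|0|16777216|1600000000|1700000310|1700000310|1600000000
0|/Users/alice/Downloads/invoice.pdf.exe ($FILE_NAME)|51233|r/rrwxrwxrwx|0|0|204800|0|0|0|0
"""

# Body-file column order is atime|mtime|ctime|crtime (indices 7..10).
# mactime's MACB column reports them in the order M, A, C, B.
_TS_FLAGS = (("M", 8), ("A", 7), ("C", 9), ("B", 10))


def parse_body_line(line):
    """Parse one body-file line into (name, inode, size, {epoch: flags}).

    Returns None for blank lines, comments, or lines with the wrong
    number of fields so a damaged line never aborts the whole run.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split("|")
    if len(fields) != 11:
        return None
    name, inode, size = fields[1], fields[2], int(fields[6])
    flags_by_ts = {}
    for flag, idx in _TS_FLAGS:
        ts = int(fields[idx])
        if ts <= 0:  # unset timestamp: no event for this flag
            continue
        flags_by_ts[ts] = flags_by_ts.get(ts, "") + flag
    return name, inode, size, flags_by_ts


def build_timeline(body_text):
    """Expand every entry into one event per distinct timestamp, sorted.

    Each event is (epoch, macb, size, inode, name); identical timestamps
    collapse into one row, e.g. 'M.CB' for a file whose mtime, ctime and
    crtime agree (typical of a freshly written file).
    """
    events = []
    for line in body_text.splitlines():
        parsed = parse_body_line(line)
        if parsed is None:
            continue
        name, inode, size, flags_by_ts = parsed
        for ts, flags in flags_by_ts.items():
            macb = "".join(f if f in flags else "." for f in "MACB")
            events.append((ts, macb, size, inode, name))
    events.sort(key=lambda e: (e[0], e[4]))
    return events


def events_near(events, pivot_epoch, window_seconds=600):
    """Return the events within +/- window_seconds of a pivot time.

    This is the usual analysis move: pick a known-bad timestamp (say the
    creation of a suspicious Prefetch file) and look at what else changed
    around it.
    """
    lo, hi = pivot_epoch - window_seconds, pivot_epoch + window_seconds
    return [e for e in events if lo <= e[0] <= hi]


def format_timeline(events, tz=timezone.utc):
    """Render events as fixed-width text, always in an explicit timezone."""
    rows = []
    for ts, macb, size, inode, name in events:
        when = datetime.fromtimestamp(ts, tz).strftime("%Y-%m-%d %H:%M:%S %Z")
        rows.append(f"{when}  {macb}  {size:>10}  {inode:>8}  {name}")
    return "\n".join(rows)


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_BODY)
    print(format_timeline(timeline))
    print("--- around the Prefetch file's creation ---")
    print(format_timeline(events_near(timeline, 1700000120, 200)))
```

Two points the output makes visible: the Prefetch file's birth time (B) precedes its M/A/C times by three minutes, which is the normal pattern for a program that was run more than once, and the $FILE_NAME line contributes nothing because all four timestamps are zero. Always pass an explicit timezone (`-z UTC` in `mactime`, `tz=` here); a timeline assembled in the analyst's local zone is a classic source of off-by-hours errors.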
Windows system artifacts
  • Windows file systems (FAT32, NTFS)
  • Registry forensics
  • Event logs
  • Prefetch files
  • Shortcut files
  • Windows executables
Internet-related artifacts
  • Browser artifacts (history, stored passwords, form data, and autocomplete)
  • Mail client artifacts
  • File-sharing artifacts
  • Messaging and VoIP client artifacts
  • IDE and other DevTools
Super timeline all the things
  • Super timelines: What and why
  • Getting started with Plaso
  • Creating timelines
  • Using collection filters
  • Event filters
  • Analysis plugins
  • Analyzing Plaso output with Elasticsearch and Kibana
Memory forensics
  • Memory acquisition
  • Memory dump formats
  • Hibernation (.sys) files, swap files, and Windows crash dumps
  • Virtual machine memory files
  • The Volatility Framework
  • Processes, handles, and tokens
  • File objects in memory
  • Network artifacts in memory
  • Command history
Hunting Windows malware in memory
  • PE files in memory
  • Packing and compression
  • Code injections
  • Event logs in memory
  • MFT extraction and filesystem timeline from memory
  • Extracting files
  • Windows Registry analysis in memory (UserAssist, ShimCache, ShellBags)
  • Dumping password hashes, LSA secrets
Digging deeper (Windows memory)
  • Hidden network connections
  • Raw sockets and sniffers
  • Internet History
  • DNS and ARP cache recovery
  • Investigating service activity
  • Generating “Super” timelines and Registry Timestamping
  • (Re)constructing attack flows
  • Volatility strings
The Windows forensic challenge
  • Enterprise-scale multi-machine Windows Breach CTF (1 Day)
  • Multi-step “targeted” attack
  • Analysis reports
  • Challenge walkthrough and investigative conclusions

SOTERIA Global is a global leader in cyber-security training solutions and services.

The cyber world is now a part of our everyday life. New technology emerges daily, and as opportunities increase, so do cyber risks. Threats constantly evolve, and we must protect our valuable assets.

A successful cyber defense has many factors, but they all have one thing in common: dedicated, skilled individuals.

SOTERIA Global experts develop our solutions and rely on the best technological assets on the market. Our global presence extends across four continents, giving us access to the best cybersecurity professionals.

Our solutions range from customized training programs to developing cyber-oriented facilities, ensuring that individuals and organizations are ready to face real-world threats. Over the years, we have worked with organizations across many sectors, giving us the skill set to shape and adapt our solutions to meet our clients' needs.

Target audience
    • Analysts
    • Security researchers
    • Forensics researchers
    • IT specialists
    • Incident response teams
Prerequisites
    • User-level knowledge of Windows operating systems
    • Familiarity with TCP/IP protocols
    • Familiarity with cyberwarfare methods
    • Prior experience working with Linux and bash is advantageous
Objectives
    • Perform forensic analysis on disks and file systems
    • Perform forensic analysis on Windows and Linux operating systems
    • Perform a complete and well-managed forensic investigation
    • Investigate web-based artifacts
    • Find evidence using memory forensics