
Incident response and Windows forensics

Incident Response and Windows Forensics is a highly detailed training course for corporate incident responders and forensic investigators.

Corporate Windows forensics plays a central role in threat hunting and incident response. Many Windows forensics courses focus on the techniques and methods used in the field, but very often they do not address the underlying questions: why enterprise forensics is required, how incident response and forensics correlate, and how to conduct a digital investigation and collect digital evidence for an APT attack.

This training teaches how Windows forensics correlates with incident response, so that participants better understand the workflow in a SOC environment.

The training starts with the investigation procedure and the analysis techniques used to gather and preserve evidence. It covers almost every sub-division of DFIR, including live response, dead-box forensics, live forensics, network forensics, email forensics, browser forensics, disk forensics, memory forensics, malware hunting, and investigating the tools, techniques and procedures of advanced persistent threats in an organization. Incident response and Windows forensics has become its own area of expertise; this is APT use-case oriented training with accompanying coursework and certification.


Incident Response and Windows forensics training | AWF-112 1
MODULE 1 : Windows Forensics for Incident Response
  • What is corporate digital forensics
  • Why corporate digital forensics differs from criminal investigations
  • How forensics correlates with incident response
  • Why deep forensics is needed in APT hunting
  • Understanding APTs and their attacks
  • The MITRE ATT&CK framework for investigations
MODULE 2 : Standard Forensics Investigation Process
  • Basic Forensic Process
  • Forensics 6A's
  • Physical Protection of Evidence
  • Chain of Custody
  • Forensic Investigator Roles
  • Investigation Methods in Breached Environments
  • Understanding the Complexity of an Investigation Case
  • Case Study with Threat Hunting, Threat Intelligence and IR Teams
MODULE 3.1 : Windows Registry and Internals Investigation
  • Registry Forensics In-Depth
  • Registry Core
    • Hives, Keys, and Values
    • Registry Last Write Time
    • MRU Lists
    • Deleted Registry Key Recovery
    • Identify Dirty Registry Hives and Recover Missing Data
    • Rapidly Search and Timeline Multiple Hives
  • System Analysis
    • Identify the Current Control Set
    • System Name and Version
    • Document the System Timezone
    • Wireless, Wired, VPN, and Broadband Network Auditing
    • Perform Device Geolocation via Network Profiling
    • Identify System Updates and Last Shutdown Time
    • Registry-Based Malware Persistence Mechanisms 
MODULE 3.2 : Investigating Advanced Internals
  • Shellbag Forensics
    • Shortcut Files (.lnk) – Evidence of File Opening
    • Windows 7-10 Jumplists – Evidence of File Opening and Program Execution
    • Shellbag Analysis – Evidence of Folder Access
  • Forensicating Additional Windows OS Artifacts
    • Windows Search Index Forensics
    • Extensible Storage Engine Database Recovery and Repair
    • Thumbs.db and Thumbcache Files
    • Windows Recycle Bin Analysis (XP, Windows 7-10)
    • Windows 10 Timeline Activities Database
    • Evidence of File Downloads
    • Office and Microsoft 365 File History Analysis
    • Windows 7, Windows 8/8.1, Windows 10 Search History changes
    • Typed Paths and Directories
    • Recent Documents (RecentDocs)
    • Open Save/Run Dialog Boxes Evidence
    • Application Execution History via UserAssist, Prefetch, Windows 10 Timeline, System Resource Usage Monitor (SRUM), and BAM/DAM
  • USB and BYOD Forensic Examinations
    • Vendor/Make/Version
    • Unique Serial Number
    • Last Drive Letter
    • MountPoints2 – Last Drive Mapping Per User (Including Mapped Shares)
    • Volume Name and Serial Number
    • Username that Used the USB Device
    • Time of First USB Device Connection
    • Time of Last USB Device Connection
    • Time of Last USB Device Removal
    • Auditing BYOD Devices at Scale
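The UserAssist artifact listed under application execution history above is easy to decode by hand, so here is an added worked example (written for this page, not part of the course material). Under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count, each executed program path is stored ROT13-encoded as the value name, and on Windows 7 and later the 72-byte value data carries the run count, focus count, focus time and last-execution FILETIME at fixed offsets. Windows XP used a shorter 16-byte layout, which this decoder rejects rather than mis-parses. The registry values below are constructed in code rather than read from a hive so the script runs offline; the program paths, counts and timestamps are invented, and the known-folder GUID table is a small subset.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Known-folder GUIDs that prefix UserAssist program paths (subset, assumed).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"C:\Program Files",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"C:\Program Files (x86)",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"C:\Windows",
}


def filetime_to_datetime(ticks):
    """Convert a FILETIME integer to an aware UTC datetime (None if zero)."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer math to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist(value_name, value_data):
    """Decode one UserAssist Count value (Windows 7 and later layout).

    Offsets inside the 72-byte value:
      0x04 DWORD    run count
      0x08 DWORD    focus count
      0x0C DWORD    focus time (milliseconds)
      0x3C FILETIME last execution (0 if never recorded)
    """
    if len(value_data) < 68:
        raise ValueError("value too short for the Windows 7+ UserAssist layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", value_data, 4)
    (last_run,) = struct.unpack_from("<Q", value_data, 60)
    program = codecs.decode(value_name, "rot_13")
    # Expand the known-folder GUID prefix so the path is readable in a report.
    for guid, folder in KNOWN_FOLDERS.items():
        if program.upper().startswith(guid):
            program = folder + program[len(guid):]
            break
    return {
        "program": program,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_run),
    }


def execution_timeline(values):
    """Decode (name, data) pairs and order them by last execution time."""
    decoded = [decode_userassist(name, data) for name, data in values]
    # Entries without a timestamp sort first so they are not silently lost.
    return sorted(decoded, key=lambda e: e["last_run"] or FILETIME_EPOCH)


def build_sample_value(program, run_count, focus_count, focus_ms, last_run):
    """CONSTRUCTED registry value for the demo: ROT13 name + packed 72-byte data."""
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run) if last_run else 0)
    return codecs.encode(program, "rot_13"), bytes(data)


# Constructed sample: three entries as an examiner might export them from NTUSER.DAT.
SAMPLE_VALUES = [
    build_sample_value(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe", 14, 9,
                       120000, datetime(2023, 1, 15, 10, 30, tzinfo=timezone.utc)),
    build_sample_value(r"C:\Users\Public\update.exe", 1, 1, 800,
                       datetime(2023, 1, 15, 10, 32, 5, tzinfo=timezone.utc)),
    build_sample_value(r"{6D809377-6AF0-444B-8957-A3773F02200E}\7-Zip\7zFM.exe",
                       3, 2, 45000, None),
]

if __name__ == "__main__":
    for entry in execution_timeline(SAMPLE_VALUES):
        print(f"{entry['last_run']}  runs={entry['run_count']:<3} {entry['program']}")
```

The ROT13 name and the FILETIME are the two places decoders commonly go wrong: the GUID hex letters are rotated too (so the prefix is only recognisable after decoding), and a zero FILETIME means "never recorded", not 1601.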
MODULE 3.3 : Email Forensics In Depth
  • Email Forensics
    • Evidence of User Communication
    • How Email Works
    • Email Header Examination
    • Email Authenticity
    • Determining a Sender’s Geographic Location
    • Extended MAPI Headers
    • Host-Based Email Forensics
    • Exchange Recoverable Items
    • Exchange Evidence Acquisition and Mail Export
    • Exchange Compliance Search and eDiscovery
    • Unified Audit Logs in Office 365
    • Google Workspace (G Suite) Logging
    • Recovering Data from the Google Workspace (G Suite)
    • Web and Cloud-Based Email
    • Webmail Acquisition
    • Email Searching and Examination
    • Mobile Email Remnants
    • Business Email Compromise
MODULE 3.4 : Advanced Browser Forensics
  • Browser Forensics
    • History
    • Cache
    • Searches
    • Downloads
    • Understanding Browser Timestamps
    • Private Browsing and Browser Artifact Recovery
    • IE and EdgeHTML InPrivate Browsing Analysis
    • Chrome, Edge, and Firefox Private Browsing Analysis
    • Investigating the Tor Browser
    • SQLite and ESE Database Carving and Examination of Additional Browser Artifacts
    • Identifying Selective Database Deletion
    • DOM and Web Storage Objects Analysis
    • Rebuilding Cached Web Pages for Investigations
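"Understanding Browser Timestamps" above is where most browser-history errors come from, because each browser stores time as a bare integer against a different epoch and unit. The following Python is an added example written for this page (not course material): it decodes the common formats, and, because a value carved out of a damaged SQLite or ESE database arrives with no type information, it also tries every known epoch on a raw integer and keeps only the decodings that fall inside a believable date window. The artifact names in the sample rows are real, but the values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Epochs behind the raw integers found in browser databases and Windows artifacts.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # WebKit/Chromium, FILETIME
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix, Firefox PRTime
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Apple Cocoa (Safari)


def webkit_to_datetime(us):
    """Chrome/Edge History (visits.visit_time, urls.last_visit_time): microseconds since 1601."""
    return EPOCH_1601 + timedelta(microseconds=us)


def prtime_to_datetime(us):
    """Firefox places.sqlite (moz_historyvisits.visit_date): microseconds since 1970."""
    return EPOCH_1970 + timedelta(microseconds=us)


def filetime_to_datetime(ticks):
    """Windows FILETIME (registry LastWrite, WebCacheV01.dat ESE columns): 100-ns ticks since 1601."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def unix_to_datetime(value, millis=False):
    """Unix time in seconds (Firefox cookies.sqlite expiry) or milliseconds."""
    delta = timedelta(milliseconds=value) if millis else timedelta(seconds=value)
    return EPOCH_1970 + delta


def cocoa_to_datetime(seconds):
    """Safari History.db: seconds since 2001-01-01 UTC."""
    return EPOCH_2001 + timedelta(seconds=seconds)


DECODERS = {
    "webkit_us": webkit_to_datetime,
    "firefox_prtime_us": prtime_to_datetime,
    "filetime_100ns": filetime_to_datetime,
    "unix_s": unix_to_datetime,
    "unix_ms": lambda v: unix_to_datetime(v, millis=True),
    "cocoa_s": cocoa_to_datetime,
}

# Believable window for a case; tighten it to the actual incident timeframe.
EARLIEST = datetime(2000, 1, 1, tzinfo=timezone.utc)
LATEST = datetime(2040, 1, 1, tzinfo=timezone.utc)


def plausible_decodings(value, earliest=EARLIEST, latest=LATEST):
    """Try every epoch/unit on a raw integer and keep the decodings that land
    inside the window. Candidates that overflow datetime (a WebKit value read
    as Unix seconds, say) are discarded rather than reported."""
    hits = []
    for label, decode in DECODERS.items():
        try:
            dt = decode(value)
        except (OverflowError, ValueError):
            continue
        if earliest <= dt <= latest:
            hits.append((label, dt))
    return hits


# CONSTRUCTED rows standing in for values carved from four different artifacts.
SAMPLE_ROWS = [
    ("Chrome History visits.visit_time", 13353724800000000),
    ("Firefox places moz_historyvisits.visit_date", 1709251200000000),
    ("IE/Edge WebCacheV01.dat AccessedTime", 133537248000000000),
    ("Firefox cookies.sqlite expiry", 1709251200),
]


def decode_rows(rows):
    """Return {artifact: [(epoch_label, datetime), ...]} for each carved value."""
    return {name: plausible_decodings(value) for name, value in rows}


if __name__ == "__main__":
    for artifact, hits in decode_rows(SAMPLE_ROWS).items():
        print(artifact)
        for label, dt in hits:
            print(f"    {label:<18} {dt.isoformat()}")
```

All four sample values decode to the same instant (2024-03-01 00:00:00 UTC) under their correct epoch and to nothing believable under any other, which is the property the window test relies on; the results are UTC, and conversion to the subject's local time belongs in the reporting step, not the decoder.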
MODULE 4 : Data Triage for DFIR Operations
  • Windows operating system anatomy from a forensics point of view
  • NTFS file system overview
  • Understanding document and file metadata
  • File and stream carving tools and techniques
  • Web browser private-browsing artifact recovery and examination
  • Email artifact recovery and examination
MODULE 5 : APT Attack Investigations and Incident Response
  • Live memory forensics vs. dead forensics
  • Detecting system-compromise events with Prefetch and ShimCache
  • Identifying executed and suspicious binaries on a machine with Amcache
  • Windows log parsing and environment setup
  • Windows events in depth
  • Understanding privilege-escalation attacks and techniques
  • Identifying privilege-escalation vectors with Windows event IDs
  • PowerShell for forensics and live detection of Active Directory attacks
  • Network forensics and evidence detection in corporate networks
  • Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data-loss determinations
  • Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
  • Reverse engineer custom network protocols to identify an attacker's command-and-control capabilities and actions
  • Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
  • Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
  • Prepare a report on the system compromise
MODULE 6 : Windows Memory Forensics Primer
  • Windows process architecture and memory mapping
  • Memory analysis vs. Volume Shadow Copy-based detection
  • KDBG, the VAD tree, PEB and EPROCESS in depth for memory analysis
  • Memory blocks and their interconnection with the hibernation file
  • Importance of cached data in memory analysis
  • Evidence mapping in memory with APT detection techniques
  • Analysing memory for rootkits, DLL hijacking and process hollowing
  • Anatomy and investigation of Windows process injection
  • In-depth investigation of APT malware attacks
  • Python for modern memory investigations
  • Anti-forensics techniques and the evidence they leave for investigators
  • Forensic timeline science and super-timelining against anti-forensics techniques
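The VAD tree, PEB and process-injection items above reduce to two checks that memory tools such as Volatility's malfind run per process, so here is an added example written for this page (not the course's own code or a Volatility plugin) that models them in Python. The first check flags private (non-file-backed) memory that is both writable and executable, with extra weight when it starts with an MZ header that no file on disk backs; the second compares the PEB's ImageBaseAddress with the VAD covering it, because a hollowed process still reports its original image path while the region at that address is no longer a mapping of that file. The process snapshots, addresses and byte values are constructed; the page-protection constants are the real Win32 values.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Win32 page-protection constants as they appear in VAD entries.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITABLE_AND_EXECUTABLE = (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


@dataclass
class Region:
    """One VAD node: address range, protection, and the file backing it (if any)."""
    start: int
    end: int
    protection: int
    mapped_file: Optional[str] = None   # None => private (VadS) memory
    head: bytes = b""                   # first bytes of the region, read from the dump


@dataclass
class Process:
    """The subset of EPROCESS/PEB state the two checks need."""
    pid: int
    name: str
    peb_image_base: int        # PEB.ImageBaseAddress
    image_path: str            # image path the process claims (PEB ImagePathName)
    regions: List[Region] = field(default_factory=list)


def region_at(proc, address):
    return next((r for r in proc.regions if r.start <= address < r.end), None)


def find_injected_code(proc):
    """malfind-style heuristic: private regions that are writable and executable.
    RX-only private regions (JIT heaps) are deliberately not flagged here."""
    hits = []
    for r in proc.regions:
        if r.mapped_file is None and r.protection in WRITABLE_AND_EXECUTABLE:
            reason = "private RWX region"
            if r.head.startswith(b"MZ"):
                reason += " containing an unbacked PE image"
            hits.append({"pid": proc.pid, "process": proc.name,
                         "start": r.start, "end": r.end, "reason": reason})
    return hits


def find_hollowing(proc):
    """The VAD covering PEB.ImageBaseAddress must be a file mapping of the same
    binary the process claims to be; private memory there, or a different
    backing file, means the original image was unmapped and replaced."""
    r = region_at(proc, proc.peb_image_base)
    if r is None:
        return {"pid": proc.pid, "process": proc.name, "reason": "no VAD at PEB image base"}
    if r.mapped_file is None:
        return {"pid": proc.pid, "process": proc.name, "reason": "image base is private memory"}
    if r.mapped_file.lower() != proc.image_path.lower():
        return {"pid": proc.pid, "process": proc.name,
                "reason": f"image base backed by {r.mapped_file}, not {proc.image_path}"}
    return None


def scan(processes):
    findings = []
    for proc in processes:
        findings.extend(find_injected_code(proc))
        hollow = find_hollowing(proc)
        if hollow:
            findings.append(hollow)
    return findings


# CONSTRUCTED snapshots: addresses, names and bytes are invented for the demo.
SAMPLE_PROCESSES = [
    Process(3012, "svchost.exe", 0x7FF6_5A10_0000, r"\Windows\System32\svchost.exe", [
        Region(0x7FF6_5A10_0000, 0x7FF6_5A11_A000, PAGE_EXECUTE_WRITECOPY,
               mapped_file=r"\Windows\System32\svchost.exe", head=b"MZ\x90\x00"),
        Region(0x0150_0000, 0x0160_0000, PAGE_READWRITE),                       # heap
        Region(0x01F0_0000, 0x01F2_0000, PAGE_EXECUTE_READWRITE, head=b"MZ\x90\x00\x03"),  # injected DLL
    ]),
    Process(4188, "notepad.exe", 0x7FF7_1A00_0000, r"\Windows\System32\notepad.exe", [
        Region(0x7FF7_1A00_0000, 0x7FF7_1A04_0000, PAGE_EXECUTE_READWRITE, head=b"MZ\x90\x00"),  # hollowed
        Region(0x0060_0000, 0x0061_0000, PAGE_READWRITE),
    ]),
    Process(5520, "explorer.exe", 0x7FF7_2200_0000, r"\Windows\explorer.exe", [
        Region(0x7FF7_2200_0000, 0x7FF7_2250_0000, PAGE_EXECUTE_WRITECOPY,
               mapped_file=r"\Windows\explorer.exe", head=b"MZ\x90\x00"),
        Region(0x0200_0000, 0x0201_0000, PAGE_EXECUTE_READ),                    # RX only: not flagged
    ]),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESSES):
        print(finding)
```

The hollowed notepad.exe is reported twice, once by each check, which is the expected shape of the evidence: the injected image is private RWX memory, and it sits exactly where the PEB says the legitimate image should be. A clean image mapping uses PAGE_EXECUTE_WRITECOPY too, which is why the first check looks only at regions with no backing file.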
MODULE 7 : Incident Response and Digital Forensics Reporting
  • Report Samples
  • Report Writing Skills
  • Common Mistakes in Reports
  • Report Submission
Who should attend this training?
  • Freshers
  • Ethical hackers
  • Forensic analysts
  • Incident responders
  • Threat hunters

Why should I take this training?

Technology use grows every day, and with that dependency cyber fraud and attacks have increased as well. To defend yourself and your business, this training is a suitable entry point into the domain.

What are the prerequisites for the training?

Participants should be familiar with basic computer operations.

What is the total duration of the training?

It is instructor-led online training with a total duration of 25 hours.


Our clients

Today I've completed my one-to-one online training by Mr Naresh sir from Certcube Labs.
This is the first time I have attended a class in this format and wondered how effective it would be. It was very effective and therefore I would definitely be interested in attending other classes in the same format. The instructor was very knowledgeable and provided a wealth of information about the current version, especially since the last version I used was several releases ago.
Satyam Singh

BCA, Delhi University

A good place to learn every small detail in cybersecurity. Really nice and helpful teacher.

Btech, BITS Mesra
