Windows Malware Forensics
A practical workshop focusing on the forensic investigation of Windows-based operating systems.
40 Hours
Blue Team
Windows-based operating systems are proving grounds for forensic evidence. They generate vast amounts of information, and their by-products record the actions and events on each system. Every file run on the system leaves an abundance of entries in various operating system logs. Whether a user is browsing the web, filling out a form, opening documents, or deleting files, the activity, and even the exact location of the user interface window, is documented thanks to the operating system's built-in automated mechanisms.

The course covers the following topics:

Digital forensics in a rapidly changing space
  • Post-mortem (forensics) vs. real time (incident response)
  • What is host forensics?
  • The order of volatility and evidence types
  • The methodology of running an investigation
  • Open source: Yes we can!
  • Building your own examination platform
Disk and filesystem analysis
  • Media analysis concepts
  • The Sleuth Toolkit
  • Partitioning and disk layouts
  • Special containers
  • Hashing
  • File carving
  • Forensic RAW Imaging with dd
  • Converting virtual storage to RAW images
Generating filesystem timelines
  • Filesystem MACB timestamps
  • Generating body files from images and mounted media
  • Timeline generation and analysis with fls and autopsy
  • Indexing modification, access, and creation times with the Linux shell
  • Timeline generation and analysis
Windows system artifacts
  • Windows file systems (FAT32, NTFS)
  • Registry forensics
  • Event logs
  • Prefetch files
  • Shortcut files
  • Windows executables
Internet-related artifacts
  • Browser artifacts (history, stored passwords, forms, autocomplete)
  • Mail client artifacts
  • File-sharing artifacts
  • Messaging and VoIP client artifacts
  • IDE and other DevTools
Super timeline all the things
  • Super timelines: What and why
  • Getting started with Plaso
  • Creating timelines
  • Using collection filters
  • Event filters
  • Analysis plugins
  • Analyzing Plaso output with Elasticsearch and Kibana
Memory forensics
  • Memory acquisition
  • Memory dump formats
  • sys, swap files, and Windows crash dumps
  • Virtual machine memory files
  • The Volatility Framework
  • Processes, handles, and tokens
  • File objects in memory
  • Network artifacts in memory
  • Command history
Hunting Windows malware in memory
  • PE files in memory
  • Packing and compression
  • Code injections
  • Event logs in memory
  • MFT extraction and filesystem timeline from memory
  • Extracting files
  • Windows Registry analysis in memory (UserAssist, ShimCache, ShellBags)
  • Dumping password hashes, LSA secrets
Digging deeper (Windows memory)
  • Hidden network connections
  • Raw sockets and sniffers
  • Internet History
  • DNS and ARP cache recovery
  • Investigating service activity
  • Generating “Super” timelines and Registry Timestamping
  • (Re)constructing attack flows
  • Volatility strings
The Windows forensic challenge
  • Enterprise-scale multi-machine Windows Breach CTF (1 Day)
  • Multi-step “targeted” attack
  • Analysis reports
  • Challenge walkthrough and investigative conclusions

About CYBERPRO
CYBERPRO was founded in cooperation with international information security and training authorities who bring to Israel world-leading cyber training technologies and a learning experience of the highest standard available today.

The partners include the IITC group, which has been training graduates for the high-tech industry for over 20 years and was selected as Cisco's training center in Israel.

CYBERPRO's advanced, sought-after training courses in infrastructure, information security and cyber are internationally recognized. These courses were developed by some of the best cyber experts in the world for international security organizations that emphasize strong training capabilities, professional learning methods, and unique training and practice technologies. Our connections with international groups expose our students to unique employment opportunities in Israel and abroad.

The training and learning tracks are all based on extensive hands-on practice and preparation for the requirements of the industry and profession, so they include technological labs and practice sessions using one of the most advanced simulators in the world.

Target audience
    • Analysts
    • Security researchers
    • Forensics researchers
    • IT specialists
    • Incident response teams
Prerequisites
    • User-level knowledge of Windows operating systems
    • Familiarity with TCP/IP protocols
    • Familiarity with cyberwarfare methods
    • Prior experience working with Linux and bash is advantageous
Course objectives
    • Perform forensic analysis on disks and file systems
    • Perform forensic analysis on Windows and Linux OS
    • Perform a complete and well-managed forensic investigation
    • Investigate web-based artifacts
    • Find evidence using memory forensics