What do I think of Practical Windows Forensics course from TCM Security with Markus Schober

It’s been a while since my last post! Life and work got in the way, but I’m back and hoping to put out many more posts this year!

Now, let’s dive into this amazing course—Practical Windows Forensics from TCM Security, taught by Markus Schober. Before we dive in, shout-out to Blue Cape Security and Markus Schober for creating this fantastic course! If you’re interested in Windows forensics, digital investigations, and incident response, this course is a must.

Now, let’s get into it!

The Practical Windows Forensics course from TCM Security, taught by Markus Schober, is one of the best resources for mastering forensic investigations on Windows systems. While the course officially states 11 hours of content, be prepared to put in many more hours of hands-on practice to truly grasp the material.

Who Should Take This Course?

This course is ideal for:

  • Cybersecurity professionals looking to enhance their forensic skills.
  • Digital forensics & incident response (DFIR) analysts who work on Windows investigations.
  • Ethical hackers & penetration testers who want to understand forensic traces left behind.
  • IT administrators & SOC analysts dealing with security incidents.

No prior forensics experience is required, but a solid understanding of Windows systems and cybersecurity basics will help.

What’s in the Course?

The course provides a deep dive into Windows forensic techniques, covering:

  • Disk forensics: file system analysis, deleted file recovery, and metadata extraction.
  • Memory forensics: investigating volatile memory dumps for malware, credentials, and system activity.
  • Windows artifacts: event logs, registry hives, prefetch files, and more.
  • Incident response: identifying suspicious activity and reconstructing attacks.
  • Forensic tools: hands-on with Autopsy, Volatility, Plaso, KAPE, Evtx Explorer, and more.

Course Syllabus

1) Welcome to Practical Windows Forensics (PWF)

  • Welcome and course introduction (4:25)
  • Resources and Materials Overview (4:32)
  • Course Links
  • PWF Course Roadmap (1:54)

2) Lab Requirements

  • Lab Setup Overview (3:15)

3) Setting up your forensic workstation

  • Build your forensic workstation tutorial and downloads (7:06)
  • VirtualBox and Windows 2019 VM installation (8:46)
  • WSL and Ubuntu installation on Windows 2019 Server (7:56)
  • WSL and Ubuntu installation on Windows 10 (alternative) (4:03)
  • Forensic workstation Windows configuration (5:37)
  • Downloading and installing forensic tools (12:04)

4) Prepare your target system

  • Download and install the Windows 10 VM (9:58)
  • Target system configuration and attack script preparation (8:04)
  • Execute the attack script on the target system (4:38)

5) Data collection process

  • Forensic process overview (3:16)
  • Target system containment (2:35)
  • Memory acquisition of the target system (8:01)
  • Disk acquisition of the target system (9:04)

6) Examination of the forensic data

  • Data examination process overview (1:04)
  • Mounting the disk image with Arsenal Image Mounter (8:32)
  • Overview of Windows files and forensic artifacts (5:46)
  • Creating a triage data collection with KAPE (12:51)

7) Disk analysis introduction

  • Sources of evidence and disk analysis process overview (3:10)
  • Note taking and course materials (2:07)

7.1) Windows registry analysis

  • Windows registry overview (17:07)
  • Exploring the registry with Registry Explorer (9:34)
  • Gathering system information with RegRipper (9:25)
  • RegRipper analysis continued (10:04)
  • Parsing registry hives in bulk with RegRipper (8:52)
  • User accounts and SIDs Overview (11:27)
  • Analysis of user accounts, groups and profiles (14:22)

7.2) User behavior analysis

  • User behavior analysis overview (3:39)
  • UserAssist analysis (5:50)
  • RecentDocs analysis (2:53)
  • ShellBags analysis (13:57)

7.3) Overview of disk structures, partitions and file systems

  • What is a file system? (1:44)
  • Exploring disk structures and the NTFS (8:01)

7.4) Analysis of the Master File Table (MFT)

  • Overview of MFT Records (4:16)
  • Analysis of MFT Records with MFTECmd (10:10)
  • MFT parsing and in-depth analysis with MFTECmd (12:46)
  • File timestamps and the MACB timestamp format (8:56)
  • Investigating file timestomping (3:29)

7.5) Finding evidence of deleted files with USN Journal analysis

  • How can we find evidence of deleted files? (10:24)
  • Analyzing the USN Journal for deleted files (16:57)

7.6) Analyzing evidence of program execution on Windows systems

  • Execution artifacts introduction (1:23)
  • Analyzing the Background Activity Moderator (BAM) (7:50)
  • Analysis of the Application Compatibility Cache (ShimCache) (12:03)
  • Overview of the Amcache (5:38)
  • Analyzing the Amcache with AmcacheParser (9:47)
  • BONUS: Amcache in-depth analysis and why scheduled tasks matter (14:37)
  • Windows Prefetch analysis with PECmd (9:52)
  • Windows Prefetch timeline analysis (11:27)

7.7) Finding evidence of persistence mechanisms

  • Analyzing Windows run keys with Registry Explorer and RegRipper (10:02)
  • How to find evidence of persistence in startup folders (8:38)
  • Windows Services overview and analysis (6:47)
  • Detecting and analyzing malicious scheduled tasks (14:18)
  • Persistence mechanisms analysis with Sysinternals Autoruns (5:30)

7.8) Uncover malicious activity with Windows event log analysis

  • Windows event logs overview (11:00)
  • Analyzing Windows event logs with EventLogExplorer and EvtxECmd (16:44)
  • Windows Defender event log analysis (6:45)
  • Analyzing service installs using the System event log (4:54)
  • Security event log and authentication events (10:11)
  • Authentication events and logon IDs (8:20)
  • PowerShell event logs overview (9:28)
  • Analyzing malicious PowerShell events (15:55)
  • Overview of the Sysmon event log and relevant event IDs (2:19)
  • Detecting malicious events in Sysmon event logs (12:59)

8) Windows memory forensic analysis

  • Setting up Volatility3 in the Ubuntu environment (7:42)
  • Important files for memory analysis (8:40)
  • Gathering Windows system information with Volatility3 (7:40)
  • Update: If you ran the ART-attack script before July 9th!!
  • Detecting suspicious Windows processes (10:40)
  • Dumping processes from the memory (5:53)
  • Detecting and analyzing injected DLLs (13:46)
  • Identifying process owners and associated SIDs (4:37)
  • Detecting and analyzing malicious registry key entries from memory (7:47)

9) Kitchen-Sink analysis with Super Timelines

  • Super timeline analysis process and important requirements (4:43)
  • Preparing tools and converting the disk image with QEMU (5:18)
  • Memory timeline creation with Volatility3 (5:08)
  • Creating a timeline of the disk image with Plaso tools and Log2Timeline (5:55)
  • Merging timelines with mactime parser and creating a Super Timeline (5:54)
  • Super Timeline overview with Timeline Explorer (5:32)
  • Analyzing malicious activity using the Super Timeline (17:28)

10) Reporting

  • Considerations and reporting types (5:33)

11) Final

  • Wrap up and next steps (2:59)

Conclusion

The Practical Windows Forensics course by Markus Schober is one of the best ways to learn Windows forensics. It’s not just about watching videos—you need to invest extra hours in practice to truly understand the tools and techniques.

While the course is challenging, the knowledge gained is invaluable for cybersecurity professionals, DFIR analysts, SOC teams, and ethical hackers. If you’re serious about forensics, this course is a must.

🔥 Highly recommended! 🔥

// Roger

Keep Hacking!
