The H-11 Windows Forensics Training Course was designed specifically for military and law enforcement digital forensic response team members, investigators and analysts to address critical mission requirements in an ever changing digital information, evidence, and intelligence environment.

This intensive, hands-on course provides in-depth forensic skills focused on the Microsoft Windows registry and other various operating system artifacts as they relate to computer forensic investigations. The majority of computers in the world utilize a Windows Operating System; this course is a must for all military and law enforcement digital forensic response team members, investigators and analysts.

Military and Law Enforcement personnel will learn the knowledge and skills necessary to conduct effective Windows-based forensic investigations. (Candidates for this course should be familiar with digital forensic fundamentals and should also have a basic knowledge of digital forensic analytical software programs. The perfect prerequisite is the H-11 Digital / Computer Forensics Fundamentals course.)

Students will learn how to identify, find, and use Microsoft Windows artifacts in their investigations and to support their case or mission findings. Students will use computer system and digital forensic software programs and forensic hardware to find artifacts from the following:

• Microsoft Registry components and files from: Windows 95, 98, Me, 2000, XP and Vista
  • NTUSER.DAT, USER.DAT, NTUSER.MAN, and other.DAT or.MAN files
  • SAM
  • SECURITY
  • SOFTWARE
  • SYSTEM
• Thumbs.db database
• Print Spools Remnants
• MetaData and related OLE items
• Compressed and Encrypted files
• Event Logs & Link files
• SWAP, Page, and Paging files
• System Volume and Restore Information
• The Recycled / Recycler Bins
• Deleted files, File Slack, Unallocated Space and INFO2 databases

The course also provides training on how to gain access to files that have been encrypted using the NTFS attribute EFS (Microsoft’s Encrypted File System).

Every module of this training course includes the academic knowledge and hands-on experience necessary to produce competent and proficient digital forensic investigators and practitioners.

The following digital forensic systems and equipment will be introduced and used during the hands-on portions of this course:

• Forensic Imaging Software
• Handheld Field Unit Imaging Device
• CD-DVD Imaging System
• Cell Phone Acquisition and Image System
• Write-Blocking Devices
• Portable Forensic Workstation
• Forensic Analysis Software
• Password Cracking Software
• Forensic Reporting Tool
• CD-DVD Reporting Tool
• Cell Phone Reporting Tool

Each H-11 Digital Forensics course includes a Hands-on Practical Exam to help the student’s retention of skills learned and to reinforce the knowledge attained during the training period.