NextGen Infosec Training

Windows Forensics

Windows Forensics will guide you step by step through the process of investigating a computer running Windows from a Linux forensic workstation. Everything you need to know from the moment you receive the call for assistance until the final report is written is covered. All of the tools discussed in this course are free and most are also open source. The course material is over 18 hours of HD videos and almost entirely hands-on.

– Dr. Philip Polstra
Instructor, Windows Forensics, Linux Forensics, and USB Forensics

Promotional Pricing – Enroll Now!


1. What is the Windows Forensics course about?

This course will familiarize students with all aspects of Windows forensics. By the end of this course students will be able to perform live analysis, capture volatile data, make images of media, analyze filesystems, analyze network traffic, analyze files, perform memory analysis, and analyze malware, all on a Linux forensic workstation with readily available free and open source tools. Students will also gain an in-depth understanding of how Windows, FAT, and NTFS work under the covers.

The Windows Forensics course covers all the topics in the book “Windows Forensics” (Oct 2016 release) by Dr. Philip Polstra and much more. It follows the same systematic and pedantic approach to the subject as the USB Forensics and Linux Forensics courses, and Phil’s best-selling Linux Forensics book.

Dr. Philip Polstra shows how to leverage numerous tools such as Python, shell scripting, Windows command scripts, and MySQL to quickly, easily, and accurately analyze Windows systems. Windows Forensics begins by showing you how to determine if there was an incident with minimally invasive techniques. Once it appears likely that an incident has occurred, Dr. Polstra shows you how to collect data from a live system before shutting it down for the creation of filesystem images. Windows Forensics contains extensive coverage of FAT and NTFS filesystems. A large collection of Python, Windows command, and shell scripts for creating, mounting, and analyzing filesystem images are presented in this book. Dr. Polstra introduces readers to the exciting new field of memory analysis using the Volatility framework among other things. Please refer to the next section for the topics covered.

2. Course Syllabus

A non-exhaustive list of topics to be covered includes:
  1. Live Response
    • Human interactions
    • Creating a live response kit
    • Transporting data across a network
    • Collecting volatile data
    • Determining if dead analysis is justified
    • Dumping RAM
  2. Acquiring filesystem images
    • Using dd
    • Using dcfldd & dc3dd
    • Write blocking
    • Software blockers
    • Udev rules
    • Forensic Linux distros
    • Hardware blockers
  3. Analyzing filesystems
    • Mounting image files
    • Finding the strange
    • Searching tools
    • Authentication related files
    • Recovering deleted files
    • Finding hidden information
  4. The Sleuth Kit (TSK) and Autopsy
    • Volume information
    • Filesystem information
    • FAT 12/16/32
    • NTFS
    • Directory entries
    • Constructing timelines
  5. Timeline Analysis
    • When was the system installed, upgraded, booted, etc.
    • Newly created files (malware)
    • Changed files (trojans)
    • Files in the wrong place (exfiltration)
  6. Digging deeper into Windows filesystems
    • Disk editors
    • Active@ Disk Editor
    • Autopsy
    • FAT 12/16/32
    • NTFS
    • Searching unallocated space
  7. Network forensics
    • Using snort on packet captures
    • Using tcpstat
    • Separating conversations with tcpflow
    • Tracing backdoors with tcpflow
  8. File forensics
    • Using file signatures
    • Searching through swap space
    • Web browsing reconstruction
    • Cookies
    • Search history
    • Browser caches
  9. Registry Forensics
    • RegRipper
    • Python
    • System information
    • Autostart programs
    • USB Devices
    • User info
  10. Memory Forensics
    • Retrieving process information
    • Windows objects
    • Looking for malware
    • Event logs
    • Registry in memory
    • Reconstructing network artifacts
    • Windows services
    • Windows GUI
    • Filesystems in memory
    • Detecting kernel rootkits
  11. Creating Timelines
  12. Reversing Windows Malware
  13. Windows Executables
    • Headers
    • Imports
    • Exports
    • Resources
    • Obfuscation
    • Dynamic linking
  14. Writing the reports
    • Autopsy
    • Dradis
    • OpenOffice



3. Can I see some sample videos for the course?

The total duration of the course videos is a staggering 18+ HOURS of HD content. The course is fully hands-on and you will be spending most of the time doing exercises with the instructor.

The course starts from the very basics and slowly takes you to more complicated topics, making it ideal for self-paced learning. Below are a couple of sample videos from the course:

1. Windows Forensics: Course Introduction

2. Collecting Volatile Data Part 1

3. FAT part 2: Using Active Disk Editor to view an image

4. File Forensics Part 1

5. NTFS Part 2: Volume Boot Record

6. Registry Part 7c: RegRipper

7. Memory Forensics: part 2: Volatility Basics

8. Suspicious Files: part 3: Packers


4. What do I get as a registered student?

A registered student will get the following:

  • HD Download of 18 hours of Course Videos
  • PDF Slides of the full course
  • All Code samples used in the course
  • Certification Exam
  • PDF copy of certificate if you pass the exam

Please note that there is no student forum associated with this low-priced course.


5. What is the course duration? When does it start / stop?

The Windows Forensics course is a completely self-paced, self-study course. There is no fixed course duration or expiry period.


6. Student Testimonials from our existing Certifications

SecurityTube Certifications are currently taken by students from over 90 countries around the world! Here is what our students have to say about us:

I found the SecurityTube Linux Assembly Expert course to be unique as it challenges the trainee to research and write implementations himself rather than just learning a book. This is also reflected by the exam, which requires the user to go hands-on and which, in my opinion, tests the skills of the user a lot better than a multiple choice exam can. I also liked the fact there weren’t any time constraints on when to take the exam, which made it infinitely easier to plan in with regards to my job. The fact you also get a complete GDB course as an extra is a real bonus (Vivek wants to make sure you really know how to use your basic tools). The best part of the SLAE was the price; there are few other trainings of the same quality at the same price.


– Lucas Kauffman
IT Security Advisor
Ernst & Young

After having done my homework on reviewing numerous other online courses covering the subject matter that I wanted to study, I finally chose to settle on taking the SecurityTube Linux Assembly Expert course. I can now confidently state that I was very satisfied with my choice. I was not a novice assembly programmer going into the course, but given the level of confidence and clarity that Vivek had in teaching the material I am positive that even beginners would be able to follow along just fine. I myself feel like I have now gained a deeper appreciation for the subtle nuances of assembly programming in the information security field. My warmest thanks to Vivek and the staff at SecurityTube for all their detailed time spent on teaching this course.

– Thanesh Gopal
Software Engineer
Ottawa, Canada

The SecurityTube Linux Assembly Expert course is one of the few courses that I recommend to everyone I meet. Not only is it well put together and comprehensive, the materials are expansive without degrading quality. I’ve been writing shellcode for ten years now, and Vivek still managed to teach me ways of doing things I’d never thought of before. The SLAE course and certification require proof of knowledge that other courses miss, and anyone who has passed it has my utmost respect.

– Jason Spalding
Senior Systems and Security Engineer
Education, Government





7. Why Choose SecurityTube Certifications?

Our certifications are taken by students from over 90 countries and are globally recognized. In addition, SecurityTube Certifications provide:

  • High Quality Content at an Affordable Cost
  • The most Comprehensive Course Coverage in the Industry
  • Uses Open Content for Course Evaluation
  • Concept Oriented, Practical Content rather than only Theory



8. Course Instructor

Dr. Philip Polstra (Dr. Phil) has been involved with technology since an early age. He and one of his brothers cleaned out their savings to purchase a TI-99/4a computer in the early 80’s, much to the chagrin of his parents. He has been tinkering with computers and electronics ever since. Phil is an internationally recognized hardware hacker and information security expert. He has made repeat appearances at several of the top conferences worldwide. Here are just a few of the conferences he has spoken at: DEFCON (six times in four years), Blackhat, 44CON, GrrCON, BruCon, ForenSecure, SecTOR, c0c0n, Shakacon, B-sides Detroit, and B-sides Iowa. His work on developing small affordable hacking devices is documented in the book “Hacking and Penetration Testing with Low Power Devices”. He is also known for his work on USB hacking and forensics. Phil has published several articles on USB-related topics.

Phil is an Associate Professor in the department of Math, Computer Science, and Statistics at Bloomsburg University of Pennsylvania where he teaches Digital Forensics. His current research focus is on developing ultra-low-power hacking hardware. Phil also performs security penetration tests and forensic investigations on a consulting basis. His book “Linux Forensics” is considered a must have by a number of people in the forensics and information security community.

In addition to in-person training, consulting, presenting at conferences, and running conference workshops, Phil has also produced hundreds of instructional videos. His video courses are available at PluralSight, O’Reilly, and elsewhere.

When not teaching, Phil enjoys spending time with his family, tinkering with electronics, attending infosec conferences, experimenting with software defined radio (SDR) and various aviation activities. Phil is an accomplished aviator with a dozen ratings, all of which are current. Phil’s ratings include Commercial Pilot, Flight Instructor, Airframe and Powerplant Mechanic, Aircraft Inspector, and Avionics Technician. His flight hours are measured in the thousands and he has been known to build aircraft.


9. Course Enrollment and Payment





If you cannot use Paypal, please drop us an email at feedback @ for alternate options for payment.

10. Contact Us


Please use the form below if you have any additional questions not answered by this page and we will get back to you ASAP:
