FOR500: Windows Forensic Analysis | SANS Institute
FOR500: Windows Forensic Analysis
FOR500
Digital Forensics and Incident Response
6 Days (Instructor-Led)
36 Hours (Self-Paced)
Course authored by:
Heather Barnhart, Ovie Carroll, Mattia Epifani & Rob T. Lee
GIAC Certified Forensic Examiner (GCFE)
36 CPEs
Apply your credits to renew your certifications
In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
Essential Skill Level
Course material is for individuals with an understanding of IT or cyber security concepts
22 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Gain an essential understanding of Windows artifacts and learn to perform digital forensics in Microsoft Windows operating systems to recover, analyze, and authenticate data and solve a forensic case.
Featured Quote
This is a very high-intensity course with extremely current course material that is not available anywhere else in my experience.
Course Overview
FOR500 builds comprehensive Microsoft Windows forensics knowledge, providing the means to recover, analyze, and authenticate forensic data, track user activity on the network, and organize findings for use in incident response, internal investigations, intellectual property theft inquiries, and civil or criminal litigation. Use this knowledge to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Detailed, real-world exercises teach, step by step, the tools and techniques every investigator should employ to solve a forensic case. Newly updated to cover all Windows versions through Windows 11! It is also the foundational course for those pursuing the GCFE certification (GIAC Certified Forensic Examiner), one of the most respected credentials in the digital forensics community.
What You’ll Learn
Conduct in-depth forensic analysis of Windows operating systems and media exploitation
Identify artifact and evidence locations to answer crucial questions
Become tool-agnostic by focusing your capabilities on analysis
Extract critical findings and build an in-house forensic capability
Establish structured analytical techniques to be successful in any security role
Business Takeaways
Build an in-house digital forensic capability that can rapidly answer important business questions and investigate crimes
Use deep-dive digital forensics to help solve Windows data breach cases
Understand the wealth of telemetry available in the Windows Enterprise
Identify forensic artifact and evidence locations to answer crucial questions
Receive a pre-built forensic lab setup via a variety of free, open-source, and commercial tools
Build tool-agnostic investigative capabilities by focusing on analysis techniques
Meet Your Authors
Heather Barnhart
Fellow
Heather brings 24+ years of experience supporting government agencies, defense contractors, law enforcement, and Fortune 500 companies. Her extensive case experience spans fraud investigations, crimes against children, counterterrorism, and more.
Ovie Carroll
Principal Instructor
For Ovie Carroll, digital forensics is all about the hunt for evidence in digital places that are hiding critical clues, followed by deep analysis to prove something that the evidence was never intended to prove.
Mattia Epifani
Certified Instructor
Mattia Epifani pioneered methodologies for extracting critical evidence from encrypted mobile ecosystems, including iOS and Apple Watch. His groundbreaking work has become foundational for law enforcement and forensic analysts worldwide.
Rob T. Lee
Fellow
Rob T. Lee is Chief AI Officer and Chief of Research at SANS Institute, where he leads research, mentors faculty, and helps cybersecurity teams and executive leaders prepare for AI and emerging threats.
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in FOR500: Windows Forensic Analysis.
Syllabus Overview
Section 1
Digital Forensics and Advanced Data Triage
Section 1 examines digital forensics in today’s interconnected environments and discusses challenges associated with mobile devices, tablets, cloud storage, and modern Windows operating systems.
Topics covered
Windows Operating System Components
Core Forensic Principles
Live Response and Triage-Based Acquisition Techniques
Labs
Carving Important Files from Free Space
Recovering Critical User Data
Parse Metadata Information in NTFS Master File Table and USN Journal
Section 2
Registry Analysis, Application Execution, and Cloud Storage Forensics
In this section, digital forensic investigators will learn how to discover critical user and system information in Windows Registry that’s pertinent to almost any investigation.
Topics covered
Registry Core and Forensics In-Depth
Profile Users and Groups
Core System Information
Labs
Examining Which Applications a User Executed
Examining Recently Opened Files
Perform Cloud Storage Forensics
Section 3
Shell Items and Removable Device Profiling
In this section, students will learn how to perform in-depth USB device examinations on all modern Windows versions. You will learn how to determine when a storage device was first and last plugged in, its vendor/make/model, drive capacity, and even the unique serial number of the device used.
Topics covered
Shell Item Forensics
ShellBag Analysis
USB and BYOD Forensic Exams
Labs
Understand MSC, HID, and MTP Device Differences
Track USB and BYOD Device Data
Track Bluetooth and Printers
Section 4
Email Analysis, Windows Search, SRUM, and Event Logs
Section four arms investigators with the core email analysis knowledge and capabilities to maintain and build upon this skill for many years to come.
Topics covered
Email Forensics
Forensicating Additional Windows OS Artifacts
Windows Event Log Analysis
Labs
Search for Email and File Attachments with Forensic Tools
Analyze Message Headers and Gauge Email Authenticity
Collect Evidence from Microsoft and Google Tools
Section 5
Web Browser Forensics
During this section, students will comprehensively explore web browser evidence created during the use of Google Chrome, Microsoft Edge, Internet Explorer, and Firefox. The hands-on skills taught here, such as SQLite, LevelDB, and ESE database parsing, allow investigators to extend these methods to nearly any browser they encounter.
Topics covered
Browser Forensics
Private Browsing and Browser Artifact Recovery
SQLite and ESE Database Carving
Labs
Parse Automatic Crash Recovery Files
Identify Anti-Forensics Activity
Recover Microsoft Teams and Slack Chats
Section 6
Windows Forensic Challenge
Nothing will prepare you more as an investigator than a complete hands-on challenge requiring you to use all the skills and knowledge presented throughout the course.
Things You Need To Know
Relevant Job Roles
Forensics Analyst (DCWF 211)
DoD 8140: Cyber Enablers
Investigates cybercrimes, analyzing digital media and logs to establish documentary or physical evidence in support of cyber intrusion cases.
Insider Threat Analysis
NICE: Protection and Defense
Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.
Digital Forensic Analyst Training, Salary, and Career Path
Digital Forensics and Incident Response
This expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.
Digital Forensics (OPM 212)
NICE: Protection and Defense
Responsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
Cybercrime Investigator Training, Salary, and Career Path (OPM 221)
NICE: Investigation
Cybercrime Investigators navigate dark web forums, trace cybercriminal activity, and conduct covert investigations. They follow forensic and legal standards to gather evidence and respond to cybercrimes.
Military Operations / Law Enforcement Agents
Digital Forensics and Incident Response
Execute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
Media Exploitation Analyst
Digital Forensics and Incident Response
This expert applies digital forensic skills to a plethora of media that encompasses an investigation. If investigating computer crime excites you, and you want to make a career of recovering file systems that have been hacked, damaged or used in a crime, this may be the path for you. In this position, you will assist in the forensic examinations of computers and media from a variety of sources, in view of developing forensically sound evidence.
Intrusion Detection/SOC Analysts
Digital Forensics and Incident Response
Analyze network and endpoint data to swiftly detect threats, conduct forensic investigations, and proactively hunt adversaries across diverse platforms including cloud, mobile, and enterprise systems.
Course Schedule and Pricing
GIAC Certification Attempt
Add a GIAC certification attempt and receive two free practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Group and Private Pricing
Enroll your team as a group or arrange a private session for your organization. We’ll help you choose the format that fits your goals.
Location & instructor | Date & Time | Course price | Registration Options
Virtual (OnDemand), instructed by Heather Barnhart | OnDemand (Anytime), Self-Paced, 4 months access | $8,780 USD | Self-Paced
SANS Rocky Mountain 2026, Denver, CO, US & Virtual (live), instructed by Lee Whitfield | (date not listed) | $8,780 USD | In-Person, Virtual
SANS Security Central 2026, New Orleans, LA, US & Virtual (live), instructed by Lee Whitfield | (date not listed) | $8,780 USD | In-Person, Virtual
SANS Security West 2026, San Diego, CA, US & Virtual (live), instructed by Ovie Carroll | (date not listed) | $8,780 USD | In-Person, Virtual
SANS Madrid June 2026, Madrid, ES, instructed by Kathryn Hedley | (date not listed) | €8,230 EUR | In-Person
SANS Cyber Defence Singapore 2026, Singapore, SG & Virtual (live), instructed by Phill Moore | (date not listed) | S$11,390 SGD | In-Person, Virtual
SANSFIRE 2026, Washington, DC, US & Virtual (live), instructed by Ovie Carroll | (date not listed) | $8,780 USD | In-Person, Virtual
SANS Nashville Summer 2026, Nashville, TN, US & Virtual (live), instructed by Mari DeGrazia | (date not listed) | $8,780 USD | In-Person, Virtual
SANS Virginia Beach 2026, Virginia Beach, VA, US & Virtual (live), instructed by Lee Whitfield | (date not listed) | $8,780 USD | In-Person, Virtual
SANS Japan September 2026, Tokyo, JP & Virtual (live), instructed by Phill Moore | (date not listed) | ¥1,335,000 JPY | In-Person, Virtual
*Prices exclude applicable local taxes. Showing 10 of 19 sessions.
Learn Alongside Leading Cybersecurity Professionals From Around The World
As a member of the IR team, this course will aid in investigating compromised hosts.
Best forensics class I have had yet (and pretty much the only one that gives you some sort of framework on HOW to attack an exam).
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources