Windows® Forensic Investigations

Take your Windows® forensic skills to the investigative level.

Delivery Options

BlackBag’s Windows Forensic Analysis course is designed to deepen your Windows digital forensics investigation skills in the format that best meets your needs. Students may attend the course in person in a classroom setting, online through a live, virtual delivery from a work or home computer, or through an on-demand, self-paced option. Our live virtual course features access to a virtual examination system, direct access to live instructors, and a virtual course manual.



This course is open to all levels of forensic examiners. It is comprehensive and in-depth with the curriculum guiding the analysts from hands-on analysis to practical assessments involving the investigative analysis of Windows-based evidence.

Course Description

Take your Windows forensic skills to the investigative level and sharpen your analysis skills with an in-depth understanding of Windows-based evidence. Examiners will gain detailed knowledge of Windows-based file systems and operating system, user, and application artifacts. Windows 10 artifacts will also be scrutinized along the way, providing more evidence to bolster your cases. Discover how the file systems function and what the artifact structures store so you can insightfully choose what to examine and be in charge of the steps you take toward a higher-level investigative analysis. The solid curriculum also features analysis techniques for the Windows Registry, system data, log files, journals, Windows users, link and jump files, prefetch, volume shadow copies, compressed archives, volatile data, and much more. Attendees will learn to recover evidence pertaining to user actions, attached devices, files and folders accessed, applications utilized, and user settings, among many other things. Learn how BlackLight’s powerful evidence parsing and artifact support provide efficiency and a comprehensive evidence assessment. Elevate your examinations to an investigative interrogation of your evidence to drive your cases to new distances. Please view the course syllabus for more information.


Course Length: 4 days

Course Credit: 32 hours – In-person classroom style and live virtual training includes built-in practical assessments for 32 hours of curriculum. Self-paced online training includes built-in practical assessments with 60-day access to learning modules.

Course Objectives

By the end of this course, students will have navigated through practical assessments requiring hands-on analysis of Windows-based evidence. Students will develop a strong familiarity with Windows evidence, including file system, operating system, user, and application artifacts. Students will know where evidence is located, what values are stored in the data structures, and what this data indicates.

Course Requirements

While all are welcome, strong computer skills and an understanding of basic forensic concepts (imaging, live data acquisition, and evidence handling) are highly recommended for the optimal experience in this course.

  • For live virtual trainings, students will be provided a remote virtual student analysis system. A computer with reliable internet is required to access it.
  • For self-paced online trainings, students will work through the lessons on their own systems using the provided course materials. The hardware specifications for running BlackLight in the practical analysis exercises are: macOS 10.14+ or Windows 8 or later (Windows 10 preferred), a 2.8GHz Intel i7, 16GB RAM, and a minimum of 100GB of available storage space.


The course is fee-based.
