This course is funded
through OJJDP. To register, you must be affiliated with an ICAC Task Force. Furthermore,
you must agree to comply with the ICAC Operational and Investigative Standards. Please
contact your ICAC task force commander if you have any questions about
This course covers the identification and extraction of
artifacts associated with the Microsoft® Windows® operating system. Topics include the change journal,
and a detailed examination of the various
artifacts found in each of the Registry hive files. Students also examine
Event Logs, Volume Shadow Copies, link files, and jump lists. This
course uses a mixture of lecture, discussion, demonstration, and hands-on
Key concepts covered in this course include:
• The registry
• Mounted devices
• Change journal
Excel Office 365 recommended, versions 2010 and
newer will be functional.
This is an advanced course,
intended for experienced digital forensic examiners with a solid understanding
of digital forensic principles.
NW3C recommends that students complete the following courses before
registering for Advanced Digital Forensic Analysis: Windows:
All classes are subject to
cancellation up to 45 days before the start of class if the minimum class
registration threshold is not met.
hands-on practical exercises are intensive, critical to understanding the
material being taught, and required to successfully complete the class. If your
computer hardware does not meet the mandatory requirements listed below, your
experience in taking the class will be less than ideal and may also impact other
students while the instructors take time to troubleshoot hardware and software
Mandatory Operating System
• Operating system. Your computer must be running Microsoft Windows 10 or macOS v10.12 or
later. Make sure your operating system is fully updated prior to class.
Smartphones and tablets are prohibited.
• Local administrator access is required. If you do not have
administrative rights, you will not be able to successfully complete the class.
Prior to class, please check with your IT department to install the required
• Disconnect your VPN. Disconnect your work virtual private network (VPN).
Being connected to the Internet through a VPN can block access to the virtual
Mandatory Software Requirements
Workspace App. Required to access our virtual lab
environment and to complete the required hands-on practical exercises.
Chrome. The recommended browser to launch our virtual lab
• Webex Meetings. Required to enter our live
online training environment, Webex Training Center.
• Webex Chrome Extension. Required to launch our
live online training environment, Webex Training Center, and works hand-in-hand
with the Webex Meetings application.
• Dual monitors. You
will need one monitor to join the online classroom, view presentations, see the
instructor’s shared screen, and interact with the instructor(s). The second
monitor is needed to join and use the virtual lab environment to complete
hands-on practical exercises. Not being able to see both interfaces (the online
classroom, and virtual lab environment) simultaneously will make it difficult,
if not impossible to successfully complete hands-on practical exercises. Large
screen monitors, trying to run the two different interfaces split screen, will
NOT work. Multiple computers can also work as a substitute to having multiple
• Hard-wired, high-speed
Internet connection. A wireless Internet connection may be sufficient,
however, a wired connection will improve latency and buffering, and will also
provide better connection speeds and stability overall.
• Microphone and speakers. This is an interactive, live training class and a microphone
is required to interact with the instructor(s), ask questions, give answers, and
provide insights to help enhance the overall class experience. We recommend a
headset, headphones, or earbuds to eliminate feedback and echo when using your
If you have
any questions regarding the mandatory minimum hardware requirements, please