This course is funded through OJJDP. To register, you must be affiliated with an ICAC Task Force. Furthermore, you must agree to comply with the ICAC Operational and Investigative Standards. Please contact your ICAC task force commander if you have any questions about these standards.

Course description
This course covers the identification and extraction of artifacts associated with the Microsoft® Windows® operating system. Topics include the change journal, BitLocker® , and a detailed examination of the various artifacts found in each of the Registry hive files. Students also examine Event Logs, Volume Shadow Copies, link files, and jump lists. This course uses a mixture of lecture, discussion, demonstration, and hands-on exercises.

Key concepts covered in this course include:
     • The registry
     • Shellbags
     • Mounted devices
     • Change journal
     • Prefetch

Excel Office 365 recommended, versions 2010 and newer will be functional.

Recommended skills
This is an advanced course, intended for experienced digital forensic examiners with a solid understanding of digital forensic principles.

NW3C recommends that students complete the following courses before registering for Advanced Digital Forensic Analysis: Windows:

• Introduction to Previewing (online course)
• Encryption (online course)
• How Computers Work & Store Data (online course)
• Basic Digital Forensic Analysis: Windows Acquisition   (classroom or live online course)
• Intermediate Digital Forensic Analysis: Automated Forensic Tools (classroom or live online course)

Cancellation
All classes are subject to cancellation up to 45 days before the start of class if the minimum class registration threshold is not met.

BYOD Course
This is a BYOD (bring your own device) course. You will use your own laptop computer for all in-class exercises.

Computer Requirements
The hands-on practical exercises are intensive, critical to understanding the material being taught, and required to successfully complete the class. If your computer hardware does not meet the mandatory requirements listed below, your experience in taking the class will be less than ideal and may also impact other students while the instructors take time to troubleshoot hardware and software problems.

Mandatory Operating System Requirements
•Operating system.Your computer must be running Microsoft Windows 10 or macOS v10.12 or later. Make sure your operating system is fully updated prior to class.
•Smartphones and tablets are prohibited.
• Local administrator access is required. If you do not have administrative rights, you will not be able to successfully complete the class. Prior to class, please check with your IT department to install the required software.
• Disconnect your VPN . Disconnect your work virtual private network (VPN). Being connected to the Internet through a VPN can block access to the virtual lab environment.

Mandatory Software Requirements
• Citrix Workspace App. Required to access our virtual lab environment and to complete the required hands-on practical exercises.
• Google Chrome. The recommended browser to launch our virtual lab environment.
• Webex Meetings. Required to enter our live online training environment, Webex Training Center.
• Webex Chrome Extension. Required to launch our live online training environment, Webex Training Center, and works hand-in-hand with the Webex Meetings application.

*Your attendance at this course is conditional upon your compliance with CDC, state, and local guidance regarding COVID-19 prevention. While CDC, state, and local guidance is designed to reduce the rate of COVID-19 infections, nothing can eliminate your risk of contracting COVID-19 or one of its variants. By attending this class, you acknowledge that you understand and are assuming the risk of contracting COVID-19. Due to the rapidly changing nature of COVID-19 guidance, infection rates, and safety standards, this class may be rescheduled or cancelled on short notice.