Rob Bonta ~ Attorney General

Registering for: Computer Crimes/Intermediate Forensic Network Analysis


Description

This 24-hour intermediate course is the second of three in the series. It strengthens skills for new and experienced investigators by connecting traditional host-based forensics with network-based evidence. The course starts with a focused refresher on host and network fundamentals, then reinforces how to identify normal behavior in Windows so investigators can spot malicious activity. Participants build hands-on skills to examine filesystem and memory artifacts and use open-source tools to investigate malware and intrusion activity. The course then applies these methods within an incident response framework, with a focus on capturing volatile evidence across the network and analyzing common attacker techniques using open-source tooling. Next, participants learn to collect and assess logs as part of incident response, both on scene and remotely, and develop practical log analysis skills using open-source tools. The course closes with guidance on strengthening investigative capability, sustaining continuous learning, and tracking emerging trends in network forensics.

Prerequisite: Computer Crimes/LAN Investigations (Basic Forensic Network Analysis)

Who Should Attend:

Law enforcement personnel with an interest in cybercrime, including members of white collar crime, fraud, forgery, sex and vice crimes, and patrol units. Students should have the ability to effectively operate a computer in the Windows environment.

Class Objectives:

After completing this course, students will be able to do the following:

1. Identify normal activity in a Windows environment.

2. Explain core Windows operating system architecture.

3. Acquire volatile evidence on scene and through remote collection.

4. Analyze volatile data to support investigations.

5. Collect and analyze logs for investigative and incident response purposes.

Class Outline:

1. Recognize Evil

2. Threats, Vulnerabilities, and Mitigations

3. Credential Theft

4. Malware and Malware Persistence

5. Memory Acquisition

6. Memory Analysis

7. Timeline Creation and Analysis

8. Incident Response and Hunting

9. Event Logs

10. Understanding Lateral Movement

Instructor: Tricia Nelson

Prerequisite: D315 - Computer Crimes/LAN Investigations (Basic Forensic Network Analysis)



You can select a class from the list below for the date and location which is most convenient for you.