The class contains demos that will be walked through and explained using one piece of evidence followed by mini labs where you will use the same concepts learned in the demo on mock incident data looking for items of interest. Classes follow the general Cyber Fire Foundry schedule, starting in the morning, ending in the afternoon with a break in the morning, a lunch break, and an afternoon break.

• Security operation center staff
• Incident responders
• Reverse engineers
• Software engineers
• System Administrators
• Site Reliability Engineers

This class is geared toward anybody wishing to learn more about forensic artifacts from Windows systems, how Windows operates internally, and common file systems. This includes incident responders, security operations center staff, red teamers, penetration testers, computer technicians looking to start in forensics, and more.

1. Install a Hypervisor that supports x64 Windows

• We recommend current VMWare products such as Workstation Pro or Workstation Player for Windows and Linux or VMWare Fusion for macOS.
• VirtualBox may work, but you may be limited on advanced virtual machine functionality and may encounter issues

1. Download CyberFire Host Forensics Virtual Machine .ova file

• The .ova file linked will be emailed before class and the .ova will be avilable on flash drives at the event)

1. Import into hypervisor

• VMWare Workstation Instructions
• VMWare Player Instructions
• VMWare Fusion Instructions

1. Turn on virtual machine to ensure that it imported properly
2. Turn off the virtual machine
3. Delete the cyberfire ova file that was downloaded

• Virtual machine has been imported and there is no need to keep the original ova