Essentials of Windows artifacts: Workshop
RCCE students will learn the core Windows forensic artifacts: registry hives (SAM, SYSTEM, SOFTWARE, NTUSER.DAT), event logs, prefetch files, shimcache, amcache, jump lists, LNK files, and browser artifacts. They will learn to extract and analyze Windows registry data for evidence of attacker activity, parse Windows event logs for security-relevant events, interpret prefetch data to determine program execution history, analyze shimcache and amcache for evidence of deleted executables, reconstruct user activity from jump lists and recent files, and correlate multiple artifact sources to build comprehensive investigation timelines. This essentials course covers the core knowledge needed to operate competently in this domain: starting from foundational concepts, RCCE students learn the terminology, risks, and defenses that underpin all further study and professional practice, building a knowledge base that prepares them for more advanced courses and real-world security responsibilities.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing the Windows artifact analysis skills covered in this workshop
- Execute hands-on tasks for advanced cyber defense mastery
- Explain the fundamentals covered in the Executive Overview
- Execute hands-on tasks for why Windows artifacts matter
- Build detections and response workflows for privilege escalation, including timeline reconstruction
- Execute hands-on tasks for core definitions
- Execute hands-on tasks for forensic artifact
- Execute hands-on tasks for registry hive
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for artifact landscape
- Execute hands-on tasks for registry hives
- Execute hands-on tasks for execution artifacts
| Module | Title |
|---|---|
| Module 01 | Advanced Cyber Defense Mastery |
| Module 02 | Executive Overview |
| Module 03 | Why Windows Artifacts Matter |
| Module 04 | Threat Detection |
| Module 05 | Incident Response |
| Module 06 | Core Definitions |
| Module 07 | Forensic Artifact |
| Module 08 | Registry Hive |
| Module 09 | Windows Artifact Architecture |
| Module 10 | Artifact Landscape |
| Module 11 | Registry Hives |
| Module 12 | Execution Artifacts |
| Module 13 | Prefetch, Shimcache, Amcache |
| Module 14 | User Activity |
All hands-on labs run on Rocheston Rose X OS. Students practice the material from Essentials of Windows artifacts: Workshop by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for advanced cyber defense mastery
- Lab 2: Explain the fundamentals covered in the Executive Overview
- Lab 3: Execute hands-on tasks for why Windows artifacts matter
- Lab 4: Build detections and response workflows for privilege escalation
- Lab 5: Build detections and response workflows for privilege escalation
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Essentials of Windows artifacts: Workshop, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI