Hands-On Windows artifacts: Mastery
RCCE students will learn Windows forensic artifacts including registry hives (SAM, SYSTEM, SOFTWARE, NTUSER.DAT), event logs, prefetch files, shimcache, amcache, jump lists, LNK files, and browser artifacts. RCCE students will learn to extract and analyze Windows registry data for evidence of attacker activity, parse Windows event logs for security-relevant events, interpret prefetch data to determine program execution history, analyze shimcache and amcache for evidence of deleted executables, reconstruct user activity from jump lists and recent files, and correlate multiple artifact sources to build comprehensive investigation timelines. This practice-intensive course emphasizes applied skills through lab exercises, real-world scenarios, and production-realistic workflows. At an expert level, RCCE students will learn by doing, building muscle memory and practical confidence through repeated hands-on engagement. Students complete exercises that mirror actual workplace tasks, ensuring skills transfer directly to their professional roles.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Hands-On Windows artifacts: Mastery
- Execute hands-on tasks for hands-on windows artifacts: mastery
- Execute hands-on tasks for knowledge goals
- Execute hands-on tasks for skills goals — covering Extract and parse registry hives.
- Execute hands-on tasks for windows forensic artifact landscape
- Execute hands-on tasks for registry hives
- Execute hands-on tasks for event logs
- Execute hands-on tasks for execution artifacts — covering SAM, SYSTEM, SOFTWARE.
- Execute hands-on tasks for recent docs, shellbags — covering Security, System, Application.
- Execute hands-on tasks for artifact evidence value matrix
- Execute hands-on tasks for proves execution
- Execute hands-on tasks for user attribution
- Execute hands-on tasks for survives delete
| Module 01 | Hands-On Windows Artifacts: Mastery |
| Module 02 | Knowledge Goals |
| Module 03 | Skills Goals |
| Module 04 | Windows Forensic Artifact Landscape |
| Module 05 | Registry Hives |
| Module 06 | Event Logs |
| Module 07 | Execution Artifacts |
| Module 08 | Recent docs, Shellbags |
| Module 09 | Artifact Evidence Value Matrix |
| Module 10 | Proves Execution |
| Module 11 | User Attribution |
| Module 12 | Survives Delete |
| Module 13 | Registry Hives Architecture |
| Module 14 | Windows Registry |
All hands-on labs run on Rocheston Rose X OS. Students practice hands-on windows artifacts: mastery by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for hands-on windows artifacts: mastery
- Lab 2: Execute hands-on tasks for knowledge goals
- Lab 3: Execute hands-on tasks for skills goals
- Lab 4: Execute hands-on tasks for windows forensic artifact landscape
- Lab 5: Execute hands-on tasks for registry hives
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Hands-On Windows artifacts: Mastery, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI