Windows artifacts Monitoring and Detection: Bootcamp Unit
RCCE students will learn Windows forensic artifacts including registry hives (SAM, SYSTEM, SOFTWARE, NTUSER.DAT), event logs, prefetch files, shimcache, amcache, jump lists, LNK files, and browser artifacts. RCCE students will learn to extract and analyze Windows registry data for evidence of attacker activity, parse Windows event logs for security-relevant events, interpret prefetch data to determine program execution history, analyze shimcache and amcache for evidence of deleted executables, reconstruct user activity from jump lists and recent files, and correlate multiple artifact sources to build comprehensive investigation timelines. This monitoring course teaches comprehensive detection and observability strategies for proactive security operations. At an expert level, RCCE students will learn to instrument systems for security telemetry, build detection pipelines, configure alerting, and maintain monitoring coverage as environments evolve. Students gain the visibility and detection capabilities needed to catch threats early.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Windows artifacts Monitoring and Detection: Bootcamp Unit
- Execute hands-on tasks for windows artifacts
- Monitor and audit privilege usage; detect escalation attempts
- Execute hands-on tasks for learning objectives
- Execute hands-on tasks for forensic artifact mastery — covering Extract data from all major registry hives.
- Monitor and audit privilege usage; detect escalation attempts, including Build detection pipelines for telemetry.
- Explain Windows Forensic Artifacts Overview fundamentals
- Execute hands-on tasks for jump lists
- Execute hands-on tasks for artifact locations — covering Volatile: RAM, network connections, processes.
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for key evidence — covering Local user account creation timestamps.
- Execute hands-on tasks for investigative value — covering unauthorized account creation.
- Execute hands-on tasks for critical keys
| Module 01 | Windows Artifacts |
| Module 02 | Monitoring and Detection |
| Module 03 | Learning Objectives |
| Module 04 | Forensic Artifact Mastery |
| Module 05 | Detection & Monitoring |
| Module 06 | Windows Forensic Artifacts Overview |
| Module 07 | Jump Lists |
| Module 08 | Artifact Locations |
| Module 09 | Registry Hives — Architecture |
| Module 10 | Key Evidence |
| Module 11 | Investigative Value |
| Module 12 | Critical Keys |
| Module 13 | Detection Focus |
| Module 14 | Installed Programs |
All hands-on labs run on Rocheston Rose X OS. Students practice windows artifacts monitoring and detection: bootcamp unit by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for windows artifacts
- Lab 2: Monitor and audit privilege usage; detect escalation attempts
- Lab 3: Execute hands-on tasks for learning objectives
- Lab 4: Execute hands-on tasks for forensic artifact mastery
- Lab 5: Monitor and audit privilege usage; detect escalation attempts
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Windows artifacts Monitoring and Detection: Bootcamp Unit, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI