Centre For Cybersecurity Institute

Windows Forensics

Your team learns to investigate Windows endpoints and reconstruct attacker activity from registry, log and memory artefacts — using Hex Editors, FTK, Volatility and more across a five-day, hands-on programme.

What your team will learn

Over five intensive days, your team learns to examine Windows endpoints and reconstruct attacker activity from disk, registry, log and memory artefacts. Working through realistic intrusion scenarios, participants use Hex Editors, FTK and Registry Viewers to uncover file-system and registry evidence, then apply Volatility to extract artefacts from memory captures that never touched disk. By the end, the team can produce a defensible forensic timeline from a compromised Windows machine.

Learning outcomes

Participants will be able to:

  • Examine digital data at the byte level — encoding, number systems, disk structures, and hidden files using Hex Editors and FTK
  • Identify, manipulate and extract hidden data, and understand steganography and data-hiding techniques in Windows environments
  • Collect and analyse digital artefacts, including registry hives, NTUSER.DAT, browser artefacts, shadow copies and MFT records
  • Perform advanced memory, event log, network traffic and basic malware analysis for cyber-threat assessment and evidence collection
  • Apply structured investigative methodology — from evidence acquisition through to documented findings — across a range of Windows attack scenarios

Who this programme is for

This course suits incident responders, SOC analysts and IT staff who investigate Windows endpoints after an alert. It is a strong fit for teams formalising how they handle, document and preserve digital evidence from Windows systems, and for organisations that want a dependable internal forensics capability.

How you will learn

Training is delivered on-site at your organisation using a demonstration-led apprenticeship model — “showing over telling” with minimal reliance on slides. Participants work on virtual and host machines, alternating between guided demonstrations, repeated practice labs, challenge questions that promote critical thinking, and capstone scenarios drawn from realistic corporate attack cases. The class size is capped at 30 participants per trainer, ensuring each participant receives direct attention throughout the labs.

Entry requirements

Participants should be comfortable using Windows at a technical level. Prior forensics experience is not required — the programme develops investigative skills from first principles. Basic familiarity with networking concepts is helpful for the network and malware analysis modules.

Duration and delivery

  • Duration: 5 days, 40 hours (8 hours per day)
  • Delivery: On-site at your premises
  • Schedule: Tailored to your organisation’s calendar — contact us to arrange dates
  • Class size: Up to 30 participants per trainer (1:30 ratio)

Fees and funding

The full course fee is S$19,500 (before GST). Singapore Citizens and Permanent Residents may be eligible for SSG subsidies that significantly reduce the cost. Additional offsets are available through SkillsFuture Credits, UTAP and PSEA.

| Learner type | Nett fee (after subsidy) | Total payable (incl. 9% GST) |
|---|---|---|
| SG Citizen 21–39 / PR (70% subsidy) | S$5,850 | S$6,376.50 |
| SG Citizen 40+ (90% subsidy) | S$1,950 | S$2,125.50 |
| Self-funded / standard | S$19,500 | S$21,255.00 |

SkillsFuture Credits (up to S$500), UTAP (S$200–S$500) and PSEA may be applied to offset the nett fee further after subsidy.

Course syllabus

What you will cover

Module 01 Chapter 01: Digital Data

  • Files and disks — encoding, number systems, digital sizes, SSD features
  • Hex Editor — offsets, viewing files, viewing disks
  • Automatic carving — carving methods, automatic carvers, Windows system files
  • Metadata — viewing Modified/Accessed/Created dates, Exif data editing
  • Steganography — identifying, extracting and creating hidden files
  • Hard disk analysis — system files, MFT analysis, FTK

Module 02 Chapter 02: File Forensics

  • Artefacts — directories, browsers, shadow copies
  • Registry analysis — data extraction, NTUSER.DAT, general search
  • Registry viewers and tooling

Module 03 Chapter 03: Collecting Evidence

  • Memory analysis — image creation, Volatility, RAM data carving
  • Events analysis — Event Viewer, audit policy, custom search
  • Network analysis — service protocol analysis, darknet connection identification
  • Malware analysis — basic static and dynamic analysis

Module 04 Chapter 04: Advanced Investigation

  • Advanced memory forensics with Volatility
  • Threat assessment using memory and event artefacts
  • Web application security and vulnerability identification
  • Data transaction security strategies

Module 05 Chapter 05: Capstone & Assessment

  • Corporate network navigation exercise
  • Comprehensive cyber-attack scenario analysis
  • End-to-end attack reconstruction across chapters
  • Findings documentation and evidence reporting

Course fee

Fees and funding

| Fee component | SG Citizen 21–39 / PR | SG Citizen 40+ | Self-funded / Standard |
|---|---|---|---|
| Full course fee | S$19,500 | S$19,500 | S$19,500 |
| SSG subsidy | 70% | 90% | |
| Nett fee (after subsidy) | S$5,850 | S$1,950 | S$19,500 |
| 9% GST on nett fee | S$526.50 | S$175.50 | S$1,755.00 |
| Total payable | S$6,376.50 | S$2,125.50 | S$21,255.00 |

SkillsFuture Credits (up to S$500), UTAP (S$200–S$500) and PSEA may be used to offset the nett fee after subsidy. Fees shown include 9% GST where applicable.

Frequently asked questions

Does this reflect the Windows versions we run?

Yes. We scope the artefacts and scenarios to the Windows client and server versions in your environment, so the techniques transfer directly to your estate.

Is this relevant if we already use an EDR product?

It is. The programme helps your team interpret what an endpoint detection tool surfaces and dig deeper when an alert needs manual investigation.

Do participants need prior forensics experience?

No prior forensics experience is required. Participants should be comfortable using Windows at a technical level. The programme builds investigative skills from first principles using structured, hands-on labs.

What tools will participants work with?

The course is hands-on with Hex Editors, FTK, Volatility, Registry Viewers, Event Viewer, and network and malware analysis tooling — the same tools used in real Windows endpoint investigations.

Is this course eligible for SkillsFuture funding?

Yes. Eligible Singapore Citizens and PRs may access SSG subsidies of 70% or 90% depending on age. SkillsFuture Credits, UTAP and PSEA may also be used to offset the remaining nett fee.

Can the schedule be tailored to our team?

Yes. The five-day schedule is arranged directly with your organisation and can be adapted to suit your team's availability.

Ready to secure your workforce?

Book a 30-minute consultation to scope the right training for your team and your regulatory context.
