0845 450 6120

CFIS Forensic Investigation Specialist

This specialist-level technical course is designed to practically develop a cyber investigator’s skills and extend their knowledge to reveal potential ‘smoking gun’ evidence from a system.


Investigators need to be capable of collecting and analysing data from a constantly evolving range of disk technologies, file and operating systems. The course is continually updated, based on our experiences, knowledge and client requirements to provide delegates with answers to the ‘How can I collect that data or find evidence of that activity?’

This five day course, updated in 2016 to include Windows 10, provides theory and scenario-based practical exercises and expanding data collection to include ‘live’ and volatile data.

Delegates will investigate artefacts buried in common file systems and ‘recorded’ by Windows of both system and user activity.


Primarily aimed at practising digital forensic investigators and cyber security practitioners who have computer forensic experience and wish to dig deeper and broaden their skills. A natural progression from the CFIP course.


Learning Objectives


Using practical scenarios based primarily on Windows environments and artefacts, you will:

    • Understand the digital investigation process and best practice
    • Build a bootable USB data collection device
    • Collect data from Live, Remote and Virtual systems
    • Understand the underlying structures associated with NTFS, FAT32 and ExFAT file systems
    • Collect and process volatile data
    • Capture a mailbox from a live Microsoft exchange server
    • Investigate a Windows domain controller to identify systems and users
    • Understand RAID storage and rebuild data
    • Test data ‘wiping’ software

    • Understand types of ‘User’ account

    • Investigate Windows Event Logs and USB device activity

    • Examine user activity for program execution, file activity and system navigation

    • Investigate log files

    • Query Chrome web-browser SQLite databases and extract stored passwords

    • Explore and extract data from Volume

    • Shadow Copies

  • Parse and interpret the USN / Change Log


This course will enable you to:

  • Develop your forensic investigation skills to an advanced level
  • Practice new techniques suitable for evidence identification, capture and analysis in a ‘live’ environment
  • Acquire an industry-recognised qualification to support your career progress


Principles and general guidelines surrounding forensic investigations

  • Experience of carrying out forensic investigations
  • A basic computer forensic course, e.g. the CFIP course

Course Content

1. Digital Forensic Investigations

• A review of the investigation process, best practice and equipment

2. Data Theft

• How can data be stolen, investigated and possibly mitigated?

3. Data Acquisition

• Images and Clones; Static, Booted and Live; Physical and selective

• Solid State devices

• Considerations and associated problems

4. Windows Domains

• Gathering information from Domain Controllers

• Capturing File Shares and inaccessible systems

5. RAID’s and Virtualisation

• Identifying and rebuilding RAID’s

• Capturing and examining virtualised systems

6. Volatile Data

• Memory capture and volatile data collection from ‘live’ systems

• Investigating memory using volatility

7. Data Collection – Other Sources

• Exchange servers and web-mail

• Facebook, Websites, Linux and Macs

8. File Systems Revisited

• Understanding FAT32, NTFS and ExFAT data structures from a forensic perspective

9. Data Deletion and Wiping

• Windows Recycle Bins

• Testing wiping software

10. Tracing System Activity

• Investigating the Windows Registry, User Accounts, Event Logs and USB connected devices

11. Tracing User Activity

• Identifying Program execution, Files opened and Folder navigation

• Windows Object ID’s and file tracking

12. Log File Analysis

• Web and FTP logs

• Examination using Cygwin

13. Databases

• SQLite and Chrome browser artefacts

14. Volume Shadow Copies and File History

• Approaches to extracting data from VSC’s

• Windows File History

15. NTFS Journals

• Understand the value of the NTFS journal in investigations

Exams & Certification


CFIS is accredited by CREST and is ideal preparation for the CREST Certified Host Intrusion Analyst qualification.

CFIS has been assessed and accredited by IISP at Level 1: A2, A6 and Level 1+: F2 and F3, enabling you to build knowledge, competency and gain hands-on experience in the areas of the Institute’s Skills Framework.

Privacy Notice

In order to provide you with the service requested we will need to retain and use your contact information in accordance with our Privacy Notice. If you choose to provide us with this information you explicitly consent to us using the information as necessary to provide the request service to you. If you do not agree please do not proceed to request the service from us.

Marketing Permissions

Would you like to receive our newsletter and other information on products and services which we think will be of interest to you by email. We will always treat your information with care and in accordance with our Privacy Notice. You are free to withdraw this permission at any time.


Our Customers Include