DF320 - Advanced Analysis of Windows Artifacts with EnCase

Have questions about training?   Contact us

Duration: 4 Days

**Formerly EnCase Advanced Computer Forensics

This hands-on course is designed for examiners with solid computer skills, seeking to learn advanced concepts in analyzing Windows artifacts. The participants will be provided instruction that includes parsing and analysis techniques on registry data, volume shadow service, random access memory, zip file structures, prefetch, and SQLite content.

Delivery method: Group-Live. NASBA defined level: advanced.

CPE Credits - 32

This course provides in-depth coverage on topics, including:

  • Understanding SQLite databases and querying their data
  • Recovering deleted SQLite data
  • The use of block-based file hash analysis for file recovery
  • Examination of the Microsoft Windows Registry
  • Analyzing Userassist and ShellBag registry data
  • The purpose and function of prefetch files and how to analyze them
  • Analyzing Windows system databases
  • Understanding and examination of the Windows timeline
  • Understanding and examining of the System Resource Usage Monitor Database
  • Identifying Windows notifications and how they can be customized
  • Understanding how the system resource usage monitor is implemented
  • Examination and recovery of Windows event logs
  • Examination of Volume Shadow Copy (VSC) and File History data
  • Identification and recovery of encrypted data
  • Understanding how BitLocker is implemented and the options for recovery and searching
  • Examination RAM using MemProcFS
  • Low-level data recovery from Zip files and the latest version of Microsoft Word documents
  • Hardware and software RAID technology, acquisition, and examination

Course Syllabus


This course is intended for law enforcement officers, corporate and private investigators, computer forensic examiners, and network security personnel. A basic understanding of the concepts of computer forensics is required. The class curriculum builds upon the curriculum included in the DF210-Building an Investigation course, continuing with a focus on file and operating system examinations.


DF210 - Building an Investigation with EnCase or EnCE Certification.


Format Currency Price
Per Student at OpenText Site 2,800.00
Per Student at OpenText Site GBP 2,200.00
Per Student at OpenText Site USD 3,200.00

Taxes: All prices exclude VAT or other taxes where applicable (all currencies).

Extra expenses: Customer site course prices do not include instructor travel expenses, which are billed separately.

Reservations: Please provide a minimum of 3 weeks advance notice when arranging courses at customer sites.

Course and workshop calendar

Below is a listing of all the currently available dates and locations for this course or workshop from OpenText.

Start Date End Date Start Time TimeZone Session Duration Language Location Price Currency Guaranteed To Run Add
May 16, 2023 May 19, 2023 08:00 (UTC+01:00) Europe/London (BST) Full Day English GSI-Reading, UK 2,200.00 GBP Add to cart
May 16, 2023 May 19, 2023 08:00 (UTC+01:00) Europe/London (BST) Full Day English Virtual Classroom - Europe GSI UK Time 2,200.00 GBP Add to cart
Jun 13, 2023 Jun 16, 2023 08:00 (UTC-07:00) America/Los_Angeles (PDT) Full Day English GSI-Pasadena, CA 3,200.00 USD Add to cart
Jun 13, 2023 Jun 16, 2023 08:00 (UTC-08:00) America/Los_Angeles (PST) Full Day English Virtual Classroom - North America GSI Pacific Time 3,200.00 USD Add to cart