Cellebrite Windows® Forensic Investigations (WFI)


5 days
Intermediate-level course

Cellebrite Windows Forensic Investigations (CWFI) is a four (4) day intermediate level training course designed to teach and improve practitioners Windows forensic analysis skills. Students will receive detailed instruction about Windows-based file systems, operating systems, user data, and application artifacts, including Windows 10 artifacts. Emphasis is placed on teaching file system functions and where critical information is stored for insightful, expedited investigations.




Course Content


The solid curriculum also features analysis techniques of Windows Registry, system data, log files, journals, Windows Users, link and jump files, prefetch, volume shadow copies, compressed archives, volatile data, and much more.

This course is open to all levels of forensic examiners. It is comprehensive and in-depth with the curriculum guiding the analysts from hands-on analysis to practical assessments involving the investigative analysis of Windows-based evidence.

Attendees will learn to:

  • Recover evidence pertaining to user actions attached devices, files and folders accessed, application utilized, user settings, amongst many other things.
  • Learn how BlackLight’s powerful evidence parsing and artifact support works to provide efficiency and a comprehensive evidence assessment.
  • Excel your examinations to an investigative interrogation of your evidence to drive your cases to new distances.


By the end of this course, students will have navigated through practical assessments requiring hands-on analysis of Windows-based evidence. Students will develop a strong familiarity with Windows evidence including file systems, operating systems, user, and application artifacts. Students will be knowledgeable with where evidence is located, the values stored in data structures and what this data indicates.


Last modified: Thursday, March 4, 2021, 2:22 PM