Windows 11 Forensic Exploitation

32 Hours / 4-Day

The Advanced Windows® 11 Forensic Exploitation Analysis course offers expert-level training over the span of a week, tailored for digital examiners already well-versed in the fundamentals of digital forensics. This intensive program delves into advanced forensic techniques using an array of third-party tools, specifically honing in on the latest features of Microsoft’s operating system.


Throughout the course, participants will master the utilization of various applications and utilities crucial for the identification, processing, comprehension, and documentation of the latest Windows® 11 artifacts essential for comprehensive digital investigations. Topics covered include navigating the intricacies of chromium-based browsers, decrypting BitLocker encryption, analyzing newly-introduced Windows® apps, dissecting obscured application data, leveraging the Windows Subsystem for Linux and Sandbox environments, and scrutinizing other Windows® 11 specific artifacts. Additionally, students will explore methodologies for reviewing data distributed across multiple locations.


This comprehensive curriculum extends beyond surface-level understanding, offering deep insights into Windows 11 virtualized security measures, alongside comprehensive exploration of new Registry file functionalities and transaction logging. Core Windows artifacts will undergo thorough examination and analysis. The course culminates with an extensive exploration of OneDrive offline storage and synchronization processes across authenticated devices, shedding light on critical aspects of data management.


Of particular importance is the emphasis on SQLite forensics, which is pivotal in data analysis. Students will acquire proficiency in scripting and data exploitation, enhancing their investigative capabilities. By the end of the course, participants will have acquired advanced skills and a nuanced understanding of Windows® 11 forensic exploitation, empowering them to tackle complex digital investigations with confidence and precision.


Students will use a variety of open source and leading forensic applications to examine key artifacts through multiple hands-on labs and student exercises.

InquireRegister for an upcoming class

Windows Operating Systems Overview

  • What is new in the Microsoft Operating Systems
  • Learn of the default security processes deployed in Windows 11
  • Walkthrough Windows 11 from a user perspective
  • First Responder considerations
    • Operating System Access
    • Shut down options
    • Dealing with mounted encrypted volumes (BitLocker)

    Handling BitLocker Encryption

    • Learn how BitLocker is implemented on system partitions and removable media
    • Locate and read the metadata objects located in the encrypted volume
    • Describe BitLocker ToGo
    • Review recovery options when BitLocker fails
    • Handing the OneDrive BitLocked Vault file
    • Workflows in the analysis of a BitLocked volume
      • Event Log analysis
      • Physical device carving

      Windows 11 sub-system Analysis

      • Overview of virtualization technology
      • Explore Windows Sandbox usage and analysis techniques
      • Examine remote Desktop cached data using PowerShell 
      • Explore the uses of Linux Sub-systems (WSL) built into Windows 11
      • Examine user options for WSL installation
      • Examine host-based artifacts through the use of WSL

      Explore Registry analysis on a Windows 11 systems

      • Review the forensic importance of the Windows registry
      • Learn how transaction logging functions and its impact on forensic analysis
      • Explore Windows 11 Account types and reporting techniques
      • Examine hardware tracking in the Windows 11 Registry and Event log files
      • Explore software registrations and how it can be exploited in digital examinations

      User Activity Analysis

      • Review of Windows Shell Links
      • Examination of the new Windows 11 Jump List function
      • Gain an understanding of the function of Automatic Vs. Custom jumplist
      • Learn how cloud-based files are tracked in Jumplists
      • Deep dive into Jump List Analysis and timelining of user activity
      • Examination of backend JumpList databases
      • Learn of the new Windows Search function on Windows 11
        • Explore techniques in extraction of data from the new SQLite search database files
      • Microsoft CoPilot interactions and forensic analysis

      Handing Helium Based Immersive Applications

      • Overview of Immersive application folder structures
      • Explore typical forensic artifacts associated with a Helium based application
      •  Review application Tab cached data
      • Review the function of core Helium based Windows apps
      •  Examining new registry data
      •  Handing corrupted registry files
      •  Learn how to combine MRU data between different registry files
      • Introduction to the Examine the SQLite databases
      • Exploiting stored data using SQLite Scripts

      OneDrive Forensic Analysis

      • Microsoft OneDrive cloud based solution overview
      • Locate key folders of interest
      •  User files
      •  Synchronization log files
      •  User settings
        • Learn the interpretation of stored settings files
        • Exploitation of SQLite databases containing file deletion records and synchronization data
        • Workflows in the identification of files hosted in the cloud vs. locally stored data

          Working with Chromium Based Browser Artifacts

          • Review the Chromium Edge Browser application
          • Locate key folders of interest within the user profile
          • Extract browsing artifacts from various SQLite databases
          • Introduction to LevelDBs and Analysis
          • Extraction of the new Outlook chromium based email client data
          •  Examination of the new Edge Browser WebCache View folder structure
          • Review other applications using the new EBWebView process


          To get the most out of this class, you should:

          • Have 6 months of experience in forensic examinations.

          Request the Syllabus

          Contact Spyder Forensics for more details of the course.

          Hosting Courses

          If you are interested in hosting this, or any of our courses at your facility, contact us.

          Ready to get started?

          No event found!

          CONTACT US