When a Windows host is compromised, the investigator reconstructs what happened. This module trains you in forensic investigation: evidence acquisition, artefacts, memory, the timeline and an admissible report.
• Acquire evidence while preserving its integrity
• Reconstruct execution and persistence
• Analyse memory (Volatility)
• Build a timeline and an admissible report