MCSI Certified DFIR Specialist
https://www.mosse-institute.com/certifications/mdfir-certified-dfir-specialist.html

MCSI Digital Forensics Library
https://library.mosse-institute.com/cyber-domains/digital-forensics.html

Top 10 forensic artefacts and data sources on Windows
https://www.youtube.com/watch?v=8D0e36gyEYw

The Windows Forensics tools you need to learn and master
https://www.youtube.com/watch?v=EfAhZMb4pnQ


In this video we will demonstrate how you can perform a Windows digital forensics investigation using a simple process. The process primarily consists of five (5) phases:

Phase 1️⃣: Understand the Incident
Review the incident statement. An incident statement is a written account of an event that transpired. This should include who was involved, what happened, where it happened, when it happened and any other pertinent information.
Digital forensic investigations can be used to investigate a wide range of incidents, from data breaches and cyber-attacks to fraud and embezzlement. An understanding of the investigation at hand is critical before proceeding.

Phase 2️⃣: Acquire Forensic Evidence
In a digital forensics investigation, the acquisition of forensic evidence is a critical stage. This is the process of acquiring and preserving digital evidence in a forensically sound manner. This ensures that the evidence is not compromised and can be used in a court of law.
There are a number of ways to acquire forensic evidence, depending on the type of investigation. For example, in a computer forensics investigation, evidence may be acquired by imaging the hard drive of a computer. This creates an exact copy of the drive, which can be examined for evidence.
In other types of investigations, such as a mobile phone forensics investigation, evidence may be acquired by extracting data from the device.

Phase 3️⃣: Generate and Test Hypotheses
The hypothesis generation and testing phase in a digital forensics investigation is a critical step in the process. This is when the investigator forms a hypothesis about what may have happened and then tests that hypothesis to see if it is supported by the evidence. This phase can be iterative, with the investigator forming and testing multiple hypotheses until a conclusion is reached.

Phase 4️⃣: Recover Incident Timeline
The incident timeline recovery phase in a digital forensics investigation is the process of reconstructing the events that occurred on a system. This is done by examining the timestamps on files and other data to determine when they were created, modified, or accessed. This information can then be used to piece together a timeline of events. This phase is important in order to understand what happened on a system and to identify any potential evidence.
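
A minimal sketch of this timeline step, added here as an illustration and not taken from the video or from MCSI material: it walks a directory tree, collects each file's recorded timestamps and sorts them into one UTC timeline. It assumes the evidence is a read-only mounted copy of the acquired image; the function names, sample file names and timestamps are constructed for the example.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

ALL_EVENTS = ("modified", "accessed", "created", "metadata-changed")

def file_events(path):
    """Return [(epoch_seconds, event)] for every timestamp recorded for one file."""
    st = os.stat(path, follow_symlinks=False)
    out = [(st.st_mtime, "modified"), (st.st_atime, "accessed")]
    birth = getattr(st, "st_birthtime", None)  # Windows (Python 3.12+), macOS, BSD
    if birth is not None:
        out.append((birth, "created"))
    elif os.name == "nt":
        out.append((st.st_ctime, "created"))  # older Python on Windows
    else:
        out.append((st.st_ctime, "metadata-changed"))  # POSIX ctime is not creation
    return out

def build_timeline(root, events=ALL_EVENTS):
    """Walk root and return sorted (utc_time, event, relative_path) rows."""
    rows = []
    for p in Path(root).rglob("*"):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            rows += [(ts, ev, rel) for ts, ev in file_events(p) if ev in events]
    rows.sort()  # chronological order across all files
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return [(datetime.fromtimestamp(ts, tz=timezone.utc).strftime(fmt), ev, rel)
            for ts, ev, rel in rows]

def demo():
    """Build a timeline over constructed sample files with known timestamps."""
    samples = {  # constructed: relative path -> (atime, mtime) in epoch seconds
        "Users/alice/Documents/report.docx": (1700000600, 1700000000),
        "Users/alice/Downloads/setup.exe": (1700000900, 1700000300),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (atime, mtime) in samples.items():
            f = Path(root, name)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"sample")
            os.utime(f, (atime, mtime))  # pin the timestamps for the demo
        # Creation times here would be "now", so the demo keeps only M and A events.
        return build_timeline(root, events=("modified", "accessed"))
```

Calling build_timeline() on the mount point of an evidence copy returns every event type; file system timestamps can be altered, so treat the result as one input to cross-check against other artefacts.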

Phase 5️⃣: Briefing and Reporting
This phase can be divided into two parts: the briefing, where the investigator presents their findings to the client, and the reporting, where the investigator writes a report on their findings. The purpose of the briefing is to explain the findings of the investigation to the client, so that they can understand what has happened and make decisions about what to do next. The purpose of the reporting is to document the findings of the investigation so that the client can refer back to it later.