New Forensics Certification from Blue Cape Security? I got it, here is my review.

Introduction

Hello everyone, it's me Chicken0248 with the first ever forensics certification exam from Blue Cape Security, the Practical Windows Forensic Analyst (PWFA). This exam was announced in August 2025, and the exam format is very unique, but it requires you to utilize your Windows forensics methodology to the fullest to be able to pass it.

All packages as of October 2025

Blue Cape Security is another well-known blue team training and consulting company, and it offers various packages for its customers to choose from:

  • Analyst I, priced at $697: comes with the 201 Practical Windows Forensics (PWF) course, 4 forensic investigation scenarios (which they call FOR200) and lastly 2 attempts at the PWFA certification
  • Analyst II, priced at $997: comes with the 301 Advanced DFIR course and 3 advanced DFIR investigation scenarios (which they call IR300). This package does not include the PWFA exam, but it's possible that Blue Cape Security will cook up a certification exam for advanced DFIR later; that's just my guess ¯_(ツ)_/¯
  • Hero Bundle, priced at $1297: this package has everything in Analyst I and Analyst II and also comes with the 101 Enterprise Security Fundamentals course

I only purchased the Analyst I package, when it was discounted, so I will only review the PWF course, the labs and the exam. So if you're in, let's see what this package has to offer.

Core Forensic Track

Analyst I also goes by another name, Core Forensic Track. It comes with 12 months of on-demand access to the course and 150 hours of lab access, and the 12 months of access start right away once you purchase it.

Training Track

Here is the pathway Blue Cape Security laid out for you: you start with the PWF course to learn the fundamentals, then apply your knowledge in the FOR200 investigation scenarios, and lastly validate your skills and methodology in the PWFA exam. The steps are very simple, so I'll structure my review in this order as well.

R U READY? LET’S GO

PWF Course Review

PWF course
86 modules in the course

The PWF course is designed to teach the fundamentals of Windows forensics. It starts with the data collection process, then how to parse a disk image and triage it with KAPE, getting to know each key Windows forensics artifact, timelining, and a little briefing on how to write a report. You can read the whole syllabus of this course here:

https://docs.google.com/spreadsheets/d/1qQlfIsjiGj-o8DKcYk9haY7dfHhyAqer/view?gid=1355574215#gid=1355574215

The majority of this course is video recorded by Markus Schober, the CEO of Blue Cape Security, who will likely be the person you are most familiar with from this company as well.

The course is great for absolute beginners who want to start learning Windows forensics. It covers what each key Windows artifact does without digging too deep into any one of them, and also teaches you how to parse them with free, industry-recognized tools and how to understand the results from these tools.

Further reading

Some of the topics also give you extra resources at the bottom of each video, as well as "Further reading" for those who want to understand more about each artifact and learn its background. I recommend that anyone who has the chance gives them a good read; they are great!

Lab VM

This course also has labs for you to follow along with each topic, and you can access the lab with your browser; no extra tool or VM is needed, you just use their lab instance. One thing I do not like about this is the time limit: you have to extend the instance by 1 hour every hour, and if you did not finish in time then you will have to launch your instance again. (Idk if the instance will completely terminate or not. I did not test it yet)

But what I like about their lab is the Stop feature, where I can choose to stop my lab while it is running, and all the files and artifact results I parsed are still preserved until I launch the lab instance again.

Oh, and I forgot to mention that the course also gives you a Windows forensics cheat sheet, in case you do not remember all the key common Windows artifacts taught in this course, and this cheat sheet will help you in the PWFA exam as well 😀

About the course: I have to admit that I did learn a bit of the fundamentals that I had kept ignoring while going through this course, but then it got boring pretty quickly for me since I was already familiar with most of the artifacts and tools, and the report module is very vague. I expected to see some industry-recognized kind of forensics report, but the course does not dig deep into this one, only a brief section on it.

Another thing to mention is the evidence acquisition part of the course. It does not dig too deep into this part either; it only mentions taking a full memory image and a forensic disk image using a tool like FTK Imager, and data acquisition from a VM. The course does not mention alternative options or tools, so you need to do more research on this topic yourself.

If I were to give a score to this course, I would say "4.5 ⭐ / 5 ⭐ for complete beginners" and "2 ⭐ / 5 ⭐ for seasoned analysts". Yeah, in my opinion seasoned analysts should skip this course and go with a more advanced course, or they already do not need these kinds of courses anymore 😵

Now it is time to talk about the FOR200 Investigation Scenarios.

FOR200 Lab Review

FOR200 focuses on disk and memory image forensics

FOR200 Investigation Scenarios are lab-based forensic scenarios for practicing Windows forensics skills and methodology, and there are 4 scenarios in total, as shown in the image above.

Case difficulty for all FOR200 labs

The difficulty of these labs also varies from Beginner to Advanced, and the labs can be accessed via the browser just like the labs from the PWF course.

All lab files can be accessed from the same lab VM

What do I mean by "the lab"? Well, the artifacts from all 4 scenarios can be accessed from the same shared directory, so essentially you can do all the scenarios from the same VM instance (and you just have to keep extending your instance every hour).

I have to say that the lab instance runs pretty smoothly and I did not experience any lag or freezing at all, so you just need a stable internet connection to enjoy the labs and practice your timeline crafting skills.

Now let's talk about the labs. As you can already see, even though there are 4 scenarios from FOR001 to FOR004, the difficulty does not reflect the number at all. For those who want to do the beginner lab first before the intermediate and hard labs, I recommend doing FOR004 first, then FOR001, FOR002 and finally FOR003.

And since the PWF course only taught Windows forensics with disk images and memory images, that means you will be provided with a full disk image and a full memory dump. But not every scenario provides both: some have only disk, some only memory, and some have both from multiple systems. Ultimately you will need to be familiar with all of them in order to pass the PWFA exam!

FOR200 course structure

Here is the structure of the course created for FOR200 (Blue Cape Security built a website that starts with the course, so everything, including the exam, is delivered as a separate course). You can see that you will also be provided with information about each scenario/case, and then you have to complete the quiz to complete the investigation.

Additionally, Blue Cape Security encourages you to build your own timeline and perform the analysis. They also provide their own reference timeline and summary report for comparison, which is a valuable learning resource. However, don't treat their version as absolute truth; some artifacts may be intentionally omitted to make their timeline easier to read.

Download their timeline example

I recommend downloading the timeline provided in FOR004, keeping only the header row, and using that file as the template for building your own timeline. Once you're done, compare it to their version and see what you might have missed, to reinforce your learning.

For real-life incidents that can involve multiple analysts, go for the tracker made by CrowdStrike here.

Walkthrough videos

At the end of the course, Blue Cape Security also provides walkthrough videos made by Markus himself, which are also a great resource to validate your findings and methodology before taking the exam!

I made a grave mistake here which you should not follow: I only did 1 lab and did not practice with the timeline at all, which then meant I had to learn how to create a timeline the way Blue Cape Security prefers during the actual exam, which I think made my exam experience worse than other candidates' haha…

Badges and certificates

Before going to the exam, you will be awarded a badge and certificate if you pass the quiz of each scenario. Do it and boast about them on your LinkedIn to show what you're capable of!

Exam Experience & Review

The PWFA Exam section

After you purchase the Analyst I package, you will have 3 courses added to your account: the PWF course, FOR200, and the Analyst I Training Track course, which serves as a checklist for you before taking the exam. It is also the gateway to the exam itself, where you can read about the Exam Overview and Requirements and the Grading & Retake Policy in Section 3 of this course before you start the PWFA Exam.

Originally, I wanted to take the exam in the same month I purchased it, since I thought I would have to submit a report just like the HTB CDSA exam, but then I realized that I have to submit a timeline as an xlsx file (you can technically submit docx, but xlsx is preferred). I postponed it until late September and then started the exam.

Exam started

At the launch of the exam, you had to book an exam slot to be able to take it, but now you can start the exam anytime, which is good. Once you start the exam, you will be enrolled in a new course for the exam, and you will be provided with the core logistics, the list of tools present in the exam, the submission requirements, the technical requirements, how your exam is graded, the lab VM and of course the scenario and the exam objectives.

Time was ticking and the chef must be ready to cook!

Additionally, an email will be sent to you as well to remind you what you have to do. As you can see, I started the exam during my lunch break on Monday (30 Sept). I read through everything to make sure I knew what I had to deliver and all the exam objectives, then started the lab VM right away and began parsing artifacts, forming a hypothesis and parsing each artifact according to it. After that my lunch break ended and I went back to work, so I had to analyze those artifacts in the evening of that day.

In the evening, I parsed each artifact at ease, but as you might remember from what I told you in the last section, I had not practiced creating a timeline before, which made me struggle for quite a while until the end of the night. My resolution? Just put everything in, keep only the relevant ones, include the artifacts that support each other as well, then sort it to see the whole picture, and keep repeating that again and again.

Submission received reminder

I spent the whole night trying to complete my timeline and then submitted my first draft to the "assignment" section. Yes, since this is a "course", Blue Cape Security utilizes their "assignment" feature as the timeline submission form, and after you submit it, another email will be sent to your inbox to confirm that your submission was received. They will not grade you until the 7-day exam window closes, and you can also retract your timeline and resubmit a more complete version of it if you overlooked something.

I decided to take a vacation day to rest from the sleepless night, but after I woke up I realized that staying up all night had made me dull and I had missed many crucial pieces of evidence from a couple of artifacts, so I retracted my timeline, filled it in with more events and continued my rest until the next day, when I thought I could reflect more on the timeline and perform solid technical analysis.

But then! I got overwhelmed by my day job and could not focus well on the exam at all, to the point that I thought "I just want it to end, I don't want the gold coin anymore", and finally submitted my timeline with barely enough technical analysis to be evaluated.

whelp

Talking about the exam grading: you have to earn at least 70% to pass the exam, and the score comes from 2 parts, your technical analysis and your timeline. Your technical analysis weighs 66% of the total score while your timeline only weighs 33%, so you have to perform a good analysis from your timeline to be able to pass. If you nail both of them and get higher than 85%, you will be awarded the PWFA challenge coin + swag and have an additional message appear on your certificate as well.

I got the result before my exam window ended, but hey, that's fine

After submitting the report, I thought I would get the exam result the week after my exam period finished, but I received an email regarding my exam result on Friday… I thought they would wait until next Monday, but maybe they assumed I had finished the exam already, so they graded it. I'm ok with that.

And as you can see, I performed well on the timeline part but did poorly on the technical analysis (as expected), which made me miss the bar for the exclusive coin from Blue Cape Security. But hey, at least it's over 😀 If I were in the same shoes on those exam days again, I would still decide to submit the same report nonetheless.

"ORDER PRINTED CERTIFICATE"

In the same email, I also received the link to my digital certificate, and I can order a printed certificate with this service right away. My next step is to post it on my LinkedIn.

After I posted it on LinkedIn, Markus congratulated me on the Blue Cape Security Discord and even told everyone to join in as well. I really like this aspect of their community; it's the same as the CyberDefenders community, where we applaud those who get certified and also encourage others to give the exam a try as well.

Now, for those who are eager to actually try the exam, I'll give you my tips for the exam, and I wish you all can pass the exam (with the excellence score as well).

Exam Tips and Key Takeaways

  • Familiarize yourself with the timeline; use FOR200 to practice your timelining and reporting
  • Do not be lazy like me 😀 Explain in detail what the threat actor did, based on the timeline you created, and do not guess; you have to present it as fact, not a wild guess
  • If possible, try drawing a quick flowchart by hand to understand what really happened. It will also help you actually see the big picture instead of keeping everything inside your head, which will overload your brain.
  • Read the exam objectives carefully; you need to present your technical analysis and timeline according to them 😀
  • Do not hurry to write a summary yet. Craft the complete timeline of everything relevant to the incident first, and then analyze what really happened, to avoid focusing only on a tiny part of the picture and forgetting the big picture. Everything will be perfectly aligned once you have gathered enough evidence for your timeline
  • You have 7 days. Do not hurry to submit your timeline; submit it once you think your timeline is perfect (or almost perfect), and plan your week carefully to make sure that you balance your day job and your exam time.
  • Treat the exam like another FOR200 case, just another Monday, and your state of mind will be at ease. The exam is not hard and is even beginner friendly, but you need to see the whole picture to come to the right conclusion.
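The timelining loop described above (put every parsed event in, keep the relevant ones, note which artifacts support each other, sort, repeat) can be sketched as a small script. This is an added example, not code from the post or from Blue Cape Security; the column names, the 30-second corroboration window and the sample events are constructed assumptions.

```python
"""Added example, not from the post or Blue Cape Security: merge events parsed
from several Windows artifacts into one sorted timeline and record which other
artifacts corroborate each event. Field names, window and rows are assumptions."""
from datetime import datetime, timedelta, timezone
from ntpath import basename

# Constructed sample events, as separate parsers might emit them. Timestamps
# are already in UTC; normalising every source to UTC is step one of any timeline.
RAW_EVENTS = [
    {"ts": "2025-09-30T12:05:10Z", "source": "Prefetch", "subject": "MALWARE.EXE", "detail": "first execution"},
    {"ts": "2025-09-30T12:05:07Z", "source": "Amcache", "subject": "malware.exe", "detail": "hash recorded"},
    {"ts": "2025-09-30T12:04:58Z", "source": "$MFT", "subject": "C:\\Users\\bob\\Downloads\\malware.exe", "detail": "file created"},
    {"ts": "2025-09-30T09:00:00Z", "source": "Security.evtx", "subject": "bob", "detail": "4624 logon, type 2"},
    {"ts": "2025-09-30T12:30:00Z", "source": "Security.evtx", "subject": "svc-backup", "detail": "4624 logon, type 3"},
]

def normalize(event):
    """Parse the timestamp into an aware UTC datetime and derive a comparison key:
    the lowercase file or account name, so a full path in $MFT still matches the
    bare, upper-cased name that Prefetch records."""
    ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return {**event, "ts": ts, "key": basename(event["subject"]).lower()}

def build_timeline(raw_events, window=timedelta(seconds=30)):
    """Sort events by time; each gains 'corroborated_by', the other artifact
    sources that record the same subject within `window` of it."""
    events = sorted((normalize(e) for e in raw_events), key=lambda e: e["ts"])
    for ev in events:
        ev["corroborated_by"] = sorted({
            other["source"] for other in events
            if other["source"] != ev["source"] and other["key"] == ev["key"]
            and abs(other["ts"] - ev["ts"]) <= window
        })
    return events

def to_rows(events):
    """Header row first, then one row per event: the shape of a timeline sheet."""
    header = ["timestamp_utc", "source", "subject", "detail", "corroborated_by"]
    return [header] + [
        [e["ts"].isoformat(), e["source"], e["subject"], e["detail"], ";".join(e["corroborated_by"])]
        for e in events
    ]

if __name__ == "__main__":
    for row in to_rows(build_timeline(RAW_EVENTS)):
        print("\t".join(row))
```

Events with an empty corroborated_by column are the ones to go back and look for supporting artifacts for, or to drop from the timeline if nothing else backs them up.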

That's it for today, I hope you guys enjoyed it. Peace out~✌
