Windows Registry Forensics

Discover what the Windows Registry is and why it is important in digital forensic investigations. This module will explore the location and structure of the registry hives in a live and non-live environment, as well as the types of forensic evidence found in the Windows Registry. This will include: user account information, system-wide and user-specific settings, file access, program installation and execution, search terms, auto-start locations and devices attached to the system.

Learn how to set up a forensic workstation to properly examine the Windows Registry. This module takes a look at the location of the Registry files within the Windows OS and the many tools freely available to view the file structure and artifacts contained within the Windows Registry. It includes instruction on the installation, proper use and validation of your forensic software, showing how to get the most out of your automated tools while maintaining an understanding of what the tool is doing behind the scenes.

This module demonstrates an in-depth analysis of the artifacts contained within the NTUser.Dat hive file. This module will show examiners how to locate programs and applications, mounted volumes and connected devices specific to a user, user search terms and typed URLs. Examiners will also be able to locate and identify opened and saved files, typed URLs, user-specific programs set to run at startup and application installation and execution. Examiners will be able to locate, examine and interpret MRU lists (Most Recently Used), UserAssist, user system settings and recently used files.

This module explains forensic artifacts found in the SAM (Security Account Manager) file, which stores and organizes information about each user on a system. This module demonstrates how to identify each user account on a local machine using the relative identifier. Examiners can also learn to interpret username information including the users’ login dates, times and login count. The module will show how to identify the machine that the user account was created on, by interpreting a users’ SIDs (machine/domain identifiers) and recovering user password hashes.