Registry Analysis Master Class

Registry Analysis for Digital Forensics and Incident Response

The Registry Analysis Master Class teaches investigators how to use and understand registry forensics during their own investigations, incident response handling, and malware analysis. The course starts by explaining the structure of the registry, followed by an exhaustive look at all of the artifacts it contains. Students will learn how to determine which applications ran on the computer, which removable devices were inserted, which files were accessed by the user, which malware leveraged the registry, and much more.

Backup facilities of the Windows operating system will be discussed, and we will show how backup registry hives can be leveraged to understand user activity going back many months and to defeat anti-forensics techniques. Throughout the course we will also discuss analysis techniques such as building timelines, creating baselines, and correlating multiple registry artifacts to determine high-level events of a user or application. For each topic introduced, students will gain real-world experience analyzing sample evidence with the most common registry forensics tools. After each exercise the students will be given access to an answer guide that walks them through how to answer each question. This serves as a great reference for future investigative efforts.

What You'll Learn

  • Understanding Forensics Artifacts Stored in the Registry
  • Developing Processes to Use Registry Forensics in all Investigations
  • Applying Common Analysis Techniques to the Registry
  • Finding Malware in the Registry
  • Tracking User Activity throughout the Registry

Course Outline

  • 1) Introduction
  • 2) Registry Structure & Terminology
  • 3a) The Software Hive
  • 3b) The System Hive
  • 3c) The NTuser Hive
  • 3d) The Other Registry Hives
  • 4) Windows Backup Facilities
  • 5a) Analysis Tools
  • 5b) RegRipper
  • 5c) Registry Decoder
  • 6a) Scripting Registry Forensics - RegRipper
  • 6b) Scripting Registry Forensics - Registry Decoder
  • 7a) Deleted Hive Recovery
  • 7b) Deleted Hive Data Recovery
  • 8) Registry in Memory
  • 9) Registry Timelining
  • 10) Registry Baselining
  • 11) Malware Detection
  • 12) Anti & Anti-Anti Registry Forensics
  • 13) Registry Analysis during Digital Forensics & Incident Response
  • 14) End of Class Wrap-up