The Registry Analysis Master Class teaches investigators how to use and understand registry forensics during their own investigations, incident response handling, and malware analysis. The course starts by explaining the structure of the registry, followed by an exhaustive look into all of the artifacts it contains. During this time students will learn how to determine which applications ran on the computer, which removable devices were inserted, which files the user accessed, which malware leveraged the registry, and much more.
Backup facilities of the Windows operating system will be discussed, and we will show how backup registry hives can be leveraged to understand user activity going back many months and also to defeat anti-forensics techniques. Throughout the course we will also discuss analysis techniques such as building timelines, creating baselines, and correlating multiple registry artifacts to determine the high-level events of a user or application. For each topic introduced, students will gain real-world experience analyzing sample evidence with the most common registry forensics tools. After each exercise the students will be given access to an answer guide that walks them through how to answer each question. This serves as a great reference for future investigative efforts.