We may earn an affiliate commission when you visit our partners.
Denise Duffy
The Windows Registry Forensics course shows you how to examine the live registry, the location of the registry files on the forensic image, and how to extract files.
Register for this course and see more details by visiting:
OpenCourser.com/course/hbjz50/windows
Three deals to help you save
We found three deals and offers that may be relevant to this course.
Save money when you learn.
All coupon codes, vouchers, and discounts are applied automatically unless otherwise noted.
Valid until December 12
Annual Subscription Savings
Unlock programs from Google, Microsoft, and IBM and join 77% of learners who reported positive career outcomes.
Only $239!
Valid for a limited time only
Future-proof your career
Access O'Reilly books, live events, courses, and more. Save with an annual subscription.
Take
15%
off
What's inside
Syllabus
Introduction to the Windows Registry
Discover what the Windows Registry is and why it is important in digital forensic investigations. This module will explore the location and structure of the registry hives in a live and non-live environment, as well as the types of forensic evidence found in the Windows Registry. This will include: user account information, system-wide and user-specific settings, file access, program installation and execution, search terms, auto-start locations and devices attached to the system. Please use the links and tools provided in the two reading sections to get the URLs and other downloads you will need for the course.
Read more
Syllabus
Introduction to the Windows Registry
Discover what the Windows Registry is and why it is important in digital forensic investigations. This module will explore the location and structure of the registry hives in a live and non-live environment, as well as the types of forensic evidence found in the Windows Registry. This will include: user account information, system-wide and user-specific settings, file access, program installation and execution, search terms, auto-start locations and devices attached to the system. Please use the links and tools provided in the two reading sections to get the URLs and other downloads you will need for the course.
Read more
Preparing to Examine the Windows Registry
Learn how to set up a forensic workstation to properly examine the Windows Registry. This module takes a look at the location of the Registry files within the Windows OS and the many tools freely available to view the file structure and artifacts contained within the Windows Registry. It includes instruction on the installation, proper use and validation of your forensic software, showing how to get the most out of your automated tools while maintaining an understanding of what the tool is doing behind the scenes.
NTUser.Dat Hive File Analysis
This module demonstrates an in-depth analysis of the artifacts contained within the NTUser.Dat hive file. This module will show examiners how to locate programs and applications, mounted volumes and connected devices specific to a user, user search terms and typed URLs. Examiners will also be able to locate and identify opened and saved files, typed URLs, user-specific programs set to run at startup and application installation and execution. Examiners will be able to locate, examine and interpret MRU lists (Most Recently Used), UserAssist, user system settings and recently used files.
SAM Hive File
This module explains forensic artifacts found in the SAM (Security Account Manager) file, which stores and organizes information about each user on a system. This module demonstrates how to identify each user account on a local machine using the relative identifier. Examiners can also learn to interpret username information including the users’ login dates, times and login count. The module will show how to identify the machine that the user account was created on, by interpreting a users’ SIDs (machine/domain identifiers) and recovering user password hashes.
Software Hive File
This module will show examiners how to locate information of forensic value relating to application execution and installation contained within the software hive file. The module will provide an overview of the forensic artifacts found in the software hive file, such as installed programs and applications, operating system type, install date and time, wireless network information, file association, domain logon information, the last logged-on user, programs set to run at startup and tracking USB devices that were attached to the system.
System Hive File
This module will demonstrate evidence of forensic value contained within the system hive file. This module explores the system hive file showing how to determine the current control set, computer name, last shutdown date and time, crash dump settings and location, services set to run at startup, page file settings, prefetch settings, last access file time settings, AppCompat Cache, BAM (background activities monitor) and USB device connections and disconnections with dates and times.
USRClass.dat Hive File
This module identifies and explains forensic artifacts found in the UsrClass.dat hive file. This module will look at the UsrClass.dat hive. The examiner will learn to explain Windows ShellBags, which track user-specific zip files and folder access and settings, including dates and times even on deleted folders and removable media. The examiner will also learn to interpret the sub-key MuiCache, to include installed applications. The Microsoft Photo App, showing recently accessed image files, will also be explored.
AmCache Hive File
This module will examine the AmCache hive file, which stores information relating to the execution of applications. A forensic examination of the AmCache hive file showing the following: application installation, application first run date and time, a file path to the executable file, the source of the application, a SHA-1 hash value of the executable file, plug-and-play connected devices, GUIDs of mounted volumes and system hardware information.
Good to know
Good to know
Know what's good ,
what to watch for , and
possible dealbreakers
Examines ethical issues of forensic science, which is highly relevant to digital investigators in today's legal climates
Taught by Denise Duffy, who is recognized for their work in the field of digital forensics
Provides a detailed understanding of Windows Registry forensics, which is a core skill for digital forensic analysts
Develops an understanding of the structure and organization of the Windows Registry, which is crucial for forensic investigations
Emphasizes the importance of setting up a proper forensic workstation, which is essential for conducting thorough digital investigations
Covers various types of forensic evidence found in the Windows Registry, which is critical for digital forensic analysts to master
Save this course
Save Windows Registry Forensics to your list so you can find it easily later:
Save
Save
Reviews summary
Detailed registry forensics
According to students, Windows Registry Forensics is a high-quality course that thoroughly covers important registry topics. The lectures are engaging and the instructor is knowledgeable and helpful. Students also appreciate the hands-on, practical aspects of the course and feel confident in their ability to apply what they have learned.
Well-structured and informative lessons.
"awesome course"
"really detailed course"
"learns indepth of windows registry"
Facilitator provides quality instruction.
"great learning"
"thank you to my learning instructor"
"knowledgeable and helpful"
Applicable skills in real-world scenarios.
"a real practising"
"infosec"
"forensic investigations"
Activities
Be better prepared
before
your course. Deepen your understanding
during
and
after
it. Supplement your coursework and achieve mastery of the topics covered
in Windows Registry Forensics with these
activities:
Introduction to Basic Concepts
Show steps
Complete this activity to develop a strong foundation for the Windows Registry Forensics course.
Show steps
-
Review the course syllabus and learning objectives.
-
Read the assigned textbook chapters and complete any practice exercises.
-
Install the necessary software tools for the course.
Review System Root File Structure
Show steps
Reviewing systems root files structure will help you better understand the location and structure of the registry hives.
Show steps
-
Review the location of the Registry files on a forensic image.
-
Identify the types of forensic evidence found in the Windows Registry.
-
Locate and explain the purpose of the following files: NTUser.Dat, SAM, Software, System, USRClass.dat, and AmCache.
Review Forensic Concepts
Show steps
Improves understanding of course concepts by reviewing key principles and techniques in forensic science.
Browse courses on
Forensic Science
Show steps
-
Review notes and materials from previous coursework or textbooks on forensic science.
-
Complete practice questions or exercises to test understanding of concepts.
Nine other activities
Expand to see all activities and additional details
Show all 12 activities
Registry Hive Structure
Show steps
Use this activity to refine your understanding of the structure of the Windows Registry.
Show steps
-
Follow the recommended video tutorials on the course website.
-
Practice navigating the registry using the provided tools.
Explore Registry Analysis Tools
Show steps
Enhances practical skills by providing hands-on experience with industry-standard forensic tools.
Show steps
-
Choose a reputable registry analysis tool, such as FTK Imager or RegRipper.
-
Follow online tutorials or documentation to learn how to use the tool.
-
Analyze practice images or sample registry files to familiarize yourself with the tool's capabilities.
Walkthrough Live Registry Examination
Show steps
Creating a walkthrough of a live registry examination will help you gain hands-on experience and a deeper understanding of the process.
Show steps
-
Set up a forensic workstation to properly examine the Windows Registry.
-
Use a forensic tool to view the file structure and artifacts contained within the Windows Registry.
-
Extract relevant forensic evidence from the live registry.
-
Document your findings in a report.
Discuss Registry Key Concepts
Show steps
Encourages critical thinking and collaboration by engaging in discussions with peers.
Show steps
-
Identify a peer or group of peers to collaborate with.
-
Schedule regular meetings to discuss different registry key concepts, such as hives, keys, and values.
-
Share findings and insights from individual research or tool exploration.
Registry Key Analysis
Show steps
Improve your ability to analyze registry keys and extract relevant information.
Show steps
-
Complete the practice exercises in the course textbook.
-
Download additional practice scenarios from the course website.
-
Use the provided tools to analyze the registry keys.
Registry Report
Show steps
Develop your skills in documenting and presenting your findings.
Show steps
-
Choose a registry hive to analyze.
-
Identify and extract the relevant information.
-
Write a report summarizing your findings.
Forensic Case Study Analysis
Show steps
Provides a comprehensive and practical application of skills by conducting an in-depth forensic investigation.
Show steps
-
Obtain a sample forensic image or virtual machine with a registry available for examination.
-
Use forensic tools to analyze the registry and identify potential evidence.
-
Prepare a detailed report outlining the analysis process, findings, and conclusions.
Registry Forensics Workshop
Show steps
Engage with experts and peers to enhance your practical skills.
Show steps
-
Attend a registry forensics workshop or conference.
-
Participate in hands-on exercises and discussions.
Registry Forensics Challenge
Show steps
Test your skills and knowledge in a competitive environment.
Show steps
-
Register for a registry forensics challenge or competition.
-
Analyze the provided registry images.
-
Submit your findings and compete for recognition.
Introduction to Basic Concepts
Show steps
Complete this activity to develop a strong foundation for the Windows Registry Forensics course.
Show steps
Show steps
Show steps
- Review the course syllabus and learning objectives.
- Read the assigned textbook chapters and complete any practice exercises.
- Install the necessary software tools for the course.
Review System Root File Structure
Show steps
Reviewing systems root files structure will help you better understand the location and structure of the registry hives.
Show steps
Show steps
Show steps
- Review the location of the Registry files on a forensic image.
- Identify the types of forensic evidence found in the Windows Registry.
- Locate and explain the purpose of the following files: NTUser.Dat, SAM, Software, System, USRClass.dat, and AmCache.
Review Forensic Concepts
Show steps
Improves understanding of course concepts by reviewing key principles and techniques in forensic science.
Browse courses on
Forensic Science
Show steps
Show steps
Show steps
- Review notes and materials from previous coursework or textbooks on forensic science.
- Complete practice questions or exercises to test understanding of concepts.
Nine other activities
Expand to see all activities and additional details
Show all 12 activities
Registry Hive Structure
Show steps
Use this activity to refine your understanding of the structure of the Windows Registry.
Show steps
Show steps
Show steps
- Follow the recommended video tutorials on the course website.
- Practice navigating the registry using the provided tools.
Explore Registry Analysis Tools
Show steps
Enhances practical skills by providing hands-on experience with industry-standard forensic tools.
Show steps
Show steps
Show steps
- Choose a reputable registry analysis tool, such as FTK Imager or RegRipper.
- Follow online tutorials or documentation to learn how to use the tool.
- Analyze practice images or sample registry files to familiarize yourself with the tool's capabilities.
Walkthrough Live Registry Examination
Show steps
Creating a walkthrough of a live registry examination will help you gain hands-on experience and a deeper understanding of the process.
Show steps
Show steps
Show steps
- Set up a forensic workstation to properly examine the Windows Registry.
- Use a forensic tool to view the file structure and artifacts contained within the Windows Registry.
- Extract relevant forensic evidence from the live registry.
- Document your findings in a report.
Discuss Registry Key Concepts
Show steps
Encourages critical thinking and collaboration by engaging in discussions with peers.
Show steps
Show steps
Show steps
- Identify a peer or group of peers to collaborate with.
- Schedule regular meetings to discuss different registry key concepts, such as hives, keys, and values.
- Share findings and insights from individual research or tool exploration.
Registry Key Analysis
Show steps
Improve your ability to analyze registry keys and extract relevant information.
Show steps
Show steps
Show steps
- Complete the practice exercises in the course textbook.
- Download additional practice scenarios from the course website.
- Use the provided tools to analyze the registry keys.
Registry Report
Show steps
Develop your skills in documenting and presenting your findings.
Show steps
Show steps
Show steps
- Choose a registry hive to analyze.
- Identify and extract the relevant information.
- Write a report summarizing your findings.
Forensic Case Study Analysis
Show steps
Provides a comprehensive and practical application of skills by conducting an in-depth forensic investigation.
Show steps
Show steps
Show steps
- Obtain a sample forensic image or virtual machine with a registry available for examination.
- Use forensic tools to analyze the registry and identify potential evidence.
- Prepare a detailed report outlining the analysis process, findings, and conclusions.
Registry Forensics Workshop
Show steps
Engage with experts and peers to enhance your practical skills.
Show steps
Show steps
Show steps
- Attend a registry forensics workshop or conference.
- Participate in hands-on exercises and discussions.
Registry Forensics Challenge
Show steps
Test your skills and knowledge in a competitive environment.
Show steps
Show steps
Show steps
- Register for a registry forensics challenge or competition.
- Analyze the provided registry images.
- Submit your findings and compete for recognition.
Career center
Learners who complete Windows Registry Forensics will develop knowledge and skills
that may be useful to these careers:
Forensic Investigator
Forensic Investigator
Forensic Investigators are responsible for retrieving data, examining hardware, and interpreting digital evidence. The skills and knowledge taught in this course can help you build a foundation for success as a Forensic Investigator. The Windows Registry is a treasure trove of information and this course will teach you its key portions. This will allow you to find critical information about user account information, system-wide and user-specific settings, file access, program installation and execution, and even search terms.
Digital Evidence Analyst
Digital Evidence Analyst
A Digital Evidence Analyst reviews and interprets digital evidence to reconstruct past events. Through the analysis of the Windows Registry, you will learn to recover deleted data and extract information about user activity which will be vital to your success in this role.
Cybersecurity Analyst
Cybersecurity Analyst
A Cybersecurity Analyst protects organizations from cyber threats, malicious actors, and data breaches. This course will equip you with incredible skills in threat detection and deterrence. Through the examination of hives such as USRClass.dat, you will be able to identify Windows ShellBags, which track user-specific zip files and folder access and settings. You will also learn to interpret the sub-key MuiCache, to include installed applications.
IT Auditor
IT Auditor
IT Auditors review and examine systems to analyze compliance and provide security recommendations. A deep understanding of the Windows Registry is crucial for successful IT Auditors as it is a vital source of security-related information. This course will help you build a solid background in this area.
Computer Forensics Analyst
Computer Forensics Analyst
Computer Forensics Analysts collect, analyze, and interpret digital data stored on electronic devices in the context of legal proceedings. This course can provide you with the skills you need to succeed as a Computer Forensics Analyst, such as the ability to analyze the live registry and the location of the registry files on the forensic image.
Information Security Analyst
Information Security Analyst
Information Security Analysts plan and implement security measures to protect an organization's information systems. This course can help you develop the skills and knowledge necessary to succeed as an Information Security Analyst, such as the ability to analyze the Windows Registry for security vulnerabilities.
Security Engineer
Security Engineer
Security Engineers design, implement, and maintain security systems to protect an organization's information systems. This course can help you develop the skills and knowledge necessary to succeed as a Security Engineer, such as the ability to analyze the Windows Registry for security vulnerabilities.
Software Engineer
Software Engineer
Software Engineers design, develop, and maintain software applications. This course can help you develop the skills and knowledge necessary to succeed as a Software Engineer, such as the ability to analyze the Windows Registry for potential software compatibility issues.
Systems Engineer
Systems Engineer
Systems Engineers design, implement, and maintain computer systems and networks. This course can help you develop the skills and knowledge necessary to succeed as a Systems Engineer, such as the ability to analyze the Windows Registry for performance issues.
Cybersecurity Engineer
Cybersecurity Engineer
Cybersecurity Engineers design, implement, and maintain security systems to protect an organization's information systems from cyber threats. This course can help you develop the skills and knowledge necessary to succeed as a Cybersecurity Engineer, such as the ability to analyze the Windows Registry for security vulnerabilities.
Network Administrator
Network Administrator
As a Network Administrator, the maintenance of the infrastructure supporting a company's digital functions is your responsibility. It will be your role to ensure the security and smooth operation of this infrastructure. The exploration of Windows Registry topics in this course, such as the examination of the live registry, is a valuable tool for ensuring and maintaining the efficacy of a company's infrastructure.
Incident Response Analyst
Incident Response Analyst
Incident Response Analysts respond to and investigate security incidents. They also develop and implement security measures to prevent future incidents. This course can help you develop the skills and knowledge necessary to succeed as an Incident Response Analyst, such as the ability to examine the Windows Registry for evidence of security breaches.
Vulnerability Analyst
Vulnerability Analyst
Vulnerability Analysts identify, assess, and remediate security vulnerabilities in computer systems and networks. This course can help you develop the skills and knowledge necessary to succeed as a Vulnerability Analyst, such as the ability to analyze the Windows Registry for potential vulnerabilities.
Data Analyst
Data Analyst
Data Analysts collect, analyze, and interpret data to help organizations make informed decisions. This course can help you develop the skills and knowledge necessary to succeed as a Data Analyst, such as the ability to analyze the Windows Registry for patterns and trends.
Database Administrator
Database Administrator
Database Administrators design, implement, and maintain databases. This course can help you develop the skills and knowledge necessary to succeed as a Database Administrator, such as the ability to analyze the Windows Registry for performance issues.
For more career information including salaries, visit:
OpenCourser.com/course/hbjz50/windows
Reading list
We've selected six books
that we think will supplement your
learning. Use these to
develop background knowledge, enrich your coursework, and gain a
deeper understanding of the topics covered in
Windows Registry Forensics.
Provides both a solid technical overview of digital forensics, including the Windows registry, and serves as a good foundational textbook.
Provides a broad overview of forensic imaging, including the Windows registry, and good supplemental background resource.
This textbook good resource for a broad overview of incident response and digital forensics, including registry examination.
Focuses on the examination of digital evidence from a law enforcement perspective, including the Windows registry.
Although focused on Windows security hardening, this book provides good background material on the Windows registry, especially the SYSTEM hive.
Providing a foundational understanding of Windows memory that underlays the Windows registry, this book is helpful for understanding basic principles.
For more information about how these books relate to this course, visit:
OpenCourser.com/course/hbjz50/windows
Share
Similar courses
Here are nine courses similar to
Windows Registry Forensics.
Windows 11 Troubleshooting: Registry and Windows Structure
OpenCourser.com/course/tvogdm/windows
Windows 11 Troubleshooting: Registry and Windows Structure
OS Analysis with RegRipper
OpenCourser.com/course/ci55la/os
OS Analysis with RegRipper
Specialized DFIR: Windows Registry Forensics
OpenCourser.com/course/8htsq1/specialized
Specialized DFIR: Windows Registry Forensics
Python for Windows Administrators
OpenCourser.com/course/evj65u/python
Python for Windows Administrators
File Analysis with CyberChef
OpenCourser.com/course/3w1mjb/file
File Analysis with CyberChef
Enforcing Data Contracts with Kafka Schema Registry
OpenCourser.com/course/dzqxy6/enforcing
Enforcing Data Contracts with Kafka Schema Registry
Introduction to Docker: Build Your Own Portfolio Site
OpenCourser.com/course/peqwid/introduction
Introduction to Docker: Build Your Own Portfolio Site
Security Event Triage: Analyzing Live System Process and Files
OpenCourser.com/course/oouv7q/security
Security Event Triage: Analyzing Live System Process and...
Implement a Docker Registry
OpenCourser.com/course/t9s847/implement
Implement a Docker Registry
Level
Intermediate
Via
Coursera
Institution
Infosec
Instructor
Denise Duffy
Language
English
Transcripts
Español
Français
Português
Deutsch
Italiano
中文
العربية
한국어
日本語
हिंदी
Nederlands
Svenska
Pусский
Türkçe
Polski
Ελληνικά
українська мова
Bahasa Indonesia
ไทย
қазақша
This course belongs to a
collection
called
Computer Forensics. It's comprised of three courses:
- Windows Registry Forensics (viewing)
- Digital Forensics Concepts
- Windows OS Forensics
Good to know
Examines ethical issues of forensic science, which is highly relevant to digital investigators in today's legal climates
Taught by Denise Duffy, who is recognized for their work in the field of digital forensics
Provides a detailed understanding of Windows Registry forensics, which is a core skill for digital forensic analysts
Develops an understanding of the structure and organization of the Windows Registry, which is crucial for forensic investigations
Emphasizes the importance of setting up a proper forensic workstation, which is essential for conducting thorough digital investigations
Covers various types of forensic evidence found in the Windows Registry, which is critical for digital forensic analysts to master
Our mission
OpenCourser helps millions of learners each year. People visit us to learn workspace skills, ace their exams, and nurture their curiosity.
Our extensive catalog contains over 50,000 courses and twice as many books. Browse by search, by topic, or even by career interests. We'll match you to the right resources quickly.
Find this site helpful? Tell a friend about us.
Affiliate disclosure
We're supported by our community of learners. When you purchase or subscribe to courses and programs or purchase books, we may earn a commission from our partners.
Your purchases help us maintain our catalog and keep our servers humming without ads.
Thank you for supporting OpenCourser.
© 2016 - 2024 OpenCourser