Windows Forensics-Registry

Forensic Toolkit, FTK Imager, Password Recovery Toolkit and Registry Viewer

This advanced AccessData training course provides the knowledge and skills necessary to use AccessData® products to conduct forensic investigations on the Microsoft® Windows® registry. Participants will learn where and how to locate registry artifacts using Forensic Toolkit® (FTK®), FTK Imager, Registry Viewer® and Password Recovery Toolkit® (PRTK®).

During this three-day hands-on course, participants perform the following tasks:
• Use FTK Imager to obtain a clean copy of the Windows registry.

• Back up individual registry keys, registry files, and whole registry sets.

• Use a regular expression to carve registry key names from unallocated space.

• Identify and locate potential trace evidence in the regf and hbin blocks.

• Use the SAM file to identify system user accounts, user information and properties, user logon password information, user profiles, and group membership.

• Use the SYSTEM file to identify computer name, time zone, last shutdown time, network connections, and hardware information.

• Use the SECURITY file to identify current and archived system passwords, if present.

• Break the SECURITY file passwords in PRTK.

• Use the SOFTWARE file to identify USB volume serial numbers in Windows Vista, recycle bin settings, user profiles, wireless connections, printer information, evidence of uninstalled software, application restrictions, autologon settings, and cached password settings.

• Identify individual application settings such as Internet Explorer (IE) main settings; IE use count; Internet Account Manager; URL history; IE5 history settings; MSN accounts; mount points and mapped drives; and FTP site settings.
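The carving and regf/hbin tasks above, as an added example that is not part of the AccessData course materials: a Python scanner that locates `regf` and `hbin` signatures in raw bytes and carves key names from `nk` key-node cells by signature, so freed cells (deleted keys) in slack or unallocated space are recovered alongside live ones. The hive bytes are constructed inline for the demonstration; the `nk` field offsets used (flags at +2, name length at +72, name at +76) are the documented on-disk layout.

```python
# Added example (not course material): signature scan of regf/hbin headers and nk key-name carving.
import re
import struct

def find_signatures(data):
    """File offsets of every 'regf' and 'hbin' signature (a hive header, then its bins)."""
    return {sig: [m.start() for m in re.finditer(sig, data)] for sig in (b"regf", b"hbin")}

def carve_key_names(data):
    """Carve key names from 'nk' cells anywhere in data, allocated or freed."""
    found = []
    for m in re.finditer(rb"nk", data):
        off = m.start()
        if off < 4 or off + 76 > len(data):
            continue
        cell_size, = struct.unpack_from("<i", data, off - 4)  # negative size = allocated cell
        flags, = struct.unpack_from("<H", data, off + 2)      # 0x20 = KEY_COMP_NAME (ASCII name)
        name_len, = struct.unpack_from("<H", data, off + 72)
        if cell_size == 0 or not 0 < name_len <= 255 or off + 76 + name_len > len(data):
            continue
        raw = data[off + 76:off + 76 + name_len]
        try:
            name = raw.decode("ascii" if flags & 0x20 else "utf-16-le")
        except UnicodeDecodeError:
            continue
        if name.isprintable():
            found.append((off - 4, "allocated" if cell_size < 0 else "free", name))
    return found

def build_nk_cell(name, allocated=True):
    """Constructed 'nk' cell: 76-byte fixed part, ASCII name, padded to 8-byte alignment."""
    body = bytearray(76) + name.encode("ascii")
    body[0:2] = b"nk"
    struct.pack_into("<H", body, 2, 0x20)
    struct.pack_into("<H", body, 72, len(name))
    size = (len(body) + 4 + 7) & ~7
    cell = bytearray(size)
    struct.pack_into("<i", cell, 0, -size if allocated else size)
    cell[4:4 + len(body)] = body
    return bytes(cell)

def build_sample_hive():
    """Constructed sample: regf header, one hbin holding a live key, then a freed key in slack."""
    header = bytearray(4096); header[:4] = b"regf"
    hbin = bytearray(4096); hbin[:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, 4096)       # hbin offset from first hbin, hbin size
    live = build_nk_cell("ControlSet001")
    hbin[0x20:0x20 + len(live)] = live              # first cell follows the 32-byte hbin header
    freed = build_nk_cell("Run", allocated=False)   # stands in for a deleted key left in slack
    return bytes(header + hbin + b"\xAA" * 100 + freed)
```

Run `carve_key_names(build_sample_hive())` to see both the allocated key and the freed one reported with their cell offsets and state.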

Prerequisites

This hands-on course is intended for forensic investigators with experience in forensic case work and a basic working knowledge of FTK, FTK Imager, Registry Viewer, and PRTK. Prior familiarity with the Microsoft Regedit utility is also helpful.

To obtain the maximum benefit from this course, you should meet the following requirements:
• Read and understand the English language.

• Attend the AccessData Forensic BootCamp and Windows Forensics or have equivalent experience with FTK and PRTK.

• Have previous investigative experience in forensic case work.

• Be familiar with the Microsoft Windows environment.