Windows Registry and Log Analysis Workshop eBook

eForensics Magazine 2018 01 Windows Registry and Log Analysis

This eBook is only available for course participants and eForensics Magazine subscribers. 

About the author: Luca Cadonici

A member of the International Information Systems Forensics Association (IISFA), Luca Cadonici graduated from the University of Pisa in 2010 and then moved into Computer Security, obtaining the European Qualification as Expert in Service Management and Network Security (level 4 EQF, European Qualification Framework). During his career he has obtained several computer security and computer forensics certifications (among others: CDFE, OSFCE, eNDP, eJPT, CompTIA Linux+, ITIL v3) and worked at the Intesa Sanpaolo Development and Security Office, where he was responsible for activities related to the ISO 27001 and PCI DSS standards.

He lives in Italy and works as a forensic consultant for prosecutors, law enforcement agencies and law firms.

About this eBook

This eBook contains the reading material from the course “Windows Registry and Log Analysis”, available on eForensics Magazine’s website. It does not contain the whole course content: several appendices, videos, and exercises have been left out. If you are interested in these, or in obtaining a certificate proving what you have learned with this eBook, consider joining the course (the eBook is included in the course materials).


Table of Contents


  1. About the course
  2. Setting up the lab
  3. References

Chapter 1: Keeping track of it all - the Windows Event Logging

  1. An introduction to Windows Logging
  2. The EVTX files
  3. Live Acquisition: wevtutil
  4. Post-mortem acquisition: FTK Imager
  5. Getting started with PowerShell
  6. Using PowerShell for log analysis
  7. Useful logs in computer forensics
  8. Logs from different channels

Chapter 2: At the heart of Windows OS - the Registry

  1. An introduction to Windows registry
  2. How the Registry works - keys and values
  3. The hives
  4. Windows Registry extraction with FTK Imager
  5. Parsing the Registry with FTK Imager
  6. Registry parsing with PowerShell - Get-ChildItem and Get-ItemProperty cmdlet

Chapter 3: Taking advantage of the Windows Registry

  1. Registry analysis with Registry Viewer
  2. Machine and operating system
  3. USB devices
  4. Users
  5. Applications
  6. Network

Chapter 4: Tracking user activities - combining information from logs and Registry

  1. Combining PowerShell with LogParser
  2. Tracking remote desktop sessions
  3. Tracking network connections
  4. A practical example: unauthorized access from a corporate network


July 30, 2021
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023