Windows Registry and Log Analysis Workshop eBook

This eBook is only available for course participants and eForensics Magazine subscribers. 

---

About the author: Luca Cadonici

Member of the International Information Systems Forensics Association (IISFA), Luca Cadonici graduated from the University of Pisa in 2010, moving closer to Computer Security and obtaining the European Qualification as an Expert in Service Management and Network Security – liv.4 EQF (European Qualification Framework). During his career, he has obtained several Computer Security and Computer forensics certifications (among others: CDFE, OSFCE, eNDP, eJPT, CompTIA Linux +, ITIL v3) and worked at the Intesa Sanpaolo Development and Security Office taking care of the activities related to the ISO27001 and PCI-DSS standards.

He lives in Italy and works as a forensic consultant for prosecutors, law enforcement agencies and law firms.

---

About this eBook

This eBook contains the reading material from the course “Windows Registry and Log Analysis”, available on eForensics Magazine’s website. It does not contain the whole course content - we skipped on several appendices, videos, and exercises. If you’re interested in these, or in getting a certificate proving what you have learned with this eBook, consider joining the course (eBook is included in the course materials). 

VIEW THE COURSE =>

---

Table of Contents

---

Introduction

1. About the course
2. Setting up the lab
3. References

---

Chapter 1: Keeping track of it all - the Windows Event Logging

1. An introduction to Windows Logging
2. The EVTX files
3. Live Acquisition: wevtutil
4. Post-mortem acquisition: FTK Imager
5. Getting started with PowerShell
6. Using PowerShell for log analysis
7. Useful logs in computer forensics
8. Logs from different channels

---

Chapter 2: At the heart of Windows OS - the Registry

1. An introduction to Windows registry
2. How the Registry works - keys and values
3. The hives
4. Windows Registry extraction with FTK Imager
5. Parsing the Registry with FTK Imager
6. Registry parsing with PowerShell - Get-ChildItem and Get-ItemProperty cmdlet

---

Chapter 3: Taking advantage of the Windows Registry

1. Registry analysis with Registry ViewerMachine and operating system
2. USB devices
3. Users
4. Applications
5. Network

---

Chapter 4: Tracking user activities - combining information from logs and Registry

1. Combining PowerShell with LogParser
2. Tracking remote desktop sessions
3. Tracking network connections
4. A practical example: unauthorized access from a corporate network