Windows Registry and Log Analysis with Freeware Tools
In this course you will deepen your knowledge of the Windows Registry and of log analysis through the main free computer forensics tools, in order to reconstruct the user’s activities in detail. You will gain a new level of understanding of the principles behind both the Windows Registry and Windows logging.
18 CPE points
Particular attention will be paid to the System, Security and Application logs, including event IDs such as:
- ID 11707 – Product installed
- ID 11708 – Product installation failed
- ID 4608 – Windows is starting up
- ID 4726 – A user account was deleted
- ID 4728 – A member was added to a security-enabled global group
- ID 4738 – A user account was changed
- ID 6008 – Unexpected Shutdown
- ID 6009 – System boot
- ID 1074 – Shutdown
With regard to the Registry, we will use the entries under the HKEY_LOCAL_MACHINE, ControlSet001 and SAM keys to acquire information about the owner, registered users, time zone, network cards, number of logins and access statistics for each user.
Consideration will be given to the main analytical tools that are freely available and universally recognized in the world of computer forensics and in international courts, such as FTK Imager, FTK Registry Viewer (demo version), Autopsy, Microsoft Log Parser and PowerShell.
At the end of the course, the trainee will be able to carry out a complete and thorough forensic examination in a Windows environment using only freeware tools.
This hands-on approach serves both to understand the principles behind the automated analysis carried out by the industry’s most popular forensic suites and, thanks to the knowledge gained, to deepen the level of detail and the interpretation of the artifacts generated by the system.
What will you learn?
- Windows Forensics concepts
- Windows Event Logging
- Log Analysis
- Choosing the most useful logs for computer forensics
- Windows Registry Analysis
- How Windows Registry works
What skills will you gain?
- Extracting useful information from the Windows Registry
- Combining PowerShell and Log Parser for log collecting and analysis
- Correlating logs to reconstruct machine’s activity
- Combining logs and registry information to track users’ activities
- Tracking DHCP and Remote Desktop connections
- Parsing Windows Artifacts
What will you need?
- A Workstation running Windows 7, 8 or 10.
- FTK Imager 4.1.1 http://accessdata.com/product-download/ftk-imager-version-4.1.1
- Log Parser 2.2 https://www.microsoft.com/en-us/download/details.aspx?id=24659
- Registry Viewer 126.96.36.199 (demo version) http://accessdata.com/product-download/registry-viewer-188.8.131.52
- PowerShell 5.0 https://docs.microsoft.com/en-us/powershell/wmf/5.1/install-configure
What should you know before you join?
- Intermediate use of the Windows operating system
- Intermediate understanding of the Windows operating system
- Basic concepts of Computer Forensics (imaging, hashing)
- Basic understanding of networking (TCP/IP, IP addressing, routing, DNS, DHCP)
- Basic concepts of IT security
Your Instructor: Luca Cadonici
A member of the International Information Systems Forensics Association (IISFA), Luca Cadonici graduated from the University of Pisa in 2010 and moved into computer security, obtaining the European Qualification as an Expert in Service Management and Network Security – level 4 EQF (European Qualification Framework). During his career he has obtained several computer security and computer forensics certifications (among others: CDFE, OSFCE, eNDP, eJPT, CompTIA Linux+, ITIL v3) and worked at the Intesa Sanpaolo Development and Security Office on activities related to the ISO 27001 and PCI-DSS standards.
He lives in Italy and works as a forensic consultant for prosecutors, law enforcement agencies and law firms.
Module 1: Keeping track of it all – the Windows Event Logging
The Windows logging system provides a wealth of information from different sources. In this first module, we’ll see a selection of the most useful logs for forensic purposes and how to correlate them using PowerShell.
Module 1 covered topics:
1.1 An introduction to Windows Logging
1.2 The EVTX files
- Getting started with PowerShell
- Using PowerShell for Log Analysis
- Useful logs in computer forensics
- Using PowerShell to combine logs from different channels
Module 1 exercises:
- Tracking system boot and shutdown phases
- Reconstructing recent activity on the computer
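As an added example (not part of the course materials), the following PowerShell 5.x script builds a boot/shutdown timeline from the event IDs listed in the course description (6009, 6008 and 1074 in the System log, 4608 in the Security log). It assumes an elevated session on a live Windows host and a one-week look-back window; both are assumptions of this example.

```powershell
# Added example, not course code. Requires an elevated PowerShell 5.x session:
# reading the Security log needs administrator rights.
$Since = (Get-Date).AddDays(-7)          # assumed look-back window

# Event IDs from the course description and the channel each one lives in
$BootShutdownIds = @{
    System   = 6009, 6008, 1074          # boot, unexpected shutdown, shutdown request
    Security = 4608                      # Windows is starting up
}
$Meaning = @{
    6009 = 'System boot'
    6008 = 'Unexpected shutdown'
    1074 = 'Shutdown requested'
    4608 = 'Windows is starting up'
}

function Get-BootShutdownTimeline {
    $events = foreach ($channel in $BootShutdownIds.Keys) {
        # SilentlyContinue: Get-WinEvent raises an error when nothing matches
        Get-WinEvent -FilterHashtable @{
            LogName   = $channel
            Id        = $BootShutdownIds[$channel]
            StartTime = $Since
        } -ErrorAction SilentlyContinue
    }
    $events | Where-Object { $_ } | ForEach-Object {
        [PSCustomObject]@{
            Time    = $_.TimeCreated
            Channel = $_.LogName
            Id      = $_.Id
            Event   = $Meaning[$_.Id]
            # First message line: for 1074 it names the process and user that
            # requested the shutdown, for 6008 the time of the unclean shutdown
            Detail  = ($_.Message -split "`r?`n")[0]
        }
    } | Sort-Object Time
}

$Timeline = Get-BootShutdownTimeline
$Timeline | Format-Table -AutoSize
# Keep a copy for correlation with Registry artifacts later in the analysis
$Timeline | Export-Csv -Path .\boot_shutdown_timeline.csv -NoTypeInformation
```

A 6009 with no preceding 1074 or 6006-style clean shutdown, or a 6008 entry, marks a session that ended abruptly, which is the kind of gap worth cross-checking against the Security log.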
Module 2: At the heart of Windows OS – the Registry
Defined as a collection of databases of configuration settings, the Windows Registry stores information and settings for software programs, hardware devices, user preferences and operating system configuration. Here we’ll examine its structure in depth and see how to extract it and use it for forensic analysis.
Module 2 covered topics:
2.1 An introduction to the Windows Registry
2.2 How the Registry works: keys and values
2.3 The hives
2.4 Windows Registry extraction with FTK Imager
2.5 Parsing the Registry with FTK Imager
2.6 Registry parsing with PowerShell: Get-ChildItem and Get-ItemProperty cmdlet
Module 2 exercises:
- Registry Key Cell analysis with FTK Imager
- Retrieving information with PowerShell
Module 3: Taking advantage of the Windows Registry
The Windows registry provides a lot of information about the system, the machine and the users. Now we will work to select and extract the most useful elements for the purposes of our analysis.
Module 3 covered topics:
3.1 Registry Analysis with Registry Viewer
3.2 Machine and Operating System
3.3 USB devices
3.6 Network activity
Module 3 exercises:
- Investigating through Registry Analysis
- Parsing Registry Keys to collect network information
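As an added example (not course code), this PowerShell script applies Get-ItemProperty and Get-ChildItem to the live Registry to pull the owner, time zone and network-card details the course refers to, including DHCP lease data, and resolves which ControlSet00N is active from HKLM\SYSTEM\Select instead of assuming ControlSet001. The key paths are the standard Windows locations and are an assumption of this example, not values taken from the course.

```powershell
# Added example, not course code. Run in PowerShell 5.x on the live machine
# under examination (offline hives extracted with FTK Imager need their own path).

# CurrentControlSet is a link to ControlSet00N; N is the 'Current' value of
# HKLM\SYSTEM\Select, which is what you must read when parsing an offline hive.
$Current    = (Get-ItemProperty 'HKLM:\SYSTEM\Select').Current
$ControlSet = 'HKLM:\SYSTEM\ControlSet{0:D3}' -f $Current

function ConvertFrom-UnixTime([uint32]$Seconds) {
    # These Registry timestamps are seconds since 1970-01-01 00:00 UTC
    ([datetime]'1970-01-01T00:00:00Z').ToUniversalTime().AddSeconds($Seconds)
}

function Get-MachineInfo {
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [PSCustomObject]@{
        ComputerName     = (Get-ItemProperty "$ControlSet\Control\ComputerName\ComputerName").ComputerName
        RegisteredOwner  = $ver.RegisteredOwner
        ProductName      = $ver.ProductName
        InstallDate      = ConvertFrom-UnixTime $ver.InstallDate
        TimeZone         = (Get-ItemProperty "$ControlSet\Control\TimeZoneInformation").TimeZoneKeyName
        ActiveControlSet = $ControlSet
    }
}

function Get-InterfaceLeases {
    # One GUID-named subkey per network interface; DHCP lease data is stored here
    Get-ChildItem "$ControlSet\Services\Tcpip\Parameters\Interfaces" | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [PSCustomObject]@{
            Interface     = $_.PSChildName
            EnableDHCP    = $p.EnableDHCP
            DhcpIPAddress = $p.DhcpIPAddress
            DhcpServer    = $p.DhcpServer
            LeaseObtained = if ($p.LeaseObtainedTime)   { ConvertFrom-UnixTime $p.LeaseObtainedTime }
            LeaseExpires  = if ($p.LeaseTerminatesTime) { ConvertFrom-UnixTime $p.LeaseTerminatesTime }
        }
    }
}

Get-MachineInfo | Format-List
# Interfaces that actually held a DHCP lease, i.e. were connected to a network
Get-InterfaceLeases | Where-Object { $_.DhcpIPAddress } | Format-Table -AutoSize
```

The lease timestamps are stored in UTC, so convert the machine's TimeZoneKeyName before comparing them with local-time event log entries.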
Module 4: Tracking User Activities – Combining information from Logs and Registry
In the final part of the course, we show how to put together information acquired from different sources, such as Registry hives and the System and Security logs, to reconstruct all the activities performed by the users during a session or a specific timeframe.
Module 4 covered topics:
4.1 Combining PowerShell with Log Parser
4.2 Tracking Remote Desktop Sessions
4.3 Tracking Network Connections
4.4 A practical example – Unauthorized access from a corporate network
Module 4 exercises:
- Reconstructing a Remote Desktop session
- Putting it all together – simulation of a real forensics expertise in a Windows Environment
- The course is self-paced – you can visit the training whenever you want and your content will be there.
- Once you’re in, you keep access forever, even when you finish the course.
- There are no deadlines, except for the ones you set for yourself.
- We designed the course so that a diligent student will need about 18 hours of work to complete the training.
- The course contains video and text materials, accompanied by practical labs and exercises.
Questions? Contact our course coordinator Marta at [email protected]