Windows Registry and Log Analysis with Freeware Tools
In this course you will deepen your knowledge of the Windows registry and of log analysis through the main free computer forensics tools, in order to reconstruct a user's activities in detail. You will gain a new level of understanding of the principles behind both the Windows Registry and Windows logging.
The strongly practical approach serves both to understand the principles behind the automated analysis performed by the industry's most popular forensic suites and, thanks to the knowledge gained, to deepen the level of detail and the interpretation of the artifacts generated by the system.
Why take this course now?
No matter what stage of your career you're at, the skills learned here will serve you well in the future. At the end of the course, you will be able to conduct a fully valid and thorough expert forensic investigation in a Windows environment through the use of only freeware tools.
Who is this course for?
- The topics covered in the course are the basis of Windows forensics. It is therefore suitable both for experienced practitioners, who will find useful insights into the information contained in the system registry and in the logs, and for newcomers, who can understand the mechanisms of the Windows OS through simple but absolutely professional tools.
- Computer forensics consultants, system administrators and computer security experts alike can find useful information among the topics covered in the course. In particular, the examples provided with the course are taken from real cases, which makes the topics and techniques illustrated immediately applicable, especially in the Incident Response area.
What will you learn?
- Windows Forensics concepts
- Windows Event Logging
- Log Analysis
- Choosing the most useful logs for computer forensics
- Windows Registry Analysis
- How Windows Registry works
Particular attention will be paid to the System, Security and Application logs, in particular to the following events:
- Application: ID 11707 - Product installed; ID 11708 - Product installation failed
- Security: ID 4608 - Windows is starting up; ID 4726 - A user account was deleted; ID 4728 - A member was added to a security-enabled global group; ID 4738 - A user account was changed
- System: ID 6008 - Unexpected shutdown; ID 6009 - System boot; ID 1074 - Shutdown
With regard to the registry, we will use the entries under the HKEY_LOCAL_MACHINE, ControlSet001 and SAM keys to acquire information about the owner, registered users, time zone, network cards, number of logins and access statistics for each user.
What skills will you gain?
- Extracting useful information from the Windows Registry
- Combining PowerShell and Log Parser for log collecting and analysis
- Correlating logs to reconstruct the machine's activity
- Combining logs and registry information to track users’ activities
- Tracking DHCP and Remote Desktop connections
- Parsing Windows Artifacts
What tools will you use?
Consideration will be given to the main analytical tools that are freely available and universally recognized in the world of computer forensics and in international courts, such as:
- FTK Imager
- FTK Registry Viewer (demo version)
- Microsoft Log Parser
- PowerShell
DURATION: 18 hours
CPE POINTS: On completion you get a certificate granting you 18 CPE points.
Course eBook included!
- Accessible even after you finish the course
- No preset deadlines
- Materials are video, labs, and text
- All videos captioned
What should you know before you join?
- Intermediate use of the Windows operating system
- Intermediate understanding of the Windows operating system
- Basic concepts of Computer Forensics (imaging, hashing)
- Basic understanding of networking (TCP/IP, IP addressing, routing, DNS, DHCP)
- Basic concepts of IT security
What will you need?
- A Workstation running Windows 7, 8 or 10.
- FTK Imager 4.1.1 http://accessdata.com/product-download/ftk-imager-version-4.1.1
- Log Parser 2.2 https://www.microsoft.com/en-us/download/details.aspx?id=24659
- Registry Viewer 184.108.40.206 (demo version) http://accessdata.com/product-download/registry-viewer-220.127.116.11
- PowerShell 5.0 https://docs.microsoft.com/en-us/powershell/wmf/5.1/install-configure
Your Instructor: Luca Cadonici
Member of the Italian National Observatory for Computer Forensics (ONIF) and of the International Information Systems Forensics Association (IISFA), Luca Cadonici graduated from the University of Pisa in 2010, then moved into Computer Security, obtaining the European Qualification as an Expert in Service Management and Network Security - level 4 EQF (European Qualification Framework). During his career he has obtained several Computer Security and Computer Forensics certifications (among others: CDFE, OSFCE, eNDP, eJPT, CompTIA Linux+, ITIL v3) and worked at the Intesa Sanpaolo Development and Security Office, taking care of the activities related to the ISO 27001 and PCI-DSS standards.
He’s the author of articles and courses for “eForensics Magazine” and “Il Giornale dell’Ingegnere” - official magazine of the CNI – Italian National Council of Engineers.
He’s the owner of the Digital Forensics laboratory Nova Era and works as a forensic consultant for prosecutors, law enforcement agencies and law firms.
Module 1: Keeping track of it all - the Windows Event Logging
The Windows logging system provides a wealth of information from different sources. In this first module, we'll see a selection of the most useful logs for forensic purposes and how to correlate them using PowerShell.
Module 1 covered topics:
1.1 An introduction to Windows Logging
1.2 The EVTX files
1.3 Getting started with PowerShell
1.4 Using PowerShell for Log Analysis
1.5 Useful logs in computer forensics
1.6 Using PowerShell to combine logs from different channels
Module 1 exercises:
- Tracking system boot and shutdown phases
- Reconstructing recent activity on the computer
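The following is an added example, not course material, of the kind of cross-channel correlation Module 1 describes: it pulls the System, Security and Application event IDs listed on this page with Get-WinEvent and merges them into one chronological boot/shutdown and account-change timeline. It assumes an elevated PowerShell 5.x session on the machine under analysis, or a folder of exported .evtx files named after their channel (the `-EvidenceDir` parameter, the `C:\case\logs` path and the function name are assumptions).

```powershell
# Added example (not course material): build a boot/shutdown and account-change
# timeline from the event IDs the course highlights, across three channels.
# Assumes an elevated PowerShell 5.x session on the machine under analysis, or
# a folder of exported .evtx files named after their channel (-EvidenceDir).

# The IDs listed on the course page, grouped by channel. Get-WinEvent's
# -FilterHashtable takes one log per hashtable, so each channel is queried on its own.
$Channels = @{
    'System'      = @(6008, 6009, 1074)        # unexpected shutdown, boot, shutdown
    'Security'    = @(4608, 4726, 4728, 4738)  # startup, account deleted, group add, account changed
    'Application' = @(11707, 11708)            # MSI product installed / installation failed
}

function Get-ForensicTimeline {
    param(
        [datetime]$Start = (Get-Date).AddDays(-7),
        [datetime]$End   = (Get-Date),
        [string]$EvidenceDir   # assumed layout: <dir>\System.evtx, Security.evtx, Application.evtx
    )
    $events = foreach ($channel in $Channels.Keys) {
        $filter = @{ Id = $Channels[$channel]; StartTime = $Start; EndTime = $End }
        if ($EvidenceDir) {
            # Offline analysis of exported logs (the forensic case): read the .evtx file directly
            $filter['Path'] = Join-Path $EvidenceDir "$channel.evtx"
        } else {
            $filter['LogName'] = $channel
        }
        # Get-WinEvent writes a non-terminating error when nothing matches; ignore it
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    }
    # Merge the three channels into one chronological view, one line per event
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id,
            @{ Name = 'Sid';     Expression = { $_.UserId } },
            @{ Name = 'Summary'; Expression = { ([string]$_.Message -split "`r?`n")[0] } }
}

# Live system, last 7 days, saved for the report
Get-ForensicTimeline | Export-Csv -Path .\timeline.csv -NoTypeInformation

# Exported evidence, a specific window (assumed path)
# Get-ForensicTimeline -EvidenceDir 'C:\case\logs' -Start '2019-03-01' -End '2019-03-08'
```

When reading exported .evtx files on an analysis workstation, the Summary column may be empty for events whose provider is not installed there; TimeCreated, LogName and Id are still recorded.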
Module 2: At the heart of Windows OS - the Registry
Defined as a collection of databases of configuration settings, the Windows Registry stores information and settings for software programs, hardware devices, user preferences and operating system configurations. Here we’ll see its structure in detail, and learn how to extract it and use it for forensic analysis.
Module 2 covered topics:
2.1 An introduction to the Windows Registry
2.2 How the Registry works: keys and values
2.3 The hives
2.4 Windows Registry extraction with FTK Imager
2.5 Parsing the Registry with FTK Imager
2.6 Registry parsing with PowerShell: the Get-ChildItem and Get-ItemProperty cmdlets
Module 2 exercises:
- Registry Key Cell analysis with FTK Imager
- Retrieving information with PowerShell
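As an added example (not course material) of the Get-ChildItem and Get-ItemProperty approach in topic 2.6, the script below reads the machine, owner, time zone, network card and DHCP lease information that this page lists as registry-derived. It assumes a live Windows host, where CurrentControlSet links to the active control set (the course reads ControlSet001 from hives extracted with FTK Imager); the function names are assumptions.

```powershell
# Added example (not course material): registry triage with Get-ItemProperty and
# Get-ChildItem covering items the course lists (owner, OS, time zone, network
# cards, DHCP leases). Assumes a live Windows host where CurrentControlSet links
# to the active control set; offline hives would be read under ControlSet001.

function ConvertFrom-UnixTime([int64]$Seconds) {
    # Several of these values are REG_DWORD seconds since 1970-01-01 UTC; 0/missing -> $null
    if ($Seconds -le 0) { return $null }
    [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc).AddSeconds($Seconds)
}

function Get-MachineProfile {
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $tz = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
    $cn = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName'
    [pscustomobject]@{
        ComputerName     = $cn.ComputerName
        RegisteredOwner  = $nt.RegisteredOwner
        ProductName      = $nt.ProductName
        InstallDateUtc   = ConvertFrom-UnixTime $nt.InstallDate
        TimeZone         = $tz.TimeZoneKeyName
        # ActiveTimeBias is the number of minutes added to local time to reach UTC
        # (negative east of Greenwich), so the offset seen in timestamps is its negation
        UtcOffsetMinutes = 0 - [int]$tz.ActiveTimeBias
    }
}

function Get-DhcpLeaseHistory {
    # NetworkCards maps a readable adapter name to the interface GUID used under Tcpip
    $cards = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards' |
             ForEach-Object { Get-ItemProperty $_.PSPath }
    $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($iface in $ifaces) {
        $p = Get-ItemProperty $iface.PSPath
        if (-not $p.DhcpIPAddress) { continue }   # static or never-configured interface
        [pscustomobject]@{
            Adapter       = ($cards | Where-Object ServiceName -eq $iface.PSChildName).Description
            DhcpIPAddress = $p.DhcpIPAddress
            DhcpServer    = $p.DhcpServer
            LeaseObtained = ConvertFrom-UnixTime $p.LeaseObtainedTime
            LeaseExpires  = ConvertFrom-UnixTime $p.LeaseTerminatesTime
        }
    }
}

Get-MachineProfile   | Format-List
Get-DhcpLeaseHistory | Format-Table -AutoSize
```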
Module 3: Taking advantage of the Windows Registry
The Windows registry provides a lot of information about the system, the machine and the users. Now we will work to select and extract the most useful elements for the purposes of our analysis.
Module 3 covered topics:
3.1 Registry Analysis with Registry Viewer
3.2 Machine and Operating System
3.3 USB devices
3.6 Network activity
Module 3 exercises:
- Investigating through Registry Analysis
- Parsing Registry Keys to collect network information
Module 4: Tracking User Activities - Combining information from Logs and Registry
In the final part of the course, we show how to put together information acquired from different sources, such as hives from Registry and System and Security logs, to reconstruct all the activities performed by the users during a session or a specific timeframe.
Module 4 covered topics:
4.1 Combining PowerShell with Log Parser
4.2 Tracking Remote Desktop Sessions
4.3 Tracking Network Connections
4.4 A practical example - Unauthorized access from a corporate network
Module 4 exercises:
- Reconstructing a Remote Desktop session
- Putting it all together - simulation of a real forensics expertise in a Windows Environment
If you have any questions, please contact us at [email protected].
This is a great course. I am a big fan of log analysis and do a lot of it for Linux and Unix systems. I knew there was a lot of Windows logging but had no idea how to get at it or make it humanly viewable. This course did all that and more. I highly recommend it for any forensic analyst.
[email protected] –
Great course … a lot of new information for me
I’ve learned a lot. Thanks for this course
[email protected] –
THANK YOU FOR AN EXCELLENT COURSE
I have been able to use the material learned here right away in the office and found it to be quite useful when diagnosing anomalous behavior.
Keith Smith (verified owner) –
CHALLENGING AND ENLIGHTENING
If you are new to PowerShell this will be challenging but doable. You will be provided the opportunity to examine the registry and event logs from several different perspectives. Given scenarios that are applicable to real world events, you will learn how to establish a timeline of events for a given machine. Instead of manually reviewing log files, you will learn how to use PowerShell to automate the tasks of extracting pertinent information from logs.
Three things that would have been nice to see in this course are tracking malware; activities that pivot to other activities; and, last, how to gather this information remotely. Perhaps this could be a second course.
All in all, what is learned in this course is applicable to incident responders' daily tasks.