Infosec

Windows Registry Forensics

This course is part of Computer Forensics Specialization

Denise Duffy

Instructor: Denise Duffy

4,578 already enrolled

Included with Coursera Plus

Gain insight into a topic and learn the fundamentals.
4.8

(49 reviews)

Intermediate level
Some related experience required
8 hours to complete
3 weeks at 2 hours a week
Flexible schedule
Learn at your own pace
Gain insight into a topic and learn the fundamentals.
4.8

(49 reviews)

Intermediate level
Some related experience required
8 hours to complete
3 weeks at 2 hours a week
Flexible schedule
Learn at your own pace

Details to know

Shareable certificate

Add to your LinkedIn profile

Assessments

1 assignment

Taught in English

See how employees at top companies are mastering in-demand skills

Placeholder

Build your subject-matter expertise

This course is part of the Computer Forensics Specialization
When you enroll in this course, you'll also be enrolled in this Specialization.
  • Learn new concepts from industry experts
  • Gain a foundational understanding of a subject or tool
  • Develop job-relevant skills with hands-on projects
  • Earn a shareable career certificate
Placeholder
Placeholder

Earn a career certificate

Add this credential to your LinkedIn profile, resume, or CV

Share it on social media and in your performance review

Placeholder

There are 8 modules in this course

Discover what the Windows Registry is and why it is important in digital forensic investigations. This module will explore the location and structure of the registry hives in a live and non-live environment, as well as the types of forensic evidence found in the Windows Registry. This will include: user account information, system-wide and user-specific settings, file access, program installation and execution, search terms, auto-start locations and devices attached to the system. Please use the links and tools provided in the two reading sections to get the URLs and other downloads you will need for the course.

What's included

2 videos3 readings

Learn how to set up a forensic workstation to properly examine the Windows Registry. This module takes a look at the location of the Registry files within the Windows OS and the many tools freely available to view the file structure and artifacts contained within the Windows Registry. It includes instruction on the installation, proper use and validation of your forensic software, showing how to get the most out of your automated tools while maintaining an understanding of what the tool is doing behind the scenes.

What's included

4 videos

This module demonstrates an in-depth analysis of the artifacts contained within the NTUser.Dat hive file. This module will show examiners how to locate programs and applications, mounted volumes and connected devices specific to a user, user search terms and typed URLs. Examiners will also be able to locate and identify opened and saved files, typed URLs, user-specific programs set to run at startup and application installation and execution. Examiners will be able to locate, examine and interpret MRU lists (Most Recently Used), UserAssist, user system settings and recently used files.

What's included

9 videos

This module explains forensic artifacts found in the SAM (Security Account Manager) file, which stores and organizes information about each user on a system. This module demonstrates how to identify each user account on a local machine using the relative identifier. Examiners can also learn to interpret username information including the users’ login dates, times and login count. The module will show how to identify the machine that the user account was created on, by interpreting a users’ SIDs (machine/domain identifiers) and recovering user password hashes.

What's included

5 videos

This module will show examiners how to locate information of forensic value relating to application execution and installation contained within the software hive file. The module will provide an overview of the forensic artifacts found in the software hive file, such as installed programs and applications, operating system type, install date and time, wireless network information, file association, domain logon information, the last logged-on user, programs set to run at startup and tracking USB devices that were attached to the system.

What's included

3 videos

This module will demonstrate evidence of forensic value contained within the system hive file. This module explores the system hive file showing how to determine the current control set, computer name, last shutdown date and time, crash dump settings and location, services set to run at startup, page file settings, prefetch settings, last access file time settings, AppCompat Cache, BAM (background activities monitor) and USB device connections and disconnections with dates and times.

What's included

3 videos

This module identifies and explains forensic artifacts found in the UsrClass.dat hive file. This module will look at the UsrClass.dat hive. The examiner will learn to explain Windows ShellBags, which track user-specific zip files and folder access and settings, including dates and times even on deleted folders and removable media. The examiner will also learn to interpret the sub-key MuiCache, to include installed applications. The Microsoft Photo App, showing recently accessed image files, will also be explored.

What's included

2 videos

This module will examine the AmCache hive file, which stores information relating to the execution of applications. A forensic examination of the AmCache hive file showing the following: application installation, application first run date and time, a file path to the executable file, the source of the application, a SHA-1 hash value of the executable file, plug-and-play connected devices, GUIDs of mounted volumes and system hardware information.

What's included

2 videos1 assignment

Instructor

Instructor ratings
4.6 (16 ratings)
Denise Duffy
Infosec
3 Courses15,386 learners

Offered by

Infosec

Recommended if you're interested in Security

Why people choose Coursera for their career

Felipe M.
Learner since 2018
"To be able to take courses at my own pace and rhythm has been an amazing experience. I can learn whenever it fits my schedule and mood."
Jennifer J.
Learner since 2020
"I directly applied the concepts and skills I learned from my courses to an exciting new project at work."
Larry W.
Learner since 2021
"When I need courses on topics that my university doesn't offer, Coursera is one of the best places to go."
Chaitanya A.
"Learning isn't just about being better at your job: it's so much more than that. Coursera allows me to learn without limits."

Learner reviews

4.8

49 reviews

  • 5 stars

    77.55%

  • 4 stars

    20.40%

  • 3 stars

    2.04%

  • 2 stars

    0%

  • 1 star

    0%

Showing 3 of 49

RI
5

Reviewed on Apr 19, 2022

YP
5

Reviewed on Nov 26, 2021

MA
5

Reviewed on Sep 10, 2021

New to Security? Start here.

Placeholder

Open new doors with Coursera Plus

Unlimited access to 10,000+ world-class courses, hands-on projects, and job-ready certificate programs - all included in your subscription

Advance your career with an online degree

Earn a degree from world-class universities - 100% online

Join over 3,400 global companies that choose Coursera for Business

Upskill your employees to excel in the digital economy

Frequently asked questions