Course Curriculum

  • 01

    Introduction to Investigating Windows User Registry Artifacts

    • Before We Start

    • Windows Registry User Artifacts Introduction

    • NTUSER.DAT and USRCLASS.DAT File Extraction

    • View Files Through RegEdit – Live System

    • Extract Files Through RegEdit – Live System

    • Extract Files Through FTK Imager – Live System

    • Extract Files Through FTK Imager – Disk Image

    • Last Write Timestamps

    • Check Your Knowledge

  • 02

    Investigating Windows Registry Hives: User Artifacts

    • Application Usage - Part 1

    • Application Usage - Part 2

    • Application Usage - Part 3

    • Application Usage - Part 4

    • Check Your Knowledge

  • 03

    Internet Browsing

    • Internet Browsing

  • 04

    Search Queries

    • Search Queries

  • 05

    Other Artifacts

    • Other Artifacts

    • Check Your Knowledge

  • 06

    Exercises

    • Check Your Knowledge

    • Exercises 1 and 2

    • Exercises 1 and 2 Solutions

Learning Outcomes

After completing this course, you will learn the following:

  •  The ability to extract the NTUSER.DAT and USRCLASS.DAT files from the registry

  •  Learning locations of various important forensic artifacts

Technical Requirements

For the hands-on labs in this course

  • Windows operating system (recommended Windows 10)

  • Internet connection

  • Installation of Registry Explorer/recmd

  • Installation of RegRipper

  • Installation of FTK Imager

What is next at Cyber 5W?

Add your email to the mailing list to get the latest updates