Investigating Windows User Registry Artifacts

Windows Forensics Track

Investigating Windows User Registry Artifacts

This course builds on the knowledge attained in the System Artifacts course to enable you to analyze user artifacts and actions in order to create a timeline of events for each user.

Get Started Now

Enroll for $50

Course Curriculum

01
Introduction to Investigating Windows User Registry Artifacts
- Before We Start
- Windows Registry User Artifacts Introduction
- NTUSER.DAT and USRCLASS.DAT File Extraction
- View Files Through RegEdit – Live System
- Extract Files Through RegEdit – Live System
- Extract Files Through FTK Imager – Live System
- Extract Files Through FTK Imager – Disk Image
- Last Write Timestamps
- Check Your Knowledge
02
Investigating Windows Registry Hives: User Artifacts
- Application Usage - Part 1
- Application Usage - Part 2
- Application Usage - Part 3
- Application Usage - Part 4
- Check Your Knowledge
03
Internet Browsing
- Internet Browsing
04
Search Queries
- Search Queries
05
Other Artifacts
- Other Artifacts
- Check Your Knowledge
06
Exercises
- Check Your Knowledge
- Exercises 1 and 2
- Exercises 1 and 2 Solutions

Course Type: Theory & Hands-on

6 CPE Credits

After completing this course, you will earn:

Get Started Now

Learn the Windows User Registry Artifacts

Enroll now for $50

Learning Outcomes

After completing this course, you will learn the following:

 The ability to extract the NTUSER.DAT and USRCLASS.DAT files from the registry
 Learning locations of various important forensic artifacts

Technical Requirements

For the hands-on labs in this course

Windows operating system (recommended Windows 10)
Internet connection
Installation of Registry Explorer/recmd
Installation of RegRipper
Installation of FTK Imager

What is next at Cyber 5W?

Add your email to the mailing list to get the latest updates