I am very happy to announce that the Registry Forensics Master Class that I developed in conjunction with 504ENSICS is now live. The master class is completely focused on registry forensics, and takes students from the basics through advanced topics and analysis techniques. A few of the topics covered include:
- Acquiring hives from both disk images and memory samples
- Understanding the raw artifacts contained in the variety of hives
- Analyzing the artifacts using a number of popular forensics tools
- Scripting registry forensics tools for automated and repeatable analysis
- Timelining registry contents
- Baselining hives to determine activities caused by malware and user actions
- Incorporating Windows backup facilities into registry analysis
- Investigating the registry in volatile memory (RAM)
- Analyzing malware in the registry
- Defeating anti-forensics
The class is an online, self-paced course that mimics what would be covered in a 2-3 day in-person offering. Each lesson in the course includes a lecture that teaches a specific topic in registry forensics followed by a hands-on exercise. The exercises are completed in online Windows and Linux virtual machines that are pre-configured with all the tools and materials needed. To ensure students are learning the material, each exercise includes questions that must be answered in the quiz module. This module tracks a student’s progress, and can produce reports of the student’s grades so that course can be justified to managers and directors. Each exercise also comes with a complete lab guide that walks the student through how to answer each question as the instructors would.
The course ends with a large investigation that requires combining skills learned throughout the class. After completing the course, students will be able to immediately use the techniques learned in real-world investigations involving digital forensics, incident response handling, and malware analysis.
Leading up to our public release we asked Ken Pryor (@kdpryor), a well-known digital forensics analyst, to review the course. Upon completion, he provided the following feedback:
“The Windows Registry Master Class is a great course for new and veteran analysts alike. I entered the course expecting to learn a little something, but came out of it feeling like I got so much more than I had bargained for. Each module of the course taught me something new. The excellent labs reinforced what I learned in the modules and gave me the ability to gain firsthand knowledge of the material. I strongly recommend this course for analysts of all skill levels, as I believe everyone can gain from it.”
For more information on the course or to register, please see the Hacker Academy page where it is hosted here. If you have any questions about the course use the comment section below or email me at andrew [at] memoryanalysis.net. While the course is primarily offered online, we also have the ability to give the course to in-person groups. If you have a group that is interested in these private offerings then please contact us as well.