
Windows Forensics Registry

In the continually evolving Windows Forensics series, the Windows registry continues to be a major source of Windows-related artifacts and stored information. Proper knowledge of registry-based artifacts can make or break an investigation.

This advanced Syntricate training course provides the knowledge and skills necessary to use AccessData® products to conduct forensic investigations on the Microsoft® Windows® registry. Participants will learn where and how to locate registry artifacts using Forensic Toolkit® (FTK®), FTK Imager, Registry Viewer® and Password Recovery Toolkit® (PRTK®).


This hands-on course is intended for forensic investigators with experience in forensic case work and a basic working knowledge of FTK, FTK Imager, Registry Viewer, and PRTK. Prior familiarity with the Microsoft Regedit utility is also helpful.

To obtain the maximum benefit from this course, you should meet the following requirements:

• Able to understand course curriculum presented in English
• Attendance at the AccessData Forensic BootCamp and Windows Forensics course or equivalent experience with FTK and PRTK
• Previous investigative experience in forensic case work
• Knowledge of Microsoft Windows environment

Class Materials and Software:

You will receive the associated materials prior to the course.

During this three-day course, participants will review the following:

• Use FTK Imager to obtain a clean copy of the Windows registry
• Backup individual registry keys, registry files, and whole registry sets
• Use a Regular Expression to carve registry key names from unallocated space
• Identify and locate potential trace evidence in the regf and hbin blocks
• Use the SAM file to identify system user accounts, user information and properties, user logon password information, user profiles, and group membership
• Use the SYSTEM file to identify computer name, time zone, last shutdown time, network connections, and hardware information
• Use the SECURITY file to identify current and archived system passwords, if present
• Break the SECURITY file passwords in PRTK
• Use the SOFTWARE file to identify USB volume serial numbers in Windows Vista, recycle bin settings, user profiles, wireless connections, printer information, evidence of uninstalled software, application restrictions, autologon settings, and cached password settings
• Identify individual application settings such as Internet Explorer (IE) main settings; IE use count; Internet Account Manager; URL history; IE5 history settings; MSN accounts; mount points and mapped drives; and FTP site settings


© Fulcrum Management 2012