Digging Up the Past: Windows Registry Forensics Revisited
David Via from FireEye has written a very good article focused on the following known sources of historical registry data: R…
Join our Telegram DFIR group!
Guys, we have created a Telegram group, where we will do our best to answer all your questions. We will be very happy if you…
Exploring Registry Explorer
This webinar covers Registry Explorer version 1.0 including features such as searching multiple hives, transaction log repla…
Comments on “Windows Registry Forensic Tool Specification”
Maxim Suhanov has published his comments on NIST’s “Windows Registry Forensic Tool Specification”. You can find&n…
Forensic Lunch with Maxim Suhanov
This time the “Forensic Lunch” with David Cowen meets Maxim Suhanov – digital forensics analyst, researche…
Carving Fragmented Registry Files
Yet another registry parser, or yarp, is a library and tools to deal with Windows registry files [1]. Despite the name, yarp…
Shellbag Forensics
As a continuation of the “Introduction to Windows Forensics” series, this video by Richard Davis introduces Shel…
In-Depth Forensic Analysis of Windows Registry Files
The Windows registry is an essential source of evidence when performing a wide range of examinations. In a recent talk (Zero…
Amcache and USB Device Tracking
Jason Hale has published an interesting post on how to use the amcache to track USB devices. You can find device serial…
Investigating Malware Using Registry Forensics
Here is Jason Hale’s talk from Louisville Infosec 2017 titled “Investigating Malware Using Registry Forensi…
