top of page

Registry Forensics

The Windows Registry is a goldmine of forensics artifacts that can be utilized during investigations, incident response handling, and malware analysis. Depending on the scenario, entire investigations can be solved using only the registry due its storing of system and user activity such as:


  • Removable Device Activity (name, serial number, and model of all attached devices)

  • Network Share Interactions

  • Recently Accessed Documents (Word, Powerpoint, Excel, etc.)

  • Malware installation

  • Anti-Forensics Tampering

  • Software Installation

  • Printer Usage

  • Wireless Network Connections (ESSID, first and last time of connect, and more)


In our Registry Forensics class you learn how to perform complete registry forensics analysis, including:


  • Acquiring hives from both disk images and memory samples

  • Understanding the raw artifacts contained in the variety of hives

  • Analyzing the artifacts using a number of popular forensics tools

  • Scripting registry forensics tools for automated and repeatable analysis

  • Timelining registry contents

  • Baselining hives to determine activities caused by malware and user actions

  • Incorporating Windows backup facilities into registry analysis

  • Investigating the registry in volatile memory (RAM)

  • Analyzing malware in the registry Defeating anti-forensics

The registry course is a self-paced, online course that contains 21 learning modules. Each module includes a pre-recorded lecture followed by exercises that give students hands-on experience with the information taught in the lecture. As described in the Requirements section, all that is needed to take the course is a web browser capable of running Java.


A detailed review of the course by Ken Pryor can be found here.


The course includes:


  • 21 video lectures and associated hands-on exercises

  • A lab guide that contains full answers to all hands-on exercises, including screenshots and command line output

  • PDF copies of all slides

  • Access to course instructors

  • Analysis virtual machines that can be accessed from all web browsers with Java installed




This course assumes no previous registry forensics experience. It takes you from the basics through advanced techniques and concepts only used by the industry's best analysts.




The Hacker Academy HACKS environment is fully virtualized and online. All exercises can be completed in the pre-configured Windows and Ubuntu virtual machines. Each student is given their own virtual machine that can be accessed through any web browser with Java installed.




This course is taught by Andrew Case along with Joe Sylve, Vico Marziale, and Jerry Stormo of 504ENSICS.


Course Availability


As the course is self-paced and online, it is available 24/7. Once you register you are then given unlimited time and access to the lectures, labs, and associated materials. In order to register, please visit the Hacker Academy page here.


If you would like a private, in-person offering of the course then please contact or




bottom of page