🎯 Key Takeaways for quick navigation: 00:00: Introduction *to Windows Forensics covering basic Windows forensic analysis techniques and artifacts.* 02:35: Explanation *of the Windows Registry structure, its location, and important registry hives (e.g., HKCU, HKLM).* 08:12: Overview *of registry keys like common dialogue 32, last visited PIDL MRU, and open/save PIDL MRU, showing recent file paths and interactions.* 10:47: Discussion *on the "Run MRU" registry key, revealing executed commands from the Run dialog.* 11:54: Exploration *of "Typed Paths" in the registry, indicating explicitly typed paths in Windows Explorer.* 13:17: Introduction *to "UserAssist" registry key, which logs executed programs and provides information on their usage.* 15:11: Explanation *of "Run" and "RunOnce" registry keys in both current user and local machine, detailing programs that start upon login.* 16:47: Introduction *to "Shell Bags" registry artifacts, storing Windows Explorer customization details and persisting information on deleted paths.* 18:18: Demonstration *of "Shell Bags Explorer" tool to parse and view shell bags information, showing evidence of deleted paths.* 21:27: Introduction *to "User Class Dat" registry hive, added in Windows 7 for segmentation of low integrity processes, emphasizing its importance in forensic analysis.* 23:30: Transition *to discussing USB devices in Windows forensics, highlighting the significance of tracking plugged-in USB mass storage devices.* 23:59 Analyzing *registry paths like `hklm system currentcontrolset enum USB store` can reveal information about plugged-in devices, with details such as serial numbers and timestamps.* 25:07 In *forensics, it's crucial not to assume but rely on evidence. The correct registry key (e.g., `controlset 0 0 1`) must be determined by examining the system's registry rather than making assumptions.* 26:41 Examining *the USB store in the registry can provide details about connected USB devices, including serial numbers, manufacturer information, and timestamps of connection.* 28:57 USB *device information, including VID (Vendor ID) and PID (Product ID), can be used to look up the make and model of the device by referencing online databases.* 30:47 Exploring *the Windows registry can reveal information about mounted devices, including volume GUIDs, friendly names, and timestamps, aiding in understanding device usage.* 32:23 The *volume GUID obtained from the registry can help identify the drive letter assigned to the USB device, providing additional insights into the device's usage.* 35:30 Examining *the registry's mounted devices can link a volume GUID to the user who mounted the USB device, offering insights into user activity.* 40:32 Specific *registry keys, like `0 0 6 4`, `0 0 6 6`, and `0 0 6 7`, can reveal valuable information about USB device events, including installation, connection, and removal times.* 42:18 The *setup API logs (e.g., `setupapi.dev.log`) can be referenced to find information about the first installation time of a USB device, providing additional context for forensic analysis.* 43:12 Miscellaneous *registry keys, such as time zone information, computer name, and network configurations, can be crucial for forensic investigations, helping establish a comprehensive understanding of the system.* 49:25 The *NLA registry keys in Windows can be used by forensic investigators to find evidence of every network a machine is connected to. Check the last write time of the key to determine the last time a PC connected to a specific network. The NLA information includes details like default gateway MAC, DNS suffix, SSID, and profile type.* 53:33 Linked *files (LNK files) in Windows contain valuable metadata, including the MAC address of the host computer, original file path, size, and more. Even if a file has been securely erased, analyzing LNK files can provide evidence of its existence. Don't ignore LNK files in forensic investigations.* 58:31 Prefetch *and Superfetch in Windows, designed to improve user experience by caching frequently used data, can be leveraged by forensic investigators. Prefetch files (PF) in the Windows prefetch directory can show evidence of application execution globally for all users on the system. Analyzing PF files provides details like executable name, path, run counter, and last run time. Consider the enable prefetch registry key value (default is 3) to ensure prefetching is enabled.* Made with HARPA AI

Thanks for being so great at explaining the "Why" as well as the "How"!!! Very helpful!!!

I'm new to DFIR and a coworker sent me this video! Thanks so much!! Just figured I'd put in the comments: System registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803

I love the fact that this is still viable in 2023. Thank you!

The best material about digital forensic I know by far. Thanks a lot for this great content. Please keep it up

This is best video for learning windows forensics Thankyou so much for making this video on Windows forensics

ABSOLUTELY A GEM OF A VIDEO! I learned most of this in college but needed to brush up again. thank you so much for posting this video. (I also love your last name!)

This is fantastic, man! Thank you so much!

Love your teaching style Richard! I was wondering, what do you think about the CCD cert?

This video is a lifesaver. This is very informative and very easy to understand. I am currently about taking the FOR500 course classes. DFIRDiva referred me this KZbin channel. This is really so helpful, words can express my gratitude for sharing this wealth of knowledge. Once again thank u 13cubed.

Wow, very nice. Explains things very well

Thank you for being such a great tutor on the video. I'm a total newbie in the Cybersecurity but I found this is super interesting to learn.

Thank you very much for the great video! It is very helpful for the basic forensic at the company.

I just saw your videos!! Thank you so much for this!

thank for helping me pass the gcfe and for the star trek the next generation reference

Thank you for this video! I'm doing my degree on Forensic Computing and this has just helped me understand some things better than the lectures! I've definitely subscribed and I'm really looking forward to more videos

Excellent video. I really like the way you explain and show things. Thanks a lot for taking your time. Love it :)

Hey, you should brand your PDF so I know where I borrowed it from and remember to visit you more often.

Thanks for this video. My job is more IR than DF but I'm taking FOR508 class in about 3 weeks and want to go in a better grasp of forensicating. Planning to study up a bit and play around with SIFT and the tools I got during GCIH before I go. Appreciated!

Thank you for such informative and a not boring lesson on Window Registry forensics. I definitely going to share this video with my classmates.

48:35 how do we know what IP address was assigned as there were 4 different entries under interfaces?

Very helpful... Congratulations Thank You very much.

Thanks! Excellent video. Would love to see something similar for Mac OS

At minute 25:05. Could there be a case in which current control set could be 1 but last known good other than 1. If yes , how is that possible?

Great video, things are very clear now. Thanks a lot

Great videos. They are well structured. Easy to understand, not boring and very interesting.

This video is so clear and easy to follow (while at the same time being very informative and professional) that I would like you to make something similar to the MAC OS. Meanwhile, thanks so much for sharing this.

thank you for the video it was very helpful I can't find Dcode V4 tool where can I find it

Thanks for that. It`s great!!!

Thank you.and l am a rookie and watch your videos i learning more

Nice work And great struggle 👏

Thank you so much for such detailed explanation. Can you please provide those registry data as well for importing to try handson. Or suggest sites to download such entries for analysis

Old one but great one! I am thinking about switching career paths from CTI to Digital Forensics and this was a great intro. Easy to follow. Thank you!

This. Is. Amaziiiiiiiiiiiiiiiing.

thanks for the vid! Learned a lot!

THANK YOU!!!

Great introduction.Found it very helpful,thank you.

Thanks for you contribution. This will be my guideline (initial guideline, btw) to the DFIR world.

Thank you!

Thanks - The latest version of Registry Explorer v1.4.2 gives the details in parsed format directly - no additional tool is needed - even the ROT13 decoding is done

VERY HELPFUL THANKS !!!

thanks!

Thank you ! Such an excellent intro to Registry and generic Windows forensics. Great Job!!! Do you know where on Windows 10 can we find Microsoft Egde Forensics info (such as bookmarks stored locally, History stored locally, etc ).

Thank very Much for your lecture. is very helpful forensic student.

The cheat sheet will not download, using Chrome or Firefox. Can this be fixed? Thank you.

Great, informative video - thank you! What would you recommend to watch/read next (except your channel of course which I subscribe) to widen knowlege on digital forensics topic? Also I have a chance to participate in a SANS training during DFIR Summit in Prague. What would you recommend for a newbie in Forensics? I have a strong background in networking, so I thought about Advanced Network Forensic (FOR572) but from the video and GIAC Roadmap I recon that Windows Forensic (FOR500) would be the best start

Thanks for sharing ! Really nice.

Without taking the GCFE, can I work through all these videos and work through the Windows Forensics book by PHD Philip Polstra instead, and be fine moving into the GCFA?

thank you !

Muy bueno, donde descargo Registry Explorer

Love it

I am unable to download register explorer, is it possible to get the link

Hi , I justed want to know if someone downladed a file from any of the web browser or downladed from the email what all things in the registry we need to look it out as a part of forensic investigation.

Great Videos. Can you please make a video on SSD acquisition and encrypted drive forensics?

Where can I find that dfir cheat sheet?

Thank you so much for the video series that you provided!! Helped me a lot to pass my GCFE exam! Any suggestions with regards to getting the GOLD?

7:00 How did you get copies of the files?

Hello man,, I have a small question... at 10:54 you made a zoom while recording... how did you do that? what are you using for recording ??? or you did it in the editing stage ??? please answer.. Like your work

ty for this brah

great Video! thanks a lot. can you please provide a SANS 408 Index?

Would like to see a video on Anti- forensics detection, $usnjournal etc.

interesting!

went to through the SANS video. Then came back here man make things so much simpler to understand. Just a question I googled for Broadband and VPN (For user profile)do I follow I keep seeing 243(decimal) for it and 0x17 for VPN. Is this a recent change ?

Do you run your analysis environment in a VM? I want to keep my studying of this separate from my personal system as much as possible.

Hello 13Cubed. any plans in releasing a udemy course?

Hi, Will you be doing any on the BAM/DAM and RecentApps forensic artifacts? Trying to find some info.

You might have invented a word : ) " forensicating " @ 14:50

Personal Timestamp: 21:34

Seems like Forensics Wiki is no more. What happened?

Thanks a lot for the video!! What if we delete/rename ntuser.dat file?