Registry Analysis for Digital Forensics and Incident Response Master Class: NOW LIVE

November 25, 2013

Digital forensics experts Vico Marziale, Joe T. Sylve , Jerry Stormo of 504ensics, and Andrew Case are instructors in Hacker Academy’s  Registry Analysis for Digital Forensics and Incident Response Master Class.

The Registry Analysis Master Class is a self paced course that teaches investigators how to use and understand registry forensics during their own investigations, incident response handling, and malware analysis.

The course starts by explaining the structure of the registry followed by an exhaustive look into all of the contained artifacts. During this time students will learn how to determine applications that ran on the computer, removable devices that were inserted, files accessed by the user, malware that leveraged registry, and much more.

Backup facilities of the Windows operating system will be discussed and instructors will show how backup registry hives can be leveraged to understand user activity going back many months and also to defeat anti-forensics techniques.

The course will also cover analysis techniques such as building timelines, creating baselines, and correlating multiple registry artifacts to determine high-level events of a user or application.

For each topic introduced, students will gain real-world experience analyzing sample evidence with the most common registry forensics tools. After each exercise the students will be given access to an answer guide that walks them through how to answer each question. This serves as a great reference for future investigate efforts.

Vico Marziale, PhD, is Co-founder and Managing Partner of 504ENSICS Labs, where he is responsible for research and development, and digital forensics investigations. He is a GIAC Certified Forensic Analyst with 10 years of experience in DFIR. Vico is a developer on several open source forensics projects, including Registry Decoder and Scalpel.

Joe Sylve, M.S. is Co-Founder and Managing Partner of 504ENSICS Labs where in addition to research and development, he is responsible for incident response, penetration tests, and malware analysis. He holds the GCFA certification and is a contributor to the Volatility Framework and the developer of the Lime tool for Android memory acquisition.

Andrew Case is a core developer of the Volatility Framework, and co-developer of Registry Decoder. He has taught in-depth digital forensics courses at BlackHat and is a frequent speaker and instructor at security conferences around the world.

For more information or to sign up for the course, visit:

If you have a group of 10 or more and would like to schedule an in-person class, please contact the 504ENSICS Labs Digital Forensics Team.