Reddit mentions of Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry

There are a ton of different things you can do on the defensive side. The path here is a bit less defined because you can specialize in each of these areas with out ever really touching the other ones. But I think these are the most important skills as a defender, so I’ll break it up into three smaller chunks. For the most part, defender/Blue-team concepts draw from these skills, I’ve setup the courses in order, as some of these skills may feed into other areas.


IR:

• Computer Forensics and IR - This is the hole grail of IR. Written by the best in the business, a great start to the world of IR and Forensics
  
  
• Network Analysis. SOC-based 1-day course (Includes slides and labs)
  
  
• Hacking Techniques and Intrusion Detection - 5-6 day course
  
  
• PCAP analysis and Network Hunting - 2 day course
  
  
• Blue Team Field Manual
  
  
  Forensics:
  
  
• Network Forensics - 2 day course
  
  
• File System Forensics
  
  
• Windows 8 Forensics
  
  
• Registry Forensics
  
  
• Memory Forensics
  
  
• 13 Cubed Youtube Series
  
  
• Advanced Network Forensics - SANS ( meaning If you can get someone else to pay for it, SANS courses are expensive)
  
  
• Overall Cheatsheet/Forensics knowledge dump
  
  
• Now, you’re ready for the CHFI Certification
  
  Reverse Engineering (Dynamic and Static):
  
  
• Practical Malware Analysis
  
  
• Malware Unicorn (Awesome RE, has an awesome blog and some good intro training)
  
  
• Malware Analyst’s cookbook
  
  
• IDA Pro Book
  
  
• Intro to Reverse Engineering - 2 day course
  
  
• Malware Dynamic Analysis - 3 day course
  
  
• SANS*** GREM Certification
  
  I know there’s not a lot of certs here, and unfortunately, that’s how it is across the blue team. Certs here are usually very vendor-specific, and not applicable to defense as a whole. Those certifications exist, but I’m not listing them here.
  
  If people are interested, I can also do a similar write-up on Mobile Forensics and Cloud Forensics (which is my direct background).
  
  Lastly, here are some of my favorite news sources across the InfoSec community -
  
  News Sources
  
  
• Ars Technica
  
  
• InfoSecurity Magazine
  
  
• Security Weekly
  
  
• Iron Geek
  
  
• Krebs on Security
  
  
• reddit.com/r/netsec
  
  
• reddit.com/r/netsecstudents
  
  
• reddit.com/r/asknetsec
  
  
• reddit.com/r/computerforensics

I don't think there are really an prerequisites to get a good amount of learning out of the class. Understanding the types of attacks is a great start. In 2004 (at least I think it was that year), they only had one class (508) and on day 3, after we had gone over the bulk of how filesystems and computers work, we were doing an exercise based on hand rebuilding a usb thumb drives filesystem (it had been tampered with). A guy raises his hands as says "You keep using the words rootkit, what is that"? The instructor thought he was being trolled at first. So having a pentesting cert will certainly help you (both as a pentester and with learning forensics since you will learn that there is always evidence of some sort left behind).

All that being said though, you should at least be a little familiar with the following (though they do a great job of explaining these in the class):

• windows registry
  
• different filesystems (exfat, ntfs, fat*)
  
• a general understanding of how windows works
  
  Right now (well as of last year when I took the cert/class) the books are titled:
  
  
• Windows Digital Forensics and Advanced Data Triage
  
• Core Windows Forensics Part 1 - Registry and USB Device Analysis
  
• Core Windows Forensics Part 2 - Email Forensics
  
• Core Windows Forensics Part 3 - Window Artifact and Log File Analysis
  
• Core Windows Forensics Part 4 - Web Browser Forensics (Firefox, IE & Chrome)
  
  
  Harlan Carvey's books are an excellent resource.
  
  Windows Registry Forensics, 2nd
  
  Windows Forensic Analysis Toolkit 4th
  
  My first time using the formatting features, so hopefully I didn't screw that up. Feel free to PM me if you have more questions. I have a bunch of SANS certs and have been doing this for ages. I am always happy to help someone who's learning!
  
  Edit: the 2nd book link isn't showing up, so fixed that.