Harlan Carvey, CISSP: Windows System Forensics and Registry Analysis
Please join us in Sp-321 on 25 July, 1500-1550. Please join us in Sp-421 on 17 November 2005, 1500-1550.

Abstract: When conducting a forensic investigation of a Windows system image, there is much more information available to the investigator beyond simple searches for keywords and images. Delving into the Windows Registry will reveal a great deal of information that can be correlated with information from within the file system. This presentation makes use of a notional investigation to demonstrate this. A VMware session was imaged using ProDiscover to provide the image, and the presentation outlines the steps taken to correlate information from various areas of the system to develop as complete a picture as possible.

Bio: Harlan Carvey, CISSP, is a security professional in the Virginia and DC area. After serving eight years as an officer in the United States Marine Corps, he embarked upon a career as an information security engineer, focusing on policy creation, penetration testing, vulnerability assessments, incident response, and forensic analysis. He has used a variety of security products, including CyberCop, ISS Internet Scanner, ISS RealSecure, EnCase, and ProDiscover, as well as freeware and open source tools and several tools of his own development. Mr. Carvey is a published author, with articles appearing in the Information Security Bulletin, SecurityFocus.com, and the Digital Investigation Journal. He is also the author of "Windows Forensics and Incident Recovery". He has presented at Usenix, BlackHat, DefCon9, MISTI, HTCIA2004, and GMU2003/2005.