408.2‐.3
Page Topic
5 allocated/unallocated
6 slack space
7 File System Metadata
8 Deleted Files
9 FAT and NTFS file systems
10 FAT file deletion
11 NTFS file deletion
12 Timestamps
19 Evidence of Categories
33 FTK processing options
37 FTK Evidence Refinement
110 FTK RAM acquisition
112 FTK Memory Analysis
124 FTK searching
143 Registry analysis
144 Hives
145 Backup Hives
144 User Registry Hives
144 usrclass.dat
149 Registry Hives
150 KEYS AND VALUES
151 last write time reg key
152 MRU LISTS
154 offline vs online reg viewing
155 deleted reg keys
161 reg keys review
163 Registry Key Analysis
164 system hives
164 user hives
170 SAM
171 SAM ‐ local users
173 Password policy
177 SYSTEM config
178 SYSTEM OS
181 System control set
183 SYSTEM computer name
185 SYSTEM timezone
187 Last Access Time on/Off
188 Network Interfaces
190 Vista/7/8 Historical Networks
191 Vista/7/8 Historical Networks
193 Network Types XP
197 File Shares
199 System Boot Autostart Programs
201 shutdown info
218 analyzing ntuser.dat
220 XP search history
222 Win 7 search history
224 Win 8 search history
226 Typed Paths
228 Recent Docs
230 Office Recent Docs
232 Open Save MRU
235 Last Visited MRU
241 Last Commands Executed