After completing this chapter, you should be able to:
• Define volatile and nonvolatile information and describe techniques for collecting nonvolatile information, including cache, cookie, and history analysis
• Discuss various forensic tools and how to search with the Microsoft Event Viewer
• Explain various processes involved in forensic investigation of a Windows system, such as memory and registry analysis, Internet Explorer cache analysis, cookie analysis, MD5 calculation, Windows file analysis, and metadata investigation
• Explain how to parse process memory and a memory dump, and how to analyze restore point registry settings
• Discuss Windows password security issues, ...