Forensics 1

This document provides an overview of Windows forensics. It discusses fundamentals like Windows registries, file structures, and common file paths. It also covers tools for forensic investigations and browser forensics. Specific topics include recovering passwords, understanding how saved passwords work using DPAPI, and comparing forensic tools like Autopsy and X-Ways. The document concludes with contact information for the author.

AN OVERVIEW OF WINDOWS FORENSICS

Things to look out for when investigating a Windows machine

- by 4dsec
AGENDA

~ Fundamentals of Windows Forensics
~ Registries and File paths
~ Browser forensics
~ Tools to support forensic investigations
~ Conclusion
~ Contact and About
BASICS OF WINDOWS FORENSICS

• Understanding of Windows registries, aka registry hives.
• Understanding the default file structure of the operating system.
• Default locations of files and common file paths.
• Using tools to parse information.
FILE FORMAT REVERSE ENGINEERING

• Reading through hex dumps
• Understanding magic bytes
• Being able to detect broken files and recover them
• And so on…
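The magic-byte and broken-file checks listed on this slide, as an added Python example that is not part of the slides: it identifies a file by its header signature, walks a PNG's chunks to flag CRC failures and truncation, and recovers a PNG whose 8-byte signature was overwritten. The sample PNG is constructed in code; the signature table holds only a handful of well-known headers.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# A few well-known headers; real carving tools ship much larger signature tables.
SIGNATURES = {"png": PNG_SIG, "jpeg": b"\xff\xd8\xff", "zip": b"PK\x03\x04", "pdf": b"%PDF-"}

def identify(data):
    """Return the format whose magic bytes match the file header, or None."""
    return next((name for name, magic in SIGNATURES.items() if data.startswith(magic)), None)

def png_chunks(data):
    """Yield (chunk_type, status) per chunk; status is 'ok', 'bad_crc' or 'truncated'."""
    pos = 8                                          # skip the 8-byte signature
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                      # 4 length + 4 type + payload + 4 CRC
        if end > len(data):
            yield ctype, "truncated"                 # chunk runs past end of file
            return
        payload = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        yield ctype, "ok" if zlib.crc32(ctype + payload) == stored_crc else "bad_crc"
        pos = end

def diagnose_png(data):
    """Summarise signature, chunk CRCs and trailer to decide whether recovery is feasible."""
    chunks = list(png_chunks(data))
    return {
        "signature_ok": data[:8] == PNG_SIG,
        "bad_crc": [t.decode("ascii", "replace") for t, s in chunks if s == "bad_crc"],
        "truncated": any(s == "truncated" for _, s in chunks),
        "has_iend": any(t == b"IEND" and s == "ok" for t, s in chunks),
    }

def repair_png_signature(data):
    """IHDR must be the first chunk: if bytes 12..16 spell IHDR, rewriting the signature suffices."""
    if data[12:16] == b"IHDR" and data[:8] != PNG_SIG:
        return PNG_SIG + data[8:]
    return data

def _chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def make_sample_png():
    """Constructed 1x1 RGB PNG used as sample input (not a file from the slides)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")        # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
```

A file whose first eight bytes were zeroed by a partial overwrite is reported as unidentified with `signature_ok` False, and `repair_png_signature` restores a byte-identical copy of the original.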
WINDOWS REGISTRY

HKCU

HKLM
WINDOWS REGISTRY

• Information that could possibly be recovered:
* System configuration
* Devices on the system
* Usernames, personal settings and browser preferences
* Files opened
* Programs executed
* Passwords
STRUCTURE OF WINDOWS REGISTRY
CHEAT SHEET
BROWSER FORENSICS

• Data from browsers constitutes a sizeable wealth of valuable information.

BROWSER FORENSICS
HOW DO SAVED PASSWORDS WORK

• Windows Data Protection API, aka DPAPI
• Commonly used by offensive tools such as mimikatz
• Usually symmetric encryption
• Now let's see how the key and the password blob are retrieved
SANS POSTER
TOOLS FOR FORENSIC INVESTIGATIONS

Image Forensics
Memory Forensics

AUTOPSY VS X-WAYS

Autopsy
• Advanced functionality
• Lesser support for file system forensics
• Ingest modules can take a lot of time to load
• Mostly open source

X-Ways
• Relatively older
• Well supported for file system forensics
• Faster in preprocessing data
• Fully licensed
WHY RED TEAMERS NEED TO KNOW ABOUT FORENSICS
CONTACT AND ABOUT

• Abishek M
• Ex-blue teamer at Scottish Government
• Data Science / anything cyber

• Linkedin.com/abishekmani
• [email protected]
• Discord: 4dsec#4966

• Ask your questions
