Mining Digital Evidence in Microsoft Windows – Answering Who, When, Why and How?

By Chetan Gupta on 09 Dec 2007 @ Clubhack
📊 Presentation
#forensics #windows #data-loss-prevention #data-protection #digital-currency #encryption #incident-management
Focus Areas: 🔒 Data Privacy & Protection , 🔑 Cryptography , ⛓️ Blockchain Security , 💻 Endpoint Security , 🚨 Incident Response

Abstract

Microsoft Windows presents a number of avenues to the forensic investigator for establishing the most critical questions in any investigation: Who, When, Why and How? There is a wealth of information available in a Windows system which can help the investigator establish a chain of events, identify the possible cause of any untoward activity and gather irrefutable evidence to prosecute the perpetrator. Some of the evidentiary avenues that will be highlighted in this presentation are as follows:

  1. Windows Registry as a critical avenue of information – MRU Lists, MUI cache, UserAssist and so on
  2. NTFS Data structures and MFT analysis
  3. Understanding and Cracking EFS
  4. Analyzing File System Metadata – the mystery of timestamps
  5. Analyzing Windows memory contents – how to conduct Live Response
  6. Using Event Logs to establish a timeline of events.
  7. Web Usage profiling
  8. Analyzing Prefetch, Recycle Bin artifacts and shortcut files
  9. Analyzing slack space and detecting hidden/formatted partitions.
  10. Understanding and analyzing Thumbs.db