Practical Windows Forensics
1) Welcome to Practical Windows Forensics (PWF)
Welcome and course introduction (4:25)
Resources and Materials Overview (4:32)
Course Links
PWF Course Roadmap (1:54)
2) Lab Requirements
Lab Setup Overview (3:15)
3) Setting up your forensic workstation
Build your forensic workstation tutorial and downloads (7:06)
VirtualBox and Windows 2019 VM installation (8:46)
WSL and Ubuntu installation on Windows 2019 Server (7:56)
WSL and Ubuntu installation on Windows 10 (alternative) (4:03)
Forensic workstation Windows configuration (5:37)
Downloading and installing forensic tools (12:04)
4) Prepare your target system
Download and install the Windows 10 VM (9:58)
Target system configuration and attack script preparation (8:04)
Execute the attack script on the target system (4:38)
5) Data collection process
Forensic process overview (3:16)
Target system containment (2:35)
Memory acquisition of the target system (8:01)
Disk acquisition of the target system (9:04)
6) Examination of the forensic data
Data examination process overview (1:04)
Mounting the disk image with Arsenal Image Mounter (8:32)
Overview of Windows files and forensic artifacts (5:46)
Creating a triage data collection with KAPE (12:51)
7) Disk analysis introduction
Sources of evidence and disk analysis process overview (3:10)
Note taking and course materials (2:07)
7.1) Windows registry analysis
Windows registry overview (17:07)
Exploring the registry with Registry Explorer (9:34)
Gathering system information with RegRipper (9:25)
RegRipper analysis continued (10:04)
Parsing registry hives in bulk with RegRipper (8:52)
User accounts and SIDs Overview (11:27)
Analysis of user accounts, groups and profiles (14:22)
7.2) User behavior analysis
User behavior analysis overview (3:39)
UserAssist analysis (5:50)
RecentDocs analysis (2:53)
ShellBags analysis (13:57)
7.3) Overview of disk structures, partitions and file systems
What is a file system? (1:44)
Exploring disk structures and the NTFS (8:01)
7.4) Analysis of the Master File Table (MFT)
Overview of MFT Records (4:16)
Analysis of MFT Records with MFTECmd (10:10)
MFT parsing and in-depth analysis with MFTECmd (12:46)
File timestamps and the MACB timestamp format (8:56)
Investigating file timestomping (3:29)
7.5) Finding evidence of deleted files with USN Journal analysis
How can we find evidence of deleted files? (10:24)
Analyzing the USN Journal for deleted files (16:57)
7.6) Analyzing evidence of program execution on Windows systems
Execution artifacts introduction (1:23)
Analyzing the Background Activity Moderator (BAM) (7:50)
Analysis of the Application Compatibility Cache (ShimCache) (12:03)
Overview of the Amcache (5:38)
Analyzing the Amcache with AmcacheParser (9:47)
BONUS: Amcache in-depth analysis and why scheduled tasks matter (14:37)
Windows Prefetch analysis with PECmd (9:52)
Windows Prefetch timeline analysis (11:27)
7.7) Finding evidence of persistence mechanisms
Analyzing Windows run keys with Registry Explorer and RegRipper (10:02)
How to find evidence of persistence in startup folders (8:38)
Windows Services overview and analysis (6:47)
Detecting and analyzing malicious scheduled tasks (14:18)
Persistence mechanisms analysis with Sysinternals Autoruns (5:30)
7.8) Uncover malicious activity with Windows event log analysis
Windows event logs overview (11:00)
Analyzing Windows event logs with EventLogExplorer and EvtxECmd (16:44)
Windows Defender event log analysis (6:45)
Analyzing service installs using the System event log (4:54)
Security event log and authentication events (10:11)
Authentication events and logon IDs (8:20)
PowerShell event logs overview (9:28)
Analyzing malicious PowerShell events (15:55)
Overview of the Sysmon event log and relevant event IDs (2:19)
Detecting malicious events in Sysmon event logs (12:59)
8) Windows memory forensic analysis
Setting up Volatility3 in the Ubuntu environment (7:42)
Important files for memory analysis (8:40)
Gathering Windows system information with Volatility3 (7:40)
Update: If you ran the ART-attack script before July 9th!!
Detecting suspicious Windows processes (10:40)
Dumping processes from memory (5:53)
Detecting and analyzing injected DLLs (13:46)
Identifying process owners and associated SIDs (4:37)
Detecting and analyzing malicious registry key entries from memory (7:47)
9) Kitchen-Sink analysis with Super Timelines
Super timeline analysis process and important requirements (4:43)
Preparing tools and converting the disk image with QEMU (5:18)
Memory timeline creation with Volatility3 (5:08)
Creating a timeline of the disk image with Plaso tools and Log2Timeline (5:55)
Merging timelines with mactime parser and creating a Super Timeline (5:54)
Super Timeline overview with Timeline Explorer (5:32)
Analyzing malicious activity using the Super Timeline (17:28)
10) Reporting
Considerations and reporting types (5:33)
11) Final
Wrap up and next steps (2:59)
Windows registry overview
Further reading on Windows Registry:
Microsoft:
https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives
Mandiant:
https://www.mandiant.com/resources/digging-up-the-past-windows-registry-forensics-revisited