Scribd
Upload
438 views15 pages

Windows Forensics: Dr. Phil Polstra @ppolstra PHD, Cissp, Ceh

Uploaded by

karla
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
438 views15 pages

Windows Forensics: Dr. Phil Polstra @ppolstra PHD, Cissp, Ceh

Uploaded by

karla
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
  • Introduction: Introduces the author and the purpose of the Windows Forensics course, setting context for the entire document.
  • About Me: Details the author's professional background and expertise, establishing credibility in the field of digital forensics.
  • Live Response Techniques: Covers strategies for live response including human interactions, creating kits, and determining data collection methods.
  • Filesystem and Disk Analysis: Explains analyzing filesystems using tools like TSK and Autopsy, and delves into disk editors and filesystems.
  • Network and File Forensics: Examines network forensics involving packet captures, and file forensics including file signatures and web browsing history.
  • Memory Forensics and Malware Analysis: Discusses advanced forensics techniques related to memory, malware analysis, and registry forensics.
  • Course Goals and Conclusion: Outlines the course's overarching objectives, emphasizing open-source tools and hands-on exercises.

Windows Forensics

Dr. Phil Polstra @ppolstra


PhD, CISSP, CEH [Link]
Certifications:
[Link]

Pentester Academy: [Link]


©[Link]
About Me

Frequent conference speaker

Repeat performances at DEFCON, BlackHat, GrrCON, 44CON, B-sides,
ForenSecure, ...

BruCON, SecTOR, ShakaCON, ...

Author

Hacking and Penetration Testing with Low Power Devices

Linux Forensics

USB Forensics

Associate Professor of Digital Forensics, Bloomsburg University of
Pennsylvania

Programming from age 8 (in Assembly at 10)

Hacking hardware from age 12

Aviator and plane builder with a dozen ratings

©[Link]
Course Contents
Live Response

Human interactions

Creating a live response kit

Transporting data across a network

Collecting volatile data

Determining if dead analysis is justified

Dumping RAM
©[Link]
Course Contents (cont.)
Acquiring filesystem images

Using dd

Using dcfldd & dc3dd

Write blocking

Software blockers

Udev rules

Forensic Linux distros

Hardware blockers

©[Link]
Course Contents (cont.)
Analyzing filesystems

Mounting image files

Finding the strange

Searching tools

Authentication related files

Recovering deleted files

Finding hidden information
©[Link]
Course Contents (cont.)
The Sleuth Kit (TSK) and Autopsy

Volume information

Filesystem information

FAT 12/16/32

NTFS

Directory entries

Constructing timelines
©[Link]
Course Contents (cont.)
Timeline Analysis

When was system installed, upgraded,
booted, etc.

Newly created files (malware)

Changed files (trojans)

Files in the wrong place (exfiltration)

©[Link]
Course Contents (cont.)
Digging deeper into Windows filesystems

Disk editors

Active@ Disk Editor

Autopsy

FAT 12/16/32

NTFS

Searching unallocated space
©[Link]
Course Contents (cont.)
Network forensics

Using snort on packet captures

Using tcpstat

Seperating conversations with tcpflow

Tracing backdoors with tcpflow

©[Link]
Course Contents (cont.)
File forensics Unknown files

Using file signatures

Comparing hashes to

Searching through know values
swap space ●
File and strings

Web browsing commands
reconstruction ●
Log files

Cookies ●
Recycle bin

Search history ●
Prefetch files

Browser caches ●
Alternate data streams
©[Link]
Course Contents (cont.)
Registry forensics ●
Past & present

RegRipper mounted devices

Python ●
User activity

System information ●
System restore

Autostart programs points

USB Devices

User info
©[Link]
Course Contents (cont.)
Memory Forensics

Retrieving process information

Windows objects

Looking for malware

Event logs

Registry in memory

Reconstructing network artifacts

Windows services

Windows GUI

Filesystems in memory

Detecting kernel rootkits

Creating timelines
©[Link]
Course Contents (cont.)
Reversing Windows ●
Command line analysis
Malware tools

Windows executables

strings

Headers ●
Running malware

Imports (carefully)

Exports

Virtual machine setup

Capturing network

Resources
traffic

Obfuscation ●
Leveraging debuggers

Dynamic linking
©[Link]
Course Contents (cont.)
Writing the reports

Autopsy

Dradis

OpenOffice

©[Link]
Overall Goals

Leverage open source (or at least free)
software

Hands on practical exercises and demos
throughout

Provide the most comprehensive
Windows forensics course available

©[Link]

You might also like