Healthy Paranoia Show 21: Windows Forensics with Andrew Case

That’s right, it’s time for another surveillance-free, EFF-approved episode of Healthy Paranoia! Where the passwords are salted and the packets are always encrypted. This episode is hosted by the infamous Mrs. Y, queen of metadata and official privacy advocate for Healthy Paranoia, and recorded in the NSA-proofed SCIF with Grecs, of and Shmoocon Firetalks. We discuss Windows Forensics with Andrew Case, digital forensics researcher, Hacker Academy instructor and core developer for the Volatility Framework.

According to NIST SP800-86:

Digital forensics… is considered the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Data refers to distinct pieces of digital information that have been formatted in a specific way…. Because of the variety of data sources, digital forensic techniques can be used for many purposes, such as investigating crimes and internal policy violations, reconstructing computer security incidents, troubleshooting operational problems, and recovering from accidental system damage.

In this episode, we discuss:

  • Purpose of the registry
  • Challenges of Windows forensics
  • Anti-forensics
  • Analysis techniques and tips

Show Notes:

Short video introduction to registry forensics featuring Andrew Case

Willi Ballenthin’s Event Viewer parser, python-evtx

Harlan Carvey’s XP Event Log parser

Harlan Carvey’s Windows Incident Response Blog

Journey Into Incident Response Blog


Jumplist analysis



Cuckoo Sandbox


Sleuth Kit and Autopsy






Mrs. Y
Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.
  • Sabatini Monatesti

    If you are relying on the forensics game, citizen information security and privacy of personal information are already lost. Privacy and security must be “built-in” during architecture design, system/network development, manufacturing and deployment. I believe the technologist must leverage these four ethical principles: informed consent, confidentiality, double-effect, beneficence and non-maleficence to ensure the rights of citizens are protected during use of the technology. Our asymmetric world, where it is difficult for citizens to discern vulnerability, requires that the technologist protect the rights of the citizen. Our government doesn’t appear to want to do that, e.g., NSA cyber tampering and TARGET exposure as two examples.

  • Guesty Guest Guest

    While it may sound like Windows is “stalking” you, it actually uses that information so that it can do things like autocomplete in an Explorer window.