Healthy Paranoia Show 21: Windows Forensics with Andrew Case


That’s right, it’s time for another surveillance-free, EFF-approved episode of Healthy Paranoia! Where the passwords are salted and the packets are always encrypted. This episode is hosted by the infamous Mrs. Y, queen of metadata and official privacy advocate for Healthy Paranoia, and recorded in the NSA-proofed SCIF with Grecs, of Novainfosec.com and Shmoocon Firetalks. We discuss Windows Forensics with Andrew Case, digital forensics researcher, Hacker Academy instructor and core developer for the Volatility Framework.

According to NIST SP800-86:

Digital forensics… is considered the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Data refers to distinct pieces of digital information that have been formatted in a specific way….Because of the variety of data sources, digital forensic techniques can be used for many purposes, such as investigating crimes and internal policy violations, reconstructing computer security incidents, troubleshooting operational problems, and recovering from accidental system damage.

In this episode, we discuss:

  • Purpose of the registry
  • Challenges of Windows forensics
  • Anti-forensics
  • Analysis techniques and tips

Show Notes:

  • Short video introduction to registry forensics featuring Andrew Case
  • Willi Ballenthin’s Event Viewer parser, python-evtx
  • Harlan Carvey’s XP Event Log parser
  • Harlan Carvey’s Windows Incident Response Blog
  • Journey Into Incident Response Blog
  • CCleaner
  • Jumplist analysis
  • Shellbags
  • RegRipper
  • Cuckoo Sandbox
  • Registry Decoder
  • The Sleuth Kit and Autopsy
  • Volatility
  • log2timeline
  • DumpIt
  • KnTDD
  • F-Response
