Healthy Paranoia Show 21: Windows Forensics with Andrew Case

That’s right, it’s time for another surveillance-free, EFF-approved episode of Healthy Paranoia! Where the passwords are salted and the packets are always encrypted. This episode is hosted by the infamous Mrs. Y, queen of metadata and official privacy advocate for Healthy Paranoia, and recorded in the NSA-proofed SCIF with Grecs, of and Shmoocon Firetalks. We discuss Windows Forensics with Andrew Case, digital forensics researcher, Hacker Academy instructor and core developer for the Volatility Framework.

According to NIST SP800-86:

Digital forensics… is considered the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Data refers to distinct pieces of digital information that have been formatted in a specific way…. Because of the variety of data sources, digital forensic techniques can be used for many purposes, such as investigating crimes and internal policy violations, reconstructing computer security incidents, troubleshooting operational problems, and recovering from accidental system damage.

In this episode, we discuss:

  • Purpose of the registry
  • Challenges of Windows forensics
  • Anti-forensics
  • Analysis techniques and tips

Show Notes:

Short video introduction to registry forensics featuring Andrew Case

Willi Ballenthin’s Event Viewer parser, python-evtx

Harlan Carvey’s XP Event Log parser

Harlan Carvey’s Windows Incident Response Blog

Journey Into Incident Response Blog

Jumplist analysis

Cuckoo Sandbox

Sleuth Kit and Autopsy