Introduction to Windows Forensics

🎉 Official Training Courses from 13Cubed! 🎉

An introduction to basic Windows forensics, covering topics including UserAssist, ShellBags, USB devices, network adapter information and Network Location Awareness (NLA), LNK files, Prefetch, and numerous other common Windows forensic artifacts. We will walk through a DFIR cheat sheet I have created, and see a live example of each topic as we analyze a Windows 10 image.

⚠️ Please note that the cheat sheet shown in this video has since been replaced with a newer version:

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
Comments

I love the fact that this is still viable in 2023. Thank you!

wesleycastellanos

I'm new to DFIR and a coworker sent me this video! Thanks so much!!
Just figured I'd put in the comments: System registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803

melwightman

Thanks for being so great at explaining the "Why" as well as the "How"!!! Very helpful!!!

Thejasonwilkins

This is the best video for learning Windows forensics. Thank you so much for making this video on Windows forensics.

adarshrami

The best material about digital forensics I know by far. Thanks a lot for this great content. Please keep it up.

huyvuquang

Love your teaching style Richard! I was wondering, what do you think about the CCD cert?


This video is a lifesaver. This is very informative and very easy to understand. I am currently about to take the FOR500 course classes. DFIRDiva referred me to this YouTube channel. This is really so helpful; words cannot express my gratitude for sharing this wealth of knowledge. Once again, thank you 13cubed.

ruthawele

🎯 Key Takeaways for quick navigation:

00:00 Introduction to Windows Forensics, covering basic Windows forensic analysis techniques and artifacts.
02:35 Explanation of the Windows Registry structure, its location, and important registry hives (e.g., HKCU, HKLM).
08:12 Overview of registry keys like ComDlg32, LastVisitedPidlMRU, and OpenSavePidlMRU, showing recent file paths and interactions.
10:47 Discussion of the RunMRU registry key, revealing executed commands from the Run dialog.
11:54 Exploration of TypedPaths in the registry, indicating explicitly typed paths in Windows Explorer.
13:17 Introduction to the UserAssist registry key, which logs executed programs and provides information on their usage.
15:11 Explanation of the Run and RunOnce registry keys in both the current user and local machine hives, detailing programs that start upon login.
16:47 Introduction to ShellBags registry artifacts, storing Windows Explorer customization details and persisting information on deleted paths.
18:18 Demonstration of the ShellBags Explorer tool to parse and view ShellBags information, showing evidence of deleted paths.
21:27 Introduction to the UsrClass.dat registry hive, added in Windows 7 for segmentation of low-integrity processes, emphasizing its importance in forensic analysis.
23:30 Transition to discussing USB devices in Windows forensics, highlighting the significance of tracking plugged-in USB mass storage devices.
23:59 Analyzing registry paths like `HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR` can reveal information about plugged-in devices, with details such as serial numbers and timestamps.
25:07 In forensics, it's crucial not to assume but to rely on evidence. The correct registry key (e.g., `ControlSet001`) must be determined by examining the system's registry rather than making assumptions.
26:41 Examining the USBSTOR key in the registry can provide details about connected USB devices, including serial numbers, manufacturer information, and timestamps of connection.
28:57 USB device information, including VID (Vendor ID) and PID (Product ID), can be used to look up the make and model of the device by referencing online databases.
30:47 Exploring the Windows registry can reveal information about mounted devices, including volume GUIDs, friendly names, and timestamps, aiding in understanding device usage.
32:23 The volume GUID obtained from the registry can help identify the drive letter assigned to the USB device, providing additional insights into the device's usage.
35:30 Examining the registry's MountedDevices key can link a volume GUID to the user who mounted the USB device, offering insights into user activity.
40:32 Specific registry keys, like `0064`, `0066`, and `0067`, can reveal valuable information about USB device events, including installation, connection, and removal times.
42:18 The setup API log (`setupapi.dev.log`) can be referenced to find the first installation time of a USB device, providing additional context for forensic analysis.
43:12 Miscellaneous registry keys, such as time zone information, computer name, and network configurations, can be crucial for forensic investigations, helping establish a comprehensive understanding of the system.
49:25 The NLA registry keys in Windows can be used by forensic investigators to find evidence of every network a machine has connected to. Check the last write time of the key to determine the last time a PC connected to a specific network. The NLA information includes details like default gateway MAC, DNS suffix, SSID, and profile type.
53:33 Link files (LNK files) in Windows contain valuable metadata, including the MAC address of the host computer, original file path, size, and more. Even if a file has been securely erased, analyzing LNK files can provide evidence of its existence. Don't ignore LNK files in forensic investigations.
58:31 Prefetch and Superfetch in Windows, designed to improve user experience by caching frequently used data, can be leveraged by forensic investigators. Prefetch files (PF) in the Windows Prefetch directory can show evidence of application execution globally for all users on the system. Analyzing PF files provides details like executable name, path, run counter, and last run time. Check the EnablePrefetcher registry value (default is 3) to ensure prefetching is enabled.

Made with HARPA AI

damirgames
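The LNK metadata mentioned in the takeaways above (host MAC address from the tracker block, target path, size and timestamps) can be carved out with a short parser. The following is an added example, not code from the video, the 13Cubed cheat sheet or any commenter. It follows the public MS-SHLLINK layouts (ShellLinkHeader, StringData and the TrackerDataBlock) and builds a constructed .lnk in memory so it runs without a real evidence file; the host name, MAC address, path, size and dates in the sample are made up.

```python
"""Pull forensic metadata out of a Windows shell link (.lnk) file.

Added example (not from the video or the 13Cubed cheat sheet); implements the
MS-SHLLINK ShellLinkHeader, StringData and TrackerDataBlock layouts and builds
a constructed sample .lnk so it runs offline. All sample values are made up.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
TRACKER_SIGNATURE = 0xA0000003
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)    # FILETIME epoch
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # RFC 4122 v1 epoch

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)
STRING_NAMES = ("name", "relative_path", "working_dir", "arguments", "icon_location")


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01) -> aware datetime, None when unset."""
    return None if ft == 0 else WIN_EPOCH + timedelta(microseconds=ft // 10)


def object_id_details(raw16):
    """A version-1 UUID carries the generating host's NIC MAC and a timestamp."""
    u = uuid.UUID(bytes_le=raw16)
    if u.version != 1:
        return None, None, False
    mac = ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    # Multicast bit set in the first octet means the node was random, not a NIC address
    is_real_mac = not (u.node >> 40) & 1
    return mac, UUID_EPOCH + timedelta(microseconds=u.time // 10), is_real_mac


def parse_lnk(data):
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    out = {"target_created": filetime_to_datetime(ctime),
           "target_accessed": filetime_to_datetime(atime),
           "target_modified": filetime_to_datetime(wtime),
           "target_size": size}
    pos = header_size
    # Structures not interpreted here are skipped using their own size fields
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, name in zip(STRING_FLAGS, STRING_NAMES):   # StringData, fixed order
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    # ExtraData: (BlockSize, BlockSignature) blocks until a terminal block (size < 4)
    while pos + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            break
        if struct.unpack_from("<I", data, pos + 4)[0] == TRACKER_SIGNATURE:
            machine = data[pos + 16:pos + 32].split(b"\0", 1)[0]
            out["machine_id"] = machine.decode("ascii", "replace")
            # DroidBirth file object ID sits at offset 80 within the 0x60-byte block
            mac, born, real = object_id_details(data[pos + 80:pos + 96])
            out.update(mac=mac, object_id_created=born, mac_is_nic=real)
        pos += block_size
    return out


def build_sample_lnk():
    """Constructed sample .lnk with made-up values; not real evidence."""
    def filetime(dt):
        return ((dt - WIN_EPOCH) // timedelta(microseconds=1)) * 10

    def v1_uuid(dt, node, clock_seq=0x1234):
        ticks = ((dt - UUID_EPOCH) // timedelta(microseconds=1)) * 10
        return uuid.UUID(fields=(ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
                                 ((ticks >> 48) & 0x0FFF) | 0x1000,
                                 0x80 | ((clock_seq >> 8) & 0x3F), clock_seq & 0xFF, node))

    when = datetime(2023, 1, 15, 12, 0, tzinfo=timezone.utc)
    ft = filetime(when)
    flags = STRING_FLAGS[1] | IS_UNICODE            # HasRelativePath | IsUnicode
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags, 0x20,
                         ft, ft, ft, 4096, 0, 1, 0, 0, 0, 0)
    rel = "..\\Documents\\payroll_2023.xlsx"
    string_data = struct.pack("<H", len(rel)) + rel.encode("utf-16-le")
    tracker = struct.pack("<IIII", 0x60, TRACKER_SIGNATURE, 0x58, 0)
    tracker += b"WORKSTATION01".ljust(16, b"\0")
    tracker += b"\0" * 48 + v1_uuid(when, node=0x001122334455).bytes_le
    return header + string_data + tracker + struct.pack("<I", 0)


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:20} {value}")
```

On a real artifact, call `parse_lnk(open(path, "rb").read())`. Two caveats worth keeping in mind when reporting: the MAC and timestamp recovered from the object ID describe the host that created the target's object ID, which is not always the host the LNK was found on, and a node with the multicast bit set (`mac_is_nic` False) is a random value, not a NIC address.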

ABSOLUTELY A GEM OF A VIDEO! I learned most of this in college but needed to brush up again. thank you so much for posting this video. (I also love your last name!)

stevedavis

Thank you for being such a great tutor in the video. I'm a total newbie in cybersecurity, but I found this super interesting to learn.

xiajiangguo

Thank you very much for the great video! It is very helpful for basic forensics at the company.

aryandatta

Thanks for helping me pass the GCFE
and for the Star Trek: The Next Generation reference

andrewaskins

Wow, very nice. Explains things very well

derrickdike

Thanks for this video. My job is more IR than DF, but I'm taking the FOR508 class in about 3 weeks and want to go in with a better grasp of forensicating. Planning to study up a bit and play around with SIFT and the tools I got during GCIH before I go. Appreciated!

vero

This is fantastic, man! Thank you so much!

charleshennings

Thank you for this video! I'm doing my degree on Forensic Computing and this has just helped me understand some things better than the lectures!

I've definitely subscribed and I'm really looking forward to more videos

glassfrog

At minute 25:05: could there be a case in which CurrentControlSet is 1 but LastKnownGood is other than 1? If yes, how is that possible?

rajkaransinghgill

I just saw your videos!! Thank you so much for this!

dongodilorica

Hello man, I have a small question... at 10:54 you made a zoom while recording... how did you do that? What are you using for recording? Or did you do it in the editing stage?

Please answer.

Like your work

MoradRawashdeh

The cheat sheet will not download, using Chrome or Firefox. Can this be fixed? Thank you.

cleverestx