Forensicating Windows Artifacts: Investigation w/out Event Logs! presented at BSidesLondon 2019

by Renzon Cruz,

Summary : When dealing with security incidents, hackers tend to wipe their digital footprints to avoid being detected. Normally, they wanted to wipe event logs, so it would be hard for incident responders / forensicators to detect what exactly they did on the compromised machine. As a security professionals working in investigation like this, what would you do once the event logs got wiped? That's why windows artifacts are there to help us investigate and conduct forensics to know what happened before and after compromising the windows machine. On this talk, I'm going to show you the importance of windows artifacts such as prefetch files, registry keys, link files, browser artifacts, shell bags,etc. I will also show you the tools that I've been using in order to get the best out of it during forensics investigation. This lesson is very important specially to those people working in SOC environment, incident responders, and digital forensics investigators.