Category Archives: Windows Forensics

SANS Christmas Hacking Challenge

I thought I would write about my experiences with the Christmas Hacking Challenge by SANS, I am writing this before Christmas, but I wont publish it until after the closing date for obvious reasons 🙂 The challenge has an amazing … Continue reading

Posted in Competition, Cyber, Heartbleed, Pen Testing, Research, SANS, Shellshock, USB Forensics, Windows Forensics | Tagged , , , , , , , | 5 Comments

Mounted Devices Key

Here is a screen capture of a Mounted Devices key. As you can see it can appear quite daunting. In a previous blog post I covered how a USB Mass Storage devices would simply convert ASCII to Hex and use … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged , , , , , , | Leave a comment

USB Forensics Update

Update #1 This is a late update to USB Forensics Part 4 – Volume Serial Number An important side note: As I have done more investigations I realised that this key will not be populated if the machine is deemed … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics, Windows Registry Forensics | Tagged , , | 1 Comment

Research: Decoding LanmanServer\Shares

For my first fully independent research topic I chose to look at the registry key created when an object is shared. This all started with a job we were investigating recently where the indicators we were given did not turn … Continue reading

Posted in Cyber, Research, Shared Folders, Windows Forensics, Windows Registry Forensics | Tagged , , , , , , , , | 6 Comments

Google Analytic Cookies

Google Analytic Cookies are very powerful at tracking what we do and where we do it, by knowing how they work you can use this to your advantage. Assumptions Quite rare I add in assumptions, but this topic could potentially … Continue reading

Posted in Browser Forensics, Cookies, Decoding Time, Google Analytics | Tagged , , , | Leave a comment

Link Files

Link (lnk) files are a valuable source of information in a forensic investigation and should not be casually overlooked. What are Link files? Link files are created by the system when a file is opened, even if that file is … Continue reading

Posted in Link FIles, Windows Forensics | Tagged , , , , , | Leave a comment

Jump Lists

What is a Jump List? A Jump List looks something like: From left to right we have; Windows Media Player Start Menu, Wordpad Internet Explorer Jump Lists were introduced in Windows 7 to allow frequently used files/tasks/webpages to be selected … Continue reading

Posted in Jump Lists, Windows Forensics | Tagged , , , , , , , , | Leave a comment

Chrome – Basics

Google Chrome, or just Chrome, is (at the time of writing) the most popular web browser by a fair amount. Twice as popular as Mozilla’s Firefox. Chrome stores its artefacts in SQLite, JSON (JavaScript Object Notation) and SNSS (Session Saver) … Continue reading

Posted in Browser Forensics, Chrome, Google Chrome, Windows Forensics | Tagged , , , , , , , , , | Leave a comment

Internet Explorer – Basics

As IE comes bundled with Windows as standard it is often the browser (of choice?) used by a lot of organisations. Larger organisations are also often slower to update IE, in my experience, as they have integrated business critical applications … Continue reading

Posted in Browser Forensics, Internet Explorer, Windows Forensics | Tagged , , , , , , , | Leave a comment

Mozilla Firefox – Basics

Mozilla Firefox was the most popular back in 2011, and although its popularity has been surpassed by Google Chrome (which I will cover later), it still holds around a quarter of the internet’s browser base. With Windows 7 there were … Continue reading

Posted in Browser Forensics, Firefox | Tagged , , , , | Leave a comment