Category Archives: Windows Forensics

SANS Christmas Hacking Challenge

Posted on January 3, 2015 by HatsOffSecurity

I thought I would write about my experiences with the Christmas Hacking Challenge by SANS, I am writing this before Christmas, but I wont publish it until after the closing date for obvious reasons 🙂 The challenge has an amazing … Continue reading →

Posted in Competition, Cyber, Heartbleed, Pen Testing, Research, SANS, Shellshock, USB Forensics, Windows Forensics | Tagged ../../../../, directory traversal, hats off security, heartbleed, linux, research, sans competiton, shellshock | 5 Comments

Mounted Devices Key

Posted on December 4, 2014 by HatsOffSecurity

Here is a screen capture of a Mounted Devices key. As you can see it can appear quite daunting. In a previous blog post I covered how a USB Mass Storage devices would simply convert ASCII to Hex and use … Continue reading →

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged artefact locations, hats off security, registry hives, USB, windows 7, Windows Registry Forensics, Windows8 | Leave a comment

USB Forensics Update

Posted on November 25, 2014 by HatsOffSecurity

Update #1 This is a late update to USB Forensics Part 4 – Volume Serial Number An important side note: As I have done more investigations I realised that this key will not be populated if the machine is deemed … Continue reading →

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics, Windows Registry Forensics | Tagged hats off security, USB, Windows Registry Forensics | 1 Comment

Research: Decoding LanmanServer\Shares

Posted on November 9, 2014 by HatsOffSecurity

For my first fully independent research topic I chose to look at the registry key created when an object is shared. This all started with a job we were investigating recently where the indicators we were given did not turn … Continue reading →

Posted in Cyber, Research, Shared Folders, Windows Forensics, Windows Registry Forensics | Tagged artefact locations, hats off security, registry hives, research, windows 7, windows 8.1, Windows Registry Forensics, windows xp, Windows8 | 6 Comments

Google Analytic Cookies

Posted on October 3, 2014 by HatsOffSecurity

Google Analytic Cookies are very powerful at tracking what we do and where we do it, by knowing how they work you can use this to your advantage. Assumptions Quite rare I add in assumptions, but this topic could potentially … Continue reading →

Posted in Browser Forensics, Cookies, Decoding Time, Google Analytics | Tagged browser forensics, cookies, google analytics, hats off security | Leave a comment

Link Files

Posted on September 14, 2014 by HatsOffSecurity

Link (lnk) files are a valuable source of information in a forensic investigation and should not be casually overlooked. What are Link files? Link files are created by the system when a file is opened, even if that file is … Continue reading →

Posted in Link FIles, Windows Forensics | Tagged artefact locations, basics, hats off security, link files, windows 7, Windows8 | Leave a comment

Jump Lists

Posted on September 6, 2014 by HatsOffSecurity

What is a Jump List? A Jump List looks something like: From left to right we have; Windows Media Player Start Menu, Wordpad Internet Explorer Jump Lists were introduced in Windows 7 to allow frequently used files/tasks/webpages to be selected … Continue reading →

Posted in Jump Lists, Windows Forensics | Tagged artefact locations, hats off security, jump lists, jumplists, recent, registry hives, windows 7, Windows Registry Forensics, Windows8 | Leave a comment

Chrome – Basics

Posted on June 25, 2014 by HatsOffSecurity

Google Chrome, or just Chrome, is (at the time of writing) the most popular web browser by a fair amount. Twice as popular as Mozilla’s Firefox. Chrome stores its artefacts in SQLite, JSON (JavaScript Object Notation) and SNSS (Session Saver) … Continue reading →

Posted in Browser Forensics, Chrome, Google Chrome, Windows Forensics | Tagged artefact locations, basics, browser forensics, chrome, dcode time, google chrome, hats off security, sqlite, windows 7, Windows8 | Leave a comment

Internet Explorer – Basics

Posted on June 22, 2014 by HatsOffSecurity

As IE comes bundled with Windows as standard it is often the browser (of choice?) used by a lot of organisations. Larger organisations are also often slower to update IE, in my experience, as they have integrated business critical applications … Continue reading →

Posted in Browser Forensics, Internet Explorer, Windows Forensics | Tagged artefact locations, basics, browser forensics, hats off security, internet explorer, windows 7, windows 8.1, Windows8 | Leave a comment

Mozilla Firefox – Basics

Posted on June 20, 2014 by HatsOffSecurity

Mozilla Firefox was the most popular back in 2011, and although its popularity has been surpassed by Google Chrome (which I will cover later), it still holds around a quarter of the internet’s browser base. With Windows 7 there were … Continue reading →

Posted in Browser Forensics, Firefox | Tagged browser forensics, firefox, hats off security, sqlite, Windows8 | Leave a comment

M	T	W	T	F	S	S
« Jan
						1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30

	Week 3 – 2018… on SMB2 – File/Directory…
	I can read it for yo… on Force Enabling ReadyBoost Wind…
	A on Force Enabling ReadyBoost Wind…
	Max on Ringzer0team – Forensics…
	Sam on Force Enabling ReadyBoost Wind…

Category Archives: Windows Forensics

SANS Christmas Hacking Challenge

Mounted Devices Key

USB Forensics Update

Research: Decoding LanmanServer\Shares

Google Analytic Cookies

Link Files

Jump Lists

Chrome – Basics

Internet Explorer – Basics

Mozilla Firefox – Basics

Hats Off Security

Recent Posts

Categories

CyberLinks

Recent Posts

Recent Comments

Archives

Categories

Meta