Recent Posts
- Talking about RFC 9424 – Indicators of Compromise (IoCs) and Their Role in Attack Defence
- PowerShell Basic Introduction (Security Version)
- Improving Technical Interviews
- AnyDesk Forensic Analysis and Artefacts
- Log4J/Log4Shell Video Glossary
- HatsOffSecurity on YouTube
- How to Create a Good Security CTF
- NoScript Plugin Forensic Investigation – Firefox/ToR Browser
- Keybase.io Forensics Investigation
- When is Index.dat not Evidence of Browsing
Categories
- anydesk
- Attack
- Browser Forensics
- Brute force
- Chrome
- Competition
- Competitions
- Containment
- Content Delivery Manager
- Cookies
- Cryptography
- CTF
- Cyber
- Cyber Security Challenge
- Decoding Time
- Encrypted Traffic
- Firefox
- Forensic Readiness Plan
- General
- Google Analytics
- Google Chrome
- Google Rapid Response
- Group Policy
- GRR
- Hardening
- Heartbleed
- Identification
- Incident Response
- Internet Explorer
- Interviews
- Introduction
- IoCs
- Jump Lists
- Keybase
- Link Files
- Linux Forensics
- Memory Forensics
- Microsoft Edge
- My Two Cents
- Network Analytics
- Network Forensics
- pass the hash
- PCAP Analysis
- Pen Testing
- PowerShell
- Preparation
- Protocol
- ReadyBoost
- Research
- Safari
- SANS
- Shared Folders
- Shellshock
- SMB
- SSH
- TOR
- Uncategorized
- USB Forensics
- Windows Forensics
- Windows Registry Forensics
- Windows Spotlight
- Windows XP
- Wireshark
Tag Archives: Windows Registry Forensics
USB Forensics Pt. 4 Volume Serial Number
On to Part 4 of our ongoing discoveries about USB forensics. A quick recap: so far we have managed to get details of two devices which have been connected to our image. We have looked at how to get: Unique …
USB Forensics Pt. 3 Discover the Volume Name
Part 3 of our investigation is to discover what the Volume Name of the USB device was. This can be helpful when looking into Link (.lnk) files (which I will cover in a later blog post). It can also occasionally …
USB Forensics Pt. 1 Serial Number
Forensicating USB devices can be an arduous task, so I am going to break it down into byte (get it?) sized chunks. In order to get the serial number from a USB device we must start our investigation on …
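As an added example (my code, not the blog's), this is how I would handle the two identifiers that Pt. 1 and Pt. 4 of the series go after: splitting a USBSTOR instance ID into vendor, product and serial, with the check that tells a device-supplied serial from one Windows invented, and converting a volume serial number from decimal to the XXXX-XXXX hex form that LNK files and `vol` show. The excerpts do not say where Pt. 4 reads the volume serial from; the EMDMgmt (ReadyBoost) key-name layout used here, the sample key paths, the GUID and every serial value are constructed for illustration.

```python
"""Parse USBSTOR instance IDs and EMDMgmt volume serial numbers.

Added example for the USB identification posts; all sample data below is
constructed and does not come from a real hive.
"""
import re
from dataclasses import dataclass

# Constructed subkey paths of the shape found under
# SYSTEM\ControlSet00X\Enum\USBSTOR\<device class ID>\<instance ID>.
SAMPLE_USBSTOR_KEYS = [
    r"Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0&000000",
]

# Constructed EMDMgmt subkey name (assumed layout): after the class GUID comes
# "<volume label>_<volume serial number in decimal>".
SAMPLE_EMDMGMT_KEY = (
    "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#"
    "4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}MYUSB_1234567890"
)

_CLASS_ID = re.compile(r"^Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>.*)$")


@dataclass
class UsbDevice:
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial: str
    serial_from_device: bool  # False when Windows had to make the ID up


def parse_usbstor_key(key: str) -> UsbDevice:
    """Split '<class ID>\\<instance ID>' into its parts.

    If the second character of the instance ID is '&', the device reported no
    serial number and Windows generated an ID tied to the port/enumeration.
    Such an ID does not identify the physical stick and must not be matched
    across machines.
    """
    class_id, sep, instance_id = key.rpartition("\\")
    if not sep:
        raise ValueError(f"no instance ID in {key!r}")
    m = _CLASS_ID.match(class_id)
    if m is None:
        raise ValueError(f"unexpected USBSTOR class ID {class_id!r}")
    from_device = len(instance_id) > 1 and instance_id[1] != "&"
    # A device-supplied serial carries a trailing "&<interface>" added by Windows.
    serial = instance_id.rsplit("&", 1)[0] if from_device else instance_id
    return UsbDevice(m["ven"], m["prod"], m["rev"], instance_id, serial, from_device)


def vsn_to_hex(vsn_decimal: int) -> str:
    """Render a 32-bit volume serial number as 'XXXX-XXXX' for matching
    against LNK files and 'vol' output."""
    if not 0 <= vsn_decimal <= 0xFFFFFFFF:
        raise ValueError("volume serial numbers are 32-bit values")
    h = f"{vsn_decimal:08X}"
    return f"{h[:4]}-{h[4:]}"


def parse_emdmgmt_key(name: str) -> tuple:
    """Return (volume label, VSN as 'XXXX-XXXX') from an EMDMgmt subkey name."""
    _, _, tail = name.rpartition("}")  # drop everything up to the class GUID
    label, sep, digits = tail.rpartition("_")
    if not sep or not digits.isdigit():
        raise ValueError(f"no decimal VSN at the end of {name!r}")
    return label, vsn_to_hex(int(digits))


if __name__ == "__main__":
    for k in SAMPLE_USBSTOR_KEYS:
        print(parse_usbstor_key(k))
    print(parse_emdmgmt_key(SAMPLE_EMDMGMT_KEY))
```

Run it and the first key yields serial 4C530001234567890123 (device supplied), the second is flagged as Windows-generated, and the EMDMgmt entry decodes to label MYUSB with VSN 4996-02D2, which is the value you would look for in the LNK files Pt. 3 mentions.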
RegBack Folder Update Times
Following on from timestamps and how I said they shouldn't be trusted, I am now going to talk about… timestamps! The RegBack folder holds a backup copy of the Registry hives and is located at %SystemRoot%\System32\config\RegBack. It is believed that these …
Hives and Tools and Timestamps….. oh my!
Continuing on from yesterday's post regarding hive files not updating: a colleague and I (say hi, Joe) have been doing some research on this, along with some very helpful comments from Brian Moran (@brianjmoran) via Twitter. My previous post commented …
Windows 8 Hives Not Saved On The Fly
*********After reading, please see this post for the conclusion********* Whilst playing about with USB devices to start my upcoming USB identification series I noticed something a little odd. I captured the locked files on the VM when I started this …
Network History and Decoding System Time
Following on from my last post we had a GUID starting C1CDD (normally I would write the whole GUID down, but for the sake of not boring you all, I will keep it short). In this post we are going …
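The "system time" that needs decoding in the NetworkList profile keys is a Win32 SYSTEMTIME: eight little-endian 16-bit words (year, month, day of week, day, hour, minute, second, milliseconds). As an added example, not the blog's code, here is a decoder for the DateCreated / DateLastConnected values under SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}, including the day-of-week cross-check that catches a wrong offset. The 16 sample bytes are constructed, and treating the value as local time (so that the machine's time zone bias still has to be applied) is my assumption.

```python
"""Decode SYSTEMTIME values from NetworkList profile keys.

Added example; the sample value is constructed, not taken from an image.
"""
import struct
from datetime import datetime

# SYSTEMTIME: wYear, wMonth, wDayOfWeek (0 = Sunday), wDay, wHour, wMinute,
# wSecond, wMilliseconds, each a little-endian WORD.
_SYSTEMTIME = struct.Struct("<8H")


def decode_systemtime(raw: bytes) -> datetime:
    """Return a naive datetime. The value is assumed to be written in the
    machine's local time, so apply the TimeZoneInformation bias before
    comparing it with UTC log sources."""
    if len(raw) != _SYSTEMTIME.size:
        raise ValueError(f"SYSTEMTIME is {_SYSTEMTIME.size} bytes, got {len(raw)}")
    year, month, dow, day, hour, minute, second, ms = _SYSTEMTIME.unpack(raw)
    dt = datetime(year, month, day, hour, minute, second, ms * 1000)
    # wDayOfWeek is redundant with the date; a mismatch means these bytes are
    # not a SYSTEMTIME (wrong offset, wrong value type, or corruption).
    if (dt.weekday() + 1) % 7 != dow:
        raise ValueError("day-of-week field disagrees with the date")
    return dt


def encode_systemtime(dt: datetime) -> bytes:
    """Inverse of decode_systemtime; useful for building test data."""
    return _SYSTEMTIME.pack(dt.year, dt.month, (dt.weekday() + 1) % 7, dt.day,
                            dt.hour, dt.minute, dt.second, dt.microsecond // 1000)


def is_systemtime(raw: bytes) -> bool:
    """True if the bytes decode as a self-consistent SYSTEMTIME."""
    try:
        decode_systemtime(raw)
        return True
    except ValueError:
        return False


def profile_times(values: dict) -> dict:
    """Decode the timestamp values of one exported profile key."""
    return {name: decode_systemtime(values[name]).isoformat(timespec="milliseconds")
            for name in ("DateCreated", "DateLastConnected") if name in values}


# Constructed DateLastConnected: 2014-05-15 13:34:17.379, a Thursday (wDayOfWeek = 4).
SAMPLE_DATE_LAST_CONNECTED = bytes.fromhex("de070500 04000f00 0d002200 11007b01")

if __name__ == "__main__":
    print(profile_times({"DateLastConnected": SAMPLE_DATE_LAST_CONNECTED}))
```

Feeding the same bytes through with the month byte altered makes the day-of-week check fail, which is the behaviour you want when a carve or a hex dump is off by a few bytes.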
Network Interfaces
Having the last known IP address of a machine can help you to identify whether it was in the wrong segment of the network (everyone does segment their network… right?), whether the address was static or dynamically assigned, or if …
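The per-adapter values live under the current control set at Services\Tcpip\Parameters\Interfaces\{GUID}. As an added example (mine, not the blog's), the code below answers the two questions the excerpt raises from one exported interface key: whether the last address was static or DHCP-assigned (EnableDHCP decides which set of values is meaningful), and whether that address sits in the segment you expected. It also decodes the DHCP lease times, which are stored as seconds since 1970 UTC. The two interface keys, their GUIDs and addresses are constructed; DWORDs are shown already decoded to integers.

```python
"""Interpret Tcpip\\Parameters\\Interfaces\\{GUID} values.

Added example; the interface exports are constructed and the GUIDs are made up.
"""
import ipaddress
from datetime import datetime, timezone

SAMPLE_INTERFACES = {
    "{8f2c1a44-0000-4b1e-9d0a-000000000001}": {
        "EnableDHCP": 1,
        "IPAddress": ["0.0.0.0"],          # unused while DHCP is enabled
        "DhcpIPAddress": "192.168.10.23",
        "DhcpSubnetMask": "255.255.255.0",
        "DhcpServer": "192.168.10.1",
        "DhcpDefaultGateway": ["192.168.10.1"],
        "LeaseObtainedTime": 1400157257,   # seconds since 1970-01-01 UTC
        "LeaseTerminatesTime": 1400243657,
    },
    "{8f2c1a44-0000-4b1e-9d0a-000000000002}": {
        "EnableDHCP": 0,
        "IPAddress": ["10.0.5.77"],
        "SubnetMask": ["255.255.255.0"],
        "DefaultGateway": ["10.0.5.1"],
    },
}


def _epoch_iso(seconds: int) -> str:
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def _first(values: dict, name: str):
    items = values.get(name) or [None]
    return items[0]


def describe_interface(values: dict) -> dict:
    """Pick the address that was actually in use for this adapter."""
    if values.get("EnableDHCP", 0) == 1:
        # With DHCP on, IPAddress is a placeholder; the Dhcp* values are live.
        return {
            "assignment": "dhcp",
            "address": values.get("DhcpIPAddress"),
            "mask": values.get("DhcpSubnetMask"),
            "gateway": _first(values, "DhcpDefaultGateway"),
            "dhcp_server": values.get("DhcpServer"),
            "lease_obtained_utc": _epoch_iso(values["LeaseObtainedTime"])
            if "LeaseObtainedTime" in values else None,
            "lease_expires_utc": _epoch_iso(values["LeaseTerminatesTime"])
            if "LeaseTerminatesTime" in values else None,
        }
    addrs = [a for a in values.get("IPAddress", []) if a != "0.0.0.0"]
    return {
        "assignment": "static",
        "address": addrs[0] if addrs else None,
        "mask": _first(values, "SubnetMask"),
        "gateway": _first(values, "DefaultGateway"),
        "dhcp_server": None,
        "lease_obtained_utc": None,
        "lease_expires_utc": None,
    }


def in_segment(address: str, cidr: str) -> bool:
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


def check_segments(interfaces: dict, expected_cidrs) -> list:
    """Return the GUIDs whose last address falls outside every expected segment."""
    out_of_place = []
    for guid, values in interfaces.items():
        addr = describe_interface(values)["address"]
        if addr and not any(in_segment(addr, c) for c in expected_cidrs):
            out_of_place.append(guid)
    return out_of_place


if __name__ == "__main__":
    for guid, values in SAMPLE_INTERFACES.items():
        print(guid, describe_interface(values))
    print("outside expected segments:", check_segments(SAMPLE_INTERFACES, ["192.168.10.0/24"]))
```

Keep in mind that these values reflect the adapter's last state, not a history: a lease that expired long before the image was taken still shows the old address.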
Computer Name, Timezone & Current Control Set
Computer Name: Having the computer name will show that the image you have in front of you is from the machine you were expecting. Obviously it's not a 100% guarantee, but if it's different, then something is 100% wrong and …
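The three items in this title depend on each other: SYSTEM\Select\Current says which ControlSet00X was in use, and the computer name and time zone must be read from that control set, not from whichever one happens to come first. As an added example (my code, not the blog's) the block below resolves the control set, pulls the computer name, and uses ActiveTimeBias to convert a local-time artefact to UTC. Windows stores the bias with the sign convention UTC = local + bias, so a machine on UTC+1 shows -60. The hive export, the computer names and the bias values are constructed.

```python
"""Resolve the current control set and decode TimeZoneInformation.

Added example; the hive export below is constructed (REG_DWORDs kept as the
raw little-endian bytes a hive parser returns, strings already decoded).
"""
import struct
from datetime import datetime, timedelta, timezone

SAMPLE_SYSTEM_HIVE = {
    "Select": {
        "Current": b"\x01\x00\x00\x00",
        "Default": b"\x01\x00\x00\x00",
        "LastKnownGood": b"\x02\x00\x00\x00",
    },
    "ControlSet001": {
        "Control\\ComputerName\\ComputerName": {"ComputerName": "WIN7-LAB"},
        "Control\\TimeZoneInformation": {
            "TimeZoneKeyName": "GMT Standard Time",
            "Bias": b"\x00\x00\x00\x00",            # standard offset: 0 minutes
            "DaylightBias": b"\xc4\xff\xff\xff",    # -60 applied while DST is in force
            "ActiveTimeBias": b"\xc4\xff\xff\xff",  # -60: machine was on BST (UTC+1)
        },
    },
    "ControlSet002": {  # stale copy; must not be used just because it exists
        "Control\\ComputerName\\ComputerName": {"ComputerName": "OLD-NAME"},
        "Control\\TimeZoneInformation": {
            "TimeZoneKeyName": "GMT Standard Time",
            "Bias": b"\x00\x00\x00\x00",
            "DaylightBias": b"\xc4\xff\xff\xff",
            "ActiveTimeBias": b"\x00\x00\x00\x00",
        },
    },
}


def reg_dword(raw: bytes, signed: bool = False) -> int:
    """REG_DWORD is a 32-bit little-endian integer; the bias values are signed."""
    return struct.unpack("<i" if signed else "<I", raw)[0]


def current_control_set(hive: dict) -> str:
    name = f"ControlSet{reg_dword(hive['Select']['Current']):03d}"
    if name not in hive:
        raise KeyError(f"Select\\Current points at {name}, which is not in the hive")
    return name


def computer_name(hive: dict) -> str:
    cs = hive[current_control_set(hive)]
    return cs["Control\\ComputerName\\ComputerName"]["ComputerName"]


def active_utc_offset(hive: dict) -> timedelta:
    """Offset of local time from UTC at the moment the hive was last written.

    ActiveTimeBias flips with DST, so for an artefact from the other side of a
    DST change recompute the offset from Bias plus StandardBias/DaylightBias.
    """
    tz = hive[current_control_set(hive)]["Control\\TimeZoneInformation"]
    return timedelta(minutes=-reg_dword(tz["ActiveTimeBias"], signed=True))


def format_offset(delta: timedelta) -> str:
    minutes = int(delta.total_seconds() // 60)
    sign = "+" if minutes >= 0 else "-"
    h, m = divmod(abs(minutes), 60)
    return f"UTC{sign}{h:02d}:{m:02d}"


def local_iso_to_utc_iso(local_iso: str, hive: dict) -> str:
    """Convert a naive local timestamp (e.g. from a SYSTEMTIME value) to UTC."""
    local = datetime.fromisoformat(local_iso)
    return (local - active_utc_offset(hive)).replace(tzinfo=timezone.utc).isoformat()


def summary(hive: dict) -> dict:
    cs = current_control_set(hive)
    tz = hive[cs]["Control\\TimeZoneInformation"]
    return {
        "control_set": cs,
        "computer_name": computer_name(hive),
        "time_zone": tz["TimeZoneKeyName"],
        "utc_offset": format_offset(active_utc_offset(hive)),
    }


if __name__ == "__main__":
    print(summary(SAMPLE_SYSTEM_HIVE))
    print(local_iso_to_utc_iso("2014-05-15T13:34:17", SAMPLE_SYSTEM_HIVE))
```

With the constructed values this reports ControlSet001, WIN7-LAB and UTC+01:00, and a local 13:34:17 becomes 12:34:17 UTC; reading ControlSet002 instead would have given the wrong name and the wrong offset.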
Operating System Version and Banners
Without knowing which operating system your image was running you cannot possibly hope to carry out a comprehensive investigation. So my next couple of posts will be very short 'quick wins' on where to get some critical data. Starting with …