The Forensic World of Windows 10 Updates
- Howard Walton
- 5 years ago
1 The Forensic World of Windows 10 Updates Alissa
2 "IT security professionals can quickly become extinct if they don't continually update their skills as new technologies emerge" - SANS Cybersecurity Professional Trends Survey
3 Forensics & Windows 10 Updates: Highlights
- Evolution of Windows 10
- Process Hierarchy Changes
- Windows Artifact Changes
- Memory Structure Obfuscation
- Memory Management Changes
4 Desktop Market Share - Oct 2018 (Windows versions, % of desktop share, netmarketshare.com)
- Windows 7: 48%
- Windows 10: 40%
- Windows 8.1: 6%
- Windows XP: 5%
- Windows 8: 1%
5 Windows 10 Features (by Update)
Initial Release:
- Start Menu (again)
- Cortana Personal Assistant
- Notifications Center
- Microsoft Edge Browser
- More Authentication Options
- Distribution Updating Methods (Peer-to-Peer)
- Secure Kernel
Later Versions (*Note: MS has stated WinVersion will not increment from Win10):
- Windows Subsystem for Linux - WSL (Creators Update - Redstone 2)
- Dictation, Sets, Nearby Sharing (April 2018 Update - Redstone 4)
- Timeline (April 2018 Update - Redstone 4)
- Continuum for Phones
- Windows Ink
- Clipboard History (Oct 2018)
6 Windows 10 Versions (by Update) - Windows 10 Version History
7 Baselining Windows 10 Processes
8 Advantages of Baselining
- Know Normal, Find Evil
- Efficient Hunting and Faster Detection
- Identifies Anomalous network/host/account activity
- Document Baseline Configurations > SAVE $$
- Zero to Hero Faster
- Better informed external IR support
- Faster response/remediation
- Decreased cost of engagement
9 Windows 10 Processes Know Normal, Find Evil
10 Windows 10 Processes Know Normal, Find Evil BUILD 14393
11 Windows 10 Processes Know Normal, Find Evil BUILD 17134
12 Windows 10 Processes: Memory Compression Store Process (as of 17063)
Process: Memory Compression
Parent Process: SYSTEM
Number of Instances: One
Start Time: Upon boot
Description: A minimal process whose address space is used to hold compressed pages
13 Windows 10 Processes: Registry Process
Process: Registry
Parent Process: SYSTEM
Number of Instances: One
Start Time: Upon boot
Description: A minimal process whose address space is used to hold data on behalf of the kernel and optimize memory management for the registry
14 Changes in Process Hierarchy - Know Normal, Find Evil
- Secure Kernel - analogous to System process
- Memory Compression - minimal process
- Skydrive.exe = OneDrive.exe
- lsm.exe no longer in the process list
- LSAiso.exe (virtualized process containing credentials with use of Credential Guard)
- Cortana processes - remindersserver.exe, remindersapp++
- taskhost.exe (Win7) -> taskhostex.exe (Win8) -> taskhostw.exe (Win10)
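The baselining rules from slides 12 to 14 (minimal processes parented by System, retired or renamed process names) as a check over a pslist-style table. This is an added example, not code from the deck; the process table is constructed, and the rule set is a starting point rather than a full Windows 10 baseline.

```python
"""Baseline check for a Windows 10 process list: "Know Normal, Find Evil".

Added example, not from the deck. The rules encode what the slides state:
Memory Compression and Registry are minimal processes with System as parent,
one instance, started at boot; lsm.exe is gone from the process list;
taskhost.exe (Win7) / taskhostex.exe (Win8) became taskhostw.exe;
SkyDrive.exe became OneDrive.exe. The input is a constructed pslist-style
table, not output from a real memory image.
"""
import re
from collections import Counter

# Constructed pslist-style output (Name, PID, PPID). Not real evidence.
SAMPLE_PSLIST = """\
Name                 PID   PPID
System               4     0
Registry             88    4
smss.exe             300   4
Memory Compression   1500  4
Memory Compression   1504  4
lsass.exe            612   520
LsaIso.exe           616   4
svchost.exe          900   700
svchost.exe          1100  700
MicrosoftEdge.exe    2200  900
taskhostw.exe        2400  1100
taskhostex.exe       2500  1100
lsm.exe              2600  4
"""

# Minimal processes from the slides: name -> (expected parent, expected instance count)
MINIMAL_PROCESSES = {
    "Memory Compression": ("System", 1),
    "Registry": ("System", 1),
}

# Process names that should not appear on a Windows 10 host (removed or renamed)
RETIRED_NAMES = {
    "lsm.exe": "lsm.exe is no longer in the Win10 process list",
    "taskhost.exe": "taskhost.exe (Win7) is taskhostw.exe on Win10",
    "taskhostex.exe": "taskhostex.exe (Win8) is taskhostw.exe on Win10",
    "skydrive.exe": "SkyDrive.exe is OneDrive.exe on Win10",
}


def parse_pslist(text):
    """Return [(name, pid, ppid)] from a pslist-style table; the header row is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        m = re.match(r"^(.*?)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            procs.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return procs


def check_baseline(procs):
    """Return sorted findings: parent mismatches, extra instances, retired names."""
    name_by_pid = {pid: name for name, pid, _ in procs}
    instances = Counter(name for name, _, _ in procs)
    findings = []
    for name, pid, ppid in procs:
        if name in MINIMAL_PROCESSES:
            want_parent = MINIMAL_PROCESSES[name][0]
            parent = name_by_pid.get(ppid, "<unknown>")
            if parent != want_parent:
                findings.append(f"{name} (PID {pid}): parent is {parent}, expected {want_parent}")
        if name.lower() in RETIRED_NAMES:
            findings.append(f"{name} (PID {pid}): {RETIRED_NAMES[name.lower()]}")
    for name, (_, want_count) in MINIMAL_PROCESSES.items():
        if instances[name] > want_count:
            findings.append(f"{name}: {instances[name]} instances, expected {want_count}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_baseline(parse_pslist(SAMPLE_PSLIST)):
        print("FINDING:", finding)
```

On the constructed table the check reports the second Memory Compression instance, the Win8-era taskhostex.exe and the retired lsm.exe, and stays quiet about the legitimate rows.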
15 Which Version of Windows?
16 Process Hierarchy In Review cmd.exe & conhost.exe (Vista & Win7)
17 New Process Hierarchy
- cmd.exe & conhost.exe (as of Win8)
- powershell.exe & conhost.exe (as of Win8)
18 Edge Browser Hierarchy
$ vol.py -f win10_cmd.dmp --profile=win10x64 pstree
- Edge Browser launched by svchost.exe
- All Edge processes run in user session
19 Edge Browser Hierarchy
20 Edge Related Processes
Process | Description
browser_broker.exe | A special broker process that brokers access to various resources that the sandbox processes cannot access directly
Microsoft_Edge.exe | UWP app browser
Runtime_Broker.exe | A generic broker process that brokers access to various resources for all UWP apps
ApplicationFrameworkHost.exe | A process that handles UI windows creation for all UWP apps
Smartscreen.exe | Windows Defender anti-phishing, anti-malware browser feature (unified as of 1703)
21 Core Artifacts Shift in Windows 10
22 Interpretation of OS Install Date
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
- Install Date used to be a cornerstone of forensic investigations.
- Its meaning has shifted: Windows 10 updates, when installed, change the InstallTime value.
23 Evidence of Execution - Key Forensic Artifacts
- Win10 Prefetch
- Stored using LZXPRESS Huffman stream compression
- Joachim Metz's libscca project
24 AppCompatCache (Creators Update - Redstone 2)
- Registry values that reveal Evidence of Execution, a huge win for malware investigations
- The Creators Update changed the signature for the beginning of the Shimcache entries and the offset where the entries begin
- Posed a challenge to AppCompatCache parsing tools
25 XBOX integrations - Unified Core & App Platform
- Xbox, Win10, Windows Phone, Windows on Devices have all been merged into one kernel
- Rekall's svcscan output
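The parsing problem described on slide 24, as an added example (not from the deck or from any named parser): a walker that reads the entry offset from the AppCompatCache value's own header instead of hard-wiring it, so the pre-Creators and Creators Update layouts both parse. The entry layout and the 0x30/0x34 header sizes are my understanding of the format as documented by open-source Shimcache parsers; the sample blobs are constructed.

```python
"""Walk Windows 10 AppCompatCache (Shimcache) entries for both header sizes.

Added example, not from the deck or any named tool. Layout assumed here, as
documented by open-source Shimcache parsers: the first DWORD of the
AppCompatCache registry value is the header size (0x30 on early Windows 10,
0x34 from the Creators Update) and entries start at that offset. Each entry:
  '10ts' | 4 bytes unknown | 4 bytes entry size | 2 bytes path length |
  UTF-16LE path | 8-byte FILETIME last modified | 4 bytes data size | data
The two sample blobs are constructed, not extracted from a real registry.
"""
import struct
from datetime import datetime, timedelta, timezone

ENTRY_MAGIC = b"10ts"
HEADER_VARIANTS = {0x30: "Windows 10 (pre-Creators Update)",
                   0x34: "Windows 10 Creators Update and later"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_entry(path, last_modified, data=b""):
    """Build one constructed '10ts' entry (only used to make sample input)."""
    raw_path = path.encode("utf-16-le")
    body = struct.pack("<H", len(raw_path)) + raw_path
    body += struct.pack("<Q", datetime_to_filetime(last_modified))
    body += struct.pack("<I", len(data)) + data
    return ENTRY_MAGIC + struct.pack("<II", 0, len(body)) + body


def build_cache(header_size, entries):
    """Constructed AppCompatCache value: header-size DWORD, zero padding, entries."""
    return struct.pack("<I", header_size) + b"\x00" * (header_size - 4) + b"".join(entries)


def walk_entries(blob, offset):
    """Parse '10ts' entries starting at offset; stop at the first non-entry."""
    entries = []
    while offset + 12 <= len(blob):
        magic, _unknown, entry_size = struct.unpack_from("<4sII", blob, offset)
        if magic != ENTRY_MAGIC:
            break
        body = blob[offset + 12: offset + 12 + entry_size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        ft = struct.unpack_from("<Q", body, 2 + path_len)[0]
        entries.append((path, filetime_to_datetime(ft)))
        offset += 12 + entry_size
    return entries


def parse_shimcache(blob):
    """Read the header size from the value itself, then walk the entries."""
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in HEADER_VARIANTS:
        raise ValueError(f"unknown AppCompatCache header size 0x{header_size:x}")
    return HEADER_VARIANTS[header_size], walk_entries(blob, header_size)


# Constructed sample: the same two entries behind both header sizes
SAMPLE_TIME = datetime(2018, 4, 30, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    build_entry(r"C:\Windows\System32\cmd.exe", SAMPLE_TIME),
    build_entry(r"C:\Users\analyst\Downloads\tool.exe", SAMPLE_TIME - timedelta(days=3)),
]
SAMPLE_CACHES = {size: build_cache(size, SAMPLE_ENTRIES) for size in HEADER_VARIANTS}

if __name__ == "__main__":
    for size, blob in SAMPLE_CACHES.items():
        variant, entries = parse_shimcache(blob)
        print(f"header 0x{size:x} -> {variant}: {len(entries)} entries")
        for path, ts in entries:
            print(f"  {ts:%Y-%m-%d %H:%M:%S} UTC  {path}")
    # A tool hard-wired to the old 0x30 offset sees no entries in a Creators Update cache
    print("fixed 0x30 offset on 0x34 cache:", len(walk_entries(SAMPLE_CACHES[0x34], 0x30)))
```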
26 Windows 10 Memory Management
27 Data Compression in RAM (Memory Management Changes)
- Compression of infrequently used data stored in RAM
- Reduces the # of Reads/Writes
- Reduces Use of Memory by Apps
28 Fast Startup
Upon Shutdown:
- Users are logged out
- Applications are closed
- Kernel memory (loaded drivers, etc) written to the hiberfil.sys
- Data is loaded back into RAM at boot
29 Windows 10 Pagefile Features
- Data is compressed prior to being written to the pagefile
- Faster to Write/Read from Hard Disk
- Encryption of Pagefile
- Pages written out to disk only 50% as often as previous versions of the OS
30 Memory Structure Obfuscation Windows 8+ (x64) Encrypted KDBG
31 Memory Structure Obfuscation Win8+(x64) Encrypted KDBG
32 Memory Structure Obfuscation: Win10 kernel object header TypeIndex field
- Win10 has 48 Types of Kernel Objects
33 Memory Structure Obfuscation: Win10 TypeIndex field
- Object Header's TypeIndex field
- Win10 uses the address of the object header and XORs it with TypeIndex & nt!ObHeaderCookie
- Changes how plugins like handles & object_tree identify kernel object type
34 Additional Windows 10 Artifacts
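The TypeIndex de-obfuscation from slide 33 worked through in code. This is an added example, not code from the deck or from Volatility/Rekall; the cookie value, header addresses and the object type table are constructed for illustration, and the XOR relation is the one memory forensics tools apply on Windows 10 x64 (stored byte XOR the second-lowest byte of the header address XOR nt!ObHeaderCookie).

```python
"""Decode the obfuscated _OBJECT_HEADER.TypeIndex used by Windows 10 x64.

Added example, not from the deck or from Volatility/Rekall. The relation is the
one memory forensics tools apply for Win10: true type index =
stored TypeIndex XOR (byte 1 of the object header address) XOR nt!ObHeaderCookie.
The cookie value, header addresses and the type table below are constructed for
illustration; a real analysis reads the cookie and the table from the image.
"""

# Constructed subset of an ObTypeIndexTable (index -> type name); not a real build's table
TYPE_TABLE = {0x07: "Process", 0x08: "Thread", 0x25: "File", 0x2A: "Key"}
SAMPLE_COOKIE = 0x4B  # constructed stand-in for nt!ObHeaderCookie


def decode_type_index(header_addr, stored_index, cookie):
    """Recover the real ObTypeIndexTable index from the TypeIndex byte in the header."""
    return (stored_index ^ ((header_addr >> 8) & 0xFF) ^ cookie) & 0xFF


def encode_type_index(header_addr, true_index, cookie):
    """What the kernel stores for a header at this address (XOR is its own inverse)."""
    return decode_type_index(header_addr, true_index, cookie)


def object_type_name(header_addr, stored_index, cookie, table=TYPE_TABLE):
    """Name of the object type, or '<unknown>' if the index is outside the table."""
    return table.get(decode_type_index(header_addr, stored_index, cookie), "<unknown>")


# Constructed object headers: (header address, stored TypeIndex byte).
# The first one is chosen so that a naive lookup of the stored byte gives the
# wrong type (Thread) while the decoded index gives the right one (Process).
SAMPLE_HEADERS = [
    (0xFFFFE0015A3B4480, encode_type_index(0xFFFFE0015A3B4480, 0x07, SAMPLE_COOKIE)),
    (0xFFFFE0015A3B2D80, encode_type_index(0xFFFFE0015A3B2D80, 0x25, SAMPLE_COOKIE)),
    (0xFFFFE0015A3B3E00, encode_type_index(0xFFFFE0015A3B3E00, 0x2A, SAMPLE_COOKIE)),
]


def resolve_headers(headers, cookie, table=TYPE_TABLE):
    """Decode each header: (address, stored byte, naive lookup, decoded name)."""
    return [(addr, stored, table.get(stored, "<unknown>"),
             object_type_name(addr, stored, cookie, table))
            for addr, stored in headers]


if __name__ == "__main__":
    for addr, stored, naive, decoded in resolve_headers(SAMPLE_HEADERS, SAMPLE_COOKIE):
        print(f"{addr:#018x} TypeIndex={stored:#04x} naive={naive:<9} decoded={decoded}")
```

Because the address byte takes part in the XOR, the same stored byte at two different header addresses can name two different types, which is why plugins such as handles and object_tree must decode per header rather than look the byte up directly.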
35 All Installed Apps Database: StateRepository-Machine.srd
- SQLite DB
- Tracker for installation of system's Windows Store Apps (default and user installed)
- Located here: C:\ProgramData\Microsoft\Windows\AppRepository\
36 Background Activity Moderator (BAM)
SYSTEM\CurrentControlSet\Services\bam\UserSettings
- Windows service that controls activity of background applications (Fall Creators Update)
37 RecentApps
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
- Execution tracker of Applications by App GUID, includes run count & last run time
- AppID = Name of Application
- LastAccessTime = Last Execution Time in UTC
- File GUID Subkeys contain up to 10 files accessed by application
screenshot from
38 Clipboard History (Oct 18)
C:\Users\<userprofile>\AppData\Local\Microsoft\Windows\clipboard
- If enabled, allows user to save multiple items (including images) to clipboard
- Clipboard cleared upon logout, unless items are pinned
- Supports the syncing of clipboard history across Windows devices
screenshot from
39 MACB time/date behaviors
- Based on research performed by O. Skulkin & I. Mikhaylov, NTFS time/date update behaviors have changed
- When a file is modified, the $SI & $FN time/date stamps update in Windows 10 (instead of just $SI as in previous Win versions)
- When a file is copied, both the $SI File Modified & Metadata Modified are preserved from the original
40 Windows Timeline Feature Analysis
41 Timeline (April 2018 Update - Redstone 4)
- Organizational productivity / User Experience focused tool
- Allows easy access to Recent Docs, webpages from the last weeks/months
- Added as a feature of Task View
- Options can be set here: Settings>Privacy>Activity
- Database lives at this location: C:\Users\<profile>\AppData\Local\ConnectedDevicesPlatform\L.<profile>\ActivitiesCache.db
42 Timeline (April 2018 Update - Redstone 4)
- Windows Search Service must be enabled
43 Timeline (April 2018 Update - Redstone 4): Parsing ActivitiesCache.db
- Parse the ActivitiesCache.db with Eric Zimmerman's WxTCmd
44 Timeline (April 2018 Update - Redstone 4): Parsing ActivitiesCache.db
- Parse the ActivitiesCache.db with Eric Zimmerman's WxTCmd (Activities Table)
45 Does Clearing Activity History Clear the .db?
- Even after clearing Activity history via Settings, ActivitiesCache.db remains populated.
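A minimal reader for the Activities table described on slides 41 to 45, as an added example that is neither the deck's code nor WxTCmd. The Activity schema here is a reduced, assumed subset of the real one (AppId as a JSON list, times as Unix epoch seconds), the activity type names are taken from public Timeline research and treated as an assumption, and the rows are constructed; the reader lists every row, including ones past their ExpirationTime, which is what you want when checking whether the database is still populated after a Settings clear.

```python
"""List Windows Timeline activities from an ActivitiesCache.db.

Added example, not from the deck and not WxTCmd. The Activity table created
here is a reduced, assumed subset of the real schema (AppId is a JSON list,
times are Unix epoch seconds); the rows are constructed, not from a real
profile. The activity type names are the ones reported by public Timeline
research and are treated as an assumption here.
"""
import json
import sqlite3
from datetime import datetime, timezone

ACTIVITY_TYPES = {5: "ExecuteOpen", 6: "InFocus"}  # assumed mapping
NOW_EPOCH = 1525089600  # 2018-04-30 12:00:00 UTC, constructed "time of analysis"


def app_id_json(path):
    """AppId value as stored in the table: a JSON list of application descriptors."""
    return json.dumps([{"application": path, "platform": "x_exe_path"}])


def build_sample_db():
    """In-memory ActivitiesCache.db stand-in with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE Activity (
        Id BLOB PRIMARY KEY, AppId TEXT, ActivityType INTEGER,
        StartTime INTEGER, EndTime INTEGER, LastModifiedTime INTEGER,
        ExpirationTime INTEGER, Payload BLOB)""")
    rows = [
        # notepad opened, then in focus for an hour (expires 30 days later)
        (b"\x01" * 16, app_id_json(r"C:\Windows\System32\notepad.exe"), 5,
         1525089600, 1525089660, 1525089660, 1527681600, b"{}"),
        (b"\x02" * 16, app_id_json(r"C:\Windows\System32\notepad.exe"), 6,
         1525089600, 1525093200, 1525093200, 1527681600, b"{}"),
        # an older activity whose ExpirationTime has already passed
        (b"\x03" * 16, app_id_json(r"C:\Program Files\Tools\editor.exe"), 5,
         1519862400, 1519862460, 1519862460, 1522454400, b"{}"),
    ]
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def to_utc(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc) if epoch else None


def load_activities(conn, now_epoch=NOW_EPOCH):
    """Every Activity row, oldest first, including rows past their ExpirationTime."""
    query = """SELECT AppId, ActivityType, StartTime, EndTime, ExpirationTime
               FROM Activity ORDER BY StartTime, ActivityType"""
    activities = []
    for app_id, atype, start, end, expires in conn.execute(query):
        apps = json.loads(app_id) if app_id else []
        activities.append({
            "app": apps[0].get("application") if apps else None,
            "type": ACTIVITY_TYPES.get(atype, f"type {atype}"),
            "start": to_utc(start),
            "end": to_utc(end),
            "expired": expires is not None and expires < now_epoch,
        })
    return activities


if __name__ == "__main__":
    for a in load_activities(build_sample_db()):
        flag = " (expired, still in db)" if a["expired"] else ""
        print(f"{a['start']:%Y-%m-%d %H:%M:%S} {a['type']:<12} {a['app']}{flag}")
```

Point the same query at a copy of the real ActivitiesCache.db (open it read-only, never the live file in the user's profile) to compare what the Settings UI shows with what the table still holds.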
More informationAddendum Forensic Report for GOAA BP-S00132 Procurement
Addendum Forensic Report for GOAA BP-S00132 Procurement Case Number: CF-BC021418 March 13 th, 2018 Internal Case #: CF-BC021418 1 Table of Contents I. Introduction... 3 II. Executive Summary... 4 III.
More informationTanium Trace User Guide. Version 2.2.0
Tanium Trace User Guide Version 2.2.0 November 07, 2017 The information in this document is subject to change without notice. Further, the information provided in this document is provided as is and is
More informationVMware Enterprise Desktop Solutions: What s NEW with VMware View 3. John Hinkle Professional Services Practice principal February 18 th, 2009
VMware Enterprise Desktop Solutions: What s NEW with VMware View 3 John Hinkle Professional Services Practice principal February 18 th, 2009 Agenda What is VMware View 3 Market Momentum What s new with
More informationThese views are mine alone and don t reflect those of my employer
These views are mine alone and don t reflect those of my employer You are compromised - Player (1) Insert coin - If? When? Why? login: root Password: ********** Welcome back, root. root@localhost:~# _
More informationARTSYL DOCALPHA INSTALLATION GUIDE
ARTSYL DOCALPHA INSTALLATION GUIDE 1. docalpha Architecture Overview... 2 1.1. docalpha Server Components... 4 1.2. docalpha Production Environment Stations Overview... 4 1.3. docalpha Setup & Administration
More informationCOMMON WINDOWS 10 QUESTIONS & ANSWERS
COMMON WINDOWS 10 QUESTIONS & ANSWERS Windows 10 is a blend of the best features of Windows 7 and 8.1 but many people are frustrated when they can t find a feature or fix they were used to in one of the
More informationID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version:
ID: 67658 Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature Overview
More informationTZWorks Windows Event Log Viewer (evtx_view) Users Guide
TZWorks Windows Event Log Viewer (evtx_view) Users Guide Abstract evtx_view is a standalone, GUI tool used to extract and parse Event Logs and display their internals. The tool allows one to export all
More information