Windows Forensics

Windows Forensics Cheat Sheets

Invoke-IR/ForensicPosters

You can't perform that action at this time. You signed in with another tab or window. You signed out in another tab or window. Reload to refresh your session. Reload to refresh your session. We use optional third-party analytics cookies to understand how you use GitHub.com so we can build better products.

github.com

Service overview and network port requirements - Windows Server

This article discusses the required network ports, protocols, and services that are used by Microsoft client and server operating systems, server-based programs, and their subcomponents in the Microsoft Windows Server system. Administrators and support professionals may use this article as a roadmap to determine which ports and protocols Microsoft operating systems and programs require for network connectivity in a segmented network.

docs.microsoft.com

Windows File System

What I wish someone had told me when I started learning about File System Forensics

If you're new to Digital Forensics a first question you might be asking is: why do I need to learn how file systems work as a digital forensics analyst? And how much do I need to know about it? Let's answer that question starting with a very simple definition of digital forensics.

osdfir.blogspot.com

Windows Event Logs

Finding Forensic Goodness In Obscure Windows Event Logs

If you've been doing some digital forensics or threat hunting for some time. You'll know that one of the key sources of information are the Windows event logs. Most of the talks around the windows event logs only mention the "main" sources of logs such as "System" or "Application", even though windows provide many sources.

nasbench.medium.com

Windows Registry Forensics

Digging Up the Past: Windows Registry Forensics Revisited

Introduction FireEye consultants frequently utilize Windows registry data when performing forensic analysis of computer networks as part of incident response and compromise assessment missions. This can be useful to discover malicious activity and to determine what data may have been stolen from a network.

www.fireeye.com

Windows Monitoring techniques

Red Team Tactics: Advanced process monitoring techniques in offensive operations | Outflank Blog

In this blog post we are going to explore the power of well-known process monitoring utilities and demonstrate how the technology behind these tools can be used by Red Teams within offensive operations. Having a good technical understanding of the systems we land on during an engagement is a key condition for deciding what is...

outflank.nl

AmCache

• An artifact which stores metadata related to PE execution and program installation on Windows

AmCache Analysis

Frequently overlooked and understudied, this database is rarely fully exploited when doing incident response. Indeed, its correct interpretation is complex: a lot of special cases can occur that have to be taken into account when performing an analysis.

www.ssi.gouv.fr