C5W Webinar Series - Internal Investigation (Windows System - Part #1)
- Published on 17 Dec 2024
- In this recorded webinar, we conducted a real-world Windows Forensic Investigation involving a phishing attack. We covered key forensic techniques, including validating evidence, mounting E01 images, and using powerful tools like Arsenal Image Mounter, KAPE and RegRipper.
Throughout the session, we explored critical Windows artifacts such as Prefetch Files, SRUM, UserAssist, and more, demonstrating how to uncover valuable forensic data.
A special shoutout to Mark Spencer, Eric Zimmerman, Harlan Carvey, and Andrew Rathbun for their invaluable contributions to the #dfir community and the tools we used in this investigation.
---
One correction: during the session I mentioned that consent.exe is a legitimate Windows executable used to support programs running from command-line interfaces like Command Prompt (cmd.exe), but I actually mixed that up with conhost.exe. Consent.exe is also a legitimate Windows system process, but it is responsible for managing User Account Control (UAC) prompts.