VeloCon 2023: Windows Search Index: The forensic artifact you’ve been searching for

  • Published on 14 Sep 2023
  • By Phalgun Kulkarni (DFIR Consultant, Aon) and Julia Paluch (DFIR Software Developer, Aon)
    For examiners investigating cyber-crimes on Windows endpoints, the Windows Search Index contains rich information such as a user’s Internet history, emails, file interactions, and even deleted data. Although it was created as a tool for searching for files across the Windows operating system, the Windows Search Index is also a forensic artifact that provides insight into file existence and user activity. In this presentation, we will discuss how the Windows Search Index can be used as a source of evidence in DFIR investigations and how it can be parsed at scale by integrating an open-source tool named SIDR (Search Index Database Reporter) with Velociraptor.
    This presentation will provide an overview of the data recorded in the Windows Search Index by default and of the user actions that trigger modifications of the index. Next, we will introduce the structure of the index in Windows 10 and prior operating systems, and how it has changed in Windows 11. We will also discuss use cases for the information present in the index, such as finding evidence of website access, deleted data, and activity from users of interest. Finally, we will introduce SIDR (Search Index Database Reporter) and a Velociraptor plugin to parse the Windows Search Index at scale.
    Attendees will gain a deep understanding of the Windows Search Index structure, how it can be used as a forensic artifact, and the insights it can provide to bolster the next investigation.
    PSA: For reference please see www.aon.com/cyber-solutions/a...
    SIDR available at github.com/strozfriedberg/sidr

Comments • 1

  • @asharneyaz7, 7 months ago

    @Velocidex Enterprises, thank you for posting this informative session. As a professor of Cybersecurity, this is definitely helpful.