Overview
Syllabus
Intro
Windows 10 is the LAST Version of Windows
Windows as a Service (WAAS) Definitions
ActivitiesCache.db
System Resource Usage Monitor (SRUM)
Tracking Artifacts of Program Execution
Signed Driver Enforcement
Virtual Secure Mode (VSM/VBS)
Credential Isolation
CG Prevents Cached Credential Harvesting
VSM and Acquisition Tools
Required Setup for Testing Acquisition Tools
Hibernation Files
Modern Hibernation Files Pain
Gathering Encryption Keys
Analysis without Encryption Keys
Memory Compression Challenges
Memory Compression Analysis
Swapfile.sys
Encrypted KDBG & Volatility
Starting with Windows the critical KDBG structure is encrypted in memory
Volatility Underscore Profiles
Questions/Comments?
Taught by
BSidesLV