Explore Windows 10 digital forensics and information security challenges in this BSidesLV conference talk. Dive into Windows as a Service (WAAS) concepts, examining key artifacts like Activities Cache.db and System Resource Usage Monitor (SRUM). Learn about tracking program execution, signed driver enforcement, and Virtual Secure Mode (VSM/VBS). Discover techniques for credential isolation, preventing cached credential harvesting, and the impact of VSM on acquisition tools. Investigate modern hibernation files, memory compression challenges, and encryption key gathering. Gain insights into analyzing Windows 10 memory dumps, including encrypted KDBG structures and Volatility's approach to these challenges.
Overview
Syllabus
Intro
Windows 10 is the LAST Version of Windows
Windows as a Service (WAAS) Definitions
ActivitiesCache.db
System Resource Usage Monitor (SRUM)
Tracking Artifacts of Program Execution
Signed Driver Enforcement
Virtual Secure Mode (VSM/VBS)
Credential Isolation
CG Prevents Cached Credential Harvesting
VSM and Acquisition Tools
Required Setup for Testing Acquisition Tools
Hibernation Files
Modern Hiberation Files Pain
Gathering Encryption Keys
Analysis without Encryption Keys
Memory Compression Challenges
Memory Compression Analysis
Swapfile.sys
Encrypted KDBG & Volatility Starting with Windows the critical KOBG structure is encrypted in memory
Volatility Underscore Profiles
Questions/Comments?
Taught by
BSidesLV
