Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Windows 10 DFIR and InfoSec Challenges

BSidesLV via YouTube

Overview

Explore Windows 10 digital forensics and information security challenges in this BSidesLV conference talk. Dive into Windows as a Service (WAAS) concepts, examining key artifacts like Activities Cache.db and System Resource Usage Monitor (SRUM). Learn about tracking program execution, signed driver enforcement, and Virtual Secure Mode (VSM/VBS). Discover techniques for credential isolation, preventing cached credential harvesting, and the impact of VSM on acquisition tools. Investigate modern hibernation files, memory compression challenges, and encryption key gathering. Gain insights into analyzing Windows 10 memory dumps, including encrypted KDBG structures and Volatility's approach to these challenges.

Syllabus

Intro
Windows 10 is the LAST Version of Windows
Windows as a Service (WAAS) Definitions
ActivitiesCache.db
System Resource Usage Monitor (SRUM)
Tracking Artifacts of Program Execution
Signed Driver Enforcement
Virtual Secure Mode (VSM/VBS)
Credential Isolation
CG Prevents Cached Credential Harvesting
VSM and Acquisition Tools
Required Setup for Testing Acquisition Tools
Hibernation Files
Modern Hiberation Files Pain
Gathering Encryption Keys
Analysis without Encryption Keys
Memory Compression Challenges
Memory Compression Analysis
Swapfile.sys
Encrypted KDBG & Volatility Starting with Windows the critical KOBG structure is encrypted in memory
Volatility Underscore Profiles
Questions/Comments?

Taught by

BSidesLV

Reviews

Start your review of Windows 10 DFIR and InfoSec Challenges

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.