Friday, November 9, 2018

Daily Blog #533: Windows Forensics DFIR InDepth proposed outline

Hello Reader,
       I'm back in the United States for a while, and that should signal a return of the test kitchen in coming nights. Until then I thought I'd post my current planned outline for the new book, to be named Windows Forensics: DFIR InDepth.

What I'm looking for at this point is your feedback on what you think is missing or would like to see added or expanded on. The plan is to finish one chapter, publish the book, and then keep pushing updates as I write, so you can read the book as I finish it, update it, add to it, and correct it from ongoing research rather than waiting a year.

Windows Forensic Fundamentals

Why this data exists
How to form your hypothesis
Building a test bed

File systems

NTFS
FAT32
EXFAT
REFS

File access

ObjectIDs
Lnk Files
Jumplists
Shellbags
Registry data

Device access

Driver install process
Registry data
Driver install logs
GUIDs and their meanings

Program execution

Application Compatibility Caching
Application prefetching
Application Superfetching
User application tracking

External access

RDP
Network Shares
Teamviewer

Network connectivity

Network connections
Network drivers

System Monitoring

Journal Analysis

SRUM
Let me know your thoughts in the comments below, LinkedIn or Twitter!