YoVDO

Windows 10 DFIR and InfoSec Challenges

Offered By: BSidesLV via YouTube

Tags

Security BSides Courses, Digital Forensics Courses, Incident Response Courses, Windows 10 Courses

Course Description

Overview

Explore Windows 10 digital forensics and information security challenges in this BSidesLV conference talk. Dive into Windows as a Service (WAAS) concepts, examining key artifacts like ActivitiesCache.db and the System Resource Usage Monitor (SRUM) database. Learn about tracking program execution, signed driver enforcement, and Virtual Secure Mode (VSM/VBS). Discover how credential isolation prevents cached credential harvesting, and how VSM affects memory acquisition tools. Investigate modern hibernation files, memory compression challenges, and the gathering of encryption keys. Gain insights into analyzing Windows 10 memory dumps, including the encrypted KDBG structure and Volatility's approach to these challenges.

Syllabus

Intro
Windows 10 is the LAST Version of Windows
Windows as a Service (WAAS) Definitions
ActivitiesCache.db
System Resource Usage Monitor (SRUM)
Tracking Artifacts of Program Execution
Signed Driver Enforcement
Virtual Secure Mode (VSM/VBS)
Credential Isolation
CG Prevents Cached Credential Harvesting
VSM and Acquisition Tools
Required Setup for Testing Acquisition Tools
Hibernation Files
Modern Hibernation Files Pain
Gathering Encryption Keys
Analysis without Encryption Keys
Memory Compression Challenges
Memory Compression Analysis
Swapfile.sys
Encrypted KDBG & Volatility (starting with Windows the critical KDBG structure is encrypted in memory)
Volatility Underscore Profiles
Questions/Comments?
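Before acquiring memory or hibernation data from a Windows 10 host, a practitioner wants to know which of the platform features the overview and syllabus above list are actually in effect: whether VSM/VBS and Credential Guard are running (which affects which acquisition tools work), whether memory compression is on (which affects dump analysis), what type of hibernation file is configured, and where SRUM and ActivitiesCache.db live. The following triage script is an added example written for this page; it is not code from the talk or from BSidesLV. It assumes Windows 10, an elevated PowerShell session, and default installation paths; the Win32_DeviceGuard status codes, the Get-MMAgent property, and the HiberFileType value meanings (1 = reduced, 2 = full) are taken from Microsoft's documentation, and the artifact paths are the default locations.

```powershell
# Pre-acquisition triage for a Windows 10 host (added example, not the speaker's code).
# Run from an elevated PowerShell prompt. Paths assume a default install.

function Get-VbsStatus {
    # Win32_DeviceGuard reports whether Virtual Secure Mode / VBS is running and which
    # VBS-backed services are active. VirtualizationBasedSecurityStatus: 0 = not enabled,
    # 1 = enabled but not running, 2 = running. SecurityServicesRunning: 1 = Credential
    # Guard, 2 = hypervisor-enforced code integrity (HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }
    [pscustomobject]@{
        VbsStatus       = $vbs
        CredentialGuard = [bool](@($dg.SecurityServicesRunning) -contains 1)
        HVCI            = [bool](@($dg.SecurityServicesRunning) -contains 2)
    }
}

function Get-MemoryCompressionStatus {
    # Get-MMAgent (MMAgent module) exposes the memory manager's compression setting.
    # When enabled, compressed pages live in the 'Memory Compression' process and must
    # be decompressed during dump analysis.
    $mm = Get-MMAgent -ErrorAction Stop
    [pscustomobject]@{
        MemoryCompressionEnabled = [bool]$mm.MemoryCompression
        CompressionStoreRunning  = [bool](Get-Process -Name 'Memory Compression' -ErrorAction SilentlyContinue)
    }
}

function Get-HibernationConfig {
    # HiberFileType under Control\Power: 1 = reduced (no full memory image, resume-only
    # data), 2 = full. A reduced file is of little use for memory forensics.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $type = switch ($power.HiberFileType) {
        1       { 'Reduced' }
        2       { 'Full' }
        default { 'Not set / unknown' }
    }
    $hiber = Join-Path $env:SystemDrive 'hiberfil.sys'
    $swap  = Join-Path $env:SystemDrive 'swapfile.sys'
    # [IO.File]::Exists is used instead of Test-Path so hidden system files are detected.
    [pscustomobject]@{
        HibernateEnabled = [bool]$power.HibernateEnabled
        HiberFileType    = $type
        HiberfilPath     = $hiber
        HiberfilPresent  = [System.IO.File]::Exists($hiber)
        SwapfilePath     = $swap
        SwapfilePresent  = [System.IO.File]::Exists($swap)
    }
}

function Get-ArtifactPaths {
    # SRUM is an ESE database; ActivitiesCache.db is a per-user SQLite database under
    # ConnectedDevicesPlatform. Both are locked while Windows runs, so copy them from a
    # volume shadow copy or a raw disk read rather than with Copy-Item.
    $srum  = Join-Path $env:SystemRoot 'System32\sru\SRUDB.dat'
    $users = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue
    $activities = foreach ($u in $users) {
        $cdp = Join-Path $u.FullName 'AppData\Local\ConnectedDevicesPlatform'
        if (Test-Path -LiteralPath $cdp) {
            Get-ChildItem -Path $cdp -Recurse -Filter 'ActivitiesCache.db' -File -Force `
                          -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName
        }
    }
    [pscustomobject]@{
        SrumDatabase         = $srum
        SrumPresent          = [System.IO.File]::Exists($srum)
        ActivitiesCacheFiles = @($activities)
    }
}

# Print the triage report.
Get-VbsStatus               | Format-List
Get-MemoryCompressionStatus | Format-List
Get-HibernationConfig       | Format-List
Get-ArtifactPaths           | Format-List
```

If VbsStatus reports "Running", test the acquisition tool on a machine with the same VBS and HVCI configuration before relying on it, since a driver that is not HVCI-compatible will not load and secure-kernel memory will not be readable from the normal kernel. Record the MemoryCompressionEnabled and HiberFileType values alongside the acquired image so the analyst knows whether to expect compressed pages and whether the hibernation file can contain a full memory image.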


Taught by

BSidesLV
