These Artifacts Aren't Fiction
Offered By: YouTube
Course Description
Overview
Explore a conference talk on digital forensics and artifact analysis, focusing on the Windows SRUM database, web browser artifacts, and PowerShell. Learn about data preservation methodology, network resource usage, and investigation tooling. Discover techniques for analyzing memory dumps, parsing history artifacts, and collecting PowerShell artifacts. Gain insights into system time manipulation, file hashing, and less volatile network artifacts. Understand the importance of execution policy settings, clipboard data, auto-runs, and tasks in forensic investigations. Acquire practical tips and tricks for effective PowerShell usage in digital forensics.
Syllabus
Intro
Introducing: Matt Scheurer
Data Preservation Methodology
The Windows SRUM Database
Useful SRUM Data
Network Resource Usage
SRUM Database Conclusions
Web Browser Artifacts
Investigation Tooling
Artifact Sources
Memory Dumps
Example History Artifact Paths
History Parsed Example 4/4
Download Parsed Example 1/2
PowerShell Artifacts Collection
Objectives
Warning!
PowerShell Logging
PowerShell Version
PowerShell Pro Tip!
System Time
Hashing Files
Less Volatile Network Artifacts
Execution Policy Settings
Clipboard, Auto-runs, and Tasks
Host Details
The Open Files Conundrum
More PowerShell Tips & Tricks
Thank you for attending!