PACSEC 2020 DOJO

OSX/Windows Forensics:
Acquisition and Timelining

Instructor: Albert Hui
November 9 - 20

Albert Hui

Details of the instructor are incoming.


Course Schedule

This will be a three day course. Days to be announced.


Course Abstract

This course aims to quickly equip a digital forensic examiner who is trained on common GUI forensic platforms with a few tricks that give powerful outputs (encrypted contents and filesystem activity timelines) that are generally not well supported, if at all, by such GUI tools.

Course Pre-requisites

Some proficiency at the command line will be a plus, but not required.

Course Learning Objectives

  • Targeted Acquisition

  • Getting Filesystem Activity Timelines

  • Extracting User Saved Passwords

Who Should Attend

  • Practicing digital forensic examiners wanting to learn powerful tricks beyond what is generally supported by common GUI forensic platforms.

  • Power users and IT administrators who want to gain a deeper understanding of Windows and macOS based on a digital forensics approach.

Course Agenda

Targeted Acquisition

  • Extracting FSEvents from a Mac

  • Extracting USN Journal and MFT from a Windows Computer

  • Extracting Registry Hives from a Windows Computer

    • Extracting Registry Hives from a Forensic Image

    • Extracting Registry Hives Live (extract locked file and deal with corrupted extracts)

Timelining

  • Timestamps

    • Windows Timestamps

      • NTFS Timestamp

      • Windows 10 Time Rules

    • macOS Timestamps

      • HFS+ Timestamps

      • APFS Timestamps

      • Apple Metadata Timestamps

      • macOS Time Rules

  • Windows Registry Time

  • FSEvents

Decrypting Protected Data

  • Decrypting Windows DPAPI-Protected Data (through hacking hiberfil.sys; a memory dump is not required)

  • Decrypting macOS Keychains

    • System Keychains

    • User Keychains

Apple Time Machine Backup System

  • AirPort Time Capsule

    • Decrypting Encrypted Time Machine Backups

  • Time Machine Local Snapshots

Appendix A. Dealing with Forensic Images

  • Examining and Mounting E01 Forensic Images on Windows

  • Examining and Mounting E01 Forensic Images on macOS

  • Converting among E01, AFF4, and Raw "dd" Forensic Images

Hardware Requirements

  • A Mac computer with a Core i5 CPU and 8GB RAM running macOS 10.13 or above, with access to an administrator account.

  • A Windows computer with a Core i5 CPU and 8GB RAM running Windows 10, with access to an administrator account.

Software Requirements

Freeware will be used.

Included Course Materials

To be announced.
