Barely a week goes by and we see another yet post on social media that discusses knowledge sharing or “training” in cybersecurity, and in particular, DFIR and Windows forensic analysis. However, many times, these posts aren’t “new”, per se, but instead share information that is dated.
Now, there’s nothing wrong with what many perceive to be “old” or “dated” information because the simple fact is that core principles simply don’t change over time. However, there are more tactical elements of “analysis” (really, data parsing and presentation for analysis) that may, in fact, change over time. This is particularly true for Windows systems, particularly as it applies to the various builds available for Windows 10; analysts saw the creation or availability of a particular artifact (i.e., the “BAM” Registry key) in one build, only to no longer see it populated in another build.
Something else we see is an incorrect or incomplete use of terminology, which in some cases seems to be almost willful. We see this a lot when it comes to the Windows Registry, but that’s really fodder for it’s own post/article. However, there are posts like this one, that purports to share “important Windows directories”, and the first six items listed are files. Further, items 4 through 6 are not “logs”. Over the past several months, I’ve seen that particular list posted multiple times in LinkedIn, and just last week, it somehow made its way into my Twitter feed, unfortunately.
Something else we see quite often references the Wi
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: