The Volume Shadow Knows
As a continuation of the "Introduction to Windows Forensics" series, this episode covers Volume Shadows and how they can be a forensic goldmine for the investigator. We'll first look at the basics of the technology, and then we'll revisit a concept from an earlier 13Cubed episode and look at two different ways to mount Volume Shadow Copies on a live Windows system. Then, we'll look at how we can mount and interact with these artifacts from a disk image via the "libvshadow" library and its associated utilities.
*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***
VSCMount:
https://ericzimmerman.github.io/
SANS SIFT Workstation:
https://github.com/sans-dfir/sift-cli
Background Music Courtesy of Anders Enger Jensen:
https://www.youtube.com/user/HariboOSX
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
Video "The Volume Shadow Knows" from the 13Cubed channel