Forensic Analysis of a Windows 10 Client

In this lab, you will use Autopsy, an open-source forensic suite, to load and then analyze a disk image of a compromised Windows client. After completing this lab, you will be familiar with some of the common locations where forensic artifacts exist on a Windows client machine. Windows client machines include Windows 7, Windows 8.1, and Windows 10. The disk image for this lab was created using the Windows 10 operating system, the latest version of the Windows client operating system at the time this lab was written.

Overview

In this lab, you will learn how to search through a forensic disk image in dd format to find artifacts related to an intrusion on a Windows client machine. Windows’ client machines tend to be a large target for hackers because end users, who may lack knowledge of computer security, can download malicious files or open malicious attachments. Some of the relevant forensic artifacts from a Windows server include Windows event log files, event viewer files, and registry entries.

outcomes

In this lab, you will learn to:

Examine a compromised Windows 10 client using Autopsy
Analyze the common locations of compromised artifacts
Analyze a compromised Windows registry using Windows Registry Recovery

Courses

Cybersecurity Attack and Defend Skill Lab

Key terms and descriptions

Autopsy

A free program that can be used to analyze forensic images.

Event Viewer files

The most commonly viewed Event Viewer files are the Application, Security, and System logs. The files are stored in modern versions of Windows in C:\Windows\winevt.

Scheduled tasks

These are programs that are set to run automatically, normally stored in the C:\Windows\System32\Tasks folder.

Registry files

Some of the registry files with a large amount of information about Windows configurations, including SYSTEM, SOFTWARE, and SAM, are stored in C:\Windows\System32\Config.

Creation date

A timestamp in Windows that can be used to track when a file was placed on a system.