Forensic Analysis of a Windows 10 Client
In this lab, you will use Autopsy, an open-source forensic suite, to load and then analyze a disk image of a compromised Windows client. After completing this lab, you will be familiar with some of the common locations where forensic artifacts exist on a Windows client machine. Windows client machines include Windows 7, Windows 8.1, and Windows 10. The disk image for this lab was created using the Windows 10 operating system, the latest version of the Windows client operating system at the time this lab was written.
Overview
In this lab, you will learn how to search through a forensic disk image in dd format to find artifacts related to an intrusion on a Windows client machine. Windows client machines tend to be a large target for hackers because end users, who may lack knowledge of computer security, can download malicious files or open malicious attachments. Some of the relevant forensic artifacts from a Windows server include Windows event log files, event viewer files, and registry entries.
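The artifacts named above live at well-known paths inside the image. The script below is an added example, not part of this lab or of Autopsy: it walks the root of a mounted or extracted image, locates the standard event log, registry hive, Prefetch and per-user hive locations case-insensitively (NTFS ignores case, a Linux mount of the image does not), and records size and SHA-256 for each one it finds so the examiner can later show an exported artifact is unchanged. The artifact keys, the `build_sample_image` helper and the tiny files it writes (carrying the real `ElfFile` and `regf` magic bytes) are constructed for the example; missing items are reported as `None` so that a cleared or deleted log is just as visible as a present one.

```python
import hashlib
import tempfile
from pathlib import Path

# Artifact locations on a Windows client, relative to the root of a mounted or
# extracted disk image. The paths are the standard Windows ones; the key on the
# left is a label chosen for this example.
SYSTEM_ARTIFACTS = {
    "security_log": "Windows/System32/winevt/Logs/Security.evtx",
    "system_log": "Windows/System32/winevt/Logs/System.evtx",
    "application_log": "Windows/System32/winevt/Logs/Application.evtx",
    "hive_system": "Windows/System32/config/SYSTEM",
    "hive_software": "Windows/System32/config/SOFTWARE",
    "hive_sam": "Windows/System32/config/SAM",
    "prefetch_dir": "Windows/Prefetch",
}
# Per-user artifacts, relative to each profile directory under Users/.
USER_ARTIFACTS = {
    "ntuser_hive": "NTUSER.DAT",
    "usrclass_hive": "AppData/Local/Microsoft/Windows/UsrClass.dat",
}


def resolve_ci(base: Path, rel: str):
    """Resolve a Windows-style relative path case-insensitively, one
    component at a time. Returns None if any component is missing."""
    cur = base
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        match = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if match is None:
            return None
        cur = match
    return cur


def describe(path: Path) -> dict:
    """Size and SHA-256 for a file; entry count for a directory (Prefetch)."""
    if path.is_dir():
        return {"path": str(path), "entries": sum(1 for _ in path.iterdir())}
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return {"path": str(path), "size": path.stat().st_size, "sha256": h.hexdigest()}


def lookup(base: Path, rel: str):
    """describe() the artifact at rel under base, or None if it is absent."""
    found = resolve_ci(base, rel)
    return describe(found) if found is not None else None


def inventory(root: Path) -> dict:
    """Report which well-known artifacts exist under an image root, plus the
    per-user hives for every profile found in Users/."""
    result = {key: lookup(root, rel) for key, rel in SYSTEM_ARTIFACTS.items()}
    users = {}
    users_dir = resolve_ci(root, "Users")
    if users_dir is not None:
        for profile in sorted(users_dir.iterdir()):
            if profile.is_dir():
                users[profile.name] = {key: lookup(profile, rel)
                                       for key, rel in USER_ARTIFACTS.items()}
    result["users"] = users
    return result


def build_sample_image() -> Path:
    """Constructed stand-in for a mounted image: a temp tree holding a few
    files that start with the real magic bytes ('ElfFile' for .evtx, 'regf'
    for hives). SAM, SOFTWARE and Application.evtx are deliberately absent so
    the report also shows gaps."""
    root = Path(tempfile.mkdtemp(prefix="win10_image_"))
    files = {
        "Windows/System32/winevt/Logs/Security.evtx": b"ElfFile\x00" + b"\x00" * 56,
        "Windows/System32/winevt/Logs/System.evtx": b"ElfFile\x00" + b"\x00" * 56,
        "Windows/System32/config/SYSTEM": b"regf" + b"\x00" * 60,
        "Windows/Prefetch/CMD.EXE-ABCDEF12.pf": b"MAM\x04" + b"\x00" * 12,
        "Users/alice/NTUSER.DAT": b"regf" + b"\x00" * 28,
        "Users/alice/AppData/Local/Microsoft/Windows/UsrClass.dat": b"regf" + b"\x00" * 28,
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    # Point inventory() at the mount point of a real image instead of the
    # constructed tree to get the same report for a real case.
    for key, item in inventory(build_sample_image()).items():
        print(f"{key:16} {item}")
```

On a real case, run `inventory(Path("/mnt/image"))` against the mount point of the dd image; the hashes in the report are the values to record in the examination notes before any artifact is opened in a viewer.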
Outcomes
In this lab, you will learn to:
- Examine a compromised Windows 10 client using Autopsy
- Analyze the common locations of compromised artifacts
- Analyze a compromised Windows registry using Windows Registry Recovery