Introduction to Windows Forensics

Science & Technology

🎉 New Course from 13Cubed! 🎉
Check out the first official 13Cubed Training Course, Investigating Windows Endpoints! training.13cubed.com
An introduction to basic Windows forensics, covering topics including UserAssist, ShellBags, USB devices, network adapter information and Network Location Awareness (NLA), LNK files, prefetch, and numerous other common Windows forensic artifacts. We will walk through a DFIR cheat sheet I have created, and see a live example of each topic as we analyze a Windows 10 image.
The *cheat sheet is available for download here:
drive.google.com/file/d/1pU6C...
*This cheat sheet is not affiliated with the SANS Institute. I created it as a study guide for FOR408 (FOR500), and am providing it to the community in hopes that it may help others.
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics

Comments: 115

  • @Thejasonwilkins
    4 years ago

    Thanks for being so great at explaining the "Why" as well as the "How"!!! Very helpful!!!

  • @wesleycastellanos5344
    8 months ago

    I love the fact that this is still viable in 2023. Thank you!

  • @wesleycastellanos5344
    7 months ago

    13Cube, I do have a question, I was thinking of using your playlist to better understand DF before I take the plunge and study GIAC SANS 500 GCFE. What would you recommend me doing to further increase my chance of passing? Are there other vids or books you recommend as well? Thank you very much!

  • @itforensicspentest9108
    5 years ago

    Excellent video. I really like the way you explain and show things. Thanks a lot for taking your time. Love it :)

  • @huyvuquang2041
    1 year ago

    The best material about digital forensic I know by far. Thanks a lot for this great content. Please keep it up

  • @PaulStiforp
    6 years ago

    Great videos. They are well structured. Easy to understand, not boring and very interesting.

  • @stevedavis4692
    2 years ago

    ABSOLUTELY A GEM OF A VIDEO! I learned most of this in college but needed to brush up again. thank you so much for posting this video. (I also love your last name!)

  • @dongodilorica6037
    7 months ago

    I just saw your videos!! Thank you so much for this!

  • @Stylax32
    6 years ago

    Great introduction. Found it very helpful, thank you.

  • @charleshennings5134
    1 year ago

    This is fantastic, man! Thank you so much!

  • @aryandatta917
    2 years ago

    Thank you very much for the great video! It is very helpful for the basic forensic at the company.

  • @glassfrog3
    7 years ago

    Thank you for this video! I'm doing my degree on Forensic Computing and this has just helped me understand some things better than the lectures! I've definitely subscribed and I'm really looking forward to more videos

  • @melwightman6491
    2 years ago

    I'm new to DFIR and a coworker sent me this video! Thanks so much!! Just figured I'd put in the comments: System registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803

  • @13Cubed
    2 years ago

    Thanks - this is a fairly old video but most of it is still relevant. Check out the other episodes on the channel for more updated content. A wide variety of topics are covered, including Linux and macOS.

  • @melwightman6491
    2 years ago

    @@13Cubed Definitely will do! I find it super helpful how well you link the artifacts to the actual user actions and examples of how it could be used in an investigation :) Thanks so much!

  • @danielbarrera5978
    4 years ago

    Thanks! Excellent video. Would love to see something similar for Mac OS

  • @iloveyou143639
    6 years ago

    Great video, things are very clear now. Thanks a lot

  • @shanjose1404
    6 years ago

    Thank you! Such an excellent intro to Registry and generic Windows forensics. Great job!!! Do you know where on Windows 10 we can find Microsoft Edge forensics info (such as bookmarks stored locally, history stored locally, etc.)?

  • @lasq88
    6 years ago

    Great, informative video - thank you! What would you recommend to watch/read next (except your channel of course, to which I subscribe) to widen knowledge on the digital forensics topic? Also I have a chance to participate in a SANS training during DFIR Summit in Prague. What would you recommend for a newbie in Forensics? I have a strong background in networking, so I thought about Advanced Network Forensics (FOR572), but from the video and GIAC Roadmap I reckon that Windows Forensics (FOR500) would be the best start.

  • @Perosurac
    5 years ago

    Thanks for sharing! Really nice.

  • @mugenmugen7885
    4 years ago

    thanks for the vid! Learned a lot!

  • @josephs5855
    26 days ago

    This. Is. Amaziiiiiiiiiiiiiiiing.

  • @adarshrami4840
    5 months ago

    This is the best video for learning Windows forensics. Thank you so much for making this video on Windows forensics.

  • @13Cubed
    5 months ago

    No problem. Check out Investigating Windows Endpoints at 13cubed.com for an even more in-depth full course on Windows forensics!

  • @akhilowle1
    6 years ago

    Thank you very much for your lecture. It is very helpful for a forensics student.

  • @xiajiangguo5492
    3 years ago

    Thank you for being such a great tutor on the video. I'm a total newbie in cybersecurity, but I found this super interesting to learn.

  • @rohansnayak6465
    29 days ago

    Yo wassup, how's your journey in cybersecurity till now?

  • @anithadurai8025
    3 years ago

    Thank you so much for such a detailed explanation. Can you please provide that registry data as well for importing to try hands-on? Or suggest sites to download such entries for analysis.

  • @netindigo
    6 years ago

    Thank you for such an informative and not boring lesson on Windows Registry forensics. I'm definitely going to share this video with my classmates.

  • @netindigo
    6 years ago

    I would love to see more of your lectures and learn from you. I am doing my MS in Computer Forensics, but I always had so little confidence in working with the registry (I was trying to avoid it because it seemed so complicated). Not any more =)

  • @mfdelgado100
    4 years ago

    Very helpful... Congratulations Thank You very much.

  • @ruthawele2102
    3 years ago

    This video is a lifesaver. This is very informative and very easy to understand. I am currently about to take the FOR500 course classes. DFIRDiva referred me to this YouTube channel. This is really so helpful, words can't express my gratitude for sharing this wealth of knowledge. Once again thank u 13cubed.

  • @derrickdike5709
    2 years ago

    Wow, very nice. Explains things very well

  • @andrewaskins6914
    3 years ago

    Thanks for helping me pass the GCFE and for the Star Trek: The Next Generation reference.

  • @MokshaDharma
    4 years ago

    VERY HELPFUL THANKS !!!

  • @damirgames9820
    3 months ago

    🎯 Key Takeaways for quick navigation:
    00:00 Introduction to Windows Forensics covering basic Windows forensic analysis techniques and artifacts.
    02:35 Explanation of the Windows Registry structure, its location, and important registry hives (e.g., HKCU, HKLM).
    08:12 Overview of registry keys like common dialogue 32, last visited PIDL MRU, and open/save PIDL MRU, showing recent file paths and interactions.
    10:47 Discussion on the "Run MRU" registry key, revealing executed commands from the Run dialog.
    11:54 Exploration of "Typed Paths" in the registry, indicating explicitly typed paths in Windows Explorer.
    13:17 Introduction to "UserAssist" registry key, which logs executed programs and provides information on their usage.
    15:11 Explanation of "Run" and "RunOnce" registry keys in both current user and local machine, detailing programs that start upon login.
    16:47 Introduction to "Shell Bags" registry artifacts, storing Windows Explorer customization details and persisting information on deleted paths.
    18:18 Demonstration of "Shell Bags Explorer" tool to parse and view shell bags information, showing evidence of deleted paths.
    21:27 Introduction to "User Class Dat" registry hive, added in Windows 7 for segmentation of low integrity processes, emphasizing its importance in forensic analysis.
    23:30 Transition to discussing USB devices in Windows forensics, highlighting the significance of tracking plugged-in USB mass storage devices.
    23:59 Analyzing registry paths like `hklm system currentcontrolset enum USB store` can reveal information about plugged-in devices, with details such as serial numbers and timestamps.
    25:07 In forensics, it's crucial not to assume but rely on evidence. The correct registry key (e.g., `controlset 0 0 1`) must be determined by examining the system's registry rather than making assumptions.
    26:41 Examining the USB store in the registry can provide details about connected USB devices, including serial numbers, manufacturer information, and timestamps of connection.
    28:57 USB device information, including VID (Vendor ID) and PID (Product ID), can be used to look up the make and model of the device by referencing online databases.
    30:47 Exploring the Windows registry can reveal information about mounted devices, including volume GUIDs, friendly names, and timestamps, aiding in understanding device usage.
    32:23 The volume GUID obtained from the registry can help identify the drive letter assigned to the USB device, providing additional insights into the device's usage.
    35:30 Examining the registry's mounted devices can link a volume GUID to the user who mounted the USB device, offering insights into user activity.
    40:32 Specific registry keys, like `0 0 6 4`, `0 0 6 6`, and `0 0 6 7`, can reveal valuable information about USB device events, including installation, connection, and removal times.
    42:18 The setup API logs (e.g., `setupapi.dev.log`) can be referenced to find information about the first installation time of a USB device, providing additional context for forensic analysis.
    43:12 Miscellaneous registry keys, such as time zone information, computer name, and network configurations, can be crucial for forensic investigations, helping establish a comprehensive understanding of the system.
    49:25 The NLA registry keys in Windows can be used by forensic investigators to find evidence of every network a machine is connected to. Check the last write time of the key to determine the last time a PC connected to a specific network. The NLA information includes details like default gateway MAC, DNS suffix, SSID, and profile type.
    53:33 Linked files (LNK files) in Windows contain valuable metadata, including the MAC address of the host computer, original file path, size, and more. Even if a file has been securely erased, analyzing LNK files can provide evidence of its existence. Don't ignore LNK files in forensic investigations.
    58:31 Prefetch and Superfetch in Windows, designed to improve user experience by caching frequently used data, can be leveraged by forensic investigators. Prefetch files (PF) in the Windows prefetch directory can show evidence of application execution globally for all users on the system. Analyzing PF files provides details like executable name, path, run counter, and last run time. Consider the enable prefetch registry key value (default is 3) to ensure prefetching is enabled.
    Made with HARPA AI
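The UserAssist point in the summary above (program execution evidence stored under ROT13-obfuscated value names, with run counts and a last-run FILETIME in the binary data) as an added Python decoder. This is not code from the video, the cheat sheet, or any commenter; the value name and the 72-byte data blob below are constructed sample input, and the field offsets assume the Windows 7 and later UserAssist layout (run count at offset 4, focus count at 8, focus time at 12, last execution FILETIME at 60):

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """Convert a FILETIME integer to an aware UTC datetime (None if unset)."""
    if ft == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(name: str) -> str:
    """UserAssist value names are ROT13-obfuscated; this reverses it."""
    return codecs.decode(name, "rot_13")


def parse_userassist_entry(name: str, data: bytes) -> dict:
    """Decode one UserAssist value (assumed Windows 7+ layout, 72 bytes).

    Assumed little-endian offsets:
      4  run count (DWORD)
      8  focus count (DWORD)
     12  focus time in milliseconds (DWORD)
     60  last execution FILETIME (QWORD)
    """
    if len(data) < 68:
        raise ValueError(f"UserAssist data too short: {len(data)} bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": decode_userassist_name(name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft),
    }


# --- constructed sample input (not taken from a real system) ---------------
# ROT13 of "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe"; the GUID is the
# FOLDERID_System known-folder ID that Windows substitutes for System32.
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_LAST_RUN = datetime(2020, 1, 1, 12, 30, tzinfo=timezone.utc)
SAMPLE_DATA = (
    struct.pack("<IIII", 0, 5, 3, 120_000)   # session, runs, focus count, focus ms
    + b"\x00" * 44                           # unused/float fields, offsets 16-59
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN))
    + b"\x00" * 4                            # trailing padding to 72 bytes
)


def demo() -> dict:
    """Decode the constructed sample entry."""
    return parse_userassist_entry(SAMPLE_NAME, SAMPLE_DATA)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

On a real hive the value names live under the two `{GUID}\Count` subkeys of UserAssist and are read with a hive parser or `winreg`; the decoder above takes the name and raw `REG_BINARY` bytes exactly as those tools hand them back. Entries whose last-run FILETIME is zero were recorded without a usable timestamp, so the code reports `None` rather than the 1601 epoch.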

  • @user-eo4fb1cq4v
    6 months ago

    Thank you. I am a rookie, and watching your videos I am learning more.

  • @Neutronbr
    3 years ago

    Thanks for that. It's great!!!

  • @jumpstep7085
    3 years ago

    Thank you!

  • @user-hh9mz1li5g
    3 years ago

    THANK YOU!!!

  • @diegomed3364
    7 months ago

    Love it

  • @vero0992
    4 years ago

    Thanks for this video. My job is more IR than DF, but I'm taking the FOR508 class in about 3 weeks and want to go in with a better grasp of forensicating. Planning to study up a bit and play around with SIFT and the tools I got during GCIH before I go. Appreciated!

  • @13Cubed
    4 years ago

    Vero Ev0 Glad you found it useful. Be sure to check out all the other videos in the series, as well as the memory forensics and malware analysis series.

  • @Ck1357fr
    3 years ago

    thank you!

  • @truepearls1790
    11 months ago

    Nice work And great struggle 👏

  • @polonia66
    1 year ago

    thanks!

  • @temosgarage
    2 years ago

    Old one but great one! I am thinking about switching career paths from CTI to Digital Forensics and this was a great intro. Easy to follow. Thank you!

  • @sumanadasawijayapala5372
    1 year ago

    what's wrong with CTI?

  • @kumars9012
    5 years ago

    I am unable to download Registry Explorer, is it possible to get the link?

  • @CatSmiling
    3 years ago

    ty for this brah

  • @Trendnet18
    6 years ago

    Hi, Will you be doing any on the BAM/DAM and RecentApps forensic artifacts? Trying to find some info.

  • @baileysmooth
    3 years ago

    Hey, you should brand your PDF so I know where I borrowed it from and remember to visit you more often.

  • @lautarob
    4 years ago

    This video is so clear and easy to follow (while at the same time being very informative and professional) that I would like you to make something similar to the MAC OS. Meanwhile, thanks so much for sharing this.

  • @13Cubed
    4 years ago

    L. Barrera Thanks, be sure to check out the playlist of the same name that contains all of the episodes in the series covering a wide variety of topics.

  • @lautarob
    4 years ago

    @@13Cubed Thank you for your prompt reply. I have seen almost all of your youtube videos (I meant, those related to Windows OS and memory forensics). However, I haven't seen any video related to MAC OS forensics (I meant, related to HFS+ or even better, related to APFS and their corresponding operative systems: OS Sierra etc). And again, thanks for sharing so valuable and educative information!!.

  • @13Cubed
    4 years ago

    L. Barrera No macOS episodes yet, but they are coming. 😁

  • @lautarob
    4 years ago

    @@13Cubed Thank you. I look forward to them. Best wishes!

  • @cleverestx
    2 years ago

    The cheat sheet will not download, using Chrome or Firefox. Can this be fixed? Thank you.

  • @Trendnet18
    5 years ago

    Thank you so much for the video series that you provided!! Helped me a lot to pass my GCFE exam! Any suggestions with regards to getting the GOLD?

  • @13Cubed
    5 years ago

    Trendnet18 Good to hear! I’ve never done a gold paper, but if you want to research something how about the forensic implications of the Windows Subsystem for Linux (WSL). Lots of good material there...

  • @Trendnet18
    5 years ago

    Ok thanks, I'll look it up. Btw, are courses from Pentester Academy any good?

  • @13Cubed
    5 years ago

    Not sure - not familiar with them.

  • @Jheelrathod
    6 years ago

    Great Videos. Can you please make a video on SSD acquisition and encrypted drive forensics?

  • @13Cubed
    6 years ago

    Jheel rathod Appreciate the suggestion. I will add this to my list.

  • @SecureTheWorld
    6 years ago

    Great video! Thanks a lot. Can you please provide a SANS 408 index?

  • @MarcosMattos
    2 years ago

    Thanks for your contribution. This will be my guideline (initial guideline, btw) to the DFIR world.

  • @AnuragGawande
    5 years ago

    Thanks a lot for the video!! What if we delete/rename ntuser.dat file?

  • @rajkaransinghgill2082
    3 years ago

    At minute 25:05. Could there be a case in which current control set could be 1 but last known good other than 1? If yes, how is that possible?

  • @13Cubed
    3 years ago

    The current could have issues, and the last known good could be other than one. This would allow someone to boot and choose the "Last Known Good Configuration" option.

  • @servermadum7297
    2 years ago

    Thank you for the video, it was very helpful. I can't find the DCode V4 tool; where can I find it?

  • @13Cubed
    2 years ago

    www.digital-detective.net/dcode/

  • @servermadum7297
    2 years ago

    @@13Cubed yes I know that, but it doesn't work well like V5 and V4

  • @SUMEET5SEP
    5 years ago

    Hi, I just wanted to know: if someone downloaded a file from any web browser or downloaded it from email, what are all the things in the registry we need to look at as part of a forensic investigation?

  • @13Cubed
    5 years ago

    Sumeet Mishra A lot... RecentDocs, RecentFiles, UserAssist for program execution artifacts... really too many to cover here. Most are covered in this video and others in this series.

  • @anishthomas13
    5 years ago

    Thanks - The latest version of Registry Explorer v1.4.2 gives the details in parsed format directly - no additional tool is needed - even the ROT13 decoding is done

  • @bitdefe
    2 years ago

    Where do you buy or download the legal version? Registry Explorer

  • @rajkaransinghgill2082
    3 years ago

    48:35 How do we know what IP address was assigned, as there were 4 different entries under Interfaces?

  • @13Cubed
    3 years ago

    Each interface will have its own IP address associated with it. I just happened to click on the first GUID, which was this VM's primary adapter. The others could be VPN interfaces, loopback adapters, etc.

  • @mentaltfladdrig
    1 year ago

    interesting!

  • @hammuscomhsevcnnviu362
    2 months ago

    7:00 How did you get copies of the files?

  • @13Cubed
    2 months ago

    On a live system, you could use FTK Imager, KAPE, RawCopy, or anything that provides raw disk access.

  • @Trendnet18
    6 years ago

    Went through the SANS video, then came back here; man, you make things so much simpler to understand. Just a question: I googled for Broadband and VPN (for user profile), do I follow? I keep seeing 243 (decimal) for it and 0x17 for VPN. Is this a recent change?

  • @13Cubed
    6 years ago

    Interesting - that's entirely possible. However, I cannot find any documentation about this, and my tests were not able to duplicate your findings. If you find anything more about this, please share it.

  • @Trendnet18
    6 years ago

    13Cubed, any idea how to duplicate the broadband using a mobile phone? I'm trying to test it out. Currently it's showing up as wireless; when I use USB tethering it doesn't show up. I'll put the link to the forum later.

  • @13Cubed
    6 years ago

    Trendnet18 Pretty sure it would have to be an internal WWAN card and not tethering via cell phone to show up in that way.

  • @Trendnet18
    6 years ago

    13Cubed ok, I'll post the link to the forum later. VPN-wise, it doesn't seem to show up when I use OpenVPN. Is there a specific method by which it records it in the registry?

  • @13Cubed
    6 years ago

    Trendnet18 Try VPN services built into the OS.

  • @deathofasellout
    6 months ago

    Without taking the GCFE, can I work through all these videos and work through the Windows Forensics book by PHD Philip Polstra instead, and be fine moving into the GCFA?

  • @13Cubed
    6 months ago

    Possibly, but I would recommend taking Investigating Windows Endpoints and Investigating Windows Memory. Those are comprehensive courses, and both together cover nearly everything in FOR500 and FOR508 (plus a lot of additional detail not covered in either). Both courses also include a certification attempt. See 13cubed.com for more info.

  • @deathofasellout
    6 months ago

    @@13Cubed Do they cover Windows 11?

  • @13Cubed
    6 months ago

    @@deathofasellout Yes, absolutely.

  • @bitdefe
    2 years ago

    Very good, where do I download Registry Explorer?

  • @13Cubed
    2 years ago

    Thanks! I'm glad you liked it. ericzimmerman.github.io/#!index.md

  • @MoradRawashdeh
    4 years ago

    Hello man, I have a small question... at 10:54 you made a zoom while recording... how did you do that? What are you using for recording? Or did you do it in the editing stage? Please answer. Like your work.

  • @13Cubed
    4 years ago

    I use ScreenFlow and Final Cut Pro, but for this old video I think the only thing I used was QuickTime. macOS has a built-in zoom feature which is all I used.

  • @MoradRawashdeh
    4 years ago

    @@13Cubed thanks my friend ... I am still watching your videos right this moment... Learning forensics 😉

  • @SarathKumariamawesome
    5 years ago

    Would like to see a video on anti-forensics detection, $UsnJrnl, etc.

  • @13Cubed
    5 years ago

    sarath kumar Appreciate the suggestion, and I will add it to my list.

  • @stevewyche5232
    3 years ago

    Where can I find that dfir cheat sheet?

  • @13Cubed
    3 years ago

    Go to 13cubed.com, then Downloads. You'll see it (and others) listed there.

  • @patricecomedy
    2 years ago

    Do you run your analysis environment in a VM? I want to keep my studying of this separate from my personal system as much as possible.

  • @13Cubed
    2 years ago

    This was recorded years ago, so for this particular episode, yes. For current stuff, I do use VMs for Windows Server-based episodes, but I have a dedicated DFIR box that I built on which I do all of the lab work for current episodes.

  • @7daysinSunnyJune
    3 years ago

    Hello 13Cubed, any plans on releasing a Udemy course?

  • @13Cubed
    3 years ago

    No, just free YouTube content. If you are looking for something even more in-depth, I would recommend SANS. There are numerous classes available in the DFIR curriculum.

  • @MokshaDharma
    4 years ago

    You might have invented a word :) "forensicating" @ 14:50

  • @chadguru9565
    3 years ago

    Not to take credit away from the excellent human that this YouTuber is, but "forensicating" is a fairly common euphemism in the DFIR community

  • @x10creeper52
    5 years ago

    Personal Timestamp: 21:34

  • @Akoroush
    4 years ago

    Seems like Forensics Wiki is no more. What happened?

  • @13Cubed
    4 years ago

    I don't know -- I was wondering the same thing.

  • @Aspirant23242
    2 years ago

    Man, not able to download the cheat sheet

  • @13Cubed
    2 years ago

    www.13cubed.com/downloads/dfir_cheat_sheet.pdf

  • @Aspirant23242
    2 years ago

    @@13Cubed thank you it is working now 😊

  • @Aspirant23242
    2 years ago

    @@13Cubed and great content very useful