- Page 7 and 8: Registry Decoder • Originally fun
- Page 9 and 10: Registry Decoder Offline • Used t
- Page 11 and 12: Browsing • Similar to Access Data
- Page 13 and 14: Plugins • Full plugin system, eac
- Page 15: Searching - The Best Part!! • No
- Page 20 and 21: Reporting • We wanted to be able
- Page 24 and 25: About Us • Immature • Global Co
- Page 26 and 27: Our Actions - Before Triage • Con
- Page 28 and 29: What is Triage? • Collection of I
- Page 30 and 31: Limitations • ADMIN • Locally
- Page 32 and 33: Our Results • Great Starting Poin
- Page 34 and 35: AV to the rescue • 9:53 AM Tamper
- Page 36 and 37: Triage Received - Analyzing reports
- Page 38 and 39: GOOGLE to the Rescue • AXSOSO.exe
- Page 40 and 41: Timing BEFORE Triage • 48 hrs •
- Page 42 and 43: Summary • Semi Automatic Data col
- Page 45 and 46: How We Know the Sky is Blue: Child
- Page 47 and 48: The Ability to Identify Sexual Matu
- Page 54 and 55: • The Midline Proportional Marker
- Page 56 and 57: It doesn’t matter how tall an adu
- Page 58 and 59: 10mo Headlengths 2 head lengths 2 h
- Page 60 and 61: Other Perceptual Cues • Body habi
- Page 62 and 63: How Good Are We At Age Estimation?
- Page 64 and 65: 0 Years Old
- Page 66 and 67: 6 Years Old
- Page 68 and 69: 12 Years Old
- Page 70 and 71: 18 Years Old
- Page 72 and 73: Conclusions • Based upon the prep
- Page 75 and 76: SANS360 Presentation H. Carvey Chie
- Page 77 and 78: Issue - Historical Data UserAssist
- Page 79 and 80: Accessing VSCs Corey Harrell did a
- Page 81 and 82: What else? This works, as well, wit
- Page 84 and 85: A Hash Is Worth 1000 Words Hal Pome
- Page 86 and 87: Needle in a Haystack? • Machines
- Page 88 and 89: $ ls Making a Hash of Things Dartha
- Page 90 and 91: Common as Dirt
- Page 92 and 93: Profit!
- Page 94 and 95: Some Things Cannot Be Unseen
- Page 96: http://deer-run.com/
- Page 99 and 100: Background • • Timelines "somet
- Page 101 and 102: Background • • What have we got
- Page 103 and 104: Example Run l2t_find_evil.py -r tes
- Page 105 and 106: Example Rule rule System32BinaryOut
- Page 108 and 109: In 360 Seconds Corey Harrell
- Page 110 and 111: What Are Fraudulent Documents Fraud
- Page 112 and 113: Types of Fraud - Purchasing Explan
- Page 114 and 115: Types of Fraud - Bid Rigging Expla
- Page 116 and 117: Types of Fraud Similarity Between P
- Page 118 and 119: Word Documents Metadata Metadata i
- Page 120 and 121: Word Documents Metadata Modifying
- Page 122 and 123: Word Documents Metadata Performing
- Page 124 and 125: Red Flag #2 Usernames shouldn’t a
- Page 126 and 127: Red Flag #4 Print dates shouldn’t
- Page 128 and 129: Red Flags Chart Document Created Do
- Page 130 and 131: Detection Process Locate Documents
- Page 132 and 133: Separate Documents Separate documen
- Page 134 and 135: Extract Metadata Metadata in Squirr
- Page 136 and 137: Analyze Metadata Suspicious Documen
- Page 140 and 141: Helm of Clear Thinking Dongle of Ju
- Page 145: Follow the Yellow Bit Road…. Well
- Page 156 and 157: Girl, Unallocated’s Digital Foren
- Page 159 and 160: The Analytic That Changed My Life:
- Page 161 and 162: Context Continued: Behavioral Analy
- Page 163 and 164: Picture Time! 163
- Page 165 and 166: Why Are We Doing This? Typical adv
- Page 167 and 168: End Result: An Analytic Does the s
- Page 169 and 170: Why Did This Change Your Life? Rei
- Page 172 and 173: Shellbags Alissa Torres KEYW Corpor
- Page 174 and 175: • Evidence of File/Folder Existen
- Page 176 and 177: For Windows 7: C:\Users\\AppData\Lo
- Page 178 and 179: \Software\Microsoft\Windows\Shell\B
- Page 180 and 181: \Software\Microsoft\Windows\Shell\B
- Page 182 and 183: C:\>sbag usrclass.dat -csv > usrcla
- Page 184 and 185: Shown above: MiTec Windows Registry
- Page 186: Proprietary Data Located on Removab
- Page 189 and 190: 6 fun facts about me • Parents pu
- Page 191: Me Log2timeline-sift >> My first Co
- Page 194 and 195: Step 1- Create Step 2- Filter Step
- Page 196 and 197: Filtering Limitations Review Limita
- Page 198: PoC: Import and Create DB
- Page 202: “Think left and think right and t