- Page 7 and 8: Registry Decoder • Originally fun
- Page 9 and 10: Registry Decoder Offline • Used t
- Page 11 and 12: Browsing • Similar to Access Data
- Page 13 and 14: Plugins • Full plugin system, eac
- Page 15: Searching - The Best Part!! • No
- Page 20 and 21: Reporting • We wanted to be able
- Page 23 and 24: TRIAGE Standardizing Remote IR Coll
- Page 25 and 26: Our Problem • Slow Response Time
- Page 27 and 28: Our Actions - After Triage • Auto
- Page 29 and 30: What does it do? • Runs Sysintern
- Page 31 and 32: Quick Hits • Start Up Info • AV
- Page 33 and 34: CASE STUDY
- Page 35 and 36: Triage Received - AV Logs analyzed
- Page 37 and 38: Wait what was that?? • Yes we hav
- Page 39 and 40: What hit me? • Gammima.AG • Gam
- Page 41 and 42: Triage Timings • 5hr 25 Minutes
- Page 43: Who Created Triage?
- Page 46 and 47: "All our knowledge is the offspring
- Page 54 and 55: • The Midline Proportional Marker
- Page 56 and 57: It doesn’t matter how tall an adu
- Page 58 and 59: 10mo Headlengths 2 head lengths 2 h
- Page 60 and 61: Other Perceptual Cues • Body habi
- Page 62 and 63: How Good Are We At Age Estimation?
- Page 64 and 65: 0 Years Old
- Page 66 and 67: 6 Years Old
- Page 68 and 69: 12 Years Old
- Page 70 and 71: 18 Years Old
- Page 72 and 73: Conclusions • Based upon the prep
- Page 75 and 76: SANS360 Presentation H. Carvey Chie
- Page 77 and 78: Issue - Historical Data UserAssist
- Page 79 and 80: Accessing VSCs Corey Harrell did a
- Page 81 and 82: What else? This works, as well, wit
- Page 84 and 85: A Hash Is Worth 1000 Words Hal Pome
- Page 86 and 87: Needle in a Haystack? • Machines
- Page 88 and 89: $ ls Making a Hash of Things Dartha
- Page 90 and 91: Common as Dirt
- Page 92 and 93: Profit!
- Page 94 and 95: Some Things Cannot Be Unseen
- Page 96: http://deer-run.com/
- Page 99 and 100: Background • Timelines "somet
- Page 101 and 102: Background • What have we got
- Page 103 and 104: Example Run l2t_find_evil.py -r tes
- Page 105 and 106: Example Rule rule System32BinaryOut
- Page 108 and 109: In 360 Seconds Corey Harrell
- Page 110 and 111: What Are Fraudulent Documents Fraud
- Page 112 and 113: Types of Fraud - Purchasing Explan
- Page 114 and 115: Types of Fraud - Bid Rigging Expla
- Page 116 and 117: Types of Fraud Similarity Between P
- Page 118 and 119: Word Documents Metadata Metadata i
- Page 120 and 121: Word Documents Metadata Modifying
- Page 122 and 123: Word Documents Metadata Performing
- Page 124 and 125: Red Flag #2 Usernames shouldn’t a
- Page 126 and 127: Red Flag #4 Print dates shouldn’t
- Page 128 and 129: Red Flags Chart Document Created Do
- Page 130 and 131: Detection Process Locate Documents
- Page 132 and 133: Separate Documents Separate documen
- Page 134 and 135: Extract Metadata Metadata in Squirr
- Page 136 and 137: Analyze Metadata Suspicious Documen
- Page 140 and 141: Helm of Clear Thinking Dongle of Ju
- Page 145: Follow the Yellow Bit Road…. Well
- Page 156 and 157: Girl, Unallocated’s Digital Foren
- Page 159 and 160: The Analytic That Changed My Life:
- Page 161 and 162: Context Continued: Behavioral Analy
- Page 163 and 164: Picture Time! 163
- Page 165 and 166: Why Are We Doing This? Typical adv
- Page 167 and 168: End Result: An Analytic Does the s
- Page 169 and 170: Why Did This Change Your Life? Rei
- Page 172 and 173: Shellbags Alissa Torres KEYW Corpor
- Page 174 and 175: • Evidence of File/Folder Existen
- Page 176 and 177: For Windows 7: C:\Users\\AppData\Lo
- Page 178 and 179: \Software\Microsoft\Windows\Shell\B
- Page 180 and 181: \Software\Microsoft\Windows\Shell\B
- Page 182 and 183: C:\>sbag usrclass.dat -csv > usrcla
- Page 184 and 185: Shown above: MiTec Windows Registry
- Page 186: Proprietary Data Located on Removab
- Page 189 and 190: 6 fun facts about me • Parents pu
- Page 191: Me Log2timeline-sift >> My first Co
- Page 194 and 195: Step 1- Create Step 2- Filter Step
- Page 196 and 197: Filtering Limitations Review Limita
- Page 198: PoC: Import and Create DB
- Page 202: “Think left and think right and t