- Page 7 and 8: Registry Decoder • Originally fun
- Page 9 and 10: Registry Decoder Offline • Used t
- Page 11 and 12: Browsing • Similar to Access Data
- Page 13 and 14: Plugins • Full plugin system, eac
- Page 15: Searching - The Best Part!! • No
- Page 20 and 21: Reporting • We wanted to be able
- Page 23 and 24: TRIAGE Standardizing Remote IR Coll
- Page 25 and 26: Our Problem • Slow Response Time
- Page 27 and 28: Our Actions - After Triage • Auto
- Page 29 and 30: What does it do? • Runs Sysintern
- Page 31 and 32: Quick Hits • Start Up Info • AV
- Page 33 and 34: CASE STUDY
- Page 35 and 36: Triage Received - AV Logs analyzed
- Page 37 and 38: Wait what was that?? • Yes we hav
- Page 39 and 40: What hit me? • Gammima.AG • Gam
- Page 41 and 42: Triage Timings • 5hr 25 Minutes
- Page 43: Who Created Triage?
- Page 46 and 47: "All our knowledge is the offspring
- Page 48: The REALITY of the depiction DOESN'
- Page 55 and 56: By the time a person reaches physic
- Page 57 and 58: The Midline moves down towards the
- Page 59 and 60: Growth & Development of the Face 7
- Page 61 and 62: Before you reach for your slide rul
- Page 63 and 64: 5 Step Age Estimation Process 1. Ro
- Page 65 and 66: 3 Years Old
- Page 67 and 68: 9 Years Old
- Page 69 and 70: 15 Years Old
- Page 71 and 72: 25 Years Old
- Page 73: "All our knowledge is the offspring
- Page 76 and 77: SANS360 Registry, UserAssist, and V
- Page 78 and 79: VSCs Does old data every completely
- Page 80 and 81: UserAssist Info from the Registry N
- Page 84 and 85: A Hash Is Worth 1000 Words Hal Pome
- Page 86 and 87: Needle in a Haystack? • Machines
- Page 88 and 89: $ ls Making a Hash of Things Dartha
- Page 90 and 91: Common as Dirt
- Page 92 and 93: Profit!
- Page 94 and 95: Some Things Cannot Be Unseen
- Page 96: http://deer-run.com/
- Page 99 and 100: Background • • Timelines "somet
- Page 101 and 102: Background • • What have we got
- Page 103 and 104: Example Run l2t_find_evil.py -r tes
- Page 105 and 106: Example Rule rule System32BinaryOut
- Page 108 and 109: In 360 Seconds Corey Harrell
- Page 110 and 111: What Are Fraudulent Documents Fraud
- Page 112 and 113: Types of Fraud - Purchasing Explan
- Page 114 and 115: Types of Fraud - Bid Rigging Expla
- Page 116 and 117: Types of Fraud Similarity Between P
- Page 118 and 119: Word Documents Metadata Metadata i
- Page 120 and 121: Word Documents Metadata Modifying
- Page 122 and 123: Word Documents Metadata Performing
- Page 124 and 125: Red Flag #2 Usernames shouldn’t a
- Page 126 and 127: Red Flag #4 Print dates shouldn’t
- Page 128 and 129: Red Flags Chart Document Created Do
- Page 130 and 131: Detection Process Locate Documents
- Page 132 and 133: Separate Documents Separate documen
- Page 134 and 135: Extract Metadata Metadata in Squirr
- Page 136 and 137: Analyze Metadata Suspicious Documen
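The four-step detection process listed above (locate documents, separate them, extract metadata, analyze it) as an added worked example; this is not code from the original slides. It assumes the documents are Word .docx packages, reads `docProps/core.xml` with only the standard library, and constructs the three sample bids in memory so it runs offline. The specific red flags it checks (modified or last-printed timestamp earlier than the created timestamp, and one creator username behind bids from supposedly different vendors) are assumptions chosen to fit the bid-rigging and print-date slides, since the slide text here is truncated.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

# Namespaces used inside docProps/core.xml of an OOXML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def build_docx(creator, modified_by, created, modified, printed=None):
    """Constructed test input: a minimal .docx (a ZIP) carrying only the
    core-properties part. Not a real document from any case."""
    core = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'.format(**NS),
        "<dc:creator>{}</dc:creator>".format(creator),
        "<cp:lastModifiedBy>{}</cp:lastModifiedBy>".format(modified_by),
        "<dcterms:created>{}</dcterms:created>".format(created),
        "<dcterms:modified>{}</dcterms:modified>".format(modified),
    ]
    if printed:
        core.append("<cp:lastPrinted>{}</cp:lastPrinted>".format(printed))
    core.append("</cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", "\n".join(core))
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def _ts(value):
    # core.xml stores W3CDTF timestamps such as 2012-03-01T09:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def extract_metadata(docx_bytes):
    """Step 3: pull creator, last-modified-by and the three timestamps."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def field(tag):
        el = root.find(tag, NS)
        return el.text if el is not None else None

    return {
        "creator": field("dc:creator"),
        "last_modified_by": field("cp:lastModifiedBy"),
        "created": _ts(field("dcterms:created")),
        "modified": _ts(field("dcterms:modified")),
        "last_printed": _ts(field("cp:lastPrinted")),
    }


def analyze_document(meta):
    """Step 4, per document: timestamp ordering that cannot happen naturally.
    Which orderings count as red flags is an assumption of this example."""
    flags = []
    c, m, p = meta["created"], meta["modified"], meta["last_printed"]
    if c and m and m < c:
        flags.append("modified timestamp precedes created timestamp")
    if c and p and p < c:
        flags.append("print timestamp precedes created timestamp")
    return flags


def analyze_set(documents):
    """Steps 2 and 4 across the set. `documents` maps filename to
    (purported vendor, docx bytes); the vendor label is what 'separates'
    the documents, so one username authoring bids for several vendors is
    flagged (assumed indicator for bid rigging)."""
    metas = {name: extract_metadata(data) for name, (_, data) in documents.items()}
    results = {name: analyze_document(meta) for name, meta in metas.items()}
    vendors_by_creator = defaultdict(set)
    for name, (vendor, _) in documents.items():
        if metas[name]["creator"]:
            vendors_by_creator[metas[name]["creator"]].add(vendor)
    for name, (vendor, _) in documents.items():
        creator = metas[name]["creator"]
        if creator and len(vendors_by_creator[creator]) > 1:
            results[name].append(
                "creator username '%s' also authored documents from other vendors" % creator)
    return results


# Constructed sample: three bids, two of them written by the same username.
SAMPLE_DOCS = {
    "acme_bid.docx": ("Acme Supply", build_docx(
        "jdoe", "jdoe", "2012-03-01T09:00:00Z", "2012-03-02T10:00:00Z", "2012-03-02T11:00:00Z")),
    "beta_bid.docx": ("Beta Corp", build_docx(
        "jdoe", "jdoe", "2012-03-05T09:00:00Z", "2012-03-01T10:00:00Z")),
    "gamma_bid.docx": ("Gamma LLC", build_docx(
        "msmith", "msmith", "2012-03-03T09:00:00Z", "2012-03-04T10:00:00Z", "2012-03-02T08:00:00Z")),
}

if __name__ == "__main__":
    for name, flags in analyze_set(SAMPLE_DOCS).items():
        print(name, flags or "no red flags")
```

Step 1 (locating documents) is left to whatever collection you already have; replace `SAMPLE_DOCS` with bytes read from disk and the rest of the pipeline is unchanged. Metadata can be edited by whoever forged the document, so a clean result here is not evidence of authenticity, only the absence of this particular mistake.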
- Page 140 and 141: Helm of Clear Thinking Dongle of Ju
- Page 145: Follow the Yellow Bit Road…. Well
- Page 156 and 157: Girl, Unallocated’s Digital Foren
- Page 159 and 160: The Analytic That Changed My Life:
- Page 161 and 162: Context Continued: Behavioral Analy
- Page 163 and 164: Picture Time! 163
- Page 165 and 166: Why Are We Doing This? Typical adv
- Page 167 and 168: End Result: An Analytic Does the s
- Page 169 and 170: Why Did This Change Your Life? Rei
- Page 172 and 173: Shellbags Alissa Torres KEYW Corpor
- Page 174 and 175: • Evidence of File/Folder Existen
- Page 176 and 177: For Windows 7: C:\Users\\AppData\Lo
- Page 178 and 179: \Software\Microsoft\Windows\Shell\B
- Page 180 and 181: \Software\Microsoft\Windows\Shell\B
- Page 182 and 183: C:\>sbag usrclass.dat -csv > usrcla
- Page 184 and 185: Shown above: MiTec Windows Registry
- Page 186: Proprietary Data Located on Removab
- Page 189 and 190: 6 fun facts about me • Parents pu
- Page 191: Me Log2timeline-sift >> My first Co
- Page 194 and 195: Step 1- Create Step 2- Filter Step
- Page 196 and 197: Filtering Limitations Review Limita
- Page 198: PoC: Import and Create DB
- Page 202: “Think left and think right and t