Prefetch Deep Dive
This is the premiere of a new 13Cubed series called Deep Dives. In this episode, we'll take an in-depth look at one of the most important Windows "evidence of execution" artifacts. The following topics will be covered:

- An Introduction to Prefetch
- Prefetch Location and File Naming Convention
- Prefetch Hash Computation and Exceptions to the Rule
- Prefetch File Analysis via MACB Timestamps
- Parsing Prefetch Files via PECmd
- Extracting Prefetch Data from Memory

** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **

Prefetch Explorer (PECmd): https://ericzimmerman.github.io/
Prefetch Hashes: http://www.hexacorn.com/blog/2012/06/...
Prefetch Anti-Forensics: http://www.hexacorn.com/blog/2012/03/...
Volatility: https://github.com/volatilityfoundati...
Volatility prefetchparser Plugin: https://github.com/superponible/volat...
Open Source Implementations of Microsoft Compression Algorithms: https://github.com/coderforlife/ms-co...

Background Music Courtesy of Anders Enger Jensen: / hariboosx

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
