Some months ago I got the GCFA certification.

During exam preparation I collected a lot of notes, and after the exam I gradually organized them into an index based on the topics that emerged during the exam, using my little free time.



Update 20/11/2018

I've released on Amazon an extended and updated version of this ebook, also available as a printed version:

The little handbook of Windows Forensics


Update 29/10/2018


My "sketchbook" was an unexpected result: a lot of users bought it!

And a lot of users (thanks!) sent me reports of small errors and typos in the document.
That's why I published a new version of the sketchbook, with some corrections.
Furthermore, I've also included an extended reference to Volatility (initially included in the sketchbook, but removed to limit the size of the document, because it is not a main exam topic).

Users that already bought the Sketchbook should be able to download the new version using the link received in Gumroad's email; otherwise, email me!


The document is not a simple braindump: for each exam question I remember, I've collected all the notes taken during preparation and organized them in an alphabetical index useful for a quick search during the exam.

Finally I've completed a first version, which can be downloaded from Gumroad.

Table of contents

FAT Filesystem
   Structure
   Boot Record
   FATs
   Root Directory
   Data Area
   Clusters
   Wasted Sectors
   FAT Entry Values
       FAT12
       FAT16
       FAT32
   Versions
       FAT12
       FAT16
       FAT32
       Limitations with Windows 2000 & Windows XP
       exFAT (sometimes incorrectly called FAT64)
   Disk Unit Addressing
   Metadata Addressing
   Notes on Timezones
   General Notes on Time
   Sentinel Timestamps
   References
NTFS Filesystem
   Structure
   Master File Table
       Metafiles
       Attributes
   Last Access Time
       Within the file’s attribute
       Within a directory entry for a file
   Alternate Data streams
       Known Alternate Stream Names
   Sparse Files
   Journaling
   Directory junctions
   Hard links
   File compression
   References
Volume Shadow Copies
   Overview
   Windows Versions
       Windows XP and Server 2003
       Windows Vista, 7 and Server 2008
       Windows 8 and Server 2012
       Windows 10
   Compatibility
   Shadow Volume Copies in Digital Forensics
       Why Shadow Copies are important to Forensics
       Limitations of Shadow Copies in forensic investigations
       Volume Shadow Copies in the Registry
       Analyzing Volume Shadow Copies
   References
MAC(b) Times
   Where are they stored?
       $STANDARD_INFO
       $FILE_NAME
       What are the differences?
   Time Rules
   How to detect Anti-Forensics Timestamp Anomalies?
Memory analysis
   Volatility
       Volatility Plugins reference
       Acronyms
       External References
   Redline
   Process Hollowing
       Detecting hollowed processes with Volatility
       Mitigation
Windows Registry
   Persistence techniques
       DLL Search Order Hijacking
       Shortcut Hijacking
       Bootkit
       COM Hijacking
   Amcache and Shimcache
       Amcache
       Shimcache
   Recent opened Programs/Files/URLs
       Start>Run
       UserAssist
       Shell bag
       Recent URLs
   Installed programs
   Windows Protect Storage
   Pagefile
   Windows Search
   File extensions
   Mounted drives
   USB Storage
   Debugging
Windows Events
   Structure and location
   Useful events for forensics analysis
   Logon Type Codes
Security Identifiers (SIDs)
   Machine SIDs
       Decoding Machine SID
   Service SIDs
   Well-known security identifiers
Forensics Tools
   Sleuthkit
       Timeline creation
   DensityScout
   Plaso
       Supertimeline creation
   Foremost
   md5deep
   RegRipper
   Log Parser
   python-evtx
   EvtxParser
   Hibr2Bin
   Kansa
   Sigcheck
   PECmd
   ShimCacheParser
Attack tools

I hope this helps!


I'm sorry, this time it's not a free goody: exam preparation is a process that costs time and money.

I think it is correct to share this knowledge only with users who are really interested.