Category: Windows

Cybersecurity, Dfir, Windows

Understanding Process Hollowing

A technique used by malware authors to evade defenses and to hinder detection and analysis of malicious process execution. Process hollowing is a technique used by malware in which a legitimate process is loaded on the system solely to act as a container for hostile code. How does it work? At launch, the legitimate process is created in a suspended […]

Cybersecurity, Dfir, Forensics, Windows

MAC(b) times in Windows forensic analysis

Essential information during timeline analysis. During a forensic analysis, especially during timeline analysis, you deal with MAC timestamps, so it’s important to know and understand the concept of time resolution. The MAC(b) times are derived from file system metadata and they stand for: Modified, Accessed, Changed ($MFT modified), Birth (file creation time). The (b) is […]

Cybersecurity, Forensics, Windows

PowerForensics: a PowerShell framework for hard drive forensic analysis

Simple to install and with a lot of features. The purpose of PowerForensics is to provide an all-inclusive framework for hard drive forensic analysis. PowerForensics currently supports the NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support. PowerForensics is built on a C# class library (assembly) that provides an […]

Windows Command Line cheatsheet (part 1): some useful tips

Yes, Windows can also be used from the command line… Today I propose a brief list of useful Windows CLI commands for daily use. Windows Registry: adding keys and values. C:\> reg add [\\TargetIPaddr\][RegDomain]\[Key] adds a key to the registry on machine [TargetIPaddr] within the registry domain [RegDomain] at location [Key]. If no remote machine is specified, the current […]