Some months ago I got the GCFA certification.
During exam preparation I collected a lot of notes, and after the exam I gradually organized them into an index based on the topics that came up during the exam, using my little free time.
My “sketchbook” had an unexpected result: a lot of users bought it!
And a lot of users (thanks!) sent me reports of small errors and typos in the document.
That’s why I published a new version of the sketchbook, with some corrections.
Furthermore, I also included an extended reference to Volatility (initially part of the sketchbook, but removed in order to limit the size of the document, because it is not a main exam topic).
Users who already bought the Sketchbook should be able to download the new version using the link received in the Gumroad email; otherwise, email me!
The document is not a simple braindump: for each exam question I remember, I collected all the notes taken during preparation and organized them in an alphabetical index, useful for a quick search during the exam.
Finally I completed a first version, which can be downloaded from Gumroad.
Table of contents
FAT Filesystem: Structure; Boot Record; FATs; Root Directory; Data Area; Clusters; Wasted Sectors; FAT Entry Values; FAT12; FAT16; FAT32; Versions; FAT12; FAT16; FAT32; Limitations with Windows 2000 & Windows XP; exFAT (sometimes incorrectly called FAT64); Disk Unit Addressing; Metadata Addressing; Notes on Timezones; General Notes on Time; Sentinel Timestamps; References
NTFS Filesystem: Structure; Master File Table; Metafiles; Attributes; Last Access Time; Within the file’s attribute; Within a directory entry for a file; Alternate Data Streams; Known Alternate Stream Names; Sparse Files; Journaling; Directory junctions; Hard links; File compression; References
Volume Shadow Copies: Overview; Windows Versions; Windows XP and Server 2003; Windows Vista, 7 and Server 2008; Windows 8 and Server 2012; Windows 10; Compatibility; Shadow Volume Copies in Digital Forensics; Why Shadow Copies are important to Forensics; Limitations of Shadow Copies in forensic investigations; Volume Shadow Copies in the Registry; Analyzing Volume Shadow Copies; References
MAC(b) Times: Where are they stored?; $STANDARD_INFO; $FILE_NAME; What are the differences?; Time Rules; How to detect Anti-Forensics Timestamp Anomalies?
Memory analysis: Volatility; Volatility Plugins reference; Acronyms; External References; Redline
Process Hollowing: Detecting hollowed processes with Volatility; Mitigation
Windows Registry: Persistence techniques; DLL Search Order Hijacking; Shortcut Hijacking; Bootkit; COM Hijacking; Amcache and Shimcache; Amcache; Shimcache; Recent opened Programs/Files/URLs; Start>Run; UserAssist; Shell bag; Recent URLs; Installed programs; Windows Protect Storage; Pagefile; Windows Search; File extensions; Mounted drives; USB Storage; Debugging
Windows Events: Structure and location; Useful events for forensics analysis; Logon Type Codes
Security Identifiers (SIDs): Machine SIDs; Decoding Machine SID; Service SIDs; Well-known security identifiers
Forensics Tools: Sleuthkit; Timeline creation; DensityScout; Plaso; Supertimeline creation; Foremost; md5deep; RegRipper; Log Parser; python-evtx; EvtxParser; Hibr2Bin; Kansa; Sigcheck; PECmd; ShimCacheParser
Attack tools
I hope this helps!