Investigation Scenario 🔎

An attacker remotely wiped an executive’s laptop at some point after accessing it.

What do you look for to investigate how the attacker accessed the system and their actions while in control of it?

Your only evidence source is a backup of the Windows registry taken just before the attacker wiped the system.

#InvestigationPath #DFIR #SOC

@chrissanders88 Thinking primarily of the ShellBags and UserAssist registry keys, AppCompatCache, and there might be a creation date for a new account registry key. If the Amcache hive is included, that can also be part of the execution timeline of programs that might have wiped the drive. To be honest, though, I would run RegRipper against what we have and go from there rather than take a piecemeal approach. Then review findings of interest manually and build a timeline.
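As an added example (not code from the thread or from RegRipper), here is how the UserAssist part of that timeline is actually decoded: value names under `UserAssist\{GUID}\Count` are ROT13-obfuscated program paths, and each value is a fixed-size blob holding a run count and a last-execution FILETIME. The layouts follow public documentation of the key (72 bytes on Windows 7 and later, 16 bytes on XP/Vista); both are handled so the parser also works on an older hive. Every sample value below is constructed, including the GUIDs and timestamps, to stand in for what the backed-up NTUSER.DAT might contain.

```python
"""Decode UserAssist values into an execution timeline.

Added example for this thread, not code from the original post.
Layouts follow public documentation of the UserAssist key; every
sample value below is constructed, not taken from a real case.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_UNIX_EPOCH = 116444736000000000  # 1970-01-01T00:00:00Z as FILETIME


def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 means 'not recorded'."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used here only to build sample data)."""
    delta = dt - EPOCH_1601
    return (delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds) * 10


def decode_name(value_name):
    """Value names under UserAssist\\{GUID}\\Count are ROT13-obfuscated paths."""
    return codecs.decode(value_name, "rot_13")


def parse_value(data):
    """Parse one UserAssist value; returns None for control/unknown layouts.

    72 bytes (Windows 7 and later): session id @0, run count @4, focus
    count @8, focus time in ms @12, last-run FILETIME @60.
    16 bytes (XP/Vista): session id @0, run count @4 stored with a +5
    offset, last-run FILETIME @8.
    """
    if len(data) == 72:
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (last_ft,) = struct.unpack_from("<Q", data, 60)
    elif len(data) == 16:
        _session, raw_count, last_ft = struct.unpack("<IIQ", data)
        run_count, focus_count, focus_ms = max(raw_count - 5, 0), None, None
    else:
        return None
    return {"run_count": run_count, "focus_count": focus_count,
            "focus_ms": focus_ms, "last_run": filetime_to_datetime(last_ft)}


def build_timeline(count_values):
    """count_values: {raw value name: raw value bytes} from a Count subkey.

    Returns decoded entries sorted by last execution time, entries with no
    timestamp last, ready to merge with other registry timestamps.
    """
    entries = []
    for raw_name, data in count_values.items():
        parsed = parse_value(data)
        if parsed is None:
            continue  # e.g. UEME_CTLSESSION, a counter rather than a program
        parsed["program"] = decode_name(raw_name)
        entries.append(parsed)
    entries.sort(key=lambda e: (e["last_run"] is None, e["last_run"] or EPOCH_1601))
    return entries


def _win7_blob(run_count, focus_count, focus_ms, last_run):
    ft = datetime_to_filetime(last_run) if last_run else 0
    return (struct.pack("<IIII", 1, run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", ft) + b"\x00" * 4)


def _xp_blob(run_count, last_run):
    return struct.pack("<IIQ", 1, run_count + 5, datetime_to_filetime(last_run))


UTC = timezone.utc
# Constructed sample: what the Count subkey might hold on the backed-up NTUSER.DAT
SAMPLE_COUNT_VALUES = {
    # {1AC14E77-...} is the System32 known-folder GUID; cmd.exe launched three times
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr":
        _win7_blob(3, 2, 91_000, datetime(2024, 3, 5, 14, 22, 10, tzinfo=UTC)),
    "P:\\Jvaqbjf\\Flfgrz32\\qvfxcneg.rkr":
        _win7_blob(1, 1, 4_000, datetime(2024, 3, 5, 14, 31, 42, tzinfo=UTC)),
    "HRZR_PGYFRFFVBA": b"\x00" * 8,  # UEME_CTLSESSION, skipped by the parser
    # XP-style entry, included only to exercise the 16-byte layout
    "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pvcure.rkr":
        _xp_blob(1, datetime(2024, 3, 5, 14, 40, 3, tzinfo=UTC)),
}

if __name__ == "__main__":
    for e in build_timeline(SAMPLE_COUNT_VALUES):
        when = e["last_run"].isoformat() if e["last_run"] else "n/a"
        print(f"{when}  runs={e['run_count']}  {e['program']}")
```

The output is one line per program, oldest first, which is the shape you want before merging with key last-write times (for a newly created account under SAM\Domains\Account\Users\Names, for instance) and with AppCompatCache and Amcache entries. Note that UserAssist only records GUI-launched programs, so a wipe started from an interactive console or a remote-management channel shows up here, if at all, only as the launcher (cmd.exe, PowerShell) and not as the command it ran.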