6.2 Operating System Forensics Part 2 (FI)

00:01

Hey, everyone, welcome back to the course. So in the last video, we talked about collecting volatile data

00:07

in this video, we're gonna talk about non vile, talented.

00:12

So some of the non volatile information we would want to grab it's gonna be a registry information as well as information from E S C, which is Theo Extensible Storage injured.

00:22

So witnessed registry. And this is something that you'll definitely want to know

00:26

pretty well in debt for the exam. Um, you might see ah many, many things tested aboutthe windows registry by chance. So some of the common things you'll want to know are this H key classes, route, current user, local machine users and current config.

00:41

So H key classes route. So basically, this one ensures that correct programme opens when executed. So hence the name route there. If you think of the Linux systems,

00:49

Dragon drop rules is what it contains, as well as information about shortcuts and the user interface.

00:57

H g carry user. As the name implies, it shows information about the current logged in user

01:03

local machine, specifies hardware specific information and then also shows the mounted drives.

01:11

It's key users. Contains information about all the user. So notice a differentiation between current users and just users

01:19

Current configured just shows you the system's current configuration. So some of these air kind of easy to know what is talking about.

01:27

So other areas of the registry that you're gonna be want to be familiar with and these paths you're just gonna wanna kind of focus on the like, the last couple of things in the path. So, for example, with share names, you just want to know, like service is and then land man server and then shares. You know, you don't necessarily need to memorize a

01:46

h key lm system,

01:48

because for the most part, that's probably not gonna change if they're testing it on the exam. But what will change is kind of the last chunks of those you know. So, for example, like what time zones? You'll just want to make sure you know its current control set control and then time zone information. The pre fetching

02:04

you just want to know Session manager, memory management, prefect parameters, etcetera, etcetera. So again, just kind of remember like the last half of those,

02:10

and that will help you on the examination just in case is tested.

02:15

So why are the service said Identify R S s I d. So this is how you know you can identify the wireless networks. You know, says we go to Starbucks here, you know, we go to the store, whatever the case might be, um, you know, our device or laptop and you know, it's identifying those by the S s i d

02:32

so one thing again here, you'll want to keep in mind. Is this path so you just want to know, basically from the w Z C S V C forward. So again, we're kind of just memorized in that last half of the path.

02:46

So different types of registry tools, Not an all inclusive list. But these were some of the common ones, but you may actually just see mentioned if they ask about it on the exam. So Red's Ripper, pro discover rich edit and red scanner

03:01

extensible storage engine. So this is a related to email. So if you see anything about it on the exam, you think of it in the context of email.

03:09

Ah, and then basically, the files have a dot e d b extension. So you also want to kind of memorize that as well.

03:16

So in this video, we can talk in a very high level of some nonviolent I'll data in different ways. We could look for it