6.2 Operating System Forensics Part 2 (FI)

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

17 hours 41 minutes
Video Transcription
Hey, everyone, welcome back to the course. So in the last video, we talked about collecting volatile data
in this video, we're gonna talk about non vile, talented.
So some of the non volatile information we would want to grab it's gonna be a registry information as well as information from E S C, which is Theo Extensible Storage injured.
So witnessed registry. And this is something that you'll definitely want to know
pretty well in debt for the exam. Um, you might see ah many, many things tested aboutthe windows registry by chance. So some of the common things you'll want to know are this H key classes, route, current user, local machine users and current config.
So H key classes route. So basically, this one ensures that correct programme opens when executed. So hence the name route there. If you think of the Linux systems,
Dragon drop rules is what it contains, as well as information about shortcuts and the user interface.
H g carry user. As the name implies, it shows information about the current logged in user
local machine, specifies hardware specific information and then also shows the mounted drives.
It's key users. Contains information about all the user. So notice a differentiation between current users and just users
Current configured just shows you the system's current configuration. So some of these air kind of easy to know what is talking about.
So other areas of the registry that you're gonna be want to be familiar with and these paths you're just gonna wanna kind of focus on the like, the last couple of things in the path. So, for example, with share names, you just want to know, like service is and then land man server and then shares. You know, you don't necessarily need to memorize a
h key lm system,
because for the most part, that's probably not gonna change if they're testing it on the exam. But what will change is kind of the last chunks of those you know. So, for example, like what time zones? You'll just want to make sure you know its current control set control and then time zone information. The pre fetching
you just want to know Session manager, memory management, prefect parameters, etcetera, etcetera. So again, just kind of remember like the last half of those,
and that will help you on the examination just in case is tested.
So why are the service said Identify R S s I d. So this is how you know you can identify the wireless networks. You know, says we go to Starbucks here, you know, we go to the store, whatever the case might be, um, you know, our device or laptop and you know, it's identifying those by the S s i d
so one thing again here, you'll want to keep in mind. Is this path so you just want to know, basically from the w Z C S V C forward. So again, we're kind of just memorized in that last half of the path.
So different types of registry tools, Not an all inclusive list. But these were some of the common ones, but you may actually just see mentioned if they ask about it on the exam. So Red's Ripper, pro discover rich edit and red scanner
extensible storage engine. So this is a related to email. So if you see anything about it on the exam, you think of it in the context of email.
Ah, and then basically, the files have a dot e d b extension. So you also want to kind of memorize that as well.
So in this video, we can talk in a very high level of some nonviolent I'll data in different ways. We could look for it
in the next video. We're gonna go over some basically Cem browser past. So you know, things like fire, Fox, Google, Chrome and again, these were just some passes you want to kind of memorize for the exam. You may see different things about it.
Up Next