Time
4 hours 15 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
Hello. Welcome back to the course. As we previously stated, from our forensic analyst's perspective, an analyst will generally not interact with the registry through the Registry Editor. An analyst will most likely interact with the registry hive files directly,
00:15
through a commercial forensic analysis application, or as a result of extracting them from the file system or from an acquired image.
00:24
However, it is important for the analyst to know where these files exist on the disk, so that they can be retrieved and analyzed. I recommend, if you haven't watched the previous videos in this module, please pause this one and watch them for more information on where these hive files are stored.
00:41
Windows Vista and Windows 8 introduced new registry hive files in the %SystemRoot%\System32\config folder. New hives include BCD, or Boot Configuration Data; ELAM, or Early Launch Anti-Malware; BBI, or Broker-Based Interface; and more.
01:02
Windows Vista introduced Boot Configuration Data, or BCD.
01:07
This new data store serves essentially the same purpose as boot.ini;
01:12
however, it abstracts the underlying firmware and provides a common programming interface to manipulate the boot environment for all Windows-supported computer platforms.
01:23
To give you some context: when a computer is started, or booted, it must load the operating system.
01:30
The details of this process vary depending on the system's hardware and firmware, and on whether the system is booted from a disk drive, a network, or some other source.
01:41
The data that determines how the NT loader (NTLDR) loads Windows has been contained in a text file named boot.ini, which resides in the root folder of the boot drive.
01:53
Boot.ini contains a separate boot entry for each version or configuration of Windows that is available to the user.
02:01
If multiple configurations or versions of the operating system are available, the NT loader displays a list of boot entries to allow the user to specify which one should be loaded.
02:14
It then proceeds to load the selected version of the operating system, with a configuration that is based on the selected entry's boot options.
02:23
BCD provides a firmware-independent mechanism for manipulating boot environment data for any type of Windows system. Windows Vista and later versions of Windows use it to load the operating system or to run boot applications, such as Memory Diagnostics. The BCD data store
02:43
is stored as a hive
02:45
but cannot be accessed with the Registry Editor.
02:46
Its manipulation requires elevated permissions, interaction with the underlying firmware, of course, and the support of the BCD interface. For this reason, BCD stores should be accessed only through the associated tools.
03:02
Early Launch Anti-Malware, or ELAM, is a security technology that evaluates non-Microsoft Windows boot-time device and application drivers for malicious code.
03:14
It is the first system kernel driver that starts, before any other third-party software or driver.
03:23
Anti-malware software has become better and better at detecting run-time malware, but attackers are also becoming better at creating rootkits that can hide from detection. Detecting malware that starts early in the boot cycle is a challenge most vendors address diligently.
03:39
Typically, they create system hacks that are not supported by the host operating system and can actually result in placing the computer in an unstable state. Before, Windows had not provided a good way to detect and stop these threats.
03:55
Windows 8 introduces a new feature called Secure Boot, which protects the Windows boot configuration and components and loads an Early Launch Anti-Malware driver.
04:06
This driver starts before other boot-start drivers and enables the evaluation of those drivers, and helps the Windows kernel decide whether they should be initialized.
04:17
Boot drivers are initialized based on the classification returned from the ELAM driver, according to an initialization policy. By default, the policy initializes known good and unknown drivers, but will not initialize known bad drivers.
04:34
A system administrator can specify a custom policy through Group Policy that can prevent unknown drivers
04:41
from initializing, or can enable drivers that are critical to the boot process but have been tampered with.
04:48
The BBI registry file, or Broker-Based Interface.
04:54
Check for potential sync actions or changes in applications of interest, with events like calendar or time zone changes.
05:01
This file is used with immersive applications. It keeps all immersive apps licensed to the user on the host machine in sync with other machines that are trusted by the user.
05:14
It also uses the logged-on user and time for licensing specific to users and their applications. There are useful keys in this registry file:
05:23
Events, which lists the applications performing a sync operation, and WorkItems, which lists the actual work performed for a specific application.
05:33
Okay, here's a quick post-assessment question for you. In the context of the system registry, what does BCD stand for?
05:41
Is it A, Boot Configuration Data; B, Bad Configuration Data; C, Boot Calibration Data; or D, Visionary Corporation Data?
05:51
If you said A, you're correct. Boot Configuration Data was introduced in Windows Vista, and it's used to load the operating system or to run boot applications, such as Memory Diagnostics.
06:04
In this module, we have covered the Windows system registry and defined it as a system-defined database in which applications and system components store and retrieve configuration data.
06:15
We also analyzed the structure of the different registry hive files and folders, as well as the registry root keys.
06:23
If you want to know more about these topics, don't forget to check the references and supplementary material, and join me in the next module, where we will be starting the analysis of the evidence: where to look, how to perform it, and some tools that can be used.

Up Next

Windows Forensics and Tools

The Windows Forensics and Tools course focuses on building digital forensics knowledge of Microsoft Windows operating systems, as well as some compatible software or tools that can be used to obtain or process information in such systems.

Instructed By

Adalberto Jose Garcia
Information Security Analyst at Bigazi
Instructor