Time
4 hours 15 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:01
Hi. Welcome back to the course. In this module we are going to study in detail one of the Windows forensic essentials: the Windows Prefetch, which is a directory that contains files that help increase the efficiency of the system. You will see what it is, its structure, the configuration parameters, and how the prefetch process is performed.
00:20
Windows prefetch files first appeared in Windows XP. Their purpose is to boost the startup process of Windows applications. They include the name of the executable which they accelerate,
00:32
in Unicode, the DLLs that the executable requires at execution,
00:37
timestamps which indicate when the application was last launched, and a counter that keeps track of the number of times that the executable has been executed. Prefetch files can reveal that an application was actually installed and launched by the suspect at some point in time,
00:54
even in the presence of a wiping application,
00:57
or, in other words, eraser and anti-forensic tools, which are programs with the purpose of truly removing selected data from the hard drive.
01:06
That's because, even if the actual evidence was destroyed by the wiping application, the mere presence of a wiping application can itself become as incriminating as the files that were destroyed with it.
01:19
Prefetch file names follow the naming convention
01:23
EXECUTABLENAME-HASH.pf, where EXECUTABLENAME is the name of the executable file, HASH is an eight-character hexadecimal hash of the path from which the executable was launched, and .pf is the file extension. Note that a dash separates the executable name from the hash, and that the file name is made up
01:42
only of uppercase characters,
01:45
with the exception of the file extension.
01:48
When an application is started from a different or separate location on the drive, a new prefetch file will be created with its corresponding hash of the location from which the application was run.
02:00
Prefetching exists in Windows Vista, where it has been enhanced by SuperFetch and ReadyBoost. SuperFetch looks at usage scenarios and places resources into the memory before they are requested.
02:15
ReadyBoost is a disk cache which works by using any type of portable flash mass storage system as a cache, which enables the operating system to service random disk reads with enhanced performance.
02:30
The ReadyBoost cache doesn't only relate to the page file or system DLLs but to the whole disk content.
02:39
Prefetching takes place when the operating system is monitoring components of the data that is loaded from the hard drive into the RAM.
02:49
The monitoring takes place under three scenarios. First, it begins on every system startup and lasts for two minutes of the boot process.
02:57
Second, it also takes place following the completion of the startup of all Windows services and lasts for sixty seconds. Finally, it occurs each time an application is launched and lasts for the first ten seconds of its execution.
03:13
Subsequently, the cache manager, along with the task scheduler, writes the data into the .pf files. These files boost the speed of the system by making the data promptly available before there is any actual demand for it from the user.
03:29
Hence, the prefetch acts as a relocator of the data from the hard drive into the main memory before any actual request for it has been made.
03:38
Okay, here's a quick question for you.
03:42
From the following, which one is the correct naming convention for prefetch files?
03:46
Do you think it is A, EXECUTABLENAME-HASH.pf; or B, HASH-EXECUTABLENAME.pf; or C, EXECUTABLENAME-HASH.pft; or D, HASH-EXECUTABLENAME.pft?
04:04
If you said A, you're correct. As we have analyzed, the name starts with the executable file name, followed by a hash, which is an eight-character hexadecimal hash of the path from which the executable was launched,
04:19
and .pf is the file extension.
04:24
The configuration parameters of the prefetcher are in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\
04:36
PrefetchParameters. To configure the prefetcher, we must change the value of EnablePrefetcher, and to configure SuperFetch we must do the same with EnableSuperfetch. The value 3 enables prefetch or SuperFetch for both application startup and boot,
04:55
2 enables boot prefetch or SuperFetch,
04:58
1 enables prefetch or SuperFetch for application startup, and 0 disables prefetch or SuperFetch. It can be deduced that cybercriminals can disable the prefetch, if they have enough privileges for it, to remove traces of illegal activity,
05:14
such as opening an application, say a child pornography viewer, on a regular basis,
05:18
or accessing copyrighted material without the required permissions. The only cost is a lower performance of the system.
05:27
Windows XP through Windows 7 perform application prefetching by default, while Windows Server 2003 and 2008 are capable of performing prefetching but the feature is turned off by default. Also, every version of Windows since Windows XP does boot prefetching.
05:48
SuperFetch files begin with the prefix Ag
05:53
and end with the extension .db. The data that is written into SuperFetch files is collected by sysmain.dll, located in the System32 folder under the system root, which is a part of the service host process, also known
06:10
as svchost.exe,
06:13
which is located in the same directory. The .db files can be found in the Prefetch folder under the system root, along with the other prefetch files.
06:26
The metadata in the prefetch file is very important to forensic analysts. In Windows XP, the 64-bit timestamp that indicates when the executable was last launched is at offset 0x78 within the file,
06:43
and the counter that identifies the number of times the executable has been launched
06:47
is a four-byte DWORD value located at offset 0x90, or 144 in decimal. On the other hand, the offset of the last run timestamp is 0x80 in Vista and Windows 7 within the content of the particular prefetch file,
07:05
and the number-of-times-opened counter
07:08
is located at offset 0x98 in Windows Vista and Windows 7 systems.
07:15
It's also possible to dig out more data from the metadata that is present inside the prefetch file. There is data revealing the volume from which the executable was started, and the strings that show the paths to the modules which the executable requires to start.
07:31
In other words, the timestamps of prefetch files answer when a certain activity has occurred, the date and time the activity has taken place, and how frequently it was performed, via the counter that shows the number of times the executable has run, which increments by one on each launch.
07:49
Prefetch files may reveal obfuscated directories.
07:54
For instance, let's say a prefetch file shows that an executable has been executed 50 times.
08:00
Looking inside the prefetch file, we can see the file paths of the files that it requires at execution, which are located in a TrueCrypt volume.
08:09
As TrueCrypt is a well-known tool used to conceal directories, it is vital to examine the paths enumerated in the prefetch file, as this may lead to a data source that would not have been otherwise identified.
08:22
If the examiner didn't look at the path, they may have never identified the obfuscated directory with a path hidden with TrueCrypt, because the System32 directory is filled with programs used by the operating system, and an ordinary person would have never checked its contents.
08:41
To conclude this module, we can say that prefetch files are designed to boost the speed of the system. In Windows, prefetching can be used both at boot and at application startup,
08:54
and each time an application is launched, the contents of its prefetch file are refreshed.
08:58
Besides their primary purpose, prefetch files are useful to forensic examiners because they can prove that an application was installed and started on a particular machine.
09:09
They can pinpoint the time when it was opened and how many times it was opened.
09:15
They can also reveal from which volume it was run and which modules the application loaded. Furthermore, prefetch files may also reveal any hidden or obfuscated directories, as well as unauthorized or any other abnormal accounts;
09:31
they may expose any external storage devices,
09:35
and they can identify if there was timestomping.
09:39
Therefore, prefetch files help examiners answer the who, what, why, when and where questions around any digital or non-digital investigation, which certainly means that their analysis is of the utmost importance.
09:56
Don't forget to check the reference and supplementary material for more information on the Windows prefetch and cache. In the next module, we will be studying the restore points in Windows, which is another of the forensic essentials of great importance.
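As an added illustration (not part of the course material), here is a small Python parser for the header fields this lesson describes: the executable name, the path hash that goes into the NAME-HASH.pf file name, and the version-dependent offsets of the last-run timestamp and run counter (0x78/0x90 on XP, 0x80/0x98 on Vista and 7). It builds a constructed sample header rather than reading a real .pf file; the format version numbers 0x11 and 0x17, the SCCA signature and the 0x10/0x4C field positions are assumed from the uncompressed prefetch format and are not stated in the lesson.

```python
import struct
from datetime import datetime, timedelta

# (last-run FILETIME offset, run-counter offset) per prefetch format version:
# 0x11 = Windows XP / Server 2003, 0x17 = Windows Vista / Windows 7.
FIELD_OFFSETS = {0x11: (0x78, 0x90), 0x17: (0x80, 0x98)}

def filetime_to_datetime(ft):
    # FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)

def parse_prefetch_header(data):
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file: missing SCCA signature")
    if version not in FIELD_OFFSETS:
        raise ValueError("unsupported prefetch format version 0x%X" % version)
    # Executable name: UTF-16LE, 60-byte field at offset 0x10, NUL terminated.
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00")[0]
    # Hash of the launch path, the same value that appears in the file name.
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)
    run_off, count_off = FIELD_OFFSETS[version]
    (last_run_ft,) = struct.unpack_from("<Q", data, run_off)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    return {
        "version": version,
        "executable": exe_name,
        "expected_file_name": "%s-%08X.pf" % (exe_name, path_hash),
        "last_run": filetime_to_datetime(last_run_ft),
        "run_count": run_count,
    }

def build_sample_header(version, exe_name, path_hash, last_run_ft, run_count):
    # Constructed test input (not a real capture): a zero-filled header with
    # only the fields parsed above populated.
    buf = bytearray(0xA0)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    buf[0x10:0x10 + 2 * len(exe_name)] = exe_name.encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, path_hash)
    run_off, count_off = FIELD_OFFSETS[version]
    struct.pack_into("<Q", buf, run_off, last_run_ft)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)

# Vista/7-style sample: CALC.EXE run 50 times, last run 2000-01-01 00:00 UTC
# (FILETIME 125911584000000000); the hash value is made up.
SAMPLE_PF = build_sample_header(0x17, "CALC.EXE", 0x1A2B3C4D, 125911584000000000, 50)
```

Calling `parse_prefetch_header(SAMPLE_PF)` returns the executable name, the expected file name CALC.EXE-1A2B3C4D.pf, the last run as a datetime and the run count; swapping in version 0x11 moves the reads to the XP offsets.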

Up Next

Windows Forensics and Tools

The Windows Forensics and Tools course focuses on building digital forensics knowledge of Microsoft Windows operating systems, as well as some compatible software or tools that can be used to obtain or process information in such systems.

Instructed By

Adalberto Jose Garcia
Information Security Analyst at Bigazi
Instructor