
For examiners investigating cyber-crimes on Windows endpoints, the Windows Search Index artifact can reveal information about a user's Internet history, emails, file interactions, and even deleted user files. Originally created as a tool to enable searching for user files across the Windows operating system, the Windows Search Index as a forensic artifact provides insight into file existence and user activity. In this presentation, we will discuss how the Windows Search Index can be used as a source of evidence in DFIR investigations. This presentation will provide an overview of the data recorded in the Windows Search Index by default and the user actions that trigger modifications of the index. Next, we will introduce the structure of the index in Windows 10 and prior, and how it has changed with the release of Windows 11. We will also discuss use cases for the information found in the index, such as finding evidence of website access, deleted files, and activity from users of interest. Finally, we will introduce Stroz Friedberg's open-source tool, which will help investigators parse the Windows Search Index at scale. Attendees of this presentation will gain a better understanding of how the Windows Search Index can be used as a forensic artifact and the insights it can provide to bolster their next investigation.
SANS DFIR Summit 2023
Speakers:
Phalgun Kulkarni, DFIR Consultant, Aon
Julia Paluch, DFIR Consultant, Aon