Some months ago I got the GCFA certification.

During exam preparation I collected a lot of notes, and after the exam I gradually organized them into an index based on the topics that came up during the exam, using my little free time.

Update 20/11/2018

I have released on Amazon an extended and updated version of this ebook, also available as a printed version:

The little handbook of Windows Forensics


Update 29/10/2018


My “sketchbook” had an unexpected result: a lot of users bought it!

And a lot of users (thanks!) sent me reports of small errors and typos in the document. That’s why I have published a new version of the sketchbook with some corrections. Furthermore, I have also included an extended reference to Volatility (initially included in the sketchbook, but removed in order to limit the size of the document, because it is not a main exam topic).

Users who already bought the Sketchbook should be able to download the new version using the link received in Gumroad’s email; otherwise, email me!


The document is not a simple braindump: for each exam question that I remember, I collected all the notes taken during preparation and organized them in an alphabetical index, useful for a quick search during the exam.

Finally I have completed a first version, which can be downloaded from Gumroad.

Table of contents

**FAT Filesystem**
   Structure
   Boot Record
   FATs
   Root Directory
   Data Area
   Clusters
   Wasted Sectors
   FAT Entry Values
       FAT12
       FAT16
       FAT32
   Versions
       FAT12
       FAT16
       FAT32
       Limitations with Windows 2000 & Windows XP
       exFAT (sometimes incorrectly called FAT64)
   Disk Unit Addressing
   Metadata Addressing
   Notes on Timezones
   General Notes on Time
   Sentinel Timestamps
   References
**NTFS Filesystem**
   Structure
   Master File Table
       Metafiles
       Attributes
   Last Access Time
       Within the file’s attribute
       Within a directory entry for a file
   Alternate Data streams
       Known Alternate Stream Names
   Sparse Files
   Journaling
   Directory junctions
   Hard links
   File compression
   References
**Volume Shadow Copies**
   Overview
   Windows Versions
       Windows XP and Server 2003
       Windows Vista, 7 and Server 2008
       Windows 8 and Server 2012
       Windows 10
   Compatibility
   Shadow Volume Copies in Digital Forensics
       Why Shadow Copies are important to Forensics
       Limitations of Shadow Copies in forensic investigations
       Volume Shadow Copies in the Registry
       Analyzing Volume Shadow Copies
   References
**MAC(b) Times**
   Where are they stored?
       $STANDARD_INFO
       $FILE_NAME
       What are the differences?
   Time Rules
   How to detect Anti-Forensics Timestamp Anomalies?
**Memory analysis**
   Volatility
       Volatility Plugins reference
       Acronyms
       External References
   Redline
   Process Hollowing
       Detecting hollowed processes with Volatility
       Mitigation
**Windows Registry**
   Persistence techniques
       DLL Search Order Hijacking
       Shortcut Hijacking
       Bootkit
       COM Hijacking
   Amcache and Shimcache
       Amcache
       Shimcache
   Recent opened Programs/Files/URLs
       Start>Run
       UserAssist
       Shell bag
       Recent URLs
   Installed programs
   Windows Protect Storage
   Pagefile
   Windows Search
   File extensions
   Mounted drives
   USB Storage
   Debugging
**Windows Events**
   Structure and location
   Useful events for forensics analysis
   Logon Type Codes
**Security Identifiers (SIDs)**
   Machine SIDs
       Decoding Machine SID
   Service SIDs
   Well-known security identifiers
**Forensics Tools**
   Sleuthkit
       Timeline creation
   DensityScout
   Plaso
       Supertimeline creation
   Foremost
   md5deep
   RegRipper
   Log Parser
   python-evtx
   EvtxParser
   Hibr2Bin
   Kansa
   Sigcheck
   PECmd
   ShimCacheParser
**Attack tools**

I hope this helps!


I’m sorry, this time it’s not a free goody: exam preparation is a process that costs time and money.

I think it is right to share this knowledge only with users who are really interested.