RDP Authentication vs. Authorization
11:54
3 months ago
2024 Investigating Windows Courses
2:52
4 months ago
Old School MS-DOS Commands for DFIR
34:39
8 months ago
Detecting PsExec Usage
23:16
9 months ago
A File's Life - File Deletion and Recovery
30:26
Let's Talk About MUICache
17:13
What's on My DFIR Box?
18:30
1 year ago
User Access Logging (UAL) Forensics
16:59
RDP Hashes - Event ID 1029 Explained
11:35
COMMENTS
@souhaibfahfouhi7355 17 hours ago
masterpiece mentor
@islemhamouda 2 days ago
How to download these tools?
@13Cubed 2 days ago
I'm sorry, but I don't understand your question.
@josephs5855 11 days ago
This. Is. Amaziiiiiiiiiiiiiiiing.
@user-yi4ef2gk1o 17 days ago
this one wild
@user-yi4ef2gk1o 17 days ago
This is great work, I'm very impressed with the skills you have seized!!
@user-yi4ef2gk1o 17 days ago
No, thank you for taking your time to make this important knowledge available to the people!!!☺
@admar-nelson 21 days ago
Now I'm getting amazing information about RDP investigations. Please keep doing new scenarios about it. Very much appreciated) ☑☑✔✔ Thank you so much
@admar-nelson 21 days ago
Very informative and clear to understand. Brilliant, thanks
@jacobconeby1466 27 days ago
This is great! Thank you for all the hard work in putting these videos together.
@TheIvalen 1 month ago
it still cannot mount logical evidence files. I’ve asked them several times for this feature. I rarely use full disk
@13Cubed 1 month ago
Can you give me an example of what you mean? If, for example, you pulled triage data with KAPE, you could write that to a VHD/VHDX and mount the container. Otherwise, if it's just a zip archive or something along those lines, why would you need to mount it?
@TheIvalen 1 month ago
@13Cubed .AFF, .L01, .LX01, .CTR, .DD - any of these that don't contain the full filesystem, simply a collection of files/data in an evidence container. I use Mount Image Pro, for example, to mount these. Case example: NTFS user profile analysis. I'll capture the entire profile and then run tools against it. Axiom/Intella, for example, can parse these containers natively; other tools require mounting first.
@mussaabdi 1 month ago
Amazing tutorial.. kindly do Linux forensics and macOS just like Windows
@RandolphNwaiwu 1 month ago
A great episode as always.
@hammuscomhsevcnnviu362 1 month ago
7:00 How did you get copies of the files?
@13Cubed 1 month ago
On a live system, you could use FTK Imager, KAPE, RawCopy, or anything that provides raw disk access.
@tamimalneel2784 1 month ago
“Dokan Library 2.1,0.1000 (x64) Setup Wizard ended prematurely because of an error. Your system has not been modified. To instal this program at a later time, run Setup Wizard again. Click the Finish button to exit the Setup Wizard.” What’s the problem?🥲🥲🥲
@whitemouse229 1 month ago
I found 2 anti-forensics methods for prefetch: the first is to secure delete the prefetch folder twice, and the second is to use a USB boot to secure delete the prefetch folder.
@CA-FE-C0-FF-EE-00 1 month ago
HTB CTF :D This video helped me to retrieve a flag, thanks! :) I was searching for hours; the file size part at 6:20 blew my mind, never heard of resident files :D oof
@BobTheCat412 1 month ago
The issue here is that if an attacker uses an RDP connection to my host, I can't view this data because it's only available on their machine.
@13Cubed 1 month ago
Yes, but if an attacker moves laterally *within* your environment, the system from which the RDP connection was initiated would have the cache. This has proved useful for me on many occasions.
@havyj1 1 month ago
Awesome clip, I was having trouble understanding the whole PsExec thing, your video cleared so many things up, but I have a question: you need target system credentials or some sort of hash to use PsExec against it, right?
@13Cubed 1 month ago
I'm not sure I understand the question. Are you asking what credentials you would need to use PsExec against a target system? Local admin rights would typically be required.
@havyj1 1 month ago
@13Cubed in an Active Directory environment, most of the users are standard users with non-admin privileges, you have to access some kind of privileged account. In a p2p scenario what you said makes sense, but what if you compromise a system which doesn't have admin privileges?
@13Cubed 1 month ago
You have to elevate your permissions. PsExec works by installing a service on the target system to facilitate execution of the commands, and that requires admin privileges.
@whitemouse229 2 months ago
You should price this course at $2197, which is the result of 13 cubed😆
@13Cubed 2 months ago
haha nice
@PANDACRAFTS1 2 months ago
Thank you so much. As always, your videos are awesome!
@abdelkaioumbouaicha 2 months ago
📝 Summary of Key Points:
📌 The video discusses the basics of account authentication in an Active Directory environment, using a scenario involving a domain controller, Windows workstations, and network shares.
🧐 The authentication process involves mapping a network drive from one Windows workstation to another using domain credentials, leading to the logging of authentication events like 4624 type 3 on the target system and Kerberos authentication events on the domain controller.
💡 Additional Insights and Observations:
💬 Quotable Moments: "The 4624 type 3 was on the target system, but the authentication related to that event, which was Kerberos within our Active Directory environment, was logged on the domain controller."
📊 Data and Statistics: The video showcases event IDs like 4624, 4768, and 4769, highlighting the logging of authentication activities in an Active Directory setup.
📣 Concluding Remarks: The video effectively demonstrates how account authentication flows in an Active Directory environment, emphasizing the role of domain controllers in servicing authentication requests and the logging of relevant events. Understanding these processes is crucial for Windows forensics and network security.
Generated using TalkBud
@user-qr4vl8ii7k 2 months ago
thank you very much! Hope you can do the same for cobalt strike.
@amym8355 2 months ago
So if a user logs into a workstation using the local account & maps a share, does a 4768 get logged? Source or target?
@13Cubed 2 months ago
4768 is a Kerberos authentication event. If a local account is used to log on to a workstation, and then a domain account was used to map a shared drive, the DC that serviced the auth for that domain account would still log the 4768.
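To make the flow described in the summary comment above and in this reply concrete, here is an added Python example (written for this page, not code from 13Cubed or the video) that correlates 4624 logon type 3 events on the target with 4768/4769 events on the domain controller for the same domain account. The hosts WS1, WS2 and DC1, the accounts, IP addresses and timestamps are all constructed; the local-account logon on WS1 deliberately has no counterpart on the DC, as the reply explains.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

@dataclass(frozen=True)
class Event:
    host: str                        # system whose Security log holds the record
    event_id: int
    time: datetime
    account: str                     # TargetUserName
    domain: str                      # TargetDomainName
    logon_type: Optional[int] = None  # only meaningful for 4624
    source_ip: str = ""

def sample_events() -> List[Event]:
    """Constructed sample (not real logs); WS1, WS2, DC1 are hypothetical hosts."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    return [
        # bob logs on to WS1 with a LOCAL account: interactive 4624 on WS1, nothing on the DC
        Event("WS1", 4624, t0, "bob", "WS1", logon_type=2),
        # bob then maps \\WS2\share as the DOMAIN account CORP\alice:
        # the DC issues a TGT (4768) and a service ticket (4769) ...
        Event("DC1", 4768, t0 + timedelta(seconds=40), "alice", "CORP", source_ip="10.0.0.11"),
        Event("DC1", 4769, t0 + timedelta(seconds=41), "alice", "CORP", source_ip="10.0.0.11"),
        # ... and the TARGET WS2 records the network logon (4624, logon type 3)
        Event("WS2", 4624, t0 + timedelta(seconds=42), "alice", "CORP", logon_type=3, source_ip="10.0.0.11"),
        # a network logon on WS2 with no Kerberos activity on the DC in the window
        Event("WS2", 4624, t0 + timedelta(minutes=30), "svc-backup", "CORP", logon_type=3, source_ip="10.0.0.99"),
    ]

def correlate_network_logons(events: List[Event], dc_hosts: Set[str],
                             window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """For each 4624 logon type 3, look for 4768/4769 for the same domain account on a
    DC within `window` before the logon. An uncorroborated row is a lead, not a verdict:
    NTLM may have been used (4776 on the DC instead), DC logs may not have been
    collected, or Kerberos auditing may be disabled."""
    kerberos = [e for e in events if e.host in dc_hosts and e.event_id in (4768, 4769)]
    rows = []
    for e in sorted(events, key=lambda x: x.time):
        if e.event_id != 4624 or e.logon_type != 3:
            continue
        matches = [k for k in kerberos
                   if k.account.lower() == e.account.lower()
                   and k.domain.lower() == e.domain.lower()
                   and timedelta(0) <= e.time - k.time <= window]
        rows.append({
            "target": e.host, "account": f"{e.domain}\\{e.account}",
            "time": e.time.isoformat(), "source_ip": e.source_ip,
            "dc_events": sorted({k.event_id for k in matches}),
            "corroborated": bool(matches),
        })
    return rows
```

Feeding real exports means mapping TargetUserName, TargetDomainName, LogonType and IpAddress from each record into Event; the local logon of bob is skipped because only type 3 logons are checked.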
@PaulJeffery81 2 months ago
This is awesome! I shared your video with my Jr. colleagues who are studying Windows Event Log IDs/Codes! What is staggering to me is the number of Windows Admins I work with who don't know how 4624 and Kerberos TGT work in a Windows Domain AND don't have Kerberos Auth Auditing turned on in their GPO. Threat hunting becomes even more complicated - it's like buying a 5000 piece puzzle, the image on the box is blurry and 1000 random puzzle pieces are missing. Can you do one for Windows File Auditing? Read, Write, Delete, Modified event codes and how to decipher the event messages?
@13Cubed 2 months ago
Thanks! And yes, I'll look into something on file auditing as you suggest.
@Manavetri 2 months ago
Brilliant !!
@ramius1521 2 months ago
Always clear, thank you
@ReemAli93 2 months ago
❤thank you very much for all of your great work
@magicboys2010 2 months ago
Very helpful!
@buf0rd 2 months ago
Very well done.
@andrevm9410 2 months ago
Excellent video again. Big thank you!
@alanharper5087 2 months ago
Hi Richard - Love your videos. On this one, please issue the command with a space after the command. I know, not needed in Windows command line but needed in Linux command line.
@13Cubed 2 months ago
Hi, thank you, but not sure what you mean regarding the space after the command?
@alanharper5087 2 months ago
@13Cubed When you typed a command like cd\, there was no space after the command. Windows doesn't require the space so the command worked, but Linux requires a space. For example, cd/ won't work in Linux but cd / will work. IMHO, students should get into the habit of including a space after the command before the switches/options are typed.
@13Cubed 2 months ago
@alanharper5087 Ahhh ok - yes, makes sense
@AbdallahMohamed-hn5vk 2 months ago
But how to delete this task if you could not see it?
@13Cubed 2 months ago
via the Registry
@ishannair1335 2 months ago
none of these commands work for me. amazing
@13Cubed 2 months ago
What error do you receive when you try? I need a little more detail if you want to solve the issue.
@abdullahsmadi1570 2 months ago
I think it is a great video about prefetch files.
@ronoazoro9060 3 months ago
what about dameware ?
@13Cubed 3 months ago
There are dozens and dozens of remote support tools, each with their own artifacts and caveats. I will consider making future episodes covering some of them in the future.
@user-oh1xc1qu4g 3 months ago
Thanks for your video. But I get the following error: "Error outputting file". What do I have to do? Thanks in advance!
@13Cubed 3 months ago
Paste the full command line you ran, and the results.
@user-oh1xc1qu4g 3 months ago
But when I want to dump the process by PID: 1992 - it works correctly and I get the executable file.
@jondo-vh8tx 3 months ago
Amazing vid... is it possible to retrieve that data on a machine that is not active? Let's say we only have the NTUSER file, or we don't want to run any tools on the machine but still want to retrieve this data.
@13Cubed 3 months ago
Shimcache is stored in the SYSTEM Registry Hive. It can be parsed offline, but it's not in NTUSER.DAT. You can grab the hive and the transaction logs and take them to a different machine for analysis.
@jondo-vh8tx 3 months ago
@13Cubed thanks a lot
@EddyGurge 3 months ago
Love learning new tidbits like this! Keep them coming!
@redmockingbird4704 3 months ago
This is simply brilliant - thank you for this amazing video
@andrevm9410 3 months ago
Not complicated but very useful. Thanks!
@MrNerdKaiser 3 months ago
This is great information - thanks!
@Vic-dl7wq 3 months ago
How do you determine authorization failed?
@13Cubed 3 months ago
Event ID 4825 is usually helpful there.
@Lot13Prophet 3 months ago
In addition to @13Cubed's response, you'll want to make sure your audit policy for Logon/Log off -> Other login/log off events is enabled for failed and successful events (ideally enforced through GPO in the default domain policy or a baseline Intune policy) if you want that log to be generated on the local system. Check your SIEM config to ensure those event types aren't being filtered.
@dyarizadeh3 3 months ago
Had the same question, thanks for asking!
@damirgames9820 3 months ago
🎯 Key Takeaways for quick navigation:
00:00 Introduction to Windows Forensics covering basic Windows forensic analysis techniques and artifacts.
02:35 Explanation of the Windows Registry structure, its location, and important registry hives (e.g., HKCU, HKLM).
08:12 Overview of registry keys like common dialogue 32, last visited PIDL MRU, and open/save PIDL MRU, showing recent file paths and interactions.
10:47 Discussion on the "Run MRU" registry key, revealing executed commands from the Run dialog.
11:54 Exploration of "Typed Paths" in the registry, indicating explicitly typed paths in Windows Explorer.
13:17 Introduction to the "UserAssist" registry key, which logs executed programs and provides information on their usage.
15:11 Explanation of "Run" and "RunOnce" registry keys in both current user and local machine, detailing programs that start upon login.
16:47 Introduction to "Shell Bags" registry artifacts, storing Windows Explorer customization details and persisting information on deleted paths.
18:18 Demonstration of the "Shell Bags Explorer" tool to parse and view shell bags information, showing evidence of deleted paths.
21:27 Introduction to the "User Class Dat" registry hive, added in Windows 7 for segmentation of low integrity processes, emphasizing its importance in forensic analysis.
23:30 Transition to discussing USB devices in Windows forensics, highlighting the significance of tracking plugged-in USB mass storage devices.
23:59 Analyzing registry paths like `hklm system currentcontrolset enum USB store` can reveal information about plugged-in devices, with details such as serial numbers and timestamps.
25:07 In forensics, it's crucial not to assume but rely on evidence. The correct registry key (e.g., `controlset 0 0 1`) must be determined by examining the system's registry rather than making assumptions.
26:41 Examining the USB store in the registry can provide details about connected USB devices, including serial numbers, manufacturer information, and timestamps of connection.
28:57 USB device information, including VID (Vendor ID) and PID (Product ID), can be used to look up the make and model of the device by referencing online databases.
30:47 Exploring the Windows registry can reveal information about mounted devices, including volume GUIDs, friendly names, and timestamps, aiding in understanding device usage.
32:23 The volume GUID obtained from the registry can help identify the drive letter assigned to the USB device, providing additional insights into the device's usage.
35:30 Examining the registry's mounted devices can link a volume GUID to the user who mounted the USB device, offering insights into user activity.
40:32 Specific registry keys, like `0 0 6 4`, `0 0 6 6`, and `0 0 6 7`, can reveal valuable information about USB device events, including installation, connection, and removal times.
42:18 The setup API logs (e.g., `setupapi.dev.log`) can be referenced to find information about the first installation time of a USB device, providing additional context for forensic analysis.
43:12 Miscellaneous registry keys, such as time zone information, computer name, and network configurations, can be crucial for forensic investigations, helping establish a comprehensive understanding of the system.
49:25 The NLA registry keys in Windows can be used by forensic investigators to find evidence of every network a machine is connected to. Check the last write time of the key to determine the last time a PC connected to a specific network. The NLA information includes details like default gateway MAC, DNS suffix, SSID, and profile type.
53:33 Linked files (LNK files) in Windows contain valuable metadata, including the MAC address of the host computer, original file path, size, and more. Even if a file has been securely erased, analyzing LNK files can provide evidence of its existence. Don't ignore LNK files in forensic investigations.
58:31 Prefetch and Superfetch in Windows, designed to improve user experience by caching frequently used data, can be leveraged by forensic investigators. Prefetch files (PF) in the Windows prefetch directory can show evidence of application execution globally for all users on the system. Analyzing PF files provides details like executable name, path, run counter, and last run time. Consider the enable prefetch registry key value (default is 3) to ensure prefetching is enabled.
Made with HARPA AI
@imat3i 3 months ago
Thanks again for another great vid. Would you always suggest to suspend the VM and then Snapshot or just snapshot while running ? Any advantage for one or the other from your experience ? Thank you.
@13Cubed 3 months ago
A snapshot, as we performed in this video, is probably best. Suspending the machine is going to result in active network connections being interrupted, potentially resulting in loss of evidence.
@benw4529 3 months ago
Could not find the KPMG link
@13Cubed 3 months ago
For what resource?
@kingmehta1 3 months ago
You've marketed these as affordable, but that's not the case at all, especially for non-US folks.
@13Cubed 3 months ago
I understand, but it's certainly affordable when compared to other similar options out there, which can literally be many times the cost.
@iosonolegione 3 months ago
Best explanation ever on how Shimcache works! Thanks, you cleared up a lot of doubts for me.
@hansmudtx 3 months ago
Do I have to activate logging? In the section there are 0 entries...
@13Cubed 3 months ago
Terminal Services logs should be on by default.
@___asd159gh43 4 months ago
Any discounts for students?
@13Cubed 4 months ago
Yes, please send an email from your .edu address to [email protected] and we'll provide a 10% discount code applicable to either course!