Microsoft has added a significant number of features to Windows 10 that affect the types of evidence that can be found both on disk and in memory during digital forensic and incident response investigations. These features include new event logging sources, new artifacts of program execution and file access, compression of in-memory data stores, native support for Linux virtual machines, and much more. The inclusion of these features necessitate that blue team members update a significant portion of their workflow to fully capture events that previously occurred on the system. These features also force red team members to update their workflows if they wish to operate in a stealthy manner. During this presentation, the full range of these new features will be presented along with how they can be accessed, analyzed, and understood. This will include discussion of open source tools along with analysis methodologies. By the end of the presentation, attendees who work in a wide variety of information security roles will understand how Windows 10 changes their daily workflow and how to best take advantage of the new features. With Windows 7 reaching its official end-of-life in January 2020, now is the time to learn these new skills.
Andrew Case is the Director of Research at Volexity and a core developer of the Volatility memory analysis framework. His professional experience includes digital forensic investigations, incident response handling, malware analysis, penetration tests, and source code audits. Andrew is a co-author of the award-winning book “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory”. Andrew also co-teaches the “Digital Forensics & Incident Response” class at Black Hat. Andrew’s primary research focus is physical memory analysis, and he has presented his research at conferences including Black Hat, RSA, SecTor, SOURCE, BSides, OMFW, GFirst, and DFRWS.