Andrew Case (Volexity) gave this talk at the September 2019 Volexity Cyber Sessions.
Microsoft has added a significant number of features to Windows 10 that affect the types of evidence that can be found both on disk and in memory during digital forensic and incident response investigations. These features include new event logging sources, new artifacts of program execution and file access, compression of in-memory data stores, native support for Linux virtual machines, and much more. The inclusion of these features necessitate that blue team members update a significant portion of their workflow to fully capture events that previously occurred on the system. These features also force red team members to update their workflows if they wish to operate in a stealthy manner.
During this presentation, the full range of these new features will be presented along with how they can be accessed, analyzed, and understood. This will include discussion of open source tools along with analysis methodologies. By the end of the presentation, attendees who work in a wide variety of information security roles will understand how Windows 10 changes their daily workflow and how to best take advantage of the new features. With Windows 7 reaching its official end-of-life in January 2020, now is the time to learn these new skills.