Windows Security and Forensics Study Notes

Welcome to Markof Virtual Academy's Windows Security and Forensics class.
Presenters:
- H Shar, Cyber Security Advisor at CHC.
- Extensive experience in various operating systems: Windows, Linux, etc.
- Focuses on Identity Management, Network Security, Forensic Penetration Testing.
H Shar is a Microsoft MVP in Enterprise Security.
Course outline includes six main topics and a bonus topic.

Topics Covered:
1. Security landscape today.
2. Windows memory attacks and forensics.
3. Authentication attacks.
4. Windows forensics with guest MVP Raymond.
5. Network forensics.
6. Incident Response.
7. Bonus: Windows 10 forensics.
Level: Material is geared towards a 200-300 level understanding, with some advanced topics included.

Rapid Changes in Security:
- Internet activity is high, affecting security practices.
- Microsoft's focus: "Cloud first, mobile first."
Cyber Crime:
- Transitioned from a hobby to a business enterprise.
- Significant financial incentives drive cybercrime.
- Motivations range from financial (most common) to political agendas.
- Categories of Cyber Criminals:
- Government-funded cyber armies.
- Traditional hackers.

Many organizations incorrectly believe that having products alone guarantees security.
Importance of understanding what assets need protection.
Consequences of Mismanagement:
- Poor security can lead to increased organizational losses.
- No single product can provide complete protection.

Protecting systems against unauthorized access is critical.
Each organization must identify key assets needing protection.
Defense-in-Depth:
- Security is a layered approach; measures must work in concert.

Historical Context:
- 1977: Introduction of viruses (e.g., Apollo Virus).
- 2000s: Emergence of Melissa and ILOVEYOU viruses.
- Increasing sophistication of attacks (phishing, advanced persistent threats).
- 2012 onwards: Nation-states and organized crime significantly raise effectiveness and impact.

Cyber incidents can lead to losses estimated in the trillions of dollars worldwide.
Impacts are not just financial but can also affect operational productivity and growth.

Definition: Forensics is about collecting, analyzing, and reporting digital data from attacks or breaches.
Key Process:
- Gathering artifacts and building a timeline of events post-incident.
Digital Forensics involves extracting and analyzing data to present as evidence.
Addresses illegal activities occurring within digital environments.

Importance of understanding the evidence collection process:
- Requires adherence to laws and regulations.
- Chain of Custody:
- Documenting how evidence is collected, analyzed, and preserved.
Tools Required:
- Hardware and software designed for data acquisition and analysis.
Analyze relationships between systems and their normal operations to identify incidents.

Data Types:
1. Data at rest (stored data).
2. Data in execution (executing in memory).
3. Data in transit (data being transmitted).
How cloud computing impacts forensic practices and analysis.

Memory Forensics:
- Importance in recovering data from volatile memory.
- Techniques to extract passwords and other sensitive data from memory.
Network Forensics:
- Involves monitoring and analyzing network traffic to identify malicious activities.

Powershell is a powerful tool for system management but can also be abused for cyber attacks.
Demo Overview:
- Setting up a command and control server using Metasploit.
- Executing a Powershell script that allows unauthorized access to a victim's machine.
- Employing a reverse HTTPS connection to maintain access to the victim's system.
Key Takeaways:
- Hackers leverage Powershell for executing commands without leaving traces.
- Effective countermeasures must be in place to detect these activities.

Windows environment is evolving with new security features.
Forensics continues to play a critical role in understanding and mitigating cyber threats.
Final Note: The next session will cover memory attacks and further delve into security practices.