“When Windows Lies”…what does that really mean?
Mari had a fascinating blog post on this topic some years ago; she talked about the process DFIR analysts had been using to that point to determine the installation date of the operating system. In short…and this has happened several more times since then…while DFIR analysts had been using one process to assess the installation date, Windows developers had changed how this information is stored and tracked in Windows systems, reaffirming the notion that operating systems are NOT designed and maintained with forensic examiners in mind. π
The take-away from Mari’s blog article…for me, anyway…is the need for analysts to keep up-to-date with changes to the operating system; storage locations, log formats, etc., can (and do) change without notice. Does this mean that every analyst has to invest in research to keep up on these things? No, not at all…this is why we have a community, where this research and these findings are shared. But as she mentioned in the title and content of the article, if we just keep following our same methods, we’re going to end up finding that “Windows lies”. This idea or concept is not new; I’ve talked about the need for validation previously.
Earlier this year, a researcher used a twist on that title to talk about the “lies” analysts tools will “tell” them, specifically when it comes to USB device serial numbers. I understand the author presented at the recent SANS DFIR Summit; unfortunately, I was not able to view the presentation due to a previous commitment. However, if the content was similar, I’m not sure I’d use the term “lies” to describe what was happening here.
The author does a great job of documenting the approach they took in the article, with lots of screen captures. However, when describing the T300D Super Speed Toaster, the author states:
…I would have expected a device such as this to simply be a pass-through device.
I’ve used a lot of imagin
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: