Beyond Windows Forensics with Built-in Microsoft Tooling

Traditional Windows forensics typically requires a complex or expensive toolset (such as EnCase). Windows 8 and later, however, introduced features that can considerably facilitate the Windows forensics process. In this talk, we will examine the tools available, from PowerShell to the System Resource Usage Monitor, their ability to bootstrap the forensics process, and how this can be used to move left into the incident response process.

Microsoft has slowly been introducing tools to help organisations better manage and troubleshoot Windows performance and issues; these are now fully integrated into Windows. To improve performance and troubleshooting capabilities, Microsoft introduced the System Resource Usage Monitor (SRUM) in Windows 8 and later. PowerShell has become the default “command line” management tool for Windows administrators. Together, these tools provide a wealth of information about both what has happened on a system and what is currently present on it.

For forensics and even incident response, these tools are now a go-to built-in option to bootstrap and drive the forensics process. This talk will help participants build the foundations to identify which built-in tools can assist in the Windows forensics process and which data points are available.

The talk will also examine how these services, such as SRUM, can be used to extract key data points to provide information for incident response or threat hunting activities.
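As an added illustration of the kind of built-in tooling the abstract refers to (this is example code written for this page, not material from the talk or its speaker), the PowerShell below preserves the SRUM database and the registry metadata that describes its providers, using only tools shipped with Windows. It assumes the standard SRUM locations (`%SystemRoot%\System32\sru\SRUDB.dat` and the `SRUM\Extensions` registry key), that it is run from an elevated session, and that `esentutl.exe` with its `/vss` option is available (Windows 8 and later); the output directory name is a placeholder.

```powershell
# Preserve SRUM artifacts for later analysis (defensive collection only).
# Assumes an elevated PowerShell session on Windows 8 or later.
param(
    [string]$OutDir = "C:\IR\SRUM_$(Get-Date -Format 'yyyyMMdd_HHmmss')"  # placeholder path
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# SRUM is an ESE database that is held open by the running OS. esentutl's
# /vss switch takes a Volume Shadow Copy so the locked file can be copied
# consistently without stopping any service.
$srumSource = Join-Path $env:SystemRoot 'System32\sru\SRUDB.dat'
$srumCopy   = Join-Path $OutDir 'SRUDB.dat'
& esentutl.exe /y $srumSource /vss /d $srumCopy | Out-Null
if (-not (Test-Path $srumCopy)) { throw "SRUM database copy failed: $srumSource" }

# Record a hash of the copy so its integrity can be demonstrated later.
Get-FileHash -Algorithm SHA256 -Path $srumCopy |
    Select-Object Algorithm, Hash, Path |
    Export-Csv -Path (Join-Path $OutDir 'SRUDB.sha256.csv') -NoTypeInformation

# Each SRUM provider (network usage, application resource usage, energy,
# push notifications, ...) is registered under its own GUID subkey. The
# table names inside SRUDB.dat match these GUIDs, so exporting them makes
# the database self-describing for whoever parses it offline.
$extKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions'
Get-ChildItem -Path $extKey | ForEach-Object {
    [pscustomobject]@{
        ProviderGuid = $_.PSChildName
        Description  = (Get-ItemProperty -Path $_.PSPath).'(default)'
    }
} | Export-Csv -Path (Join-Path $OutDir 'SRUM_Extensions.csv') -NoTypeInformation

# SRUM resolves users via SIDs and applications via paths; capturing local
# accounts alongside the database avoids having to reconstruct them later.
Get-LocalUser | Select-Object Name, SID, Enabled, LastLogon |
    Export-Csv -Path (Join-Path $OutDir 'LocalUsers.csv') -NoTypeInformation

Write-Output "SRUM artifacts preserved in $OutDir"
```

The copy is taken from a shadow snapshot rather than the live file so the ESE database is internally consistent, and the hash and provider metadata are written beside it so the evidence can be parsed and verified on a separate analysis host.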

About the Speaker