Description: This talk will focus on deconstructing the FileHistory Catalog that was introduced in Windows 8 and is still present in Windows 10. I will look at other artifacts that are important on the host systems before diving into teaching the attendees how to understand the FileHistory Catalog, which shows what files were present and backed up by the system. Examiners will be able to identify when a specific file was first identified in a Directory/Library that is part of the backup, as well as identify when it was removed/deleted from those same Directories. This allows examiners to prove the presence of a file and how long it was being backed up by the system. I will showcase my tool that allows examiners to quickly produce an XLS report with the important information regarding these files.
For more information, please visit: http://www.bsidesiowa.com