Thinking about what traces are left when activities occur on a Windows system?
Think past the operating system itself! Everything that occurs within the
Windows operating system must cross RAM, making it a vessel for an abundance
of residual data from user activities: decrypted versions of encrypted
data, internet activity, user communication, network information, evidence of
program execution, passwords and encryption keys, and more! Much of this data
will only be found in memory, leaving no traces behind on the associated
endpoint. This lecture will discuss the intricacies of Windows memory and how
data gets stored in RAM, and delve into examples of the types of data you can
piece together! There's so much data to find in memory alone. Come have a look!