Shlomi Boutnaru, Ph.D.: The Windows Forensic Journey — “FeatureUsage”. In general, “FeatureUsage” is a registry key which is stored as part of the user’s profile. This means that the information is stored for… (8h ago)
Shlomi Boutnaru, Ph.D.: The Windows Concept Journey — Roaming User Profile. The goal of a “Roaming User Profile” is to provide users their personal data/settings on every Windows system (or even virtual desktop)… (21h ago)
Shlomi Boutnaru, Ph.D.: The Windows Process Journey — “certutil.exe” (Digital Certificate Utility). “certutil.exe” (Digital Certificate Utility) is a binary PE file located at “%windir%\system32\certutil.exe”. On 64-bit versions of… (1d ago)
Shlomi Boutnaru, Ph.D.: The Windows Process Journey — “cofire.exe” (Corrupted File Recovery Client). “cofire.exe” (Corrupted File Recovery Client) is a PE binary located in “%windir%\System32\cofire.exe”. On 64-bit versions of Windows… (2d ago)
Shlomi Boutnaru, Ph.D.: The Linux Concept Journey — Uninterruptible Process. In the Linux realm we have two types of waiting processes: “interruptible processes” and “uninterruptible processes”. In general this type… (3d ago)
Shlomi Boutnaru, Ph.D.: The Linux Concept Journey — “/proc/kcore” (Kernel ELF Core Dumper). Basically, “/proc/kcore” is a file which is part of the “/proc” pseudo file-system which is used for process information\system… (4d ago)
Shlomi Boutnaru, Ph.D.: The Windows Security Journey — PEL (Protected Event Logging). “Protected Event Logging” is a new security feature added in Windows 10. Its goal is to use encryption in order to protect sensitive data… (5d ago)
Shlomi Boutnaru, Ph.D.: The Windows Forensic Journey — Windows Timeline. The “Windows Timeline” feature was introduced as part of Windows 10 (version 1803). By using these features a user can check out current… (6d ago)
Shlomi Boutnaru, Ph.D.: The Linux Concept Journey — Pipe File (aka Named Pipe/FIFO). As we know the philosophy of Linux is that “Everything is a file”. However, not all files are created equally… (6d ago)