
Incident Response & Hunting Across the Enterprise | Advanced Adversary & Anti-Forensics Detection

Created: 18.11.2020


Below is the skeleton from the SANS 508 course description. I am using it to make up my study plan. For each step of this plan I estimate my current level of training, and I am also collecting resources for this topic under Resources.

🫑 - level 0. I know nothing and not even where to start. I might have some embarrassingly fundamental knowledge which is not good enough even for the start.

🥒 - level 1. I know something about the subject, but this only gives me an approximate plan and kind of things to look for.

🥗 - level 2. I know something about the subject, I’ve even read something about it. But no hands-on experience.

🌮 - level 3. I know quite a lot about the subject, I’ve read something about it and have some hands-on experience.

🥘 - level 4. I know a lot about the subject and have quite a decent amount of experience. This one I will only use when I am done preparing and have taken the first mock exam. Bonus - 🍭 real-life experience (not just labs).

🗒 - Topic-specific plan. 👌 - done, 🚧 - in progress

🗂 - references and resources.

🎯 - objectives.

🏺 - artifacts.

🛠 - tools to learn/use.


  • Volume shadow snapshot analysis
  • Timelines across volume shadow snapshots
  • Anti-Forensics analysis using various components of the NTFS filesystem
  • Timestomp checks against suspicious files
  • Advanced data recovery with records carving and deleted volume shadow copy recovery


Advanced adversaries are good. We must be better.

Attackers commonly take steps to hide their presence on compromised systems. While some anti-forensics steps can be relatively easy to detect, others are much harder to deal with. As such, it’s important that forensic professionals and incident responders are knowledgeable about the various aspects of the operating system and file system which can reveal critical residual evidence. In this section, we focus primarily on the file system to recover files, file fragments, and file metadata of interest to the investigation. These trace artifacts can help the analyst uncover deleted logs, attacker tools, malware configuration information, exfiltrated data, and more. This often results in a deeper understanding of the attacker’s TTPs and provides more threat intelligence for thoroughly scoping the intrusion. In some cases, these deep-dive techniques could be the only means of proving that an attacker was active on a system of interest.

Volume Shadow Copy Analysis

  • Volume Shadow Copy Service
  • Options for Accessing Historical Data in Volume Snapshots
  • Accessing Shadow Copies with vshadowmount
  • Volume Shadow Copy Timelining

Advanced NTFS Filesystem Tactics

  • NTFS Filesystem Analysis
  • Master File Table (MFT) Critical Areas
  • NTFS System Files
  • NTFS Metadata Attributes
  • Rules of Windows Timestamps for $StdInfo and $Filename
  • Detecting Timestamp Manipulation
  • Resident versus Nonresident Files
  • Alternate Data Streams
  • NTFS Directory Attributes
  • B-Tree Index Overview and Balancing
  • Finding Wiped/Deleted Files using the $I30 indexes
  • Filesystem Flight Recorders: $Logfile and $UsnJrnl
  • Common Activity Patterns in the Journals
  • Useful Filters and Searches in the Journals
  • What Happens When Data Is Deleted from an NTFS Filesystem?

Advanced Evidence Recovery

  • Markers of Common Wipers and Privacy Cleaners
  • Deleted Registry Keys
  • Detecting “Fileless” Malware in the Registry
  • File Carving
  • Volume Shadow Carving
  • Carving for NTFS and Event Log Records
  • Effective String Searching
  • NTFS Configuration Changes to Combat Anti-Forensics


[1] About some APT groups

[2] Practical Malware Analysis book