
May 30, 2026 • 22 mins
In this lesson, you’ll learn about: digital forensics in Windows environments
1. What is Digital Forensics?
  • Also known as computer forensics
  • The application of scientific methods to digital investigations
  • Reactive, not proactive: investigators are called in after the breach, theft, or failure has already happened
🔹 Core Objectives
  • Identify digital evidence
  • Preserve its integrity
  • Analyze findings
  • Present results for legal use
👉 Key Idea:
  • Evidence must be accurate, repeatable, and legally admissible; a finding that cannot be reproduced from the preserved evidence will not survive a defense challenge
2. Why Focus on Windows?
  • The large majority of personal computers and corporate desktops run Windows, so it is the most commonly analyzed platform
  • Widely used in:
    • Personal computing
    • Enterprise environments
🔹 Challenges
  • Undocumented internal features
  • Limited low-level access (the OS blocks direct access to the raw disk; third-party tools are needed)
  • Complex system structure that shifts with every major release, so artifacts and tools must be relearned
👉 Result:
  • Windows forensics requires specialized knowledge and tools
3. Investigation Methodology (SANS Framework)
  • Developed by the SANS Institute (NIST and ISO publish similar frameworks built on the same principle: respond systematically and preserve the evidence)
🔹 The 8-Step Process
Step 1: Initial Assessment (Verification)
  • Confirm that an incident actually took place
  • Define scope
  • Identify affected systems
👉 Goal:
  • Understand what happened and where, and justify the investigation before taking a production system offline
Step 2: System Description
  • Document:
    • Hardware specs (e.g. installed RAM, disk format)
    • OS configuration and version
    • Network role (standard workstation, Active Directory server, etc.)
👉 Importance:
  • Provides context for analysis
Step 3: Evidence Acquisition
🔹 Types of Data
  • Volatile Data (lost at power-off; capture first, while the machine is still running):
    • RAM
    • Running processes
    • Network connections
  • Non-Volatile Data (survives power-off; image the drive through a hardware write blocker):
    • Hard drives
    • Logs
    • Files
🔹 Critical Concepts
  • Chain of custody
  • Data integrity verification (hash the image at acquisition, then re-hash every working copy before analysis)
  • Trusted binaries: run collection tools from your own clean media, never the suspect system's copies, which a rootkit may have altered
👉 Rule:
  • Never alter original evidence; analyze the bit-for-bit (bitstream) image, not the original drive
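An added worked example of the integrity and custody checks this step calls for. This is illustrative code written for these notes, not tooling from the podcast or from SANS. It hashes a constructed in-memory stand-in for a bitstream image at acquisition time, keeps a chain-of-custody log, and re-verifies a working copy before analysis; the evidence ID, examiner names and the sample bytes are made up.

```python
"""Acquisition hashing and chain-of-custody record for a forensic image.

Illustrative example (not the podcast's tooling). SAMPLE_IMAGE is a constructed
stand-in for the bitstream image an imaging tool would write from behind a
hardware write blocker; in practice chunked() would read that file from disk.
"""
import hashlib
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so a multi-terabyte image never has to fit in RAM


def chunked(data, size=CHUNK_SIZE):
    """Yield fixed-size slices of an in-memory image (stands in for reading a file)."""
    for offset in range(0, len(data), size):
        yield data[offset:offset + size]


def hash_image(chunks):
    """One pass over the image computing MD5 and SHA-256 together.

    Both are recorded because reports and older tooling still quote MD5,
    while SHA-256 is the digest you rely on for collision resistance.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def custody_entry(examiner, action, note):
    return {"when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "who": examiner, "action": action, "note": note}


def acquire(evidence_id, image, examiner, note):
    """Open the evidence record: hash the image exactly as it came off the write blocker."""
    return {
        "evidence_id": evidence_id,
        "size_bytes": len(image),
        "acquisition_hashes": hash_image(chunked(image)),
        "chain_of_custody": [custody_entry(examiner, "acquired", note)],
    }


def verify_copy(record, image, examiner):
    """Re-hash a working copy before analysis and log the outcome either way.

    Returns True only if both digests match the acquisition hashes. A mismatch
    is logged rather than silently dropped: the copy is not evidence until the
    discrepancy is explained.
    """
    current = hash_image(chunked(image))
    matches = current == record["acquisition_hashes"]
    record["chain_of_custody"].append(custody_entry(
        examiner,
        "verified" if matches else "HASH MISMATCH",
        f"sha256={current['sha256']}",
    ))
    return matches


# Constructed stand-in for a bitstream image (a few KiB, not a real disk).
SAMPLE_IMAGE = b"NTFS    " + bytes(range(256)) * 16


if __name__ == "__main__":
    rec = acquire("EV-2026-001", SAMPLE_IMAGE, "examiner A",
                  "workstation disk imaged via hardware write blocker")  # hypothetical case data
    print("acquisition sha256:", rec["acquisition_hashes"]["sha256"])
    print("clean copy verifies:", verify_copy(rec, SAMPLE_IMAGE, "examiner B"))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[4096] ^= 0x01  # a single flipped bit anywhere in the image breaks the hash
    print("tampered copy verifies:", verify_copy(rec, bytes(tampered), "examiner B"))
    for entry in rec["chain_of_custody"]:
        print(entry)
```

The custody log is append-only on purpose: a failed verification stays in the record next to the successful ones, which is what a court will ask to see.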
Step 4: Timeline Analysis
  • Reconstruct system activity over time from MACB timestamps (modified, accessed, changed, created) on files, plus registry and log times
  • A "super timeline" merges file system, memory, registry, and application log times into one chronological view
👉 Helps answer:
  • When did the attack happen?
  • What actions were performed, and in what order?
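An added example of how MACB timestamps from several sources are merged into one super timeline. This is illustrative code written for these notes, not code from the podcast or from plaso/log2timeline; the file paths, registry key, event and timestamps are constructed. It shows the detail the bullets leave implicit: each object contributes one row per distinct timestamp, and timestamps that coincide, such as C and B on a freshly copied file, collapse into one row flagged with both letters.

```python
"""Build a super timeline from MACB timestamps across Windows sources.

Illustrative example (not the podcast's code). All input records below are
constructed; paths, key names and times are hypothetical. Output rows follow
the idea of a log2timeline body: one row per distinct timestamp per object,
with an MACB column showing which of the four times that row represents.
"""
from datetime import datetime, timezone


def ts(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed NTFS $STANDARD_INFORMATION times for the original and a copy on a USB stick.
FILESYSTEM = [
    {"path": r"C:\Users\j.doe\Documents\payroll_export.xlsx",
     "M": "2026-05-12T09:14:02", "A": "2026-05-12T09:17:40",
     "C": "2026-05-12T09:14:02", "B": "2025-11-03T08:00:00"},
    {"path": r"E:\payroll_export.xlsx",
     "M": "2026-05-12T09:14:02", "A": "2026-05-12T09:17:55",
     "C": "2026-05-12T09:17:55", "B": "2026-05-12T09:17:55"},
]
# Constructed registry key last-write time (USB device enumeration).
REGISTRY = [
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash",
     "M": "2026-05-12T09:16:30"},
]
# Constructed event log entry.
EVENTLOG = [
    {"event": "Security 4624: interactive logon j.doe", "M": "2026-05-12T09:01:11"},
]


def expand_macb(obj, label, source):
    """One timeline row per distinct timestamp, with an MACB flag string.

    Equal timestamps (e.g. C and B set together when a file is copied onto a
    new volume) collapse into one row showing both letters, like '.ACB'.
    """
    by_time = {}
    for letter in "MACB":
        if letter in obj:
            by_time.setdefault(ts(obj[letter]), set()).add(letter)
    rows = []
    for when, letters in by_time.items():
        flags = "".join(l if l in letters else "." for l in "MACB")
        rows.append({"time": when, "macb": flags, "source": source, "object": label})
    return rows


def build_timeline(filesystem, registry, eventlog):
    """Merge every source into one list sorted by time (then source and object for stability)."""
    rows = []
    for f in filesystem:
        rows += expand_macb(f, f["path"], "FILE")
    for r in registry:
        rows += expand_macb(r, r["key"], "REG")
    for e in eventlog:
        rows += expand_macb(e, e["event"], "EVT")
    return sorted(rows, key=lambda r: (r["time"], r["source"], r["object"]))


def window(timeline, start, end):
    """Rows between two times: the 'what happened around 09:17?' question."""
    s, e = ts(start), ts(end)
    return [r for r in timeline if s <= r["time"] <= e]


def format_row(r):
    return f'{r["time"]:%Y-%m-%d %H:%M:%S} {r["macb"]} {r["source"]:4} {r["object"]}'


if __name__ == "__main__":
    for row in build_timeline(FILESYSTEM, REGISTRY, EVENTLOG):
        print(format_row(row))
```

Read the merged output top to bottom: the USB key is enumerated at 09:16:30, the document is accessed at 09:17:40, and a copy is born on E: at 09:17:55 with M still showing the original 09:14:02, which is exactly the pattern a copy operation leaves.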
Step 5: Media Analysis
  • Examine:
    • File systems
    • Program execution
    • Deleted files
    • The memory captured in Step 3 (hidden processes, network connections)
    • Anti-forensic techniques, e.g. steganography (data hidden in the least significant bits of image pixels)
👉 Insight:
  • Reveals user and attacker behavior
Step 6: String & Byte Search
  • Search the raw bitstream image, bypassing the file system, for:
    • Keywords
    • Signatures (file headers or "magic" bytes; a ZIP archive starts with "PK" no matter what extension it was renamed to)
    • Binary patterns (e.g. regular expressions for card numbers)
👉 Use Case:
  • Detect malware traces, disguised files, or hidden data
Step 7: Data Recovery
  • Recover data from:
    • Unallocated space (deleting a file removes its entry from the Master File Table; the content stays until overwritten)
    • Slack space (the unused tail of a file's last cluster, which can still hold fragments of earlier files)
  • Technique: file carving, locating files by header and footer signature without the file system's help
👉 Importance:
  • Deleted ≠ gone (until the space is reused)
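An added example covering Step 6 and Step 7 together. This is illustrative code written for these notes, not the podcast's tooling. It scans a constructed block of raw bytes standing in for unallocated space, finds file-signature headers, carves each file out to its footer, and runs a Luhn-filtered regular expression for card numbers over the raw bytes. The embedded ZIP, PDF fragment and text are built inline, and the card numbers are standard test values, not real data.

```python
"""Signature search (Step 6) and header/footer file carving (Step 7) over raw bytes.

Illustrative example (not the podcast's code). build_sample_image() constructs
a small block of 'unallocated space': zero-filled clusters with an orphaned
ZIP, a PDF fragment and a slack-space text fragment that no file system
entry points to any more.
"""
import io
import re
import zipfile

# kind -> (header, footer, bytes to keep starting at the footer).
# A ZIP's end-of-central-directory record is 22 bytes when it carries no comment.
SIGNATURES = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06", 22),
    "pdf": (b"%PDF-", b"%%EOF", 5),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 2),
}

# 16 digits, optionally split by single spaces or dashes, not inside a longer digit run.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def find_signatures(image):
    """Step 6: every offset where a known header ('magic' bytes) occurs; the file system is ignored."""
    hits = []
    for kind, (header, _, _) in SIGNATURES.items():
        start = 0
        while (pos := image.find(header, start)) != -1:
            hits.append((pos, kind))
            start = pos + 1
    return sorted(hits)


def carve(image):
    """Step 7: cut from each header to the next matching footer."""
    carved = []
    for pos, kind in find_signatures(image):
        _, footer, keep = SIGNATURES[kind]
        end = image.find(footer, pos + 1)
        if end == -1:
            continue  # header with no footer: truncated or partly overwritten, skip it
        carved.append((pos, kind, image[pos:end + keep]))
    return carved


def open_carved_zip(data):
    """A readable archive proves the header and footer offsets were right."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {name: z.read(name) for name in z.namelist()}


def luhn_ok(digits):
    """Luhn checksum: prunes random 16-digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def search_card_numbers(image):
    """Step 6 pattern search over the raw bytes, returning (offset, digits, luhn_valid)."""
    hits = []
    for m in CARD_RE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        hits.append((m.start(), digits, luhn_ok(digits)))
    return hits


def build_sample_image():
    """Constructed 'unallocated space' with orphaned content in it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Deflated: a raw string search will NOT see this number; only the carved archive reveals it.
        z.writestr("export/customers.csv", "name,card\nA. Example,4111111111111111\n")
    pdf = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF"
    slack = b"draft: charge 4111-1111-1111-1111, not 1234 5678 9012 3456 (typo)"
    return b"\x00" * 512 + buf.getvalue() + b"\x00" * 300 + pdf + b"\x00" * 100 + slack + b"\x00" * 512


if __name__ == "__main__":
    image = build_sample_image()
    for pos, kind, data in carve(image):
        print(f"carved {kind} at offset {pos}: {len(data)} bytes")
        if kind == "zip":
            print("  archive contents:", open_carved_zip(data))
    for pos, digits, ok in search_card_numbers(image):
        print(f"card-like run at offset {pos}: {digits} luhn={'ok' if ok else 'fail'}")
```

Two points worth noticing when you run it: the raw regex only finds the card number sitting in slack text, because the copy inside the ZIP is compressed, so carving has to come before the string search on archive contents; and the Luhn filter separates the real test number from the "1234 5678 ..." run that merely looks like one.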
Step 8: Reporting
  • Create formal report, adapted to the audience (executive summary for a board, detailed technical affidavit for a court)
🔹 Must Include
  • Verified findings
  • Methods used
  • Evidence references
👉 Requirement:
  • Must be clear, objective, and defensible in court
4. Windows Artifacts (Key Evidence Sources)
🔹 Common Artifacts
  • Registry (e.g. which USB drives were connected, which programs auto-start)
  • Prefetch files
  • Restore points
  • Recycle Bin
👉 What they reveal:
  • Program execution history
  • User activity
  • System changes
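An added example of reading one of the artifacts listed above, the Recycle Bin metadata record. This is illustrative code written for these notes, not from the podcast. Since Windows Vista, a file sent to the Recycle Bin is renamed $R<id> and a small $I<id> record is written beside it holding the original path, size and deletion time; the record parsed here is constructed inline, and the path, size and timestamp are hypothetical.

```python
"""Parse Windows Recycle Bin $I records (Vista and later).

Illustrative example (not the podcast's code). SAMPLE_RECORD is constructed
with build_dollar_i(); the path and deletion time are hypothetical. Times are
FILETIME values, the same 100-ns-since-1601 format NTFS and the registry use.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return round((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def parse_dollar_i(record):
    """Decode one $I record. Layout (little-endian):
         0  u64 version (1 = Vista..8.1, 2 = Windows 10 and later)
         8  u64 original file size
        16  u64 deletion time as FILETIME
        24  v1: 520-byte fixed UTF-16LE path field (MAX_PATH characters)
            v2: u32 path length in UTF-16 code units incl. NUL, then the path
    """
    version, size, deleted = struct.unpack_from("<QQQ", record, 0)
    if version == 2:
        (length,) = struct.unpack_from("<I", record, 24)
        raw_path = record[28:28 + 2 * length]
    elif version == 1:
        raw_path = record[24:24 + 520]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(deleted), "original_path": path}


def build_dollar_i(path, size, deleted_at, version=2):
    """Constructed record for demonstration (the inverse of parse_dollar_i)."""
    raw_path = (path + "\x00").encode("utf-16-le")
    ft = datetime_to_filetime(deleted_at)
    if version == 2:
        return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + raw_path
    return struct.pack("<QQQ", 1, size, ft) + raw_path.ljust(520, b"\x00")


def pair_recycle_entries(names):
    """Match each $I<id> metadata file with its $R<id> content file (None if the content is gone)."""
    metadata = {n[2:]: n for n in names if n.startswith("$I")}
    content = {n[2:]: n for n in names if n.startswith("$R")}
    return {metadata[k]: content.get(k) for k in metadata}


# Constructed sample: a payroll export deleted on a hypothetical Windows 10 host.
SAMPLE_PATH = r"C:\Users\j.doe\Documents\payroll_export.xlsx"
SAMPLE_DELETED = datetime(2026, 5, 12, 9, 18, 7, tzinfo=timezone.utc)
SAMPLE_RECORD = build_dollar_i(SAMPLE_PATH, 48213, SAMPLE_DELETED)


if __name__ == "__main__":
    print(parse_dollar_i(SAMPLE_RECORD))
    print(pair_recycle_entries(["$I3K7Q2W.xlsx", "$R3K7Q2W.xlsx", "$IA1B2C3.txt"]))
```

The $I record is what lets you say "this path, of this size, was deleted at this time" even after the bin has been emptied, because the small $I file is often still recoverable from unallocated space when the larger $R content is not; pair_recycle_entries() reports such orphaned entries with a None partner.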
5. Cybersecurity Use Case
🔹 When Digital Forensics is Used
  • Incident response
  • Malware analysis
  • Legal investigations
👉 Outcome:
  • Understand:
    • Attack methods
    • Impact
    • Responsible actions
Key Takeaways
  • Digital forensics applies scientific investigation to digital systems
  • Windows analysis is complex but essential
  • SANS methodology ensures structured and reliable investigations
  • Evidence handling must preserve integrity
  • Artifacts reveal hidden user and attacker activity
Big Picture
Digital forensics helps you:
👉 Move from incident → evidence → truth
Mental Model
  • Collect → Preserve → Analyze → Report


You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
So imagine this. You delete a highly sensitive file on
your Windows computer, you empty the recycle bin, and you
permanently shut the machine down.

Speaker 2 (00:07):
Right, and you're thinking, Okay, I'm safe.

Speaker 1 (00:09):
Exactly. You probably think you've completely covered your tracks, but
the truth is you haven't actually deleted.

Speaker 2 (00:15):
Anything, not even close.

Speaker 1 (00:16):
Yeah, that file is still just sitting there. It's completely intact,
kind of like a ghost waiting to be summoned back.

Speaker 2 (00:22):
That's a great way to put it, actually, right.

Speaker 1 (00:25):
So today we are going into the real, meticulous and
well scientifically rigorous world of digital forensics. We want to
show you exactly how investigators bring those digital ghosts back
to life.

Speaker 2 (00:38):
And we should probably say, right up front, forget the
flashy Hollywood movies.

Speaker 1 (00:42):
Oh yeah, like the hacker furiously typing on a keyboard
for ten seconds until a giant red access denied flashes
on the screen.

Speaker 2 (00:49):
Exactly, That is not how this works. Real investigations are
entirely different.

Speaker 1 (00:54):
They really are. So in this deep dive, our mission
is to explore the step-by-step reality of investigating
a Windows machine and, you know, cracking open that
digital crime scene.

Speaker 2 (01:04):
It's such a fascinating process, but it does require a
complete shift in how you think about computers, honestly.

Speaker 1 (01:10):
Okay, So to grasp what we're looking at, let's start
with the basics. What actually is digital forensics.

Speaker 2 (01:18):
Well, at its core, it's the application of scientific investigatory
techniques to digital crime. So we are identifying, preserving, examining,
and analyzing digital evidence.

Speaker 1 (01:31):
And I'm guessing the keyword there is scientific. Oh.

Speaker 2 (01:33):
Absolutely, every single step has to be done using universally
accepted methodologies.

Speaker 1 (01:38):
Why is it so strict.

Speaker 2 (01:40):
Because the ultimate presentation of that evidence has to hold
up in a court of law. I mean, if you
don't follow the.

Speaker 1 (01:45):
science, smart defense lawyers are going to get your findings
thrown out.

Speaker 2 (01:48):
Immediately exactly, they'll tear it apart.

Speaker 1 (01:50):
Okay, So let's set the record straight on what this
job actually entails. Yeah, because I think a lot of
people confuse digital forensics with security.

Speaker 2 (02:00):
That is a very common misconception. Digital forensics is not
proactive security.

Speaker 1 (02:05):
So they aren't the ones sitting at a terminal blocking
hackers in real time.

Speaker 2 (02:09):
No, not at all. This field is strictly reactive. We're
called in after a breach, a theft, or you know,
a massive system failure has already occurred, right, And it's.

Speaker 1 (02:19):
Not strictly about finding criminals either, is it.

Speaker 2 (02:21):
Well, law enforcement uses it for that sure, But in
the corporate world, the day to day job is really
about finding evidence of value, like what kind of evidence,
Like maybe that evidence clears an innocent employee who was
accused of data theft, or maybe it explains why a
critical server has completely crashed.

Speaker 1 (02:39):
Oh, I see.

Speaker 2 (02:39):
And finally, it is not quick. I mean, modern systems
have massive multi terabyte storage capacities. Sifting through all that
takes a tremendous amount of time.

Speaker 1 (02:49):
I picture it kind of like being an archaeologist. You know,
you aren't there to reinforce the walls and prevent the
ancient ruins from collapsing.

Speaker 2 (02:57):
Right because the civilization has already fallen. The event is.

Speaker 1 (03:00):
Completely over exactly. So your job is to meticulously dust
off these digital pottery shards, piece them together without breaking
them further, and figure out exactly how and why the
collapse happened. You're reading the history of the machine.

Speaker 2 (03:13):
That's a really great analogy. And if we connect this
to the bigger picture to understand how we investigate those artifacts,
we first have to understand the soil.

Speaker 1 (03:23):
We're digging in the environment itself, which in the vast
majority of cases is Windows.

Speaker 2 (03:29):
Yeah, the numbers definitely speak for themselves. There's something like
ninety percent of personal computers running some version of Windows.

Speaker 1 (03:35):
It's literally the infrastructure of the corporate world.

Speaker 2 (03:38):
It is, and because it's the most widely used operating system,
it's naturally the most commonly analyzed platform in computer forensics.

Speaker 1 (03:46):
It's basically the playground for everything from you know, basic
corporate phishing emails to elaborate multinational money laundering operations exactly.

Speaker 2 (03:56):
And to know how to investigate that playground, you really
have to understand how it was built and more importantly,
how it's evolved.

Speaker 1 (04:02):
Because every time Windows updates, the forensic landscape completely shifts.

Speaker 2 (04:06):
Sure, it's a moving target, so let's track that evolution.

Speaker 1 (04:10):
But like through the lens of an investigator, let's go
back to Windows ninety five and later Windows XP. They
fundamentally changed things by introducing something called the Windows Registry.

Speaker 2 (04:20):
Yes, and the registry is crucial. You can think of
the Windows Registry as the central nervous system, or like
the master database of the operating system.

Speaker 1 (04:28):
What exactly does it do?

Speaker 2 (04:30):
It stores configuration settings for hardware, software, user preferences, you
name it. For an investigator, the registry is just an
absolute gold mine.

Speaker 1 (04:39):
Oh wow, So what kind of stuff can you find
in there?

Speaker 2 (04:41):
Well, it can tell you what specific USB drives were
plugged in weeks ago, or what programs were secretly set
to run automatically at startup.

Speaker 1 (04:49):
That's crazy. But wait, Microsoft shifts the architecture sometimes, right,
like the massive changes they made between Windows XP and
Windows seven.

Speaker 2 (04:56):
Oh yeah, and when they do that, investigators are suddenly
thrown into the dark. Your old tools might just not
work anymore, so you have.

Speaker 1 (05:02):
To completely relearn how the system stores its deepest secrets.

Speaker 2 (05:06):
Pretty much every major release changes the rules of the game.

Speaker 1 (05:09):
Like when Windows ten introduced Cortana, the digital personal assistant,
or when it replaced Internet Explorer with Microsoft Edge.

Speaker 2 (05:17):
And then Windows eleven pushed even deeper into cloud integration.

Speaker 1 (05:21):
Right, And for the average user, that's just a fun
feature update. But for an investigator, what does that actually mean?

Speaker 2 (05:27):
It means an explosion of new forensic artifacts. When an
OS integrates a voice assistant like Cortana, suddenly we have
access to voice command logs and cloud-synced search histories.

Speaker 1 (05:39):
Stuff that simply didn't exist in older versions exactly.

Speaker 2 (05:42):
Cloud integration means a user's activity on their smartphone might
be synced and stored deep within the hidden system files
of their desktop computer.

Speaker 1 (05:51):
Okay, looking at this timeline, I have to bring up
an assumption I hear all the time. It's that because
almost everyone uses Windows, yeah, and we all grew up
clicking the start menu, investigating a Windows machine must be
pretty straightforward, right? It's familiar territory.

Speaker 2 (06:05):
That is probably the single most dangerous myth in the industry. Really? Why?
Because Windows forensics is incredibly difficult. For one, Windows is
deeply protective of its own architecture. It does not natively
allow easy access to the physical layer of the disk, a

Speaker 1 (06:21):
physical layer, like the raw data?

Speaker 2 (06:23):
Yeah, the raw ones and zeros on a hard drive.
If an investigator needs to look at those bypassing the
file system entirely, Windows actively fights that. It blocks direct
low-level access.

Speaker 1 (06:34):
Oh wow, So how do you get in?

Speaker 2 (06:36):
You have to use specialized third party tools just to
bypass the operating system's own gatekeeping.

Speaker 1 (06:42):
So it's guarding its own doors. I imagine it's full
of hidden compartments.

Speaker 2 (06:44):
Too, absolutely full of them. Undocumented features are everywhere. But
here is the really fascinating trade off. What's that? The
very complexity that makes Windows a nightmare to navigate also
makes it the ultimate witness. How so? Because upgrading an
operating system leaves incredibly deep tracks the features designed to
make a user's life quote unquote easier, like a timeline

(07:05):
of recently open files or predictive text, they are silently
recording user behavior in astonishing detail.

Speaker 1 (07:12):
So most people have zero idea their machine is basically
keeping a diary of their every move.

Speaker 2 (07:18):
Almost no idea at all.

Speaker 1 (07:19):
Okay, So, because Windows is this complex, constantly shifting labyrinth,
an investigator can't just, you know, boot up the suspect's
computer and start clicking around through their documents folder.

Speaker 2 (07:31):
Oh absolutely not. You would instantly ruin the evidence. You
would overwrite that diary we just talked.

Speaker 1 (07:36):
About, which brings us right back to the scientific methodology.
How do investigators actually do this without destroying the crime scene.

Speaker 2 (07:43):
They follow strict frameworks. Today we're going to look at
the eight-step methodology developed by the SANS Institute.

Speaker 1 (07:49):
Right, the premier organization for cybersecurity training.

Speaker 2 (07:52):
Exactly. Other bodies like NIST or ISO have very similar frameworks,
but the core principle across all of them is the
same: respond systematically, preserve the evidence.

Speaker 1 (08:03):
Let's get into the mechanics of these eight steps. Step
one is verification.

Speaker 2 (08:08):
Right, This is where you verify that an incident actually
took place, determine the scope, and assess the case.

Speaker 1 (08:14):
You're asking like, what exactly is the situation here? This
feels like the step where you justify your actions.

Speaker 2 (08:21):
Precisely, like telling a CEO, yes, we absolutely must take
your multimillion dollar database offline right now. You don't just
pull the plug on a critical business system based on
a rumor that.

Speaker 1 (08:32):
Makes total sense. So once you verify the incident and
justify the investigation, you move to step two. System description.

Speaker 2 (08:40):
Right before you touch a single wire, you map the terrain,
You document the environment.

Speaker 1 (08:44):
What kind of things are you documenting?

Speaker 2 (08:46):
Things like what is the system's role in the network.
Is it just a standard workstation or an active directory server?
What's the operating system version, the disk format, the exact
amount of RAM installed. You just take meticulous.

Speaker 1 (08:58):
Notes, which leads us to step three. And this is
where things get highly technical and honestly incredibly high stakes
evidence acquisition.

Speaker 2 (09:07):
Yes, this is where you actually collect the data, and
you've got to deal with two completely different types of data,
volatile and non volatile.

Speaker 1 (09:15):
And this is where cases are won or lost in
a matter of seconds. Right.

Speaker 2 (09:18):
Absolutely, volatile data is the information currently active in the
system's memory the RAM. Non volatile data is the information
permanently written to the hard drive.

Speaker 1 (09:29):
Wait, I want to make sure we visualize this perfectly
for you listening. Let's use an analogy.

Speaker 2 (09:32):
Okay, I love analogies.

Speaker 1 (09:33):
Let's say RAM the volatile memory is like a whiteboard
in an office. The computer is actively writing on it,
erasing things, sketching out ideas for whatever programs are currently running.
But the whiteboard is magical. It only exists as long
as the lights are on in the room. The second
the power drops, the whiteboard is wiped completely clean.

Speaker 2 (09:55):
That's a great visual.

Speaker 1 (09:56):
And then the non volatile hard drive, on the other hand,
is like the physical filing cabinet in the corner of
the room. Even if the lights go out, those paper
files aren't going anywhere.

Speaker 2 (10:05):
That is an excellent way to conceptualize it. Active network connections,
malware currently running in the background, passwords temporarily stored in memory,
that is all on the whiteboard.

Speaker 1 (10:15):
So it's incredibly fragile.

Speaker 2 (10:17):
Incredibly, if you walk into a room and just pull
a power plug on a suspects computer, you've just erased
the whiteboard. The volatile data is gone forever.

Speaker 1 (10:27):
Wow. So the absolute golden rule of acquisition has to
be you must capture the whiteboard first.

Speaker 2 (10:34):
Yes, you have to collect the volatile RAM data while
the machine is still running.

Speaker 1 (10:39):
But wait, I'm stuck on something here. If I'm sitting
at the suspects computer, why can't I just use the
computer's own copy function or like the task manager to
save that memory?

Speaker 2 (10:48):
Because you cannot trust the computer?

Speaker 1 (10:50):
Really? Why not?

Speaker 2 (10:51):
If a hacker has compromised that system, they may have
installed what's called a rootkit. They might have altered
the basic commands of the operating system itself. Oh I
see Yeah, So if you use the suspect machine's own
copy command, the hackers hidden code might intercept that command
and say, copy everything except my malicious files. It will
literally lie to you.

Speaker 1 (11:10):
Ah. So the system itself is an unreliable narrator exactly.

Speaker 2 (11:14):
That is why investigators must use what we call trusted binaries.

Speaker 1 (11:17):
Wait, just to clarify for everyone, a binary is just
the raw executable file of a program.

Speaker 2 (11:22):
Right, yep. Investigators bring their own trusted clean tools, usually
on an external secure USB drive, and they run those
tools directly from the drive.

Speaker 1 (11:33):
Completely bypassing the suspects potentially corrupted operating system software precisely. Okay,
so we've secured the whiteboard using our own trusted tools.
What about the filing cabinet. How do we acquire the
non volatile hard drive data without altering it?

Speaker 2 (11:48):
Well, if investigators can safely take the system offline, they
will physically remove the hard drive. Then they plug that
drive into a specialized hardware device called a write blocker.

Speaker 1 (11:58):
A write blocker? How does that actually work? Does
it just use software to say don't write?

Speaker 2 (12:03):
No. It's much more robust than that. It's a physical
electronic barricade. A write blocker intercepts the data cable between
the suspect's drive and the investigator's computer. Okay, it allows
read signals to pass through, so the investigator can copy
the data, but it physically blocks any write signals from
traveling back to the suspect's drive.

Speaker 1 (12:21):
Oh wow, so it ensures that the investigator's computer cannot
alter a single zero or one on the original evidence exactly.

Speaker 2 (12:28):
Using this device, they create a perfect bit for bit
mathematical clone of the drive, which is called a bitstream image.

Speaker 1 (12:35):
Okay, so step three is complete. We've copied the whiteboard,
we perfectly clone the filing cabinet. But now we're just
staring at terabytes of ones and zeros.

Speaker 2 (12:43):
It's a massive mountain of data.

Speaker 1 (12:46):
So how do we actually start making sense of it?

Speaker 2 (12:48):
That brings us to step four, timeline analysis. We need
to establish a chronological order of events, so we look
for MACB time evidence.

Speaker 1 (12:57):
Let's break down MACB time, because that's an acronym that
trips people up. MACB: modified, accessed, changed, and created, right? It
sounds kind of repetitive, honestly. What is the difference between
modified and changed?

Speaker 2 (13:10):
It's a crucial distinction. Modified refers to the actual content
of the file. So if I open a word document,
type a new paragraph and save it, the modified time updates.

Speaker 1 (13:20):
Okay, makes sense. What about changed.

Speaker 2 (13:22):
Changed refers to the file's metadata. If I don't touch
the text inside the document, but I changed the file
permissions from read only to hidden, the content wasn't modified,
but the metadata was changed.

Speaker 1 (13:34):
Got it? And then access means the file was opened
or viewed.

Speaker 2 (13:39):
Yep and created is the exact moment the file was
born on that specific storage volume.

Speaker 1 (13:45):
So by extracting all those different timestamps from millions of files,
investigators can build what's called a super timeline.

Speaker 2 (13:52):
Yes, a super timeline stitches together time data from the
file system, the system memory, the Windows registry, and application
logs into one massive chronological.

Speaker 1 (14:02):
Spreadsheet that sounds intense.

Speaker 2 (14:04):
It gives the investigator a complete second by second snapshot
of all activity. You can see the exact millisecond a
USB drive was inserted, followed by the exact millisecond a
sensitive spreadsheet was accessed, followed by the file being copied.

Speaker 1 (14:18):
Okay, so the super timeline gives us the when, but
a timeline doesn't show us the actual contents of the files?
How do we figure out what actually happened?

Speaker 2 (14:25):
That leads to Step five Media and artifact analysis. This
is the deep inspection phase. What we're looking for here
we want to know what programs were executed, what specific
directories were hidden. We also bring our RAM analysis back
in here. We look at that volatile memory we captured
to find hidden network connections.

Speaker 1 (14:44):
Ah right, the whiteboard data exactly.

Speaker 2 (14:47):
This is also the stage where we actively hunt for
anti-forensic techniques, the tricks suspects use to hide their tracks.

Speaker 1 (14:54):
Oh interesting, what's the most devious trick they use?

Speaker 2 (14:58):
One of the most fascinating is called steganography. It is
the practice of hiding data within other data. Like cryptography?
Actually, it's very different from cryptography. Cryptography scrambles a message
into a secret code. Everyone can see the code, they
just can't read it. Steganography hides the very existence of
the message.

Speaker 1 (15:15):
Whoa break down the mechanism for me? How do you
hide a stolen password inside say a normal photograph of
a cat.

Speaker 2 (15:22):
Think about how a digital image works. Every single pixel
in that photo has a specific color value represented by
binary code. Let's say a pixel is pure blue. If
a hacker alters just the very last digit of that
binary code, the least significant bit, they change the color
value by a tiny fraction of.

Speaker 1 (15:40):
A percent, so the human eye will still see the
exact same.

Speaker 2 (15:43):
Shade of blue exactly. The picture looks perfectly normal to
you and me. But a forensic investigator using specialized tools
can extract all those altered trailing digits from the pixels
and reassemble them into the hidden stolen password or even
malicious code.

Speaker 1 (15:58):
That is mind blowing. The data is literally hiding in
plain sight within the colors of the image.

Speaker 2 (16:03):
It really is.

Speaker 1 (16:04):
But what if you know what you're looking for, say
a specific credit card number or a known malware signature,
but the file has been renamed or hidden.

Speaker 2 (16:12):
Then we moved to step six. String or byte search.
Investigators bypass the normal filesystem entirely and search the low level,
raw bitstream image.

Speaker 1 (16:22):
How do they do that?

Speaker 2 (16:23):
They use regular expressions to comb through the entire drive
for patterns like the specific mathematical format of a credit
card number. They also look for magic cookies.

Speaker 1 (16:31):
Magic cookies. I love the terminology in this field. What
is a magic cookie?

Speaker 2 (16:35):
It's basically a file signature. Every file type has a
unique sequence of bytes at the very beginning of the file,
called a header.

Speaker 1 (16:43):
Give me an example.

Speaker 2 (16:44):
For example, every standard ZIP file starts with the hexadecimal
characters that translate to the letters p k okay.

Speaker 1 (16:52):
So even if a suspect renames a ZIP file to
vacation photo dot jpg to hide it.

Speaker 2 (16:58):
The operating system might be fooled, but the magic cookie
at the byte level remains pk A byte search will
flag it instantly as a disguised archive file, which.

Speaker 1 (17:07):
Brings up the most common scenario. What if the suspect
realizes they're about to be caught panics highlights all the
stolen files, hits delete and empties the recycle bin.

Speaker 2 (17:17):
Right, the classic panic move.

Speaker 1 (17:19):
We established at the top of the deep dive that
the files aren't actually gone. How do we get them back?

Speaker 2 (17:23):
That is step seven data recovery. And let's use another
analogy to explain the mechanism.

Speaker 1 (17:29):
Here go forth.

Speaker 2 (17:29):
Think of your hard drive as a massive public library.
The files are the books on the shelves the Windows filesystem.
The master file table is the card catalog at the
front desk.

Speaker 1 (17:39):
Okay, I'm with you.

Speaker 2 (17:40):
When you delete a file and empty the recycle bin,
the computer does not send someone into the stacks to
burn the book. It just rips up the index card
in the catalog and marks that shelf space as available.

Speaker 1 (17:52):
So the book, the actual data is still sitting perfectly
intact on the shelf. The computer just forgot how to
find it exactly.

Speaker 2 (17:59):
That space is now known as unallocated space. It will
remain perfectly intact until the computer decides to save a
brand new file and randomly shoves a new book into
that exact same spot on the shelf overwriting it.

Speaker 1 (18:11):
Wow, and there's also something called slack space, right, how's
that different from unallocated space?

Speaker 2 (18:16):
Slack space is the leftover room within a specific storage cluster.
Hard drives store data in fixed-size chunks called clusters.

Speaker 1 (18:24):
Okay, So, keeping with a library analogy.

Speaker 2 (18:26):
Imagine every folder on the library shelf must hold exactly
ten pages. If you save a one page document, the
folder still takes up ten pages of space on the shelf.

Speaker 1 (18:35):
Oh, so the remaining nine pages of empty room inside
that folder is slack space exactly.

Speaker 2 (18:40):
The computer doesn't bother clearing it out, so that slack
space might contain leftover fragments of older deleted files that
used to occupy that exact spot.

Speaker 1 (18:49):
So how do investigators pull the books out of the
unallocated space or the slack space if the card catalog
is gone?

Speaker 2 (18:56):
They use a technique called file carving. Since they don't
have the file system to guide them, they scan the
raw data looking for those magic cookies we talked about
the fileheaders.

Speaker 1 (19:05):
So when the carving tool finds the PK header of
a zip file or the header of a PDF.

Speaker 2 (19:11):
It essentially grabs it and pulls the entire file out
of the unallocated space, bringing the deleted data right back
to the surface.

Speaker 1 (19:18):
That is incredible. Okay, let's review the journey we just took.
It's been a long one. We verified the incident, we
mapped the terrain. We carefully acquired the fragile whiteboard of
RAM and cloned the filing cabinet using a physical write blocker.
We built a super timeline analyzing modified, accessed, changed, and
created data. We looked for pixels hiding steganography, hunted for

(19:40):
magic cookies, and carved deleted files straight out of the
library's unallocated space.

Speaker 2 (19:45):
We found the digital smoking gun.

Speaker 1 (19:48):
Yes, but the investigation isn't over, is.

Speaker 2 (19:53):
It not quite? In fact, none of those brilliant technical
discoveries matter if you fail at step eight, reporting results.

Speaker 1 (20:01):
Ah, because a forensic investigation is completely useless if the
results cannot be clearly communicated.

Speaker 2 (20:07):
That makes total sense. You could be the most brilliant
investigator in the world, speaking entirely in hexadecimal bytecode. But
if you can't explain how you found the evidence to
a jury of everyday people, you will lose the case exactly.

Speaker 1 (20:20):
And that is why the report must be written based
strictly on the scientific methods and objective facts you established
throughout the entire process.

Speaker 2 (20:27):
Furthermore, investigators must adapt their reporting style depending on the audience.

Speaker 1 (20:32):
Right, an executive summary designed for a corporate board of
directors trying to understand their business risk is going to
look fundamentally different from a highly technical, granular affidavit submitted
to a federal judge.

Speaker 2 (20:43):
But in every iteration, the report must be bulletproof because
it will be the foundation for legal or administrative action.

Speaker 1 (20:49):
It is a massive, incredibly detailed process. So what does
this all mean for you listening to this deep dive
right now?

Speaker 2 (20:57):
We covered a lot of ground we did, yeah.

Speaker 1 (20:59):
And we like to make sure these concepts actually stick
with you. Let's see if you were paying attention to
our eight steps. I've got a quick review question for you.
Let's hear it out of the eight steps we just unpacked,
in which step would an investigator specifically analyze slack space
and unallocated space to carve out a file the suspect
thought they had permanently deleted. Think about the library analogy

(21:22):
for a second.

Speaker 2 (21:22):
Take a guess, got it?

Speaker 1 (21:24):
The answer is step seven data recovery. That is where
we bypass the ripped up card catalog and pull the
deleted secrets straight from the digital graveyard.

Speaker 2 (21:33):
And as we wrap up this exploration, there is an
important reality I want you to mull over the next
time you boot up your machine.

Speaker 1 (21:39):
What's that?

Speaker 2 (21:40):
Well, we talked extensively about how Windows leaves a rich
trail of forensic artifacts. Every single time an operating system
gets an upgrade. The marketing focuses on making your life easier,
predictive text, timeline histories, instant syncing across your devices.

Speaker 1 (21:55):
But those conveniences come with a hidden cost.

Speaker 2 (21:58):
Exactly. Every time your computer prompts you for a system update,
promising a smoother workflow or a smarter digital assistant, you
might want to wonder what new digital footprints is your
machine secretly learning to record about you.

Speaker 1 (22:11):
Wow, we are all constantly leaving invisible artifacts behind the
ruins of our own digital lives, just waiting for an
investigator to come along, bypass the locks and meticulously dust
them off.