Security is increasingly becoming a selling point for people, which means we are faced with more and more encrypted network connections, chats, and so on. As a result, we need to understand encryption implementations and identify possible ways to decrypt them. This book will not teach you to become a codebreaker, but it will introduce the basics of cryptography.

The usage of cloud storage are becoming a standard when examining computers, I have tried to list the locations of where you can find evidence of cloud storage on Windows.

Windows application compatibility database is used by Windows to identify possible application compatibility challenges when executing PE files. Execution files get shimmed as soon as they hit the disk. If the executable is moved, rename or modified, the executable gets re-shimmed by the system, adding new entries into shimcache database. Any executable that has existed on the system can be found in this key. It should be noted that it does not get instantly get written to the register. It only gets written to the database when the system reboots, until that it only lives within memory. AppCompatCache also stores the timestamp for when the file was last modified. When it comes to malware it can be used to track any executable that has hit the disk. Even if deleted, renamed, etc. the entry will still be there.

Key indicators for recognizing encryption algorithms:

The intelligence lifecycle is a high-level process that can be mapped to multiple sources, such as SIGINT, HUMINT, etc. It consists of six stages:

When performing IP geolocation on user IP addresses, it can be challenging to achieve meaningful precision because users are often assigned random IP addresses by DHCP.
One way to overcome this problem is to use the traceroute command on the IP in question. Instead of geolocating the user’s IP address directly, you can geolocate the last routing hop’s IP address, which can yield much better results. The reason this method works better is that routing infrastructure tends to be more stable and consistent over time, as opposed to constantly changing user IP addresses.
However, one major drawback of this technique is that most routing traffic infrastructure blocks ICMP packets, which are essential for traceroute to function correctly. As a result, you might be unable to obtain the routing IP address in some cases, limiting the effectiveness of this approach.