Beyond Windows Forensics with Built-in Microsoft Tooling

Presented at DeepSec 2019 „Internet of Facts and Fears“, Unknown date/time (Unknown duration).

Microsoft has gradually introduced tools to help organisations manage and troubleshoot Windows performance and issues, and these are now fully integrated into Windows. To improve performance monitoring and troubleshooting, Microsoft added the System Resource Usage Monitor (SRUM) in Windows 8 and later. PowerShell has become the default "command line" management tool for Windows administrators. Together, these tools provide a wealth of information about what has happened on, and what is present on, a system.

For forensics and even incident response, these tools are now a go-to built-in option to bootstrap and drive the forensic process, including opening access to artefacts that an overzealous user or even a "smart" attacker has removed. SRUM, for instance, can provide data points ranging from network to process activity, giving insight into what, who, when and how an attacker or malicious process introduced itself into the environment.

This talk will help participants build the foundations to identify which built-in tools can assist in the Windows forensics process and which data points are available, and examine how services such as SRUM can be used to extract key data points for incident response or threat hunting activities.
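The abstract's point is that the data lives in built-in components and can be reached with built-in tooling. As an added example (not code from the talk or the speaker), the PowerShell below acquires the SRUM artefacts for offline analysis using only tools shipped with Windows: SRUDB.dat is an ESE database held open by the SRUM service, so it is copied through a Volume Shadow Copy snapshot with esentutl, and because SRUM buffers recent records in the SOFTWARE hive and flushes them to the database roughly hourly, the SRUM registry key is exported alongside it so the most recent activity is not lost. The collection directory is a hypothetical path; the script assumes an elevated session on Windows 8 or later.

```powershell
# Added example, not part of the original talk. Assumes an elevated PowerShell
# session on Windows 8+ and that C:\IR\srum is an acceptable collection location.

$SrumDb   = Join-Path $env:SystemRoot 'System32\sru\SRUDB.dat'
$SrumKey  = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM'
$OutDir   = 'C:\IR\srum'    # hypothetical collection directory

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Copy the locked ESE database via a VSS snapshot. esentutl.exe ships with
#    Windows; /y copies a file, /vss takes the copy from a shadow copy so the
#    open handle held by the SRUM service does not block the read.
& "$env:SystemRoot\System32\esentutl.exe" /y /vss $SrumDb /d (Join-Path $OutDir 'SRUDB.dat')
if ($LASTEXITCODE -ne 0) { throw "esentutl copy of SRUDB.dat failed (exit code $LASTEXITCODE)" }

# 2. Export the SRUM registry key. Records accumulated since the last flush to
#    SRUDB.dat are still only in the hive, so the database alone is incomplete.
reg.exe export $SrumKey (Join-Path $OutDir 'srum.reg') /y
if ($LASTEXITCODE -ne 0) { throw "reg export of $SrumKey failed (exit code $LASTEXITCODE)" }

# 3. Record which SRUM extensions (data providers) are registered on this host.
#    Each subkey name is a provider GUID that corresponds to a table in SRUDB.dat,
#    which tells the analyst which data sets (network, application, energy, ...)
#    to expect when the database is parsed offline.
Get-ChildItem "Registry::$SrumKey\Extensions" |
    Select-Object @{ Name = 'ProviderGuid'; Expression = { $_.PSChildName } } |
    Export-Csv (Join-Path $OutDir 'srum_extensions.csv') -NoTypeInformation

# 4. Hash the collected files so the acquisition can be verified later.
Get-ChildItem $OutDir -File |
    Where-Object Name -ne 'hashes.csv' |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv (Join-Path $OutDir 'hashes.csv') -NoTypeInformation

Write-Host "SRUM artefacts collected to $OutDir"
```

The copied SRUDB.dat is parsed off-host with an ESE-aware tool; the provider GUIDs in srum_extensions.csv are the table names to look for. Acquiring the registry key on the same run matters for incident response: an attacker active in the last hour may appear only in the hive, not yet in the database.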


Presenters:

  • Thomas Fischer - FVT SecOps Consulting
    Thomas has over 30 years of experience in the IT industry, ranging from software development to infrastructure and network operations and architecture, before settling in information security. He has an extensive security background covering roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organisations. He is currently a security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties, not just for external threats but also those driven by compliance. Thomas is also an active participant in the InfoSec community, not only as a member but also as a director of Security BSides London, an ISSA UK chapter board member and a speaker at events such as SANS DFIR EMEA, DeepSec, Shmoocon and various BSides events.
