Oleg Skulkin, Author, Windows Forensics Cookbook

Oleg, tell us a bit about your background. How did you get into digital forensics?

About 6 years ago I was hired by my local police department’s forensic lab. The funny thing is – I should have become a forensic linguist, but finally started doing digital forensics, as there were lots of cases and only one examiner, so I’d become the second. Very soon it became my main interest.Now I can say that it’s both my job and my hobby, and I’m really happy about it.

What does your current role involve? Can you talk us through a day in your life?

My current role involves forensic examination of different digital media: HDDs and SSDs, mobile devices, DVRs, etc. But sometimes I do traditional forensics, because in the police dept I’m currently working even digital forensic examiners sometimes have to go to a crime scene and, for example, look for fingerprints, footprints, etc. Thankfully I’m changing my work place very soon and will finally start doing only a DFIR job.

Also, when I get too tired of working on my cases, I write articles both in English and in Russian, and look for DFIR news to post on our blog – Cyber Forensicator.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

You've recently published the Windows Forensics Cookbook. Can you give us an overview of what readers can expect from the book?

For the last 6 years I’ve read a great number of digital forensic books, from Carrier and Carvey to Hale Ligh and Case. I really enjoyed almost every book, and it became a dream to write my own one day. And this day had come. I noticed Scar’s tweet – she was looking for a co-author. This is how I was involved in writing Windows Forensics Cookbook.

The book consists of a number of Windows forensics recipes – how to extract this or that forensic artifact with the help of both commercial and open source tools. Almost all commercial tools presented in the book have trial versions, so the readers can test all of them and choose one or two they like most. As for free and open source – I would recommend to add all of them to your DFIR toolkit. All the recipes are walk-throughs, so the book is highly recommended for the beginners.

The 'cookbook' format is an unusual route to take – how does this differ from a traditional format?

I really enjoyed this format: I used to write articles for the blog and they looked just like the recipes I needed to write for the book. Most non-recipe parts of the book were written by Scar.

What unique challenges are involved in Windows forensics, and how does the book help to address these?

Any operating system has its unique challenges. And Windows is not an exception. Windows examination is easier for most examiners, as they face it very often and usually have it installed on both lab and home computers, so they are very familiar with it. But, of course, there are a lot of OS-specific artifacts an examiner or analyst must know, and must know well. The book introduces a lot of these artifacts, and also the tools, both commercial and open source, capable of extracting them.

What are some of the tools and techniques featured in the book, and why did you choose these?

You can solve a lot of Windows forensic problems with Magnet AXIOM. I think it will become the most widely used forensic tool on the market, as it’s being developed very fast.

Also the book includes the recipes on how to use the most popular open source tools which must be in every digital forensic examiner’s toolkit, for example, the Sleuth Kit and Volatility.

In your opinion, what's the "next big thing" in digital forensics?

I think the “next big thing” is the cloud, especially for mobile forensics. It’s becoming more and more difficult to extract data from mobile devices due to strong passcodes and encryption. Recently we had a discussion with my friend Igor Shorokhov, and he suggested that soon mobile devices would have very limited storage – user data would be stored in the cloud, and it wouldn’t be a problem as the Internet speed would be very fast. As for computer forensics, especially malware forensics, I think we will face memory-only malware more and more often, so nowadays memory forensics skills are a must for every digital forensic examiner.

Finally, when you're not writing or working, what do you enjoy doing in your spare time?

Unfortunately, I don’t have much spare time, because digital forensics takes a lot of it. But if I have some, I really enjoy hanging with my wife and friends, and trying not to give up skateboarding.

Windows Forensics Cookbook by Oleg Skulkin & Scar de Courcier is published by Packt; you can buy it on Amazon. Oleg Skulkin can also be found at CyberForensicator.com.

Leave a Comment

Latest Videos

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_g6nTjfEMnsA

Tips And Tricks Data Collection For Cloud Workplace Applications

Forensic Focus 5 hours ago

In this episode of the Forensic Focus podcast, Si and Desi explore the cutting-edge technology of deepfake videos and image manipulation. In addition to discussing the latest technological developments and efforts being made to detect manipulated media, they also examine the associated legal and ethical implications.

Show notes:

Boris Johnson image - https://www.theguardian.com/politics/2023/jan/10/spot-the-difference-boris-johnson-appears-scrubbed-from-photo-posted-by-grant-shapps

Deep Fake Neighbour Wars - https://m.imdb.com/title/tt21371376/

Stalin image - https://www.history.com/news/josef-stalin-great-purge-photo-retouching

Nvidia eye contact AI - https://www.polygon.com/23571376/nvidia-broadcast-eye-contact-ai and https://www.youtube.com/watch?v=xl87WTDrReo

Birthday problem - https://en.wikipedia.org/wiki/Birthday_problem

Same frightening woman in AI images - https://petapixel.com/2022/09/09/the-same-frightening-woman-keeps-appearing-in-ai-generated-images/

Inherent mysogeny of AI portraits - https://www.theguardian.com/us-news/2022/dec/09/lensa-ai-portraits-misogyny

Midjourney - https://www.midjourney.org/

Deepfake porn legality - https://www.theverge.com/2022/11/25/23477548/uk-deepfake-porn-illegal-offence-online-safety-bill-proposal and https://www.technologyreview.com/2021/02/12/1018222/deepfake-revenge-porn-coming-ban/

AIATSIS - https://aiatsis.gov.au/cultural-sensitivity

Fake tiger porn story - https://www.dailydot.com/unclick/tiger-porn-britain-law/

Group photo with no blinking - https://www.countrylife.co.uk/comment-opinion/curious-questions-group-photo-179102

Emma Watson deefake audio - https://www.thetimes.co.uk/article/ai-4chan-emma-watson-mein-kampf-elevenlabs-9wghsmt9c

Domestika - https://www.domestika.org/en/courses/981-introduction-to-interviewing-the-art-of-conversation

Investigative Interviewing - https://www.amazon.co.uk/dp/0199681899?ref=ppx_pop_mob_ap_share

Forensic Focus events calendar - https://www.forensicfocus.com/events/

Si Twitter - https://twitter.com/si_biles

In this episode of the Forensic Focus podcast, Si and Desi explore the cutting-edge technology of deepfake videos and image manipulation. In addition to discussing the latest technological developments and efforts being made to detect manipulated media, they also examine the associated legal and ethical implications.

Show notes:

Boris Johnson image - https://www.theguardian.com/politics/2023/jan/10/spot-the-difference-boris-johnson-appears-scrubbed-from-photo-posted-by-grant-shapps

Deep Fake Neighbour Wars - https://m.imdb.com/title/tt21371376/

Stalin image - https://www.history.com/news/josef-stalin-great-purge-photo-retouching

Nvidia eye contact AI - https://www.polygon.com/23571376/nvidia-broadcast-eye-contact-ai and https://www.youtube.com/watch?v=xl87WTDrReo

Birthday problem - https://en.wikipedia.org/wiki/Birthday_problem

Same frightening woman in AI images - https://petapixel.com/2022/09/09/the-same-frightening-woman-keeps-appearing-in-ai-generated-images/

Inherent mysogeny of AI portraits - https://www.theguardian.com/us-news/2022/dec/09/lensa-ai-portraits-misogyny

Midjourney - https://www.midjourney.org/

Deepfake porn legality - https://www.theverge.com/2022/11/25/23477548/uk-deepfake-porn-illegal-offence-online-safety-bill-proposal and https://www.technologyreview.com/2021/02/12/1018222/deepfake-revenge-porn-coming-ban/

AIATSIS - https://aiatsis.gov.au/cultural-sensitivity

Fake tiger porn story - https://www.dailydot.com/unclick/tiger-porn-britain-law/

Group photo with no blinking - https://www.countrylife.co.uk/comment-opinion/curious-questions-group-photo-179102

Emma Watson deefake audio - https://www.thetimes.co.uk/article/ai-4chan-emma-watson-mein-kampf-elevenlabs-9wghsmt9c

Domestika - https://www.domestika.org/en/courses/981-introduction-to-interviewing-the-art-of-conversation

Investigative Interviewing - https://www.amazon.co.uk/dp/0199681899?ref=ppx_pop_mob_ap_share

Forensic Focus events calendar - https://www.forensicfocus.com/events/

Si Twitter - https://twitter.com/si_biles

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_i41eg24YGZg

Deepfake Videos And Altered Images - A Challenge For Digital Forensics?

Forensic Focus 13th February 2023 10:30 am

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...