book

Mastering Windows Network Forensics and Investigation, 2nd Edition

by Steven Anson, Steve Bunting, Ryan Johnson, Scott Pearson

June 2012

Intermediate to advanced

696 pages

22h 58m

English

Sybex

Read now

Unlock full access

Cover
Contents
Introduction
Part 1: Understanding and Exploiting Windows Networks
Chapter 1: Network Investigation Overview
Performing the Initial Vetting
Meeting with the Victim Organization
Understanding the Victim Network InformationUnderstanding the IncidentIdentifying and Preserving EvidenceEstablishing Expectations and Responsibilities
Collecting the Evidence
Analyzing the Evidence
Analyzing the Suspect’s Computers

Recognizing the Investigative Challenges of Microsoft Networks
The Bottom Line
Chapter 2: The Microsoft Network Structure
Connecting Computers
Windows Domains
Interconnecting DomainsOrganizational Units
Users and Groups
Types of AccountsGroups
Permissions
File PermissionsShare PermissionsReconciling Share and File Permissions
Example Hack
The Bottom Line
Chapter 3: Beyond the Windows GUI
Understanding Programs, Processes, and Threads
Redirecting Process Flow
DLL InjectionHooking
Maintaining Order Using Privilege Modes
Using Rootkits
The Bottom Line
Chapter 4: Windows Password Issues
Understanding Windows Password Storage
Cracking Windows Passwords Stored on Running Systems
Exploring Windows Authentication Mechanisms
LanMan AuthenticationNTLM AuthenticationKerberos Authentication
Sniffing and Cracking Windows Authentication Exchanges
Using ScoopLM and BeatLM to Crack Passwords
Cracking Offline Passwords
Using Cain & Abel to Extract Windows Password HashesAccessing Passwords through the Windows Password VerifierExtracting Password Hashes from RAMStealing Credentials from a Running System
The Bottom Line
Chapter 5: Windows Ports and Services
Understanding Ports
Using Ports as Evidence
Understanding Windows Services
The Bottom Line
Part 2: Analyzing the Computer
Chapter 6: Live-Analysis Techniques
Finding Evidence in Memory
Creating a Windows Live-Analysis Toolkit
Using DumpIt to Acquire RAM from a 64-Bit Windows 7 SystemUsing WinEn to Acquire RAM from a Windows 7 EnvironmentUsing FTK Imager Lite to Acquire RAM from Windows Server 2008Using Volatility 2.0 to Analyze a Windows 7 32-Bit RAM Image
Monitoring Communication with the Victim Box
Scanning the Victim System
The Bottom Line
Chapter 7: Windows Filesystems
Filesystems vs. Operating Systems
Understanding FAT Filesystems
Understanding NTFS Filesystems
Using NTFS Data StructuresCreating, Deleting, and Recovering Data in NTFS
Dealing with Alternate Data Streams
The exFAT Filesystem
The Bottom Line
Chapter 8: The Registry Structure
Understanding Registry Concepts
Registry HistoryRegistry Organization and Terminology
Performing Registry Research
Viewing the Registry with Forensic Tools
Using EnCase to View the Registry
Examining Information ManuallyUsing EnScripts to Extract Information
Using AccessData’s Registry Viewer
Other Tools
The Bottom Line
Chapter 9: Registry Evidence
Finding Information in the Software Key
Installed SoftwareLast LogonBanners
Exploring Windows Security, Action Center, and Firewall Settings
Analyzing Restore Point Registry Settings
Windows XP Restore Point Content
Analyzing Volume Shadow Copies for Registry Settings
Exploring Security Identifiers
Examining the Recycle BinExamining the ProfileList Registry Key
Investigating User Activity
Examining the PSSP and IntelliForms KeysExamining the MRU KeyExamining the RecentDocs KeyExamining the TypedURLs KeyExamining the UserAssist Key
Extracting LSA Secrets
Using Cain & Abel to Extract LSA Secrets from Your Local Machine
Discovering IP Addresses
Dynamic IP AddressesGetting More Information from the GUID-Named Interface
Compensating for Time Zone Offsets
Determining the Startup Locations
Exploring the User Profile AreasExploring Batch FilesExploring Scheduled TasksExploring the AppInit_DLL KeyUsing EnCase and Registry ViewerUsing Autoruns to Determine Startups
The Bottom Line
Chapter 10: Introduction to Malware
Understanding the Purpose of Malware Analysis
Malware Analysis Tools and Techniques
Constructing an Effective Malware Analysis ToolkitAnalyzing Malicious CodeMonitoring Malicious CodeMonitoring Malware Network Traffic
The Bottom Line
Part 3: Analyzing the Logs
Chapter 11: Text-Based Logs
Parsing IIS Logs
Parsing FTP Logs
Parsing DHCP Server Logs
Parsing Windows Firewall Logs
Using Splunk
The Bottom Line
Chapter 12: Windows Event Logs
Understanding the Event Logs
Exploring Auditing Settings
Using Event Viewer
Opening and Saving Event LogsViewing Event Log Data
Searching with Event Viewer
The Bottom Line
Chapter 13: Logon and Account Logon Events
Begin at the Beginning
Comparing Logon and Account Logon EventsAnalyzing Windows 2003/2008 Logon EventsExamining Windows 2003/2008 Account Logon Events
The Bottom Line
Chapter 14: Other Audit Events
The Exploitation of a Network
Examining System Log Entries
Examining Application Log Entries
Evaluating Account Management Events
Interpreting File and Other Object Access Events
Examining Audit Policy Change Events
The Bottom Line
Chapter 15: Forensic Analysis of Event Logs
Windows Event Log Files Internals
Windows Vista/7/2008 Event LogsWindows XP/2003 Event Logs
Repairing Windows XP/2003 Corrupted Event Log Databases
Finding and Recovering Event Logs from Free Space
The Bottom Line
Part 4: Results, the Cloud, and Virtualization
Chapter 16: Presenting the Results
Report Basics
Creating a Narrative Report with Hyperlinks
Creating HyperlinksCreating and Linking Bookmarks
The Electronic Report Files
Creating Timelines
CaseMap and TimeMapSplunk
Testifying about Technical Matters
The Bottom Line
Chapter 17: The Challenges of Cloud Computing and Virtualization
What Is Virtualization?
The Hypervisor
Preparing for Incident Response in Virtual Space
Forensic Analysis Techniques
Dead Host-Based Virtual EnvironmentLive Virtual EnvironmentArtifacts
Cloud Computing
What Is It?ServicesForensic ChallengesForensic Techniques
The Bottom Line
Part 5: Appendices
Appendix A: The Bottom Line
Chapter 1: Network Investigation Overview
Chapter 2: The Microsoft Network Structure
Chapter 3: Beyond the Windows GUI
Chapter 4: Windows Password Issues
Chapter 5: Windows Ports and Services
Chapter 6: Live-Analysis Techniques
Chapter 7: Windows Filesystems
Chapter 8: The Registry Structure
Chapter 9: Registry Evidence
Chapter 10: Introduction to Malware
Chapter 11: Text-based Logs
Chapter 12: Windows Event Logs
Chapter 13: Logon and Account Logon Events
Chapter 14: Other Audit Events
Chapter 15: Forensic Analysis of Event Logs
Chapter 16: Presenting the Results
Chapter 17: The Challenges of Cloud Computing and Virtualization
Appendix B: Test Environments
Software
Hardware
Setting Up Test Environments in Training Laboratories
Chapter 1: Network Investigation OverviewChapter 2: The Microsoft Network StructureChapter 3: Beyond the Windows GUIChapter 4: Windows Password IssuesChapter 5: Windows Ports and ServicesChapter 6: Live-Analysis TechniquesChapter 7: Windows FilesystemsChapter 8: The Registry StructureChapter 9: Registry EvidenceChapter 10: Introduction to MalwareChapter 11: Text-Based LogsChapter 12: Windows Event LogsChapter 13: Logon and Account Logon EventsChapter 14: Other Audit EventsChapter 15: Forensic Analysis of Event LogsChapter 16: Presenting the ResultsChapter 17: The Challenges of Cloud Computing and Virtualization
Index

Content preview from Mastering Windows Network Forensics and Investigation, 2nd Edition

Using EnCase to View the Registry

EnCase is a computer forensics tool used by many computer forensic examiners and intrusion investigators. Depending on your environment, you may be doing both the computer forensics and the network investigation. In other environments, the functions are segregated. Regardless, if you have EnCase available, it is an excellent tool to use to examine the Windows registry.

Examining Information Manually

Registry hive files are compound files that are mountable in EnCase. Within EnCase version 6 (we’ll talk about version 7 later in this chapter), you can mount these files by right-clicking the registry file’s name and choosing View File Structure from the pop-up menu. Before you mount the file, however, you must first ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781118236086Purchase book Downloads

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Mastering Windows Network Forensics and Investigation, 2nd Edition

by Steven Anson, Steve Bunting, Ryan Johnson, Scott Pearson

Using EnCase to View the Registry

Examining Information Manually

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Network Forensics

Learning Network Forensics

Incident Response & Computer Forensics, 2nd Ed., 2nd Edition

The Network Security Test Lab: A Step-by-Step Guide

Publisher Resources