book

Practical Windows Forensics

by Ayman Shaaban, Konstantin Sapronov

June 2016

Beginner to intermediate

322 pages

6h 18m

English

Packt Publishing

Read now

Unlock full access

Why subscribe?
What this book covers

Downloading the color images of this book ErrataPiracyQuestions
What is digital crime?
Personal skillsWritten communicationOral communicationPresentation skillsDiplomacyThe ability to follow policies and proceduresTeam skillsIntegrityKnowing one's limitsCoping with stressProblem solvingTime managementTechnical skills
Security principlesSecurity vulnerabilities and weaknessesThe InternetRisksNetwork protocolsNetwork applications and servicesNetwork security issuesHost or system security issuesMalicious codeProgramming skillsIncident handling skills
SoftwareLive versus mortemVolatile dataNonvolatile dataRegistry data
Memory acquisitionIssues related to memory accessChoosing a toolDumpItFTK ImagerAcquiring memory from a remote computer using iSCSIUsing the Sleuth Kit
HubsSwitchesTcpdumpWiresharkTsharkDumpcap
Forensic image
DEFTHelix
FTK imager in live hard drive acquisitionImaging over the network with FTK imagerIncident response CDs in live acquisition
The dd tooldd over the network
Timeline introduction
PreprocessingCollectionWorkerStorage
Analyzing the results
Hard drive structureMaster boot recordPartition boot sectorThe filesystem area in partitionData area
FAT componentsFAT limitations
NTFS componentsMaster File Table (MFT)
Volume layer (media management)Filesystem layerThe metadata layeristaticatifindThe filename layerData unit layer (Block)blkcatblklsBlkcalc
The registry structureRoot keysHKEY_CLASSES_ROOT or HKCRHKEY_LOCAL_MACHINEHKEY_USERS or HKUHKEY_CURRENT_USER or HKCUMapping a hive to the filesystem
Extracting registry files from a live systemExtracting registry files from a forensic image
The base blockHbin and CELL
RegistryRipperSysinternalsMiTeC Windows registry recovery
Event Logs - an introduction
Security Event Logs
Live systemsOffline systemEvent ViewerEvent Log ExplorerUseful resourcesAnalyzing the event log – an example
Windows prefetch filesPrefetch file analysis
Thumbcache analysisCorrupted Windows.edb files
RECYCLER$Recycle.bin
Shortcut analysis
Browser investigation
History filesHistory.IE5IEHistoryViewBrowsingHistoryViewMiTeC Internet History browserCacheContent.IE5IECacheViewMsiecf parser (Plaso framework)CookiesIECookiesViewFavoritesFavoritesViewSession restoreMiTeC SSVInprivate modeWebCacheV#.datESEDatabaseView
Places.sqliteMozillaHistoryViewCookies.sqliteMozillaCookiesViewCacheMozillaCacheView
Outlook PST fileOutlook OST filesEML and MSG filesDBX (Outlook Express)PFF Analysis (libpff)Other tools
Memory structure
Hibernation fileCrash dumpPage files
Remote DLL injectionRemote code injectionReflective DLL injection
The volatility frameworkVolatility pluginsimagecopyraw2dmpimageprofilepslistpsscanpstreepsxviewgetsidsdlllisthandlesfilescanprocexedumpmemdumpsvcscanconnectionsconnscansocketssockscanNetscanhivelist and printkeymalfindvaddumpapihooksmftparser
Network data collection
Fields with more information
Factors that need to be consideredSizeEnvironment controlSecuritySoftwareHardwareVirtualizationVirtualization benefits for forensicsThe distributed forensic systemGRRServer installationClient installationBrowsing with the newly-connected clientStart a new flow
Introduction
The running processesNetwork activitiesAutorun keys
Memory analysisNetwork analysisTimeline analysis

Content preview from Practical Windows Forensics

Appendix appA. Building a Forensic Analysis Environment

After the previous chapters, we should now have realized how important incident response is for digital forensics processes and how necessary it is to deal with both of them accurately. In this appendix of the book, we will discuss the creation of a convenient work environment to conduct the digital forensics analysis, the digital forensics lab, at enterprise scale.

Before we start building our lab, let's answer the following questions:

What are the lab's purposes, and what kind of devices will we analyze (computers, mobiles, and so on)? This will help us determine the suitable tools for our lab.
How many cases can we expect to receive, and what is the expected expansion in our scope and lab? ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Practical Linux Forensics

Bruce Nikkel

Windows Forensics: Understand Analysis Techniques for Your Windows

Chuck Easttom, William Butler, Jessica Phelan, Ramya Sai Bhagavatula, Sean Steuber, Karely Rodriguez, Victoria Indy Balkissoon, Zehra Naseer

Practical Mobile Forensics - Fourth Edition

Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty

Practical Memory Forensics

Svetlana Ostrovskaya, Oleg Skulkin

Publisher Resources

ISBN: 9781783554096