book

Practical Windows Forensics

by Ayman Shaaban, Konstantin Sapronov

June 2016

Beginner to intermediate

322 pages

6h 18m

English

Packt Publishing

Read now

Unlock full access

Why subscribe?
What this book covers

Downloading the color images of this book ErrataPiracyQuestions
What is digital crime?
Personal skillsWritten communicationOral communicationPresentation skillsDiplomacyThe ability to follow policies and proceduresTeam skillsIntegrityKnowing one's limitsCoping with stressProblem solvingTime managementTechnical skills
Security principlesSecurity vulnerabilities and weaknessesThe InternetRisksNetwork protocolsNetwork applications and servicesNetwork security issuesHost or system security issuesMalicious codeProgramming skillsIncident handling skills
SoftwareLive versus mortemVolatile dataNonvolatile dataRegistry data
Memory acquisitionIssues related to memory accessChoosing a toolDumpItFTK ImagerAcquiring memory from a remote computer using iSCSIUsing the Sleuth Kit
HubsSwitchesTcpdumpWiresharkTsharkDumpcap
Forensic image
DEFTHelix
FTK imager in live hard drive acquisitionImaging over the network with FTK imagerIncident response CDs in live acquisition
The dd tooldd over the network
Timeline introduction
PreprocessingCollectionWorkerStorage
Analyzing the results
Hard drive structureMaster boot recordPartition boot sectorThe filesystem area in partitionData area
FAT componentsFAT limitations
NTFS componentsMaster File Table (MFT)
Volume layer (media management)Filesystem layerThe metadata layeristaticatifindThe filename layerData unit layer (Block)blkcatblklsBlkcalc
The registry structureRoot keysHKEY_CLASSES_ROOT or HKCRHKEY_LOCAL_MACHINEHKEY_USERS or HKUHKEY_CURRENT_USER or HKCUMapping a hive to the filesystem
Extracting registry files from a live systemExtracting registry files from a forensic image
The base blockHbin and CELL
RegistryRipperSysinternalsMiTeC Windows registry recovery
Event Logs - an introduction
Security Event Logs
Live systemsOffline systemEvent ViewerEvent Log ExplorerUseful resourcesAnalyzing the event log – an example
Windows prefetch filesPrefetch file analysis
Thumbcache analysisCorrupted Windows.edb files
RECYCLER$Recycle.bin
Shortcut analysis
Browser investigation
History filesHistory.IE5IEHistoryViewBrowsingHistoryViewMiTeC Internet History browserCacheContent.IE5IECacheViewMsiecf parser (Plaso framework)CookiesIECookiesViewFavoritesFavoritesViewSession restoreMiTeC SSVInprivate modeWebCacheV#.datESEDatabaseView
Places.sqliteMozillaHistoryViewCookies.sqliteMozillaCookiesViewCacheMozillaCacheView
Outlook PST fileOutlook OST filesEML and MSG filesDBX (Outlook Express)PFF Analysis (libpff)Other tools
Memory structure
Hibernation fileCrash dumpPage files
Remote DLL injectionRemote code injectionReflective DLL injection
The volatility frameworkVolatility pluginsimagecopyraw2dmpimageprofilepslistpsscanpstreepsxviewgetsidsdlllisthandlesfilescanprocexedumpmemdumpsvcscanconnectionsconnscansocketssockscanNetscanhivelist and printkeymalfindvaddumpapihooksmftparser
Network data collection
Fields with more information
Factors that need to be consideredSizeEnvironment controlSecuritySoftwareHardwareVirtualizationVirtualization benefits for forensicsThe distributed forensic systemGRRServer installationClient installationBrowsing with the newly-connected clientStart a new flow
Introduction
The running processesNetwork activitiesAutorun keys
Memory analysisNetwork analysisTimeline analysis

Content preview from Practical Windows Forensics

Browser analysis

The last_report.pdf.exe file may have been copied to the machine from another storage or over the network, but because it was located in the Downloads folder, it may be more reasonable to start investigating the browser history.

The installed browsers in the system were Internet Explorer and Mozilla Firefox. By investigating both with DART tools, we can find some interesting results from MozillaHistoryView:

We can see that the file was downloaded from http://www.maldomain.com/public/latest_report.pdf.exe. However, we can see that the visit time was just after the user visited mail.yahoo.com, which increases the chance that the malicious ...