book

Practical Windows Forensics

Name: Practical Windows Forensics
ISBN: 9781783554096

by Ayman Shaaban, Konstantin Sapronov

June 2016

Beginner to intermediate

322 pages

6h 18m

English

Packt Publishing

Read now

Unlock full access

Practical Windows Forensics
Practical Windows Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for

Conventions
Reader feedback
Customer support
Downloading the color images of this book ErrataPiracyQuestions
1. The Foundations and Principles of Digital Forensics
What is digital crime?
Digital forensics
Digital evidence
Digital forensic goals
Analysis approaches
Summary
2. Incident Response and Live Analysis
Personal skillsWritten communicationOral communicationPresentation skillsDiplomacyThe ability to follow policies and proceduresTeam skillsIntegrityKnowing one's limitsCoping with stressProblem solvingTime managementTechnical skills
Security fundamentals
Security principlesSecurity vulnerabilities and weaknessesThe InternetRisksNetwork protocolsNetwork applications and servicesNetwork security issuesHost or system security issuesMalicious codeProgramming skillsIncident handling skills
The hardware for IR and Jump Bag
SoftwareLive versus mortemVolatile dataNonvolatile dataRegistry data
Remote live response
Summary
3. Volatile Data Collection
Memory acquisitionIssues related to memory accessChoosing a toolDumpItFTK ImagerAcquiring memory from a remote computer using iSCSIUsing the Sleuth Kit
Network-based data collection
HubsSwitchesTcpdumpWiresharkTsharkDumpcap
Summary
4. Nonvolatile Data Acquisition
Forensic image
Incident Response CDs
DEFTHelix
Live imaging of a hard drive
FTK imager in live hard drive acquisitionImaging over the network with FTK imagerIncident response CDs in live acquisition
Linux for the imaging of a hard drive
The dd tooldd over the network
Virtualization in data acquisition
Evidence integrity (the hash function)
Disk wiping in Linux
Summary
5. Timeline
Timeline introduction
The Sleuth Kit
Super timeline – Plaso
Plaso architecture
PreprocessingCollectionWorkerStorage
Plaso in practice
Analyzing the results
Summary
6. Filesystem Analysis and Data Recovery
Hard drive structureMaster boot recordPartition boot sectorThe filesystem area in partitionData area
The FAT filesystem
FAT componentsFAT limitations
The NTFS filesystem
NTFS componentsMaster File Table (MFT)
The Sleuth Kit (TSK)
Volume layer (media management)Filesystem layerThe metadata layeristaticatifindThe filename layerData unit layer (Block)blkcatblklsBlkcalc
Autopsy
Foremost
Summary
7. Registry Analysis
The registry structureRoot keysHKEY_CLASSES_ROOT or HKCRHKEY_LOCAL_MACHINEHKEY_USERS or HKUHKEY_CURRENT_USER or HKCUMapping a hive to the filesystem
Backing up the registry files
Extracting registry hives
Extracting registry files from a live systemExtracting registry files from a forensic image
Parsing registry files
The base blockHbin and CELL
Auto-run keys
Registry analysis
RegistryRipperSysinternalsMiTeC Windows registry recovery
Summary
8. Event Log Analysis
Event Logs - an introduction
Event Logs system
Security Event Logs
Extracting Event Logs
Live systemsOffline systemEvent ViewerEvent Log ExplorerUseful resourcesAnalyzing the event log – an example
Summary
9. Windows Files
Windows prefetch filesPrefetch file analysis
Windows tasks
Windows Thumbs DB
Thumbcache analysisCorrupted Windows.edb files
Windows RecycleBin
RECYCLER$Recycle.bin
Windows shortcut files
Shortcut analysis
Summary
10. Browser and E-mail Investigation
Browser investigation
Microsoft Internet Explorer
History filesHistory.IE5IEHistoryViewBrowsingHistoryViewMiTeC Internet History browserCacheContent.IE5IECacheViewMsiecf parser (Plaso framework)CookiesIECookiesViewFavoritesFavoritesViewSession restoreMiTeC SSVInprivate modeWebCacheV#.datESEDatabaseView
Firefox
Places.sqliteMozillaHistoryViewCookies.sqliteMozillaCookiesViewCacheMozillaCacheView
Other browsers
E-mail investigation
Outlook PST fileOutlook OST filesEML and MSG filesDBX (Outlook Express)PFF Analysis (libpff)Other tools
Summary
11. Memory Forensics
Memory structure
Memory acquisition
The sources of memory dump
Hibernation fileCrash dumpPage files
Processes in memory
Network connections in memory
The DLL injection
Remote DLL injectionRemote code injectionReflective DLL injection
API hooking
Memory analysis
The volatility frameworkVolatility pluginsimagecopyraw2dmpimageprofilepslistpsscanpstreepsxviewgetsidsdlllisthandlesfilescanprocexedumpmemdumpsvcscanconnectionsconnscansocketssockscanNetscanhivelist and printkeymalfindvaddumpapihooksmftparser
Summary
12. Network Forensics
Network data collection
Exploring logs
Using tcpdump
Using tshark
Using WireShark
Fields with more information
Knowing Bro
Summary
appA. Building a Forensic Analysis Environment
Factors that need to be consideredSizeEnvironment controlSecuritySoftwareHardwareVirtualizationVirtualization benefits for forensicsThe distributed forensic systemGRRServer installationClient installationBrowsing with the newly-connected clientStart a new flow
appB. Case Study
Introduction
Scenario
Acquisition
Live analysis
The running processesNetwork activitiesAutorun keys
Prefetch files
Browser analysis
Postmortem analysis
Memory analysisNetwork analysisTimeline analysis
Summary

Content preview from Practical Windows Forensics

Postmortem analysis

Before performing the live analysis, we acquired the evidence. These were the memory and the hard drive. Let's see what we can get from this evidence.

Memory analysis

The memory is the working space for the operating system, and we can get many traces of any malware that ran within the system from the memory analysis. In this section, we will use the volatility framework to analyze the dumped memory file and try to get the same information that we got from the live analysis.

To get information about the profile of the memory file, we can use the imageinfo plugin:

From the output, the image profile that we will use is Win7SP0x64. Then, let's list the running processes and the network connections, as we discussed in the memory analysis ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Digital Forensics Basics: A Practical Guide Using Windows OS

Publisher Resources

ISBN: 9781783554096

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Practical Windows Forensics

by Ayman Shaaban, Konstantin Sapronov

Postmortem analysis

Memory analysis

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.