book

Practical Windows Forensics

by Ayman Shaaban, Konstantin Sapronov

June 2016

Beginner to intermediate

322 pages

6h 18m

English

Packt Publishing

Read now

Unlock full access

Why subscribe?
What this book covers

Downloading the color images of this book ErrataPiracyQuestions
What is digital crime?
Personal skillsWritten communicationOral communicationPresentation skillsDiplomacyThe ability to follow policies and proceduresTeam skillsIntegrityKnowing one's limitsCoping with stressProblem solvingTime managementTechnical skills
Security principlesSecurity vulnerabilities and weaknessesThe InternetRisksNetwork protocolsNetwork applications and servicesNetwork security issuesHost or system security issuesMalicious codeProgramming skillsIncident handling skills
SoftwareLive versus mortemVolatile dataNonvolatile dataRegistry data
Memory acquisitionIssues related to memory accessChoosing a toolDumpItFTK ImagerAcquiring memory from a remote computer using iSCSIUsing the Sleuth Kit
HubsSwitchesTcpdumpWiresharkTsharkDumpcap
Forensic image
DEFTHelix
FTK imager in live hard drive acquisitionImaging over the network with FTK imagerIncident response CDs in live acquisition
The dd tooldd over the network
Timeline introduction
PreprocessingCollectionWorkerStorage
Analyzing the results
Hard drive structureMaster boot recordPartition boot sectorThe filesystem area in partitionData area
FAT componentsFAT limitations
NTFS componentsMaster File Table (MFT)
Volume layer (media management)Filesystem layerThe metadata layeristaticatifindThe filename layerData unit layer (Block)blkcatblklsBlkcalc
The registry structureRoot keysHKEY_CLASSES_ROOT or HKCRHKEY_LOCAL_MACHINEHKEY_USERS or HKUHKEY_CURRENT_USER or HKCUMapping a hive to the filesystem
Extracting registry files from a live systemExtracting registry files from a forensic image
The base blockHbin and CELL
RegistryRipperSysinternalsMiTeC Windows registry recovery
Event Logs - an introduction
Security Event Logs
Live systemsOffline systemEvent ViewerEvent Log ExplorerUseful resourcesAnalyzing the event log – an example
Windows prefetch filesPrefetch file analysis
Thumbcache analysisCorrupted Windows.edb files
RECYCLER$Recycle.bin
Shortcut analysis
Browser investigation
History filesHistory.IE5IEHistoryViewBrowsingHistoryViewMiTeC Internet History browserCacheContent.IE5IECacheViewMsiecf parser (Plaso framework)CookiesIECookiesViewFavoritesFavoritesViewSession restoreMiTeC SSVInprivate modeWebCacheV#.datESEDatabaseView
Places.sqliteMozillaHistoryViewCookies.sqliteMozillaCookiesViewCacheMozillaCacheView
Outlook PST fileOutlook OST filesEML and MSG filesDBX (Outlook Express)PFF Analysis (libpff)Other tools
Memory structure
Hibernation fileCrash dumpPage files
Remote DLL injectionRemote code injectionReflective DLL injection
The volatility frameworkVolatility pluginsimagecopyraw2dmpimageprofilepslistpsscanpstreepsxviewgetsidsdlllisthandlesfilescanprocexedumpmemdumpsvcscanconnectionsconnscansocketssockscanNetscanhivelist and printkeymalfindvaddumpapihooksmftparser
Network data collection
Fields with more information
Factors that need to be consideredSizeEnvironment controlSecuritySoftwareHardwareVirtualizationVirtualization benefits for forensicsThe distributed forensic systemGRRServer installationClient installationBrowsing with the newly-connected clientStart a new flow
Introduction
The running processesNetwork activitiesAutorun keys
Memory analysisNetwork analysisTimeline analysis

Content preview from Practical Windows Forensics

Chapter 8. Event Log Analysis

In this chapter, we will learn about Event Logs in the Microsoft operating system. We will discuss why it is important to cover issues related to event logs for successful investigation. We will consider differences between event logs depending on the MS Windows version.

Event Logs - an introduction

When an operating system works, a lot of events take place in the system. The range of these events is very large and a majority of them can be registered in the system. To register events on the system, there is a powerful mechanism called Event Logging. It presents a standard centralized way, which the operating system and applications use to record important information coming from software and hardware. An event can be ...