book

Practical Windows Forensics

by Ayman Shaaban, Konstantin Sapronov

June 2016

Beginner to intermediate

322 pages

6h 18m

English

Packt Publishing

Read now

Unlock full access

Why subscribe?
What this book covers

Downloading the color images of this book ErrataPiracyQuestions
What is digital crime?
Personal skillsWritten communicationOral communicationPresentation skillsDiplomacyThe ability to follow policies and proceduresTeam skillsIntegrityKnowing one's limitsCoping with stressProblem solvingTime managementTechnical skills
Security principlesSecurity vulnerabilities and weaknessesThe InternetRisksNetwork protocolsNetwork applications and servicesNetwork security issuesHost or system security issuesMalicious codeProgramming skillsIncident handling skills
SoftwareLive versus mortemVolatile dataNonvolatile dataRegistry data
Memory acquisitionIssues related to memory accessChoosing a toolDumpItFTK ImagerAcquiring memory from a remote computer using iSCSIUsing the Sleuth Kit
HubsSwitchesTcpdumpWiresharkTsharkDumpcap
Forensic image
DEFTHelix
FTK imager in live hard drive acquisitionImaging over the network with FTK imagerIncident response CDs in live acquisition
The dd tooldd over the network
Timeline introduction
PreprocessingCollectionWorkerStorage
Analyzing the results
Hard drive structureMaster boot recordPartition boot sectorThe filesystem area in partitionData area
FAT componentsFAT limitations
NTFS componentsMaster File Table (MFT)
Volume layer (media management)Filesystem layerThe metadata layeristaticatifindThe filename layerData unit layer (Block)blkcatblklsBlkcalc
The registry structureRoot keysHKEY_CLASSES_ROOT or HKCRHKEY_LOCAL_MACHINEHKEY_USERS or HKUHKEY_CURRENT_USER or HKCUMapping a hive to the filesystem
Extracting registry files from a live systemExtracting registry files from a forensic image
The base blockHbin and CELL
RegistryRipperSysinternalsMiTeC Windows registry recovery
Event Logs - an introduction
Security Event Logs
Live systemsOffline systemEvent ViewerEvent Log ExplorerUseful resourcesAnalyzing the event log – an example
Windows prefetch filesPrefetch file analysis
Thumbcache analysisCorrupted Windows.edb files
RECYCLER$Recycle.bin
Shortcut analysis
Browser investigation
History filesHistory.IE5IEHistoryViewBrowsingHistoryViewMiTeC Internet History browserCacheContent.IE5IECacheViewMsiecf parser (Plaso framework)CookiesIECookiesViewFavoritesFavoritesViewSession restoreMiTeC SSVInprivate modeWebCacheV#.datESEDatabaseView
Places.sqliteMozillaHistoryViewCookies.sqliteMozillaCookiesViewCacheMozillaCacheView
Outlook PST fileOutlook OST filesEML and MSG filesDBX (Outlook Express)PFF Analysis (libpff)Other tools
Memory structure
Hibernation fileCrash dumpPage files
Remote DLL injectionRemote code injectionReflective DLL injection
The volatility frameworkVolatility pluginsimagecopyraw2dmpimageprofilepslistpsscanpstreepsxviewgetsidsdlllisthandlesfilescanprocexedumpmemdumpsvcscanconnectionsconnscansocketssockscanNetscanhivelist and printkeymalfindvaddumpapihooksmftparser
Network data collection
Fields with more information
Factors that need to be consideredSizeEnvironment controlSecuritySoftwareHardwareVirtualizationVirtualization benefits for forensicsThe distributed forensic systemGRRServer installationClient installationBrowsing with the newly-connected clientStart a new flow
Introduction
The running processesNetwork activitiesAutorun keys
Memory analysisNetwork analysisTimeline analysis

Content preview from Practical Windows Forensics

The DLL injection

DLL or Dynamic Link Libraries are resources and functions that are shared among different processes running within the system. Some processes and programs require special external DLLs, which can be included with the program to run properly. As DLLs usually run within the processes in memory, they are usually targeted by the malware as a way to access and control other processes in memory. DLLs are loaded into the process with different ways:

Dynamic linking: This is when an executable has an Import Address Table (IAT), which describes the resources needed for this executable to load along with their addresses, which are loaded in the process memory space.
Runtime Dynamic Linking: Some DLLs may not be mentioned in the IAT, but ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Practical Linux Forensics

Bruce Nikkel

Windows Forensics: Understand Analysis Techniques for Your Windows

Chuck Easttom, William Butler, Jessica Phelan, Ramya Sai Bhagavatula, Sean Steuber, Karely Rodriguez, Victoria Indy Balkissoon, Zehra Naseer

Practical Mobile Forensics - Fourth Edition

Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty

Practical Memory Forensics

Svetlana Ostrovskaya, Oleg Skulkin

Publisher Resources

ISBN: 9781783554096