book

Practical Windows Forensics

by Ayman Shaaban, Konstantin Sapronov

June 2016

Beginner to intermediate

322 pages

6h 18m

English

Packt Publishing

Read now

Unlock full access

Why subscribe?
What this book covers

Downloading the color images of this book ErrataPiracyQuestions
What is digital crime?
Personal skillsWritten communicationOral communicationPresentation skillsDiplomacyThe ability to follow policies and proceduresTeam skillsIntegrityKnowing one's limitsCoping with stressProblem solvingTime managementTechnical skills
Security principlesSecurity vulnerabilities and weaknessesThe InternetRisksNetwork protocolsNetwork applications and servicesNetwork security issuesHost or system security issuesMalicious codeProgramming skillsIncident handling skills
SoftwareLive versus mortemVolatile dataNonvolatile dataRegistry data
Memory acquisitionIssues related to memory accessChoosing a toolDumpItFTK ImagerAcquiring memory from a remote computer using iSCSIUsing the Sleuth Kit
HubsSwitchesTcpdumpWiresharkTsharkDumpcap
Forensic image
DEFTHelix
FTK imager in live hard drive acquisitionImaging over the network with FTK imagerIncident response CDs in live acquisition
The dd tooldd over the network
Timeline introduction
PreprocessingCollectionWorkerStorage
Analyzing the results
Hard drive structureMaster boot recordPartition boot sectorThe filesystem area in partitionData area
FAT componentsFAT limitations
NTFS componentsMaster File Table (MFT)
Volume layer (media management)Filesystem layerThe metadata layeristaticatifindThe filename layerData unit layer (Block)blkcatblklsBlkcalc
The registry structureRoot keysHKEY_CLASSES_ROOT or HKCRHKEY_LOCAL_MACHINEHKEY_USERS or HKUHKEY_CURRENT_USER or HKCUMapping a hive to the filesystem
Extracting registry files from a live systemExtracting registry files from a forensic image
The base blockHbin and CELL
RegistryRipperSysinternalsMiTeC Windows registry recovery
Event Logs - an introduction
Security Event Logs
Live systemsOffline systemEvent ViewerEvent Log ExplorerUseful resourcesAnalyzing the event log – an example
Windows prefetch filesPrefetch file analysis
Thumbcache analysisCorrupted Windows.edb files
RECYCLER$Recycle.bin
Shortcut analysis
Browser investigation
History filesHistory.IE5IEHistoryViewBrowsingHistoryViewMiTeC Internet History browserCacheContent.IE5IECacheViewMsiecf parser (Plaso framework)CookiesIECookiesViewFavoritesFavoritesViewSession restoreMiTeC SSVInprivate modeWebCacheV#.datESEDatabaseView
Places.sqliteMozillaHistoryViewCookies.sqliteMozillaCookiesViewCacheMozillaCacheView
Outlook PST fileOutlook OST filesEML and MSG filesDBX (Outlook Express)PFF Analysis (libpff)Other tools
Memory structure
Hibernation fileCrash dumpPage files
Remote DLL injectionRemote code injectionReflective DLL injection
The volatility frameworkVolatility pluginsimagecopyraw2dmpimageprofilepslistpsscanpstreepsxviewgetsidsdlllisthandlesfilescanprocexedumpmemdumpsvcscanconnectionsconnscansocketssockscanNetscanhivelist and printkeymalfindvaddumpapihooksmftparser
Network data collection
Fields with more information
Factors that need to be consideredSizeEnvironment controlSecuritySoftwareHardwareVirtualizationVirtualization benefits for forensicsThe distributed forensic systemGRRServer installationClient installationBrowsing with the newly-connected clientStart a new flow
Introduction
The running processesNetwork activitiesAutorun keys
Memory analysisNetwork analysisTimeline analysis

Content preview from Practical Windows Forensics

API hooking

Hooking is usually used by rootkits, forcing the kernel to hide all activities that are related to the malware and to intercept the user input in order to steal sensitive information from the user. This used to be achieved by manipulating the output of the API calls by the system kernel. This can be deceptive in live analysis during the incident-handling process. In depth analysis of the memory image acquired during the evidence acquisition of the infected system would making it much easier to detect such behavior. Hooking is done simply by redirecting the normal flow of one process execution to execute malicious code in another location in the memory, and then return back to complete the normal process code.