Practical Windows Forensics

Practical Windows Forensics

Overview of this book

Over the last few years, the wave of the cybercrime has risen rapidly. We have witnessed many major attacks on the governmental, military, financial, and media sectors. Tracking all these attacks and crimes requires a deep understanding of operating system operations, how to extract evident data from digital evidence, and the best usage of the digital forensic tools and techniques. Regardless of your level of experience in the field of information security in general, this book will fully introduce you to digital forensics. It will provide you with the knowledge needed to assemble different types of evidence effectively, and walk you through the various stages of the analysis process. We start by discussing the principles of the digital forensics process and move on to show you the approaches that are used to conduct analysis. We will then study various tools to perform live analysis, and go through different techniques to analyze volatile and non-volatile data.

Practical Windows Forensics

Credits

About the Authors

About the Reviewers

www.PacktPub.com

Preface

Free Chapter

The Foundations and Principles of Digital Forensics

What is digital crime?

Digital forensics

Digital evidence

Digital forensic goals

Analysis approaches

Summary

Incident Response and Live Analysis

Personal skills

Security fundamentals

The hardware for IR and Jump Bag

Remote live response

Summary

Volatile Data Collection

Memory acquisition

Network-based data collection

Summary

Nonvolatile Data Acquisition

Forensic image

Incident Response CDs

Live imaging of a hard drive

Linux for the imaging of a hard drive

Virtualization in data acquisition

Evidence integrity (the hash function)

Disk wiping in Linux

Summary

Timeline

Timeline introduction

The Sleuth Kit

Super timeline – Plaso

Plaso architecture

Plaso in practice

Summary

Filesystem Analysis and Data Recovery

Autopsy

Summary

Registry Analysis

The registry structure

Backing up the registry files

Extracting registry hives

Parsing registry files

Auto-run keys

Registry analysis

Summary

Event Log Analysis

Event Logs - an introduction

Event Logs system

Extracting Event Logs

Summary

Windows Files

Windows prefetch files

Windows tasks

Windows Thumbs DB

Windows RecycleBin

Windows shortcut files

Summary

Browser and E-mail Investigation

Browser investigation

Microsoft Internet Explorer

Firefox

Other browsers

E-mail investigation

Summary

Memory Forensics

Memory structure

Memory acquisition

The sources of memory dump

Processes in memory

Network connections in memory

The DLL injection

API hooking

Memory analysis

Summary

Network Forensics

Network data collection

Summary

Building a Forensic Analysis Environment

Factors that need to be considered

Case Study

Summary

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Summary

In this chapter, we got introduced to the registry as one of the most important Windows artifacts, which holds most of the operating system and the installed programs' configurations and settings. We explained the function of each registry hive and its location in the filesystem. Besides this, we parsed the structure of one registry file as an important process in case a corrupted registry file or a recovered fragment of the registry file needs to be analyzed. Then, we explained how malware programs use the registry to preserve their existence in the system and how to discover their presence. We used different tools to view and analyze the registry files.

In the next chapter, we will cover another important artifact of the Windows operating system, the Event Log files. We will explore how to use event files to track the activities of the users in the system and how to discover malicious activities within the system.

Practical Windows Forensics

Practical Windows Forensics

Overview of this book

Related Content you might be interested in

Current Title:

Practical Windows Forensics

Summary