Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Practical Windows Forensics
  • Table Of Contents Toc
Practical Windows Forensics

Practical Windows Forensics

5 (6)
Buy this Book
close
close
Practical Windows Forensics

Practical Windows Forensics

5 (6)
Buy this Book

Overview of this book

Over the last few years, the wave of the cybercrime has risen rapidly. We have witnessed many major attacks on the governmental, military, financial, and media sectors. Tracking all these attacks and crimes requires a deep understanding of operating system operations, how to extract evident data from digital evidence, and the best usage of the digital forensic tools and techniques. Regardless of your level of experience in the field of information security in general, this book will fully introduce you to digital forensics. It will provide you with the knowledge needed to assemble different types of evidence effectively, and walk you through the various stages of the analysis process. We start by discussing the principles of the digital forensics process and move on to show you the approaches that are used to conduct analysis. We will then study various tools to perform live analysis, and go through different techniques to analyze volatile and non-volatile data.
Table of Contents (15 chapters)
close
close
close
Preface
Icon
Preface
Icon
What this book covers
Icon
What you need for this book
Icon
Who this book is for
Icon
Conventions
Icon
Reader feedback
Icon
Customer support
Lock Free Chapter
1
1. The Foundations and Principles of Digital Forensics
chevron up
Icon
1. The Foundations and Principles of Digital Forensics
Icon
What is digital crime?
Icon
Digital forensics
Icon
Digital evidence
Icon
Digital forensic goals
Icon
Analysis approaches
Icon
Summary
2
2. Incident Response and Live Analysis
Icon
2. Incident Response and Live Analysis
Icon
Personal skills
Icon
Security fundamentals
Icon
The hardware for IR and Jump Bag
Icon
Remote live response
Icon
Summary
3
3. Volatile Data Collection
Icon
3. Volatile Data Collection
Icon
Memory acquisition
Icon
Network-based data collection
Icon
Summary
4
4. Nonvolatile Data Acquisition
Icon
4. Nonvolatile Data Acquisition
Icon
Forensic image
Icon
Incident Response CDs
Icon
Live imaging of a hard drive
Icon
Linux for the imaging of a hard drive
Icon
Virtualization in data acquisition
Icon
Evidence integrity (the hash function)
Icon
Disk wiping in Linux
Icon
Summary
5
5. Timeline
Icon
5. Timeline
Icon
Timeline introduction
Icon
The Sleuth Kit
Icon
Super timeline – Plaso
Icon
Plaso architecture
Icon
Plaso in practice
Icon
Summary
6
6. Filesystem Analysis and Data Recovery
Icon
6. Filesystem Analysis and Data Recovery
Icon
Hard drive structure
Icon
The FAT filesystem
Icon
The NTFS filesystem
Icon
The Sleuth Kit (TSK)
Icon
Autopsy
Icon
Foremost
Icon
Summary
7
7. Registry Analysis
Icon
7. Registry Analysis
Icon
The registry structure
Icon
Backing up the registry files
Icon
Extracting registry hives
Icon
Parsing registry files
Icon
Auto-run keys
Icon
Registry analysis
Icon
Summary
8
8. Event Log Analysis
Icon
8. Event Log Analysis
Icon
Event Logs - an introduction
Icon
Event Logs system
Icon
Extracting Event Logs
Icon
Summary
9
9. Windows Files
Icon
9. Windows Files
Icon
Windows prefetch files
Icon
Windows tasks
Icon
Windows Thumbs DB
Icon
Windows RecycleBin
Icon
Windows shortcut files
Icon
Summary
10
10. Browser and E-mail Investigation
Icon
10. Browser and E-mail Investigation
Icon
Browser investigation
Icon
Microsoft Internet Explorer
Icon
Firefox
Icon
Other browsers
Icon
E-mail investigation
Icon
Summary
11
11. Memory Forensics
Icon
11. Memory Forensics
Icon
Memory structure
Icon
Memory acquisition
Icon
The sources of memory dump
Icon
Processes in memory
Icon
Network connections in memory
Icon
The DLL injection
Icon
API hooking
Icon
Memory analysis
Icon
Summary
12
12. Network Forensics
Icon
12. Network Forensics
Icon
Network data collection
Icon
Exploring logs
Icon
Using tcpdump
Icon
Using tshark
Icon
Using WireShark
Icon
Knowing Bro
Icon
Summary
13
appA. Building a Forensic Analysis Environment
Icon
appA. Building a Forensic Analysis Environment
Icon
Factors that need to be considered
14
appB. Case Study
Icon
Introduction
Icon
Scenario
Icon
Acquisition
Icon
Live analysis
Icon
Prefetch files
Icon
Browser analysis
Icon
Postmortem analysis
Icon
Summary

Analysis approaches

During incident handling, each case can be considered as a different scenario. Therefore, different approaches can take place during the first response, based on the circumstances of the individual case. There are two general approaches that can be used to deal with a security incident:

  • Live analysis: This is usually performed when the analyst has a live system in hand. Shutting the system down is one of the "don'ts" that the responder shouldn't do. Performing some primary analysis of the live system can provide valuable information that can guide the analyst in the future investigation. Also, in some situations, a quick analysis of the incident is highly required when there is no time to go through the normal steps of the analysis.
  • Postmortem analysis: This is the normal steps of the process, where the responder acquires all the available data from the incident scene, and then conducts postmortem analysis on the evidence.

Mainly, the hybrid approach is considered the best, where the responder conducts the live analysis on the powered on and accessible systems, records their findings, and acquires all the data, including the live ones, for postmortem analysis. Combining both results from live and postmortem analysis can clearly explain the status of the system under investigation. Performing the acquisition first in such a case is the best practice as the evidence will be acquired before any analysis traces are in the system.

CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Practical Windows Forensics
End of Section 1
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon