Practical Windows Forensics

Practical Windows Forensics

Overview of this book

Over the last few years, the wave of the cybercrime has risen rapidly. We have witnessed many major attacks on the governmental, military, financial, and media sectors. Tracking all these attacks and crimes requires a deep understanding of operating system operations, how to extract evident data from digital evidence, and the best usage of the digital forensic tools and techniques. Regardless of your level of experience in the field of information security in general, this book will fully introduce you to digital forensics. It will provide you with the knowledge needed to assemble different types of evidence effectively, and walk you through the various stages of the analysis process. We start by discussing the principles of the digital forensics process and move on to show you the approaches that are used to conduct analysis. We will then study various tools to perform live analysis, and go through different techniques to analyze volatile and non-volatile data.

Practical Windows Forensics

Credits

About the Authors

About the Reviewers

www.PacktPub.com

Preface

Free Chapter

The Foundations and Principles of Digital Forensics

What is digital crime?

Digital forensics

Digital evidence

Digital forensic goals

Analysis approaches

Summary

Incident Response and Live Analysis

Personal skills

Security fundamentals

The hardware for IR and Jump Bag

Remote live response

Summary

Volatile Data Collection

Memory acquisition

Network-based data collection

Summary

Nonvolatile Data Acquisition

Forensic image

Incident Response CDs

Live imaging of a hard drive

Linux for the imaging of a hard drive

Virtualization in data acquisition

Evidence integrity (the hash function)

Disk wiping in Linux

Summary

Timeline

Timeline introduction

The Sleuth Kit

Super timeline – Plaso

Plaso architecture

Plaso in practice

Summary

Filesystem Analysis and Data Recovery

Autopsy

Summary

Registry Analysis

The registry structure

Backing up the registry files

Extracting registry hives

Parsing registry files

Auto-run keys

Registry analysis

Summary

Event Log Analysis

Event Logs - an introduction

Event Logs system

Extracting Event Logs

Summary

Windows Files

Windows prefetch files

Windows tasks

Windows Thumbs DB

Windows RecycleBin

Windows shortcut files

Summary

Browser and E-mail Investigation

Browser investigation

Microsoft Internet Explorer

Firefox

Other browsers

E-mail investigation

Summary

Memory Forensics

Memory structure

Memory acquisition

The sources of memory dump

Processes in memory

Network connections in memory

The DLL injection

API hooking

Memory analysis

Summary

Network Forensics

Network data collection

Summary

Building a Forensic Analysis Environment

Factors that need to be considered

Case Study

Summary

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Prefetch files

To try to answer the previous question, we can start analyzing the prefetch files. From DART, open the WinPrefetchView tool. This tool will automatically parse the prefetch files of the live system and view their results in human readable format.

After spending some time in viewing the files and searching for the executable named epqe, we can find that eqpe.exe ran just two seconds after a file named latest_report.pdf.exe ran in the system, and at the same second the Explorer.exe started:

As we can see, the first filename is very suspicious. It is located under C:\Users\<<UserName>>\Downloads\latest_report.pdf.exe. If we tried to search this location for this file, we won't find it. In the list of files used by this latest_report.pdf.exe file, according to WinPrefetchView, we will find the epqe.exe file used or created by this file:

However, what made the victim download this malicious executable?

Practical Windows Forensics

Practical Windows Forensics

Overview of this book

Related Content you might be interested in

Current Title:

Practical Windows Forensics

Prefetch files