Book Image

Practical Windows Forensics

Book Image

Practical Windows Forensics

Overview of this book

Over the last few years, the wave of the cybercrime has risen rapidly. We have witnessed many major attacks on the governmental, military, financial, and media sectors. Tracking all these attacks and crimes requires a deep understanding of operating system operations, how to extract evident data from digital evidence, and the best usage of the digital forensic tools and techniques. Regardless of your level of experience in the field of information security in general, this book will fully introduce you to digital forensics. It will provide you with the knowledge needed to assemble different types of evidence effectively, and walk you through the various stages of the analysis process. We start by discussing the principles of the digital forensics process and move on to show you the approaches that are used to conduct analysis. We will then study various tools to perform live analysis, and go through different techniques to analyze volatile and non-volatile data.
Table of Contents (20 chapters)
Practical Windows Forensics
About the Authors
About the Reviewers

Browser analysis

The last_report.pdf.exe file may have been copied to the machine from another storage or over the network, but because it was located in the Downloads folder, it may be more reasonable to start investigating the browser history.

The installed browsers in the system were Internet Explorer and Mozilla Firefox. By investigating both with DART tools, we can find some interesting results from MozillaHistoryView:

We can see that the file was downloaded from However, we can see that the visit time was just after the user visited, which increases the chance that the malicious link was sent to the victim in an e-mail.

If we have the ability to open the victim's mailbox to prove or refute this assumption, in our case, we will find the following message:

We can find this e-mail where the language isn't accurate and the link was added in order to display other text this link rather than the actual link:


Note: The e-mail and browser history analysis results won't appear in your analysis if you run the malware within a machine on your own.