Book Image

Practical Windows Forensics

Book Image

Practical Windows Forensics

Overview of this book

Over the last few years, the wave of the cybercrime has risen rapidly. We have witnessed many major attacks on the governmental, military, financial, and media sectors. Tracking all these attacks and crimes requires a deep understanding of operating system operations, how to extract evident data from digital evidence, and the best usage of the digital forensic tools and techniques. Regardless of your level of experience in the field of information security in general, this book will fully introduce you to digital forensics. It will provide you with the knowledge needed to assemble different types of evidence effectively, and walk you through the various stages of the analysis process. We start by discussing the principles of the digital forensics process and move on to show you the approaches that are used to conduct analysis. We will then study various tools to perform live analysis, and go through different techniques to analyze volatile and non-volatile data.

Related Content you might be interested in

Current Title:

Small book image
Practical Windows Forensics
Jun, 2016 | 322 pages
No titles found
Table of Contents (20 chapters)
Practical Windows Forensics
Practical Windows Forensics
Credits
Credits
About the Authors
About the Authors
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
The Foundations and Principles of Digital Forensics
The Foundations and Principles of Digital Forensics
What is digital crime?
Digital forensics
Digital evidence
Digital forensic goals
Analysis approaches
Summary
2
Incident Response and Live Analysis
Incident Response and Live Analysis
Personal skills
Security fundamentals
The hardware for IR and Jump Bag
Remote live response
Summary
3
Volatile Data Collection
Volatile Data Collection
Memory acquisition
Network-based data collection
Summary
4
Nonvolatile Data Acquisition
Nonvolatile Data Acquisition
Forensic image
Incident Response CDs
Live imaging of a hard drive
Linux for the imaging of a hard drive
Virtualization in data acquisition
Evidence integrity (the hash function)
Disk wiping in Linux
Summary
5
Timeline
Timeline
Timeline introduction
The Sleuth Kit
Super timeline – Plaso
Plaso architecture
Plaso in practice
Summary
6
Filesystem Analysis and Data Recovery
Filesystem Analysis and Data Recovery
Hard drive structure
The FAT filesystem
The NTFS filesystem
The Sleuth Kit (TSK)
Autopsy
Foremost
Summary
7
Registry Analysis
Registry Analysis
The registry structure
Backing up the registry files
Extracting registry hives
Parsing registry files
Auto-run keys
Registry analysis
Summary
8
Event Log Analysis
Event Log Analysis
Event Logs - an introduction
Event Logs system
Extracting Event Logs
Summary
9
Windows Files
Windows Files
Windows prefetch files
Windows tasks
Windows Thumbs DB
Windows RecycleBin
Windows shortcut files
Summary
10
Browser and E-mail Investigation
Browser and E-mail Investigation
Browser investigation
Microsoft Internet Explorer
Firefox
Other browsers
E-mail investigation
Summary
11
Memory Forensics
Memory Forensics
Memory structure
Memory acquisition
The sources of memory dump
Processes in memory
Network connections in memory
The DLL injection
API hooking
Memory analysis
Summary
12
Network Forensics
Network Forensics
Network data collection
Exploring logs
Using tcpdump
Using tshark
Using WireShark
Knowing Bro
Summary
Building a Forensic Analysis Environment
Building a Forensic Analysis Environment
Factors that need to be considered
Case Study
Case Study
Introduction
Scenario
Acquisition
Live analysis
Prefetch files
Browser analysis
Postmortem analysis
Summary

About the Reviewers

Jim Swauger has over 18 years of experience in the digital forensics field, starting as a computer forensics specialist with the Ohio Attorney General's Computer Crime Unit and then moving on to being the technical security investigator for a top financial institution before becoming an expert consultant with Binary Intelligence. At Binary Intelligence, a firm that specializes in complex cellphone forensic services, Jim manages advanced mobile device Chip-Off, JTAG, and ISP extractions and subsequent forensic data analyses. Jim is an avid Linux user and proponent of using open source resources in digital forensic investigations. His clients include law enforcement and government agencies, corporations, and law firms.

Dr. Stilianos Vidalis was born and raised in Mykonos, a Greek island in Cyclades. He moved to the UK in 1995 to study computer science. He holds a PhD in the threat assessment of micro-payment systems. He is currently the Director of Training for the Cyber Security Centre at the University of Hertfordshire. He lectures on the subjects of cyber security and digital forensics and undertakes consultancy for a number of private and public organizations.

His involvement in the information operations arena began in 2001. Since then, he has participated in high-profile, high-value projects for large international organizations and governments. He has collected and analyzed information for prestigious European financial institutions, applying international standards under the context of risk and threat assessment. He trained the British Armed Forces (Tri-Service) in penetration testing and digital forensics for a number of years.

During his career, Dr. Vidalis has developed and published in peer-reviewed scientific journals his own threat-assessment methodology and other aspects of his work on threat agent classification, vulnerability assessment, early warning systems, deception in CNO,  identity theft, and computer criminal profiling.

Zhouyuan Yang has a master's degree in advanced security and digital forensics. His research areas include host- and network-based security, forensics, penetration testing, and IDP/S systems.

Currently, he is a researcher at Fortinet's Fortiguard Labs on the zero-day team, focusing on network security and vulnerability research.

I would like to thank my father, Qisheng Yang, who gives his full love supporting my career dreams.

Previous Section
Next Chapter