Mastering Windows Network Forensics and Investigation, 2nd Edition

Book Description

An authoritative guide to investigating high-technology crimes

Internet crime is seemingly ever on the rise, making the need for a comprehensive resource on how to investigate these crimes even more dire. This professional-level book--aimed at law enforcement personnel, prosecutors, and corporate investigators--provides you with the training you need in order to acquire the sophisticated skills and software solutions to stay one step ahead of computer criminals.

  • Specifies the techniques needed to investigate, analyze, and document a criminal act on a Windows computer or network

  • Places a special emphasis on how to thoroughly investigate criminal activity and not just perform the initial response

  • Walks you through ways to present technically complicated material in simple terms that will hold up in court

  • Features content fully updated for Windows Server 2008 R2 and Windows 7

  • Covers the emerging field of Windows Mobile forensics

Also included is a classroom support package to ensure academic adoption. Mastering Windows Network Forensics and Investigation, 2nd Edition offers help for investigating high-technology crimes.

Table of Contents

  1. Cover
  2. Contents
  3. Introduction
  4. Part 1: Understanding and Exploiting Windows Networks
    1. Chapter 1: Network Investigation Overview
      1. Performing the Initial Vetting
      2. Meeting with the Victim Organization
        1. Understanding the Victim Network Information
        2. Understanding the Incident
        3. Identifying and Preserving Evidence
        4. Establishing Expectations and Responsibilities
      3. Collecting the Evidence
      4. Analyzing the Evidence
      5. Analyzing the Suspect’s Computers
      6. Recognizing the Investigative Challenges of Microsoft Networks
      7. The Bottom Line
    2. Chapter 2: The Microsoft Network Structure
      1. Connecting Computers
      2. Windows Domains
        1. Interconnecting Domains
        2. Organizational Units
      3. Users and Groups
        1. Types of Accounts
        2. Groups
      4. Permissions
        1. File Permissions
        2. Share Permissions
        3. Reconciling Share and File Permissions
      5. Example Hack
      6. The Bottom Line
    3. Chapter 3: Beyond the Windows GUI
      1. Understanding Programs, Processes, and Threads
      2. Redirecting Process Flow
        1. DLL Injection
        2. Hooking
      3. Maintaining Order Using Privilege Modes
      4. Using Rootkits
      5. The Bottom Line
    4. Chapter 4: Windows Password Issues
      1. Understanding Windows Password Storage
      2. Cracking Windows Passwords Stored on Running Systems
      3. Exploring Windows Authentication Mechanisms
        1. LanMan Authentication
        2. NTLM Authentication
        3. Kerberos Authentication
      4. Sniffing and Cracking Windows Authentication Exchanges
        1. Using ScoopLM and BeatLM to Crack Passwords
      5. Cracking Offline Passwords
        1. Using Cain & Abel to Extract Windows Password Hashes
        2. Accessing Passwords through the Windows Password Verifier
        3. Extracting Password Hashes from RAM
        4. Stealing Credentials from a Running System
      6. The Bottom Line
    5. Chapter 5: Windows Ports and Services
      1. Understanding Ports
      2. Using Ports as Evidence
      3. Understanding Windows Services
      4. The Bottom Line
  5. Part 2: Analyzing the Computer
    1. Chapter 6: Live-Analysis Techniques
      1. Finding Evidence in Memory
      2. Creating a Windows Live-Analysis Toolkit
        1. Using DumpIt to Acquire RAM from a 64-Bit Windows 7 System
        2. Using WinEn to Acquire RAM from a Windows 7 Environment
        3. Using FTK Imager Lite to Acquire RAM from Windows Server 2008
        4. Using Volatility 2.0 to Analyze a Windows 7 32-Bit RAM Image
      3. Monitoring Communication with the Victim Box
      4. Scanning the Victim System
      5. The Bottom Line
    2. Chapter 7: Windows Filesystems
      1. Filesystems vs. Operating Systems
      2. Understanding FAT Filesystems
      3. Understanding NTFS Filesystems
        1. Using NTFS Data Structures
        2. Creating, Deleting, and Recovering Data in NTFS
      4. Dealing with Alternate Data Streams
      5. The exFAT Filesystem
      6. The Bottom Line
    3. Chapter 8: The Registry Structure
      1. Understanding Registry Concepts
        1. Registry History
        2. Registry Organization and Terminology
      2. Performing Registry Research
      3. Viewing the Registry with Forensic Tools
      4. Using EnCase to View the Registry
        1. Examining Information Manually
        2. Using EnScripts to Extract Information
      5. Using AccessData’s Registry Viewer
      6. Other Tools
      7. The Bottom Line
    4. Chapter 9: Registry Evidence
      1. Finding Information in the Software Key
        1. Installed Software
        2. Last Logon
        3. Banners
      2. Exploring Windows Security, Action Center, and Firewall Settings
      3. Analyzing Restore Point Registry Settings
      4. Windows XP Restore Point Content
      5. Analyzing Volume Shadow Copies for Registry Settings
      6. Exploring Security Identifiers
        1. Examining the Recycle Bin
        2. Examining the ProfileList Registry Key
      7. Investigating User Activity
        1. Examining the PSSP and IntelliForms Keys
        2. Examining the MRU Key
        3. Examining the RecentDocs Key
        4. Examining the TypedURLs Key
        5. Examining the UserAssist Key
      8. Extracting LSA Secrets
        1. Using Cain & Abel to Extract LSA Secrets from Your Local Machine
      9. Discovering IP Addresses
        1. Dynamic IP Addresses
        2. Getting More Information from the GUID-Named Interface
      10. Compensating for Time Zone Offsets
      11. Determining the Startup Locations
        1. Exploring the User Profile Areas
        2. Exploring Batch Files
        3. Exploring Scheduled Tasks
        4. Exploring the AppInit_DLL Key
        5. Using EnCase and Registry Viewer
        6. Using Autoruns to Determine Startups
      12. The Bottom Line
    5. Chapter 10: Introduction to Malware
      1. Understanding the Purpose of Malware Analysis
      2. Malware Analysis Tools and Techniques
        1. Constructing an Effective Malware Analysis Toolkit
        2. Analyzing Malicious Code
        3. Monitoring Malicious Code
        4. Monitoring Malware Network Traffic
      3. The Bottom Line
  6. Part 3: Analyzing the Logs
    1. Chapter 11: Text-Based Logs
      1. Parsing IIS Logs
      2. Parsing FTP Logs
      3. Parsing DHCP Server Logs
      4. Parsing Windows Firewall Logs
      5. Using Splunk
      6. The Bottom Line
    2. Chapter 12: Windows Event Logs
      1. Understanding the Event Logs
        1. Exploring Auditing Settings
      2. Using Event Viewer
        1. Opening and Saving Event Logs
        2. Viewing Event Log Data
      3. Searching with Event Viewer
      4. The Bottom Line
    3. Chapter 13: Logon and Account Logon Events
      1. Begin at the Beginning
        1. Comparing Logon and Account Logon Events
        2. Analyzing Windows 2003/2008 Logon Events
        3. Examining Windows 2003/2008 Account Logon Events
      2. The Bottom Line
    4. Chapter 14: Other Audit Events
      1. The Exploitation of a Network
      2. Examining System Log Entries
      3. Examining Application Log Entries
      4. Evaluating Account Management Events
      5. Interpreting File and Other Object Access Events
      6. Examining Audit Policy Change Events
      7. The Bottom Line
    5. Chapter 15: Forensic Analysis of Event Logs
      1. Windows Event Log Files Internals
        1. Windows Vista/7/2008 Event Logs
        2. Windows XP/2003 Event Logs
      2. Repairing Windows XP/2003 Corrupted Event Log Databases
      3. Finding and Recovering Event Logs from Free Space
      4. The Bottom Line
  7. Part 4: Results, the Cloud, and Virtualization
    1. Chapter 16: Presenting the Results
      1. Report Basics
      2. Creating a Narrative Report with Hyperlinks
        1. Creating Hyperlinks
        2. Creating and Linking Bookmarks
      3. The Electronic Report Files
      4. Creating Timelines
        1. CaseMap and TimeMap
        2. Splunk
      5. Testifying about Technical Matters
      6. The Bottom Line
    2. Chapter 17: The Challenges of Cloud Computing and Virtualization
      1. What Is Virtualization?
      2. The Hypervisor
      3. Preparing for Incident Response in Virtual Space
      4. Forensic Analysis Techniques
        1. Dead Host-Based Virtual Environment
        2. Live Virtual Environment
        3. Artifacts
      5. Cloud Computing
        1. What Is It?
        2. Services
        3. Forensic Challenges
        4. Forensic Techniques
      6. The Bottom Line
  8. Part 5: Appendices
    1. Appendix A: The Bottom Line
      1. Chapter 1: Network Investigation Overview
      2. Chapter 2: The Microsoft Network Structure
      3. Chapter 3: Beyond the Windows GUI
      4. Chapter 4: Windows Password Issues
      5. Chapter 5: Windows Ports and Services
      6. Chapter 6: Live-Analysis Techniques
      7. Chapter 7: Windows Filesystems
      8. Chapter 8: The Registry Structure
      9. Chapter 9: Registry Evidence
      10. Chapter 10: Introduction to Malware
      11. Chapter 11: Text-Based Logs
      12. Chapter 12: Windows Event Logs
      13. Chapter 13: Logon and Account Logon Events
      14. Chapter 14: Other Audit Events
      15. Chapter 15: Forensic Analysis of Event Logs
      16. Chapter 16: Presenting the Results
      17. Chapter 17: The Challenges of Cloud Computing and Virtualization
    2. Appendix B: Test Environments
      1. Software
      2. Hardware
      3. Setting Up Test Environments in Training Laboratories
        1. Chapter 1: Network Investigation Overview
        2. Chapter 2: The Microsoft Network Structure
        3. Chapter 3: Beyond the Windows GUI
        4. Chapter 4: Windows Password Issues
        5. Chapter 5: Windows Ports and Services
        6. Chapter 6: Live-Analysis Techniques
        7. Chapter 7: Windows Filesystems
        8. Chapter 8: The Registry Structure
        9. Chapter 9: Registry Evidence
        10. Chapter 10: Introduction to Malware
        11. Chapter 11: Text-Based Logs
        12. Chapter 12: Windows Event Logs
        13. Chapter 13: Logon and Account Logon Events
        14. Chapter 14: Other Audit Events
        15. Chapter 15: Forensic Analysis of Event Logs
        16. Chapter 16: Presenting the Results
        17. Chapter 17: The Challenges of Cloud Computing and Virtualization
  9. Index